libkmod: Fix OOB write with illegal index files

If an index file with INDEX_NODE_CHILDS flag contains illegal first
and last markers for children, it is possible to trigger an out of
boundary write.

Make sure that first value is not larger than last value while reading
index files.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/126
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>

diff --git a/libkmod/libkmod-index.c b/libkmod/libkmod-index.c
index 36b84a836fccbd448d2cb84c9b35bd04561be0e9..ee9b393d471b8b8bc63f9019b798e9c169c54f51 100644 (file)
--- a/libkmod/libkmod-index.c
+++ b/libkmod/libkmod-index.c
@@ -247,7 +247,7 @@ static struct index_node_f *index_read(FILE *in, uint32_t offset)
                int first = read_char(in);
                int last = read_char(in);
 
-               if (first == EOF || last == EOF)
+               if (first == EOF || last == EOF || first > last)
                        goto err;
 
                child_count = last - first + 1;
@@ -699,6 +699,10 @@ static struct index_mm_node *index_mm_read_node(struct index_mm *idx,
        if (offset & INDEX_NODE_CHILDS) {
                first = read_char_mm(&p);
                last = read_char_mm(&p);
+
+               if (first > last)
+                       return NULL;
+
                child_count = last - first + 1;
                for (i = 0; i < child_count; i++)
                        children[i] = read_u32_mm(&p);