libkmod: fix buffer-overflow in weakdep_to_char

author Tobias Stoeckmann <tobias@stoeckmann.org>

Wed, 26 Mar 2025 14:51:22 +0000 (15:51 +0100)

committer Lucas De Marchi <lucas.de.marchi@gmail.com>

Wed, 26 Mar 2025 16:39:42 +0000 (11:39 -0500)
author Tobias Stoeckmann <tobias@stoeckmann.org>
Wed, 26 Mar 2025 14:51:22 +0000 (15:51 +0100)
committer Lucas De Marchi <lucas.de.marchi@gmail.com>
Wed, 26 Mar 2025 16:39:42 +0000 (11:39 -0500)
diff --git a/libkmod/libkmod-config.c b/libkmod/libkmod-config.c

index e52aae77e0f2207c42c0c8a2dfc24495bcfeb1ef..ee1cb94647ef45a9c6028f1055fadfa713c0630f 100644 (file)
--- a/libkmod/libkmod-config.c
+++ b/libkmod/libkmod-config.c
@@ -574,28 +574,30 @@ static char *softdep_to_char(struct kmod_softdep *dep)
  
  static char *weakdep_to_char(struct kmod_weakdep *dep)
  {
-       size_t sz;
+       size_t sz = 1; /* at least '\0' */
+       size_t sz_weak;
         const char *start, *end;
         char *s, *itr;
  
         /* Rely on the fact that dep->weak[] is a strv that points to a contiguous buffer */
         if (dep->n_weak > 0) {
                 start = dep->weak[0];
-               end = dep->weak[dep->n_weak - 1] + strlen(dep->weak[dep->n_weak - 1]) + 1;
-               sz = end - start;
+               end = dep->weak[dep->n_weak - 1] + strlen(dep->weak[dep->n_weak - 1]);
+               sz_weak = end - start;
+               sz += sz_weak;
         } else
-               sz = 0;
+               sz_weak = 0;
  
         itr = s = malloc(sz);
         if (s == NULL)
                 return NULL;
  
-       if (sz) {
+       if (sz_weak) {
                 char *p;
  
                 /* include last '\0' */
-               memcpy(itr, dep->weak[0], sz);
-               for (p = itr; p < itr + sz - 1; p++) {
+               memcpy(itr, dep->weak[0], sz_weak);
+               for (p = itr; p < itr + sz_weak; p++) {
                         if (*p == '\0')
                                 *p = ' ';
                 }
diff --git a/testsuite/rootfs-pristine/test-weakdep/etc/modprobe.d/dumb-weakdep.conf b/testsuite/rootfs-pristine/test-weakdep/etc/modprobe.d/dumb-weakdep.conf

index 181714aba8e0db8524b9794a33520608b1448b40..6fa8355de7c966f4d2e3b36e71c9d9d4ad9347d0 100644 (file)
--- a/testsuite/rootfs-pristine/test-weakdep/etc/modprobe.d/dumb-weakdep.conf
+++ b/testsuite/rootfs-pristine/test-weakdep/etc/modprobe.d/dumb-weakdep.conf
@@ -1 +1,2 @@
+weakdep mod-loop-a     
  weakdep mod-loop-b mod-loop-a mod-simple
diff --git a/testsuite/rootfs-pristine/test-weakdep/modprobe-c.txt b/testsuite/rootfs-pristine/test-weakdep/modprobe-c.txt

index 82485a61923897b419aa9d30c2cbe9449b6d9f53..b34699fd753948312d135e58ba057c0789d6ab95 100644 (file)
--- a/testsuite/rootfs-pristine/test-weakdep/modprobe-c.txt
+++ b/testsuite/rootfs-pristine/test-weakdep/modprobe-c.txt
@@ -1,3 +1,4 @@
+weakdep mod_loop_a 
  weakdep mod_loop_b mod-loop-a mod-simple
  weakdep mod_weakdep mod-simple
author	Tobias Stoeckmann <tobias@stoeckmann.org>
	Wed, 26 Mar 2025 14:51:22 +0000 (15:51 +0100)
committer	Lucas De Marchi <lucas.de.marchi@gmail.com>
	Wed, 26 Mar 2025 16:39:42 +0000 (11:39 -0500)
libkmod/libkmod-config.c		patch \| blob \| blame \| history
testsuite/rootfs-pristine/test-weakdep/etc/modprobe.d/dumb-weakdep.conf		patch \| blob \| blame \| history
testsuite/rootfs-pristine/test-weakdep/modprobe-c.txt		patch \| blob \| blame \| history