From: Dmitry Antipov
Date: Fri, 19 May 2023 07:46:38 +0000 (+0300)
Subject: libkmod: fix possible out-of-bounds memory access
X-Git-Tag: v31~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=badacf76e46b3602bc0e99ffc677ccbe53691f62;p=thirdparty%2Fkmod.git

libkmod: fix possible out-of-bounds memory access

An attempt to pass too long module name to, say, rmmod, may cause an out-of-bounds memory access (as reported by UBSan):

$ rmmod $(for i in $(seq 0 4200); do echo -ne x; done)
libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]'

This is because 'snprintf(path, sizeof(path), ...)' may return the value which exceeds 'sizeof(path)' (which happens when an output gets truncated). To play it safe, such a suspicious output is better to be rejected explicitly.

Reviewed-by: Christophe Leroy
Signed-off-by: Dmitry Antipov
Link: https://lore.kernel.org/r/20230519074638.402045-1-dmantipov@yandex.ru
---
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c index 1da64b30..7736b7e1 100644 --- a/libkmod/libkmod-module.c +++ b/libkmod/libkmod-module.c @@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod) pathlen = snprintf(path, sizeof(path), "/sys/module/%s/initstate", mod->name); + if (pathlen >= (int)sizeof(path)) { + /* Too long path was truncated */ + return -ENAMETOOLONG; + } fd = open(path, O_RDONLY|O_CLOEXEC); if (fd < 0) { err = -errno;
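Review bot: the new check right after the snprintf() call in kmod_module_get_initstate() rejects only the truncation case (pathlen >= (int)sizeof(path)); a negative return from snprintf() on an output error still falls through to open() with unspecified buffer contents and a negative pathlen. Consider widening the condition to "if (pathlen < 0 || pathlen >= (int)sizeof(path))", with a separate error code for the negative case if the distinction matters to callers. The early return sits before open(), so no descriptor is leaked on this path. The UBSan report quoted in the commit message points at line 1828, which is outside this hunk, so it is worth confirming during review that every later use of pathlen as an index is covered by this single check, and that the comment wording ("Too long path was truncated") could read more simply as "path was truncated".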