From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 8 Oct 2023 18:41:29 +0000 (+0200)
Subject: lib/path: fix possible out of boundary access
X-Git-Tag: v2.40-rc1~207^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e192f2d81160c4e4f9a6b21329cf9d6045a405d0;p=thirdparty%2Futil-linux.git

lib/path: fix possible out of boundary access

If fgets reads from a file starting with a NUL byte in ul_path_cpuparse,
then the check for newline leads to an out of boundary access.

Proof of Concept (compile with --enable-asan):

1. Prepare /tmp/poc with required files
```
$ install -d /tmp/poc/sys/devices/system/cpu
$ dd if=/dev/zero of=/tmp/poc/sys/devices/system/cpu/possible bs=1 count=1
$ install -D /dev/null /tmp/poc/proc/cpuinfo
```

2. Run lscpu with sysroot option
```
$ lscpu --sysroot /tmp/poc
=================================================================
==78238==ERROR: AddressSanitizer: heap-buffer-overflow
```

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---

diff --git a/lib/path.c b/lib/path.c
index 9d4d3585b1..53bb798687 100644
--- a/lib/path.c
+++ b/lib/path.c
@@ -1042,7 +1042,7 @@ static int ul_path_cpuparse(struct path_cxt *pc, cpu_set_t **set, int maxcpus, i
 		goto out;
 
 	len = strlen(buf);
-	if (buf[len - 1] == '\n')
+	if (len > 0 && buf[len - 1] == '\n')
 		buf[len - 1] = '\0';
 
 	*set = cpuset_alloc(maxcpus, &setsize, NULL);