From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 16 Oct 2024 09:42:04 +0000 (+0200)
Subject: modinfo: Prevent out of boundary access
X-Git-Tag: v34~220
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=136ffe757f8b39df0b6d11897db632cdad77ea87;p=thirdparty%2Fkmod.git

modinfo: Prevent out of boundary access

If a module file contains parameter strings longer than INT_MAX, it is
possible to trigger an out of boundary read with memcmp. Since such a
file is very likely broken or of malicious intent, just consider it
invalid and error out.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/184
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---

diff --git a/tools/modinfo.c b/tools/modinfo.c
index f1323c50..40f24ea6 100644
--- a/tools/modinfo.c
+++ b/tools/modinfo.c
@@ -34,14 +34,19 @@ struct param {
 	int typelen;
 };
 
-static struct param *add_param(const char *name, int namelen, const char *param,
-			       int paramlen, const char *type, int typelen,
+static struct param *add_param(const char *name, size_t namelen, const char *param,
+			       size_t paramlen, const char *type, size_t typelen,
 			       struct param **list)
 {
 	struct param *it;
 
+	if (namelen > INT_MAX || paramlen > INT_MAX || typelen > INT_MAX) {
+		errno = EINVAL;
+		return NULL;
+	}
+
 	for (it = *list; it != NULL; it = it->next) {
-		if (it->namelen == namelen && memcmp(it->name, name, namelen) == 0)
+		if (it->namelen == (int)namelen && memcmp(it->name, name, namelen) == 0)
 			break;
 	}
 
@@ -75,7 +80,7 @@ static struct param *add_param(const char *name, int namelen, const char *param,
 static int process_parm(const char *key, const char *value, struct param **params)
 {
 	const char *name, *param, *type;
-	int namelen, paramlen, typelen;
+	size_t namelen, paramlen, typelen;
 	struct param *it;
 	const char *colon = strchr(value, ':');
 	if (colon == NULL) {
@@ -99,7 +104,7 @@ static int process_parm(const char *key, const char *value, struct param **param
 
 	it = add_param(name, namelen, param, paramlen, type, typelen, params);
 	if (it == NULL) {
-		ERR("Out of memory!\n");
+		ERR("Unable to add parameter: %m\n");
 		return -ENOMEM;
 	}