From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 11 Sep 2024 15:51:53 +0000 (+0200)
Subject: libkmod: Fix OOB write with illegal index files
X-Git-Tag: v34~322
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=47407a2565cbd5c58456e7d2efa57158f5238c06;p=thirdparty%2Fkmod.git

libkmod: Fix OOB write with illegal index files

If an index file with INDEX_NODE_CHILDS flag contains illegal first
and last markers for children, it is possible to trigger an out of
boundary write.

Make sure that first value is not larger than last value while reading
index files.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/126
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---

diff --git a/libkmod/libkmod-index.c b/libkmod/libkmod-index.c
index 36b84a83..ee9b393d 100644
--- a/libkmod/libkmod-index.c
+++ b/libkmod/libkmod-index.c
@@ -247,7 +247,7 @@ static struct index_node_f *index_read(FILE *in, uint32_t offset)
 		int first = read_char(in);
 		int last = read_char(in);
 
-		if (first == EOF || last == EOF)
+		if (first == EOF || last == EOF || first > last)
 			goto err;
 
 		child_count = last - first + 1;
@@ -699,6 +699,10 @@ static struct index_mm_node *index_mm_read_node(struct index_mm *idx,
 	if (offset & INDEX_NODE_CHILDS) {
 		first = read_char_mm(&p);
 		last = read_char_mm(&p);
+
+		if (first > last)
+			return NULL;
+
 		child_count = last - first + 1;
 		for (i = 0; i < child_count; i++)
 			children[i] = read_u32_mm(&p);