From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 8 Oct 2023 18:41:29 +0000 (+0200)
Subject: lib/path: fix possible out of boundary access
X-Git-Tag: v2.39.3~37
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=5ec30a362a5dd91c018c04a64fd1a481029dc4c6;p=thirdparty%2Futil-linux.git

lib/path: fix possible out of boundary access

If fgets reads from a file starting with a NUL byte in ul_path_cpuparse,
then the check for newline leads to an out of boundary access.

Proof of Concept (compile with --enable-asan):

1. Prepare /tmp/poc with required files
```
$ install -d /tmp/poc/sys/devices/system/cpu
$ dd if=/dev/zero of=/tmp/poc/sys/devices/system/cpu/possible bs=1 count=1
$ install -D /dev/null /tmp/poc/proc/cpuinfo
```

2. Run lscpu with sysroot option
```
$ lscpu --sysroot /tmp/poc
=================================================================
==78238==ERROR: AddressSanitizer: heap-buffer-overflow
```

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---

diff --git a/lib/path.c b/lib/path.c
index 95a6b8b895..1a8a21c124 100644
--- a/lib/path.c
+++ b/lib/path.c
@@ -1036,7 +1036,7 @@ static int ul_path_cpuparse(struct path_cxt *pc, cpu_set_t **set, int maxcpus, i
 		return rc;
 
 	len = strlen(buf);
-	if (buf[len - 1] == '\n')
+	if (len > 0 && buf[len - 1] == '\n')
 		buf[len - 1] = '\0';
 
 	*set = cpuset_alloc(maxcpus, &setsize, NULL);