On Thu, 2 Mar 2023 14:08:14 -0800 Jakub Kicinski wrote: > > static ssize_t > > ikheaders_read(struct file *file, struct kobject *kobj, > > struct bin_attribute *bin_attr, > > char *buf, loff_t off, size_t len) > > { > > memcpy(buf, &kernel_headers_data + off, len); > > return len; > > } > > > > I will take a look at the caller's allocation of "buf" and kernel_headers_data. > > Mm. Actually stopping to look at the code - I don't see it bound > checking against kernel_headers_data_end :| Maybe we need: > > @@ -34,6 +35,7 @@ ikheaders_read(struct file *file, struct kobject *kobj, > struct bin_attribute *bin_attr, > char *buf, loff_t off, size_t len) > { > + len = min_t(size_t, kernel_headers_data_end - kernel_headers_data, len); > memcpy(buf, &kernel_headers_data + off, len); > return len; > } Scratch that, the size is set at init time. My guess was memcpy() thinks the size of kernel_headers_data is 1 since it's declared as char?
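Review bot: the added min_t() line clamps len against the total length of the blob but ignores off, so a read at a non-zero offset can still let memcpy() run past kernel_headers_data_end. The bound should be the number of bytes remaining after off, returning 0 when off is at or beyond the end, rather than the full size. The subtraction is also written as kernel_headers_data_end - kernel_headers_data without &, while the memcpy() source is &kernel_headers_data + off; if the symbols are declared as plain char, as the message guesses, that expression subtracts two byte values rather than two addresses, so it should take the address of both symbols.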