Hi, Lucas! My filters missed your replies, sorry :( On Wed, Jun 9, 2021 at 8:11 PM Lucas De Marchi <lucas.demarchi@xxxxxxxxx> wrote: > > On Tue, Jun 08, 2021 at 09:29:23AM +0300, Yauheni Kaliuta wrote: > >There is potential buffer overrun in kmod_builtin_iter_get_modname() > >for the name of length PATH_MAX. The required buffer size is > >PATH_MAX, so `modname[len] = '\0'` with len == PATH_MAX will write > >right beyond the buffer. > > this doesn't look correct. "with len == PATH_MAX" we will actually > return an error. > > What indeed is happening is truncation: since we are not reserving 1 > char for NUL termination, we will truncate the name. If we update the > commit message to state the right reasoning, then we can land this patch. > > I don't see any buffer overflow here, but I may be missing something. Yes, you are right. I see the actual overflow is fixed by 1cab02ecf6ee ("libkmod: fix an overflow with wrong modules.builtin.modinfo") I should have checked some reports more carefully. Please, ignore the patch. > thanks > LUcas De Marchi > > > > >Check the length against PATH_MAX - 1. > > > >Signed-off-by: Yauheni Kaliuta <ykaliuta@xxxxxxxxxx> > >--- > > libkmod/libkmod-builtin.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > >diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c > >index a002cb5ee2c6..3d4d77ab29b3 100644 > >--- a/libkmod/libkmod-builtin.c > >+++ b/libkmod/libkmod-builtin.c > >@@ -246,7 +246,7 @@ bool kmod_builtin_iter_get_modname(struct kmod_builtin_iter *iter, > > > > len = dot - line; > > > >- if (len >= PATH_MAX) { > >+ if (len >= PATH_MAX - 1) { > > sv_errno = ENAMETOOLONG; > > goto fail; > > } > >-- > >2.31.1 > > > -- WBR, Yauheni