Hi, Lucas!
My filters missed your replies, sorry :(
On Wed, Jun 9, 2021 at 8:11 PM Lucas De Marchi <lucas.demarchi@xxxxxxxxx> wrote:
>
> On Tue, Jun 08, 2021 at 09:29:23AM +0300, Yauheni Kaliuta wrote:
> >There is potential buffer overrun in kmod_builtin_iter_get_modname()
> >for the name of length PATH_MAX. The required buffer size is
> >PATH_MAX, so `modname[len] = '\0'` with len == PATH_MAX will write
> >right beyond the buffer.
>
> this doesn't look correct. "with len == PATH_MAX" we will actually
> return an error.
>
> What indeed is happening is truncation: since we are not reserving 1
> char for NUL termination, we will truncate the name. If we update the
> commit message to state the right reasoning, then we can land this patch.
>
> I don't see any buffer overflow here, but I may be missing something.
Yes, you are right. I see the actual overflow is fixed by
1cab02ecf6ee ("libkmod: fix an overflow with wrong modules.builtin.modinfo")
I should have checked some reports more carefully. Please, ignore the patch.
> thanks
> LUcas De Marchi
>
> >
> >Check the length against PATH_MAX - 1.
> >
> >Signed-off-by: Yauheni Kaliuta <ykaliuta@xxxxxxxxxx>
> >---
> > libkmod/libkmod-builtin.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >diff --git a/libkmod/libkmod-builtin.c b/libkmod/libkmod-builtin.c
> >index a002cb5ee2c6..3d4d77ab29b3 100644
> >--- a/libkmod/libkmod-builtin.c
> >+++ b/libkmod/libkmod-builtin.c
> >@@ -246,7 +246,7 @@ bool kmod_builtin_iter_get_modname(struct kmod_builtin_iter *iter,
> >
> > len = dot - line;
> >
> >- if (len >= PATH_MAX) {
> >+ if (len >= PATH_MAX - 1) {
> > sv_errno = ENAMETOOLONG;
> > goto fail;
> > }
> >--
> >2.31.1
> >
>
--
WBR, Yauheni
