An attempt to pass too long module name to, say, rmmod, may cause an out-of-bounds memory access (as repoted by UBSan): $ rmmod $(for i in $(seq 0 4200); do echo -ne x; done) libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]' This is because 'snprintf(path, sizeof(path), ...)' may return the value which exceeds 'sizeof(path)' (which happens when an output gets truncated). To play it safe, such a suspicious output is better to be rejected explicitly. Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx> --- libkmod/libkmod-module.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c index 1da64b3..074001e 100644 --- a/libkmod/libkmod-module.c +++ b/libkmod/libkmod-module.c @@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod) pathlen = snprintf(path, sizeof(path), "/sys/module/%s/initstate", mod->name); + if (pathlen >= (int)sizeof(path)) { + /* Too long path was truncated */ + return -EINVAL; + } fd = open(path, O_RDONLY|O_CLOEXEC); if (fd < 0) { err = -errno; -- 2.40.1