From: Tony Ambardar Date: Mon, 22 Jan 2024 08:48:37 +0000 (-0800) Subject: kmodloader: fix invalid read outside mapped region X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=2c5887cb46883a28d69071c4349c3dabbbe3972c;p=project%2Fubox.git kmodloader: fix invalid read outside mapped region Code parsing .modinfo data skips over null sequences without checking bounds and may read past mapped memory, potentially triggering SIGSEGV. Fixes: https://github.com/openwrt/openwrt/issues/14463 Fixes: d6e6825c4697 ("add support for module handling") Refer: 9371411715c8 ("kmodloader: fix out-of-bound access when parsing .modinfo") Signed-off-by: Tony Ambardar --- diff --git a/kmodloader.c b/kmodloader.c index 3736942..cad2248 100644 --- a/kmodloader.c +++ b/kmodloader.c @@ -437,12 +437,13 @@ static struct module* get_module_info(const char *module, const char *name) strings = map + offset; while (true) { + char *end = map + offset + size; char *sep; int len; - while (!strings[0]) + while ((strings < end) && !strings[0]) strings++; - if (strings >= map + offset + size) + if (strings >= end) break; if (is_builtin) { sep = strstr(strings, "."); @@ -624,13 +625,14 @@ static int print_modinfo(const struct module *m) printf("name:\t\t%s\n", m->name); printf("filename:\t%s\n", is_builtin ? "(builtin)" : mpath); while (true) { + char *end = map + offset + size; char *pname, *pdata; char *dup = NULL; char *sep, *sep2; - while (!strings[0]) + while ((strings < end) && !strings[0]) strings++; - if (strings >= map + offset + size) + if (strings >= end) break; if (is_builtin) { sep = strstr(strings, ".");