tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

kobject_uevent: Fix OOB access within zap_modalias_env()

zap_modalias_env() wrongly calculates size of memory block to move, so
will cause OOB memory access issue if variable MODALIAS is not the last
one within its @env parameter, fixed by correcting size to memmove.

Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Reviewed-by: Lk Sii <lk_sii@163.com>
Link: https://lore.kernel.org/r/1717074877-11352-1-git-send-email-quic_zijuhu@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Zijun Hu and committed by
Greg Kroah-Hartman dd6e9894 880f5f58

+16 -1
+16 -1
lib/kobject_uevent.c
··· 433 433 len = strlen(env->envp[i]) + 1; 434 434 435 435 if (i != env->envp_idx - 1) { 436 + /* @env->envp[] contains pointers to @env->buf[] 437 + * with @env->buflen chars, and we are removing 438 + * variable MODALIAS here pointed by @env->envp[i] 439 + * with length @len as shown below: 440 + * 441 + * 0 @env->buf[] @env->buflen 442 + * --------------------------------------------- 443 + * ^ ^ ^ ^ 444 + * | |-> @len <-| target block | 445 + * @env->envp[0] @env->envp[i] @env->envp[i + 1] 446 + * 447 + * so the "target block" indicated above is moved 448 + * backward by @len, and its right size is 449 + * @env->buflen - (@env->envp[i + 1] - @env->envp[0]). 450 + */ 436 451 memmove(env->envp[i], env->envp[i + 1], 437 - env->buflen - len); 452 + env->buflen - (env->envp[i + 1] - env->envp[0])); 438 453 439 454 for (j = i; j < env->envp_idx - 1; j++) 440 455 env->envp[j] = env->envp[j + 1] - len;