[PATCH] kobject_uevent: Fix OOB access within zap_modalias_env()

From: Zijun Hu
Date: Fri May 24 2024 - 00:20:37 EST

Next message: Bagas Sanjaya: "Re: [PATCH 6.8 00/23] 6.8.11-rc1 review"
Previous message: Greg Kroah-Hartman: "Re: [PATCH v2] regmap-i2c: Subtract reg size from max_write"
Next in thread: Greg KH: "Re: [PATCH] kobject_uevent: Fix OOB access within zap_modalias_env()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

zap_modalias_env() wrongly calculates size of memory block
to move, so maybe cause OOB memory access issue, fixed by
correcting size to memmove.

Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
---
lib/kobject_uevent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
index 03b427e2707e..f153b4f9d4d9 100644
--- a/lib/kobject_uevent.c
+++ b/lib/kobject_uevent.c
@@ -434,7 +434,7 @@ static void zap_modalias_env(struct kobj_uevent_env *env)

if (i != env->envp_idx - 1) {
memmove(env->envp[i], env->envp[i + 1],
- env->buflen - len);
+ env->buf + env->buflen - env->envp[i + 1]);

for (j = i; j < env->envp_idx - 1; j++)
env->envp[j] = env->envp[j + 1] - len;
--
2.7.4

Next message: Bagas Sanjaya: "Re: [PATCH 6.8 00/23] 6.8.11-rc1 review"
Previous message: Greg Kroah-Hartman: "Re: [PATCH v2] regmap-i2c: Subtract reg size from max_write"
Next in thread: Greg KH: "Re: [PATCH] kobject_uevent: Fix OOB access within zap_modalias_env()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]