Code parsing .modinfo data skips over null sequences without checking
bounds and may read past mapped memory, potentially triggering SIGSEGV.
Fixes: https://github.com/openwrt/openwrt/issues/14463
Fixes: d6e6825c4697 ("add support for module handling")
Refer:
9371411715c8 ("kmodloader: fix out-of-bound access when parsing .modinfo")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
strings = map + offset;
while (true) {
+ char *end = map + offset + size;
char *sep;
int len;
- while (!strings[0])
+ while ((strings < end) && !strings[0])
strings++;
- if (strings >= map + offset + size)
+ if (strings >= end)
break;
if (is_builtin) {
sep = strstr(strings, ".");
printf("name:\t\t%s\n", m->name);
printf("filename:\t%s\n", is_builtin ? "(builtin)" : mpath);
while (true) {
+ char *end = map + offset + size;
char *pname, *pdata;
char *dup = NULL;
char *sep, *sep2;
- while (!strings[0])
+ while ((strings < end) && !strings[0])
strings++;
- if (strings >= map + offset + size)
+ if (strings >= end)
break;
if (is_builtin) {
sep = strstr(strings, ".");