From 2c5887cb46883a28d69071c4349c3dabbbe3972c Mon Sep 17 00:00:00 2001
From: Tony Ambardar
Date: Mon, 22 Jan 2024 00:48:37 -0800
Subject: [PATCH] kmodloader: fix invalid read outside mapped region

Code parsing .modinfo data skips over null sequences without checking bounds and may read past mapped memory, potentially triggering SIGSEGV.

Fixes: https://github.com/openwrt/openwrt/issues/14463
Fixes: d6e6825c4697 ("add support for module handling")
Refer: 9371411715c8 ("kmodloader: fix out-of-bound access when parsing .modinfo")
Signed-off-by: Tony Ambardar
---
 kmodloader.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/kmodloader.c b/kmodloader.c
index 3736942..cad2248 100644
--- a/kmodloader.c
+++ b/kmodloader.c
@@ -437,12 +437,13 @@ static struct module* get_module_info(const char *module, const char *name)
 
 	strings = map + offset;
 	while (true) {
+		char *end = map + offset + size;
 		char *sep;
 		int len;
 
-		while (!strings[0])
+		while ((strings < end) && !strings[0])
 			strings++;
-		if (strings >= map + offset + size)
+		if (strings >= end)
 			break;
 		if (is_builtin) {
 			sep = strstr(strings, ".");
@@ -624,13 +625,14 @@ static int print_modinfo(const struct module *m)
 	printf("name:\t\t%s\n", m->name);
 	printf("filename:\t%s\n", is_builtin ? "(builtin)" : mpath);
 	while (true) {
+		char *end = map + offset + size;
 		char *pname, *pdata;
 		char *dup = NULL;
 		char *sep, *sep2;
 
-		while (!strings[0])
+		while ((strings < end) && !strings[0])
 			strings++;
-		if (strings >= map + offset + size)
+		if (strings >= end)
 			break;
 		if (is_builtin) {
 			sep = strstr(strings, ".");
-- 
2.30.2
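Review bot: The new `strings < end` guard stops the NUL-skipping loop at the edge of the mapping, but the `strstr(strings, ".")` two lines after the `break` still assumes a NUL terminator exists before `end`, so a truncated or malformed .modinfo section whose last string is unterminated can still be read past the mapped region. A bounded check right after the existing `break` would close that gap: `if (!memchr(strings, '\0', (size_t)(end - strings))) break;`. The same applies to the second hunk in print_modinfo, where the parsing that follows presumably runs strlen/strdup on the same pointer. As a point of style, `end` is loop-invariant in both hunks and could be declared once above `while (true)` rather than recomputed per iteration. Both get_module_info and print_modinfo start and end outside their hunks.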