try_add_failed_module() uses memcpy() with strlen(name) as the length to copy a module name into mod_fail->name, a fixed-size buffer of MODULE_NAME_LEN bytes. This is an issue as it does no bounds check.
Current callers always pass names originating from mod->name (char[MODULE_NAME_LEN]), so this is not exploitable today. However the function accepts a plain const char * with no documented length contract, making it a latent buffer overflow if a future caller passes a longer string. Replace memcpy() with strscpy(), which bounds the copy to MODULE_NAME_LEN and always NUL-terminates. Signed-off-by: Naveen Kumar Chaudhary <[email protected]> --- kernel/module/stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module/stats.c b/kernel/module/stats.c index 3a9672f93a8e..08724baca773 100644 --- a/kernel/module/stats.c +++ b/kernel/module/stats.c @@ -253,7 +253,7 @@ int try_add_failed_module(const char *name, enum fail_dup_mod_reason reason) mod_fail = kzalloc_obj(*mod_fail); if (!mod_fail) return -ENOMEM; - memcpy(mod_fail->name, name, strlen(name)); + strscpy(mod_fail->name, name, MODULE_NAME_LEN); __set_bit(reason, &mod_fail->dup_fail_mask); atomic_long_inc(&mod_fail->count); list_add_rcu(&mod_fail->list, &dup_failed_modules); -- 2.43.0
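Review bot: in the `+ strscpy(mod_fail->name, name, MODULE_NAME_LEN);` line, bound the copy with `sizeof(mod_fail->name)` rather than the bare MODULE_NAME_LEN constant, so the limit is tied to the destination buffer itself instead of relying on the two staying in sync (if this tree already has the two-argument form, `strscpy(mod_fail->name, name);` does that automatically). Since strscpy() truncates silently and returns -E2BIG when the source does not fit, it would also be worth stating in the commit message whether a truncated name is acceptable for a dup-failure stats entry or whether the return value should be checked.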

