On 6/3/26 6:25 PM, Naveen Kumar Chaudhary wrote: > kmod_dup_request_exists_wait() uses memcpy() with strlen(module_name) to > copy into new_kmod_req->name, a fixed-size char[MODULE_NAME_LEN] buffer. > This does not bounds-check the copy and does not explicitly NUL-terminate. > The buffer is zeroed from kzalloc_obj() so NUL-termination happens to > work, but the pattern is fragile and lacks an explicit bounds check. > > Replace with strscpy() which bounds the copy and guarantees > NUL-termination. > > Signed-off-by: Naveen Kumar Chaudhary <[email protected]> > --- > kernel/module/dups.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/module/dups.c b/kernel/module/dups.c > index 1d720a5311ba..33bddfb57317 100644 > --- a/kernel/module/dups.c > +++ b/kernel/module/dups.c > @@ -129,7 +129,7 @@ bool kmod_dup_request_exists_wait(char *module_name, bool > wait, int *dup_ret) > if (!new_kmod_req) > return false; > > - memcpy(new_kmod_req->name, module_name, strlen(module_name)); > + strscpy(new_kmod_req->name, module_name, MODULE_NAME_LEN); > INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete); > INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete); > init_completion(&new_kmod_req->first_req_done);
This can be shortened to: strscpy(new_kmod_req->name, module_name); I also suggest merging this patch and the second patch [1], which cleans up the same issue in the module stats code, into one. [1] https://lore.kernel.org/linux-modules/jmm7r4r3k3qt767tl7lojglosgc3umhc63cdp2fckdkgb3fzki@3fgvxgvzo5ex/ -- Thanks, Petr
