Re: [PATCH] modules: Fix corruption of /proc/kallsyms

[Luis Chamberlain]

On Fri, Jul 01, 2022 at 12:44:03PM +0300, Adrian Hunter wrote:
> The commit 91fb02f31505 ("module: Move kallsyms support into a separate
> file") changed from using strlcpy() to using strscpy() which created a
> buffer overflow. That happened because:
>  1) an incorrect value was passed as the buffer length
>  2) strscpy() (unlike strlcpy()) may copy beyond the length of the
>     input string when copying word-by-word.
> The assumption was that because it was already known that the strings
> being copied would fit in the space available, it was not necessary
> to correctly set the buffer length.  strscpy() breaks that assumption
> because although it will not touch bytes beyond the given buffer length
> it may write bytes beyond the input string length when writing
> word-by-word.
> 
> The result of the buffer overflow is to corrupt the symbol type
> information that follows. e.g.
> 
>  $ sudo cat -v /proc/kallsyms | grep '\^' | head
>  ffffffffc0615000 ^@ rfcomm_session_get  [rfcomm]
>  ffffffffc061c060 ^@ session_list        [rfcomm]
>  ffffffffc06150d0 ^@ rfcomm_send_frame   [rfcomm]
>  ffffffffc0615130 ^@ rfcomm_make_uih     [rfcomm]
>  ffffffffc07ed58d ^@ bnep_exit   [bnep]
>  ffffffffc07ec000 ^@ bnep_rx_control     [bnep]
>  ffffffffc07ec1a0 ^@ bnep_session        [bnep]
>  ffffffffc07e7000 ^@ input_leds_event    [input_leds]
>  ffffffffc07e9000 ^@ input_leds_handler  [input_leds]
>  ffffffffc07e7010 ^@ input_leds_disconnect       [input_leds]
> 
> Notably, the null bytes (represented above by ^@) can confuse tools.
> 
> Fix by correcting the buffer length.
> 
> Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file")
> Signed-off-by: Adrian Hunter <adrian.hunter@xxxxxxxxx>

Queued up thanks!

  Luis