Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

libbpf: Fix out-of-bound read

In `set_kcfg_value_str`, an untrusted string is accessed with the assumption
that it will be at least two characters long due to the presence of checks for
opening and closing quotes. But the check for the closing quote
(value[len - 1] != '"') misses the fact that it could be checking the opening
quote itself in case of an invalid input that consists of just the opening
quote.

This commit adds an explicit check to make sure the string is at least two
characters long.

Signed-off-by: Nandakumar Edamana <nandakumar@nandakumar.co.in>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250221210110.3182084-1-nandakumar@nandakumar.co.in

Authored by Nandakumar Edamana and committed by Andrii Nakryiko
236d3910 11ba7ce0

+1 -1
tools/lib/bpf/libbpf.c
··· 2106 2106 } 2107 2107 2108 2108 len = strlen(value); 2109 - if (value[len - 1] != '"') { 2109 + if (len < 2 || value[len - 1] != '"') { 2110 2110 pr_warn("extern (kcfg) '%s': invalid string config '%s'\n", 2111 2111 ext->name, value); 2112 2112 return -EINVAL;
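
Review bot: In the new condition `if (len < 2 || value[len - 1] != '"')`, nothing records why the length guard exists or that it has to stay on the left of the `||`. A one-line comment above it would help, along the lines of "a lone opening quote has len == 1, so value[len - 1] is the opening quote again". The ordering matters because the short-circuit is what prevents `value[len - 1]` from being evaluated at all should `len` ever be 0 at this point. The commit message describes an out-of-bound read, but for a one-character string the removed line reads `value[0]`, which is in bounds, so the access being protected is in code after this hunk; naming that access in the message or in the comment would make the fix easier to audit. A regression test that passes a value consisting of just `"` and expects `-EINVAL` with the `invalid string config` warning would pin the behaviour.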