Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

of: module: prevent NULL pointer dereference in vsnprintf()

In of_modalias(), we can get passed the str and len parameters which would
cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr
when the length is also 0. Also, we need to filter out the negative values
of the len parameter as these will result in a really huge buffer since
snprintf() takes size_t parameter while ours is ssize_t...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1d211023-3923-685b-20f0-f3f90ea56e1f@omp.ru
Signed-off-by: Rob Herring <robh@kernel.org>

Authored by Sergey Shtylyov and committed by Rob Herring
a1aa5390 b5237d0b

drivers/of/module.c (+8)
··· 16 16 ssize_t csize; 17 17 ssize_t tsize; 18 18 19 + /* 20 + * Prevent a kernel oops in vsnprintf() -- it only allows passing a 21 + * NULL ptr when the length is also 0. Also filter out the negative 22 + * lengths... 23 + */ 24 + if ((len > 0 && !str) || len < 0) 25 + return -EINVAL; 26 + 19 27 /* Name & Type */ 20 28 /* %p eats all alphanum characters, so %c must be used here */ 21 29 csize = snprintf(str, len, "of:N%pOFn%c%s", np, 'T',
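
Review bot: The comment above the new check trails off at "negative lengths..." without saying why they are rejected. The commit message has the reason (snprintf() takes a size_t while len is ssize_t, so a negative value turns into a huge buffer size), and that sentence belongs in the code comment, since the commit message will not sit next to the code. The condition `(len > 0 && !str) || len < 0` still lets str == NULL with len == 0 through, which matches what the comment says vsnprintf() permits; it is worth saying in the comment that this case is intentionally allowed, and mentioning the new -EINVAL return wherever the function's return values are documented.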