diff options
| author | Andrii Nakryiko <andrii@kernel.org> | 2021-12-14 15:20:54 -0800 |
|---|---|---|
| committer | Andrii Nakryiko <andrii.nakryiko@gmail.com> | 2021-12-17 17:13:53 -0800 |
| commit | 8e706ddc6c0e33a7996cf3122f5c31ab5123a139 (patch) | |
| tree | 150445bf491ec1a3ac837a024d5f3f96767aa2a7 /src | |
| parent | dc49f2d07b7c924f6b6f3595b27a8a326ed483d3 (diff) | |
| download | libbpf-8e706ddc6c0e33a7996cf3122f5c31ab5123a139.tar.gz | |
libbpf: Avoid reading past ELF data section end when copying license
Fix possible read beyond ELF "license" data section if the license
string is not properly zero-terminated. Use the fact that libbpf_strlcpy
never accesses the (N-1)st byte of the source string because it's
replaced with '\0' anyways.
If this happens, it's a violation of contract between libbpf and a user,
but not handling this more robustly upsets CIFuzz, so given the fix is
trivial, let's fix the potential issue.
Fixes: 9fc205b413b3 ("libbpf: Add sane strncpy alternative and use it internally")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20211214232054.3458774-1-andrii@kernel.org
Diffstat (limited to 'src')
| -rw-r--r-- | src/libbpf.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/libbpf.c b/src/libbpf.c index 684c34c..cf862a1 100644 --- a/src/libbpf.c +++ b/src/libbpf.c @@ -1320,7 +1320,10 @@ static int bpf_object__check_endianness(struct bpf_object *obj) static int bpf_object__init_license(struct bpf_object *obj, void *data, size_t size) { - libbpf_strlcpy(obj->license, data, sizeof(obj->license)); + /* libbpf_strlcpy() only copies first N - 1 bytes, so size + 1 won't + * go over allowed ELF data section buffer + */ + libbpf_strlcpy(obj->license, data, min(size + 1, sizeof(obj->license))); pr_debug("license of %s is %s\n", obj->path, obj->license); return 0; } |