kmod_dup_request_exists_wait() uses memcpy() with strlen(module_name) to copy into new_kmod_req->name, a fixed-size char[MODULE_NAME_LEN] buffer. This does not bounds-check the copy and does not explicitly NUL-terminate. The buffer is zeroed from kzalloc_obj() so NUL-termination happens to work, but the pattern is fragile and lacks an explicit bounds check.
Replace with strscpy() which bounds the copy and guarantees NUL-termination. Signed-off-by: Naveen Kumar Chaudhary <[email protected]> --- kernel/module/dups.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module/dups.c b/kernel/module/dups.c index 1d720a5311ba..33bddfb57317 100644 --- a/kernel/module/dups.c +++ b/kernel/module/dups.c @@ -129,7 +129,7 @@ bool kmod_dup_request_exists_wait(char *module_name, bool wait, int *dup_ret) if (!new_kmod_req) return false; - memcpy(new_kmod_req->name, module_name, strlen(module_name)); + strscpy(new_kmod_req->name, module_name, MODULE_NAME_LEN); INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete); INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete); init_completion(&new_kmod_req->first_req_done); -- 2.43.0
