Both try_add_failed_module() and kmod_dup_request_exists_wait() use
memcpy() with strlen() to copy module names into fixed-size
char[MODULE_NAME_LEN] buffers. Neither performs a bounds check on the
copy. Current callers always pass names originating from
mod->name (itself char[MODULE_NAME_LEN]), so this is not exploitable
today. However, both functions accept a plain const char * with no
documented length contract, making them latent buffer overflows if a
future caller passes a longer string.

Replace memcpy() with strscpy() in both sites, which bounds the copy
to MODULE_NAME_LEN and always NUL-terminates.

Signed-off-by: Naveen Kumar Chaudhary <[email protected]>
---

v1 -> v2:
        - Dropped third argument to strscpy
        - Merged the other patch:
          https://lore.kernel.org/linux-modules/jmm7r4r3k3qt767tl7lojglosgc3umhc63cdp2fckdkgb3fzki@3fgvxgvzo5ex/

Thanks Petr for the reviews. Taken care of the suggestions.

Regards,
Naveen

 kernel/module/dups.c  | 2 +-
 kernel/module/stats.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/module/dups.c b/kernel/module/dups.c
index 1d720a5311ba..33bddfb57317 100644
--- a/kernel/module/dups.c
+++ b/kernel/module/dups.c
@@ -129,7 +129,7 @@ bool kmod_dup_request_exists_wait(char *module_name, bool 
wait, int *dup_ret)
        if (!new_kmod_req)
                return false;
 
-       memcpy(new_kmod_req->name, module_name, strlen(module_name));
+       strscpy(new_kmod_req->name, module_name);
        INIT_WORK(&new_kmod_req->complete_work, kmod_dup_request_complete);
        INIT_DELAYED_WORK(&new_kmod_req->delete_work, kmod_dup_request_delete);
        init_completion(&new_kmod_req->first_req_done);
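Review bot: the return value of the new strscpy() call is discarded, so a module_name longer than MODULE_NAME_LEN is silently truncated and the truncated name is what later duplicate-request lookups compare against; since kmod_dup_request_exists_wait() already returns a bool, consider checking for -E2BIG and returning false, or state in the commit message that truncation is acceptable for this path. Also, the hunk header shows this function taking `char *module_name`, while the commit message says both functions take a plain `const char *`; either adjust the wording or constify the parameter while touching this line.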
diff --git a/kernel/module/stats.c b/kernel/module/stats.c
index 3a9672f93a8e..08724baca773 100644
--- a/kernel/module/stats.c
+++ b/kernel/module/stats.c
@@ -253,7 +253,7 @@ int try_add_failed_module(const char *name, enum 
fail_dup_mod_reason reason)
        mod_fail = kzalloc_obj(*mod_fail);
        if (!mod_fail)
                return -ENOMEM;
-       memcpy(mod_fail->name, name, strlen(name));
+       strscpy(mod_fail->name, name);
        __set_bit(reason, &mod_fail->dup_fail_mask);
        atomic_long_inc(&mod_fail->count);
        list_add_rcu(&mod_fail->list, &dup_failed_modules);
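Review bot: the -E2BIG return from strscpy() is dropped here as well, although try_add_failed_module() already returns an errno (-ENOMEM two lines above), so a truncated name could be rejected by freeing mod_fail and returning the error instead of recording a failure entry under a shortened name that will never match the real module. If silent truncation is the intended behaviour, a one-line comment above the copy saying so would save the next reader from asking the same question.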
-- 
2.43.0
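As an added illustration, not code from this patch or from the kernel: a userland C model of the two copy behaviours the commit message contrasts, assuming MODULE_NAME_LEN is 56 (its kernel value is architecture dependent) and using a hypothetical bounded_copy() helper that mirrors the strscpy() contract.

```c
/*
 * Added illustration, not kernel code. MODULE_NAME_LEN is assumed to be
 * 56 here; bounded_copy() is a hypothetical helper modelling strscpy().
 */
#include <errno.h>
#include <string.h>

#define MODULE_NAME_LEN 56

struct mod_entry {
	char name[MODULE_NAME_LEN];
};

/* Classify what memcpy(dst, src, strlen(src)) would do to name[] without
 * performing the write: 0 = fits with room for the terminator,
 * 1 = fills every byte so no NUL is written, 2 = writes past name[]. */
int old_copy_flaw(const char *src)
{
	size_t len = strlen(src);

	if (len < MODULE_NAME_LEN)
		return 0;
	if (len == MODULE_NAME_LEN)
		return 1;
	return 2;
}

/* strscpy()-like contract: copy at most size-1 bytes, always NUL
 * terminate, return bytes copied or -E2BIG when src was truncated. */
static long bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len = 0;

	while (len < size && src[len] != '\0')	/* bounded length scan */
		len++;
	if (len == size) {			/* does not fit: truncate */
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len + 1);		/* includes the terminator */
	return (long)len;
}

/* The replacement copy: sizeof(e->name) is the bound, as the two-argument
 * strscpy() in the patch derives it from the array. -E2BIG reports truncation. */
long new_copy(struct mod_entry *e, const char *src)
{
	return bounded_copy(e->name, src, sizeof(e->name));
}
```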