On 6/4/26 7:45 PM, Naveen Kumar Chaudhary wrote:
> Both try_add_failed_module() and kmod_dup_request_exists_wait() use
> memcpy() with strlen() to copy module names into fixed-size
> char[MODULE_NAME_LEN] buffers. Neither performs a bounds check on the
> copy. Current callers always pass names originating from
> mod->name (itself char[MODULE_NAME_LEN]), so this is not exploitable
> today. However both functions accept a plain const char * with no
> documented length contract, making them latent buffer overflows if a
> future caller passes a longer string.
>
> Replace memcpy() with strscpy() in both sites, which bounds the copy
> to MODULE_NAME_LEN and always NUL-terminates.
>
> Signed-off-by: Naveen Kumar Chaudhary <[email protected]>

Reviewed-by: Petr Pavlu <[email protected]>

-- 
Thanks,
Petr
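The copy pattern discussed in the commit message, as an added userspace example that is not part of the patch or the kernel source: `bounded_copy()` is a stand-in written here for the behaviour the message attributes to strscpy() (bounded, always NUL-terminated, truncation reported to the caller). `struct failed_mod`, `unchecked_overrun()` and the value given to `MODULE_NAME_LEN` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODULE_NAME_LEN 56 /* constructed value for this example */

/* Hypothetical record: a fixed-size name followed by other state. */
struct failed_mod {
	char name[MODULE_NAME_LEN];
	unsigned long count;
};

/* Stand-in for strscpy() semantics: copy at most size-1 bytes, always
 * NUL-terminate, return the length copied or -E2BIG on truncation. */
static long bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len;

	if (size == 0)
		return -E2BIG;
	for (len = 0; len < size && src[len] != '\0'; len++)
		;
	if (len == size) {		/* source does not fit: truncate */
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len + 1);	/* fits, terminator included */
	return (long)len;
}

/* Bytes that memcpy(dst, src, strlen(src)) would write past a buffer of
 * 'size' bytes. That pattern also copies no terminator of its own. */
static size_t unchecked_overrun(const char *src, size_t size)
{
	size_t len = strlen(src);

	return len > size ? len - size : 0;
}

int main(void)
{
	struct failed_mod m = { .count = 1 };
	const char *name = "a-constructed-module-name-that-is-longer-than-the-fifty-six-byte-buffer";

	printf("%ld %zu %lu\n", bounded_copy(m.name, name, sizeof(m.name)),
	       unchecked_overrun(name, sizeof(m.name)), m.count);
	return 0;
}
```

A caller that must not silently accept a truncated name can treat the negative return value as an error instead of ignoring it.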
