38 lines
1.2 KiB
Diff
38 lines
1.2 KiB
Diff
From 904e9dee373eca499e976dce131f0baee06db2d6 Mon Sep 17 00:00:00 2001
|
|
From: Alyssa Ross <hi@alyssa.is>
|
|
Date: Thu, 13 Feb 2025 12:05:17 +0100
|
|
Subject: [PATCH] api: fix seccomp_export_bpf_mem out-of-bounds read
|
|
|
|
*len is the length of the destination buffer, but program->blks is
|
|
probably not anywhere near that long. It's already been checked above
|
|
that BPF_PGM_SIZE(program) is less than or equal to *len, so that's
|
|
the correct value to use here to avoid either reading or writing too
|
|
much.
|
|
|
|
I noticed this because tests/11-basic-basic_errors started failing on
|
|
musl after e797591 ("all: add seccomp_precompute() functionality").
|
|
|
|
Signed-off-by: Alyssa Ross <hi@alyssa.is>
|
|
---
|
|
Link: https://github.com/seccomp/libseccomp/pull/458
|
|
|
|
src/api.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/api.c b/src/api.c
|
|
index adccef3..65a277a 100644
|
|
--- a/src/api.c
|
|
+++ b/src/api.c
|
|
@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
|
|
if (BPF_PGM_SIZE(program) > *len)
|
|
rc = _rc_filter(-ERANGE);
|
|
else
|
|
- memcpy(buf, program->blks, *len);
|
|
+ memcpy(buf, program->blks, BPF_PGM_SIZE(program));
|
|
}
|
|
*len = BPF_PGM_SIZE(program);
|
|
|
|
--
|
|
2.47.0
|
|
|