lib/path: fix possible out of boundary access

If fgets reads from a file starting with a NUL byte in ul_path_cpuparse, then the check for newline leads to an out of boundary access. Proof of Concept (compile with --enable-asan): 1. Prepare /tmp/poc with required files ``` $ install -d /tmp/poc/sys/devices/system/cpu $ dd if=/dev/zero of=/tmp/poc/sys/devices/system/cpu/possible bs=1 count=1 $ install -D /dev/null /tmp/poc/proc/cpuinfo ``` 2. Run lscpu with sysroot option ``` $ lscpu --sysroot /tmp/poc ================================================================= ==78238==ERROR: AddressSanitizer: heap-buffer-overflow ``` Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2023-10-08 20:41:29 +0200
committer: Tobias Stoeckmann <tobias@stoeckmann.org> 2023-10-08 20:47:30 +0200
commit: e192f2d81160c4e4f9a6b21329cf9d6045a405d0 (patch)
tree: 1417ea58a96fd74169dec87dff78bb0b22ed6ce5 /lib/path.c
parent: 762898e3fe469991be742216e573609142a0df99 (diff)
download: util-linux-e192f2d81160c4e4f9a6b21329cf9d6045a405d0.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/path.c b/lib/path.c
index 9d4d3585b1..53bb798687 100644
--- a/lib/path.c
+++ b/lib/path.c
@@ -1042,7 +1042,7 @@ static int ul_path_cpuparse(struct path_cxt *pc, cpu_set_t **set, int maxcpus, i
 		goto out;
 
 	len = strlen(buf);
-	if (buf[len - 1] == '\n')
+	if (len > 0 && buf[len - 1] == '\n')
 		buf[len - 1] = '\0';
 
 	*set = cpuset_alloc(maxcpus, &setsize, NULL);
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2023-10-08 20:41:29 +0200
committer	Tobias Stoeckmann <tobias@stoeckmann.org>	2023-10-08 20:47:30 +0200
commit	e192f2d81160c4e4f9a6b21329cf9d6045a405d0 (patch)
tree	1417ea58a96fd74169dec87dff78bb0b22ed6ce5 /lib/path.c
parent	762898e3fe469991be742216e573609142a0df99 (diff)
download	util-linux-e192f2d81160c4e4f9a6b21329cf9d6045a405d0.tar.gz