From: Alyssa Ross <hi@alyssa.is>
Date: Thu, 13 Feb 2025 11:05:17 +0000 (+0100)
Subject: [PATCH] api: fix seccomp_export_bpf_mem out-of-bounds read
X-Git-Tag: archive/raspbian/2.6.0-2+rpi1^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ec1ed4de6b9e87b4051e167665b1e62cad5e854f;p=libseccomp.git

[PATCH] api: fix seccomp_export_bpf_mem out-of-bounds read

*len is the length of the destination buffer, but program->blks is
probably not anywhere near that long.  It's already been checked above
that BPF_PGM_SIZE(program) is less than or equal to *len, so that's
the correct value to use here to avoid either reading or writing too
much.

I noticed this because tests/11-basic-basic_errors started failing on
musl after e797591 ("all: add seccomp_precompute() functionality").

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Gbp-Pq: Name api_fix_seccomp_export_bpf_mem_out-of-bounds_read.patch
---

diff --git a/src/api.c b/src/api.c
index adccef3..65a277a 100644
--- a/src/api.c
+++ b/src/api.c
@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
 		if (BPF_PGM_SIZE(program) > *len)
 			rc = _rc_filter(-ERANGE);
 		else
-			memcpy(buf, program->blks, *len);
+			memcpy(buf, program->blks, BPF_PGM_SIZE(program));
 	}
 	*len = BPF_PGM_SIZE(program);