api: fix seccomp_export_bpf_mem out-of-bounds read

alyssais · pcmoore · commit e8dbc6b555fb · 2025-03-17T20:31:09.000-04:00
*len is the length of the destination buffer, but program->blks is probably not anywhere near that long. It's already been checked above that BPF_PGM_SIZE(program) is less than or equal to *len, so that's the correct value to use here to avoid either reading or writing too much. I noticed this because tests/11-basic-basic_errors started failing on musl after e797591 ("all: add seccomp_precompute() functionality"). Signed-off-by: Alyssa Ross <hi@alyssa.is> Acked-by: Tom Hromatka <tom.hromatka@oracle.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/src/api.c b/src/api.c
@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
 		if (BPF_PGM_SIZE(program) > *len)
 			rc = _rc_filter(-ERANGE);
 		else
-			memcpy(buf, program->blks, *len);
+			memcpy(buf, program->blks, BPF_PGM_SIZE(program));
 	}
 	*len = BPF_PGM_SIZE(program);
 

Original file line number	Diff line number	Diff line change
`@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,`
`786`	`786`	`if (BPF_PGM_SIZE(program) > *len)`
`787`	`787`	`rc = _rc_filter(-ERANGE);`
`788`	`788`	`else`
`789`		`- memcpy(buf, program->blks, *len);`
	`789`	`+ memcpy(buf, program->blks, BPF_PGM_SIZE(program));`
`790`	`790`	`}`
`791`	`791`	`*len = BPF_PGM_SIZE(program);`
`792`	`792`