kobject_uevent: Fix OOB access within zap_modalias_env()

JIRA: https://issues.redhat.com/browse/RHEL-55005
CVE: CVE-2024-42292

commit dd6e989
Author: Zijun Hu <quic_zijuhu@quicinc.com>
Date:   Thu May 30 21:14:37 2024 +0800

    kobject_uevent: Fix OOB access within zap_modalias_env()

    zap_modalias_env() wrongly calculates size of memory block to move, so
    will cause OOB memory access issue if variable MODALIAS is not the last
    one within its @env parameter, fixed by correcting size to memmove.

    Fixes: 9b3fa47 ("kobject: fix suppressing modalias in uevents delivered over netlink")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
    Reviewed-by: Lk Sii <lk_sii@163.com>
    Link: https://lore.kernel.org/r/1717074877-11352-1-git-send-email-quic_zijuhu@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

Author: CKI Backport Bot

lib/kobject_uevent.c

@@ -432,8 +432,23 @@ static void zap_modalias_env(struct kobj_uevent_env *env)
 		len = strlen(env->envp[i]) + 1;
 
 		if (i != env->envp_idx - 1) {
+			/* @env->envp[] contains pointers to @env->buf[]
+			 * with @env->buflen chars, and we are removing
+			 * variable MODALIAS here pointed by @env->envp[i]
+			 * with length @len as shown below:
+			 *
+			 * 0               @env->buf[]      @env->buflen
+			 * ---------------------------------------------
+			 * ^             ^              ^              ^
+			 * |             |->   @len   <-| target block |
+			 * @env->envp[0] @env->envp[i]  @env->envp[i + 1]
+			 *
+			 * so the "target block" indicated above is moved
+			 * backward by @len, and its right size is
+			 * @env->buflen - (@env->envp[i + 1] - @env->envp[0]).
+			 */
 			memmove(env->envp[i], env->envp[i + 1],
-				env->buflen - len);
+				env->buflen - (env->envp[i + 1] - env->envp[0]));
 
 			for (j = i; j < env->envp_idx - 1; j++)
 				env->envp[j] = env->envp[j + 1] - len;