Date: Tue, 2 Jun 2026 10:25:39 +0100
From: David Laight
To: Aiden Bowling
Cc: Lorenzo Stoakes, Andrew Morton, David Hildenbrand, Vlastimil Babka, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
Message-ID: <20260602102539.07f8d1fe@pumpkin>
In-Reply-To: <20260602024001.14119-2-aidenlbowling56@gmail.com>
References: <20260602024001.14119-2-aidenlbowling56@gmail.com>

On Mon, 1 Jun 2026 22:40:02 -0400 Aiden Bowling wrote:
> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.

Is it possible that the caller only wants to write the first few values?

--
David

>
> Signed-off-by: Aiden Bowling
> ---
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, > BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv)); > > task_lock(current); > - memcpy(mm->saved_auxv, user_auxv, len); > + memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv)); > task_unlock(current); > > return 0; > > base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
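Review bot: The new `memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));` copies the whole local buffer regardless of len, but the hunk's context does not show how user_auxv is populated; if only len bytes were copied in from userspace, the words beyond len are whatever the local array held before, and they now overwrite the matching words of mm->saved_auxv instead of leaving them untouched as the removed `memcpy(mm->saved_auxv, user_auxv, len);` did. The BUILD_BUG_ON above it only guarantees the two arrays have the same size, not that the source is fully initialised. Either confirm in the commit message that user_auxv is zeroed or fully filled before this point, or keep len and document that a shorter len is a deliberate partial update; since the patch is Cc'd to stable, this behaviour change for callers passing a shorter len should be called out explicitly.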
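As an added illustration of the behaviour difference the reply asks about (example code, not from the patch or the kernel), this C model runs the pre-patch len copy beside the post-patch sizeof copy over a constructed saved_auxv; AUXV_WORDS, LEN_OK, the sentinel values and the helper names are assumptions, since the hunk shows neither how len is validated nor how user_auxv is filled.

```c
#include <stddef.h>
#include <string.h>

/* Added example modelling the two memcpy variants in the quoted hunk; not
 * kernel code. AUXV_WORDS and LEN_OK are assumptions: the hunk shows neither
 * how len is validated nor how user_auxv is filled. */
#define AUXV_WORDS 8
#define LEN_OK(len) ((len) <= sizeof(unsigned long) * AUXV_WORDS && \
                     (len) % sizeof(unsigned long) == 0)

struct mm_model { unsigned long saved_auxv[AUXV_WORDS]; };

/* Pre-patch: copy only len bytes, leaving the tail of saved_auxv untouched. */
int set_auxv_partial(struct mm_model *mm, const unsigned long *user_auxv, size_t len)
{
    if (!LEN_OK(len))
        return -1;
    memcpy(mm->saved_auxv, user_auxv, len);
    return 0;
}

/* Post-patch: copy the whole local buffer, so whatever user_auxv holds beyond
 * len (stale or uninitialised bytes) is written into saved_auxv as well. */
int set_auxv_full(struct mm_model *mm, const unsigned long *user_auxv, size_t len)
{
    if (!LEN_OK(len))
        return -1;
    memcpy(mm->saved_auxv, user_auxv, sizeof(mm->saved_auxv));
    return 0;
}

/* Run one variant for a caller supplying len bytes and return saved_auxv[idx].
 * Sentinels: 0xAAAA old saved word, 0xBBBB stale local word, 0x1000+i supplied.
 * Returns 0 if len is rejected, so the caller can tell nothing was copied. */
unsigned long word_after_copy(int full, size_t len, size_t idx)
{
    struct mm_model mm;
    unsigned long user_auxv[AUXV_WORDS];
    size_t i; int rc;

    for (i = 0; i < AUXV_WORDS; i++) {
        mm.saved_auxv[i] = 0xAAAA;
        user_auxv[i] = 0xBBBB;
    }
    for (i = 0; i < len / sizeof(unsigned long) && i < AUXV_WORDS; i++)
        user_auxv[i] = 0x1000 + i;
    rc = full ? set_auxv_full(&mm, user_auxv, len) : set_auxv_partial(&mm, user_auxv, len);
    return rc ? 0 : mm.saved_auxv[idx];
}
```

With a two-word len, the partial variant leaves saved_auxv[7] at its old value while the full variant replaces it with the stale local word, which is exactly the difference a caller relying on a short len would observe.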