From: David Laight <david.laight.linux@gmail.com>
To: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: Aiden Bowling <aidenlbowling56@gmail.com>,
Lorenzo Stoakes <ljs@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Vlastimil Babka <vbabka@kernel.org>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
Date: Wed, 3 Jun 2026 10:17:26 +0100
Message-ID: <20260603101726.05d1f7a8@pumpkin>
In-Reply-To: <f6d59be4-db98-431b-97d8-d991e7381135@kernel.org>

On Tue, 2 Jun 2026 19:25:56 +0200
"David Hildenbrand (Arm)" <david@kernel.org> wrote:
> On 6/2/26 16:14, Aiden Bowling wrote:
> > The issue is that using the user-supplied 'len' risks a partial write into
> > mm->saved_auxv if they pass something smaller than the actual buffer size,
> > even if the buffer is validated. We should always copy the full buffer size
> > after validation to maintain consistency and prevent accidental partial data
> > exposure/corruption.
>
> Which partial data exposure?
>
The one you don't get with the patch because of the previously
unnecessary initialisation of the array :-)

Thread overview: 5+ messages
2026-06-02 2:40 [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len Aiden Bowling
2026-06-02 9:25 ` David Laight
2026-06-02 9:53 ` Lorenzo Stoakes
[not found] ` <CAGOa741UNr5DzK4vr8RBLvhZcCs9zdva6tqmMptQw5P8ooNEOA@mail.gmail.com>
2026-06-02 17:25 ` David Hildenbrand (Arm)
2026-06-03 9:17 ` David Laight [this message]