* [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
@ 2026-06-02  2:40 Aiden Bowling
From: Aiden Bowling @ 2026-06-02  2:40 UTC (permalink / raw)
  To: Lorenzo Stoakes
  Cc: Andrew Morton, David Hildenbrand, Vlastimil Babka, linux-kernel,
	stable, Aiden Bowling

prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
already sized to the full auxv buffer, using 'len' risks a partial write
if the caller supplies a smaller value. Use sizeof(user_auxv) to always
copy the full buffer after validation.

Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
---
 kernel/sys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index 62e842055cc9..d3f5229649e3 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
 	BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
 
 	task_lock(current);
-	memcpy(mm->saved_auxv, user_auxv, len);
+	memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
 	task_unlock(current);
 
 	return 0;
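Review bot: the memcpy change does not fix a bounds problem, it changes what the caller observes. The BUILD_BUG_ON two lines above already guarantees user_auxv and mm->saved_auxv have the same size, so a len validated against that size cannot overrun saved_auxv; what the hunk does is copy sizeof(user_auxv) bytes on every call, so a caller that passed a shorter len now also gets the bytes of user_auxv beyond len written over the tail of saved_auxv, where before that tail was left untouched. Either a partial update is part of the intended interface, in which case this is a behaviour change for existing callers, or it is not, in which case the commit message (and the Cc to stable) needs to state the concrete overrun or exposure that `memcpy(mm->saved_auxv, user_auxv, len);` produces, since nothing in the hunk shows one.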

base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
-- 
2.54.0



* Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
From: David Laight @ 2026-06-02  9:25 UTC (permalink / raw)
  To: Aiden Bowling
  Cc: Lorenzo Stoakes, Andrew Morton, David Hildenbrand,
	Vlastimil Babka, linux-kernel, stable

On Mon,  1 Jun 2026 22:40:02 -0400
Aiden Bowling <aidenlbowling56@gmail.com> wrote:

> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.

Is it possible that the caller only wants to write the first few values?

-- David

> 
> Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
> ---
>  kernel/sys.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
>  	BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>  
>  	task_lock(current);
> -	memcpy(mm->saved_auxv, user_auxv, len);
> +	memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
>  	task_unlock(current);
>  
>  	return 0;
> 
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8



* Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
From: Lorenzo Stoakes @ 2026-06-02  9:53 UTC (permalink / raw)
  To: Aiden Bowling
  Cc: Andrew Morton, David Hildenbrand, Vlastimil Babka, linux-kernel,
	stable

On Mon, Jun 01, 2026 at 10:40:02PM -0400, Aiden Bowling wrote:
> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.

Hm, but would this be an issue? A user can specify only a partial write and get
what they expect, I don't think there's any security issue here.

I also guess a user could specify a length that's not a multiple of
sizeof(unsigned long) but again they'd get the results they might expect from
doing something silly like that :)

And users might rely on this only doing a partial write for whatever weird
reason so I don't think we can change this really?

>
> Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
> ---
>  kernel/sys.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
>  	BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>
>  	task_lock(current);
> -	memcpy(mm->saved_auxv, user_auxv, len);
> +	memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
>  	task_unlock(current);
>
>  	return 0;
>
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
> --
> 2.54.0
>

Cheers, Lorenzo


* Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
@ 2026-06-02 17:25     ` David Hildenbrand (Arm)
From: David Hildenbrand (Arm) @ 2026-06-02 17:25 UTC (permalink / raw)
  To: Aiden Bowling, Lorenzo Stoakes
  Cc: Andrew Morton, Vlastimil Babka, linux-kernel, stable

On 6/2/26 16:14, Aiden Bowling wrote:
> The issue is that using the user-supplied 'len' risks a partial write into
> mm->saved_auxv if they pass something smaller than the actual buffer size, even if
> the buffer is validated. We should always copy the full buffer size after
> validation to maintain consistency and prevent accidental partial data exposure/
> corruption.

Which partial data exposure?

-- 
Cheers,

David


* Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
From: David Laight @ 2026-06-03  9:17 UTC (permalink / raw)
  To: David Hildenbrand (Arm)
  Cc: Aiden Bowling, Lorenzo Stoakes, Andrew Morton, Vlastimil Babka,
	linux-kernel, stable

On Tue, 2 Jun 2026 19:25:56 +0200
"David Hildenbrand (Arm)" <david@kernel.org> wrote:

> On 6/2/26 16:14, Aiden Bowling wrote:
> > The issue is that using the user-supplied 'len' risks a partial write into
> > mm->saved_auxv if they pass something smaller than the actual buffer size, even if
> > the buffer is validated. We should always copy the full buffer size after
> > validation to maintain consistency and prevent accidental partial data exposure/
> > corruption.
> 
> Which partial data exposure?
> 

The one you don't get with the patch because of the previously
unnecessary initialisation of the array :-)
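To make the behavioural difference the thread debates concrete, here is an added C model (not kernel code and not from the patch author) of the copy step before and after the patch, run on a constructed auxv. It assumes the local user_auxv is zero-initialised, as David Laight's last reply suggests, and shrinks AT_VECTOR_SIZE to 8 for readability.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not kernel code; the real AT_VECTOR_SIZE is larger. */
#define AT_VECTOR_SIZE 8

struct mm_model { unsigned long saved_auxv[AT_VECTOR_SIZE]; };

/* Models prctl_set_auxv(): 'user' stands in for the caller's bytes, 'len' for
 * the caller-supplied length. The local user_auxv is assumed zero-initialised
 * (the "initialisation of the array" the last reply alludes to). full_copy
 * selects the patched (sizeof) or the original (len) memcpy. */
static int set_auxv(struct mm_model *mm, const unsigned long *user,
                    size_t len, int full_copy)
{
    unsigned long user_auxv[AT_VECTOR_SIZE] = { 0 };

    if (len > sizeof(user_auxv))
        return -1;                    /* stands in for -EINVAL */
    memcpy(user_auxv, user, len);     /* stands in for copy_from_user() */

    if (full_copy)
        memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv)); /* patched */
    else
        memcpy(mm->saved_auxv, user_auxv, len);               /* original */
    return 0;
}

/* Counts how many saved_auxv entries still hold their previous value after an
 * update of 'len' bytes: with the original code the untouched tail survives,
 * with the patch it is overwritten by the zeros in user_auxv. -1 = rejected. */
int surviving_entries(size_t len, int full_copy)
{
    struct mm_model mm;
    unsigned long user[AT_VECTOR_SIZE];
    int kept = 0;

    for (int i = 0; i < AT_VECTOR_SIZE; i++) {
        mm.saved_auxv[i] = 0x1000 + i;  /* constructed pre-existing auxv */
        user[i] = 0x2000 + i;           /* constructed caller buffer */
    }
    if (set_auxv(&mm, user, len, full_copy) != 0)
        return -1;
    for (int i = 0; i < AT_VECTOR_SIZE; i++)
        if (mm.saved_auxv[i] == 0x1000 + (unsigned long)i)
            kept++;
    return kept;
}
```

With a two-entry len the original code leaves six old entries in place while the patched code clears them, which is the observable change reviewers are asking the patch to justify.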

