* [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
@ 2026-06-02 2:40 Aiden Bowling
2026-06-02 9:25 ` David Laight
2026-06-02 9:53 ` Lorenzo Stoakes
0 siblings, 2 replies; 5+ messages in thread
From: Aiden Bowling @ 2026-06-02 2:40 UTC (permalink / raw)
To: Lorenzo Stoakes
Cc: Andrew Morton, David Hildenbrand, Vlastimil Babka, linux-kernel,
stable, Aiden Bowling
prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
already sized to the full auxv buffer, using 'len' risks a partial write
if the caller supplies a smaller value. Use sizeof(user_auxv) to always
copy the full buffer after validation.
Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
---
kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 62e842055cc9..d3f5229649e3 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
task_lock(current);
- memcpy(mm->saved_auxv, user_auxv, len);
+ memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
task_unlock(current);
return 0;
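Review bot: the swap from `len` to `sizeof(user_auxv)` in the memcpy is a behaviour change rather than a memory-safety fix, and the changelog should justify it as such. The BUILD_BUG_ON directly above already pins sizeof(user_auxv) == sizeof(mm->saved_auxv), and the commit message says `len` is validated before this point, so the old copy could not overrun; what actually changes is that every entry of mm->saved_auxv past `len` is now overwritten with the tail of user_auxv instead of being left as it was. If a short `len` is a legitimate way to update only the leading entries, this breaks it; if it is not, state why in the changelog and consider rejecting a short or unaligned `len` up front rather than silently widening the copy.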
base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
--
2.54.0
* Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
From: David Laight @ 2026-06-02 9:25 UTC (permalink / raw)
To: Aiden Bowling
Cc: Lorenzo Stoakes, Andrew Morton, David Hildenbrand,
Vlastimil Babka, linux-kernel, stable
On Mon, 1 Jun 2026 22:40:02 -0400
Aiden Bowling <aidenlbowling56@gmail.com> wrote:
> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.
Is it possible that the caller only wants to write the first few values?
-- David
>
> Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
> ---
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
> BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>
> task_lock(current);
> - memcpy(mm->saved_auxv, user_auxv, len);
> + memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
> task_unlock(current);
>
> return 0;
>
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
* Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len
From: Lorenzo Stoakes @ 2026-06-02 9:53 UTC (permalink / raw)
To: Aiden Bowling
Cc: Andrew Morton, David Hildenbrand, Vlastimil Babka, linux-kernel,
stable
On Mon, Jun 01, 2026 at 10:40:02PM -0400, Aiden Bowling wrote:
> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.
Hm, but would this be an issue? A user can specify only a partial write and get
what they expect; I don't think there's any security issue here.
I also guess a user could specify a length that's not a multiple of
sizeof(unsigned long), but again they'd get the results they might expect from
doing something silly like that :)
And users might rely on this only doing a partial write for whatever weird
reason, so I don't think we can change this really?
>
> Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
> ---
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
> BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>
> task_lock(current);
> - memcpy(mm->saved_auxv, user_auxv, len);
> + memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
> task_unlock(current);
>
> return 0;
>
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
> --
> 2.54.0
>
Cheers, Lorenzo
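To make the partial-write and unaligned-length behaviours discussed in the replies concrete, here is a userspace model of prctl_set_auxv() (an added example, not kernel code and not from the patch author). AT_VECTOR_SIZE is a constructed small value, and the model assumes, as the commit message states, that len is bounded against sizeof(user_auxv) before the copy and that the stack buffer starts zeroed.

```c
#include <errno.h>
#include <string.h>

/* Constructed model of prctl_set_auxv(): AT_VECTOR_SIZE is kept small here
 * (the kernel's is larger), and the bounds check and zeroed stack buffer are
 * assumptions taken from the commit message, not code shown in the patch. */
#define AT_VECTOR_SIZE 8
static unsigned long saved_auxv[AT_VECTOR_SIZE];   /* stands in for mm->saved_auxv */

/* use_sizeof == 0 models the pre-patch memcpy(..., len);
 * use_sizeof != 0 models the patched memcpy(..., sizeof(user_auxv)). */
static int model_set_auxv(const void *addr, size_t len, int use_sizeof)
{
    unsigned long user_auxv[AT_VECTOR_SIZE] = {0};
    if (len > sizeof(user_auxv))
        return -EINVAL;                 /* overlong input rejected up front */
    memcpy(user_auxv, addr, len);       /* stands in for copy_from_user() */
    memcpy(saved_auxv, user_auxv, use_sizeof ? sizeof(user_auxv) : len);
    return 0;
}

/* Fill saved_auxv with a marker, submit two entries, and return what is left
 * in slot 2: the marker if the tail survived (partial write), 0 if the whole
 * vector was overwritten with the zeroed stack copy. */
unsigned long tail_after_short_write(int use_sizeof)
{
    unsigned long two[2] = {0x21, 0x1000};          /* constructed sample pair */
    for (int i = 0; i < AT_VECTOR_SIZE; i++)
        saved_auxv[i] = 0xAA;
    model_set_auxv(two, sizeof(two), use_sizeof);
    return saved_auxv[2];
}

/* A len that is not a multiple of sizeof(unsigned long) is accepted and
 * writes a partial entry; report whether the single byte landed in slot 0. */
int accepts_unaligned_len(void)
{
    unsigned char one = 0x7f;
    memset(saved_auxv, 0, sizeof(saved_auxv));
    return model_set_auxv(&one, 1, 0) == 0 &&
           ((unsigned char *)saved_auxv)[0] == 0x7f;
}

/* The validation both code paths rely on: overlong input is refused before any copy. */
int rejects_overlong(void)
{
    return model_set_auxv(saved_auxv, sizeof(saved_auxv) + 1, 0) == -EINVAL;
}
```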
Thread overview: 5+ messages
2026-06-02 2:40 [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len Aiden Bowling
2026-06-02 9:25 ` David Laight
2026-06-02 9:53 ` Lorenzo Stoakes
[not found] ` <CAGOa741UNr5DzK4vr8RBLvhZcCs9zdva6tqmMptQw5P8ooNEOA@mail.gmail.com>
2026-06-02 17:25 ` David Hildenbrand (Arm)
2026-06-03 9:17 ` David Laight