From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from va-2-26.ptr.blmpb.com (va-2-26.ptr.blmpb.com [209.127.231.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C5D733CB2F0 for ; Mon, 27 Apr 2026 13:36:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.127.231.26 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777296993; cv=none; b=AZUoWdQhvfTMMyMNI13cs21rQf8IvzchUsV+A6ks/r0NuTUChTMm5MFQVy73A1MquayZ54LyMSwRgbBiqZWkgFAbBaIhuprg+PSYNwGxigTu8Vt1IWw43aBUYzBSrR37lyLGGulCO2fnNeC8ptya9Mt75DH3LbA4xFamIM5TtIs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777296993; c=relaxed/simple; bh=A2xW7XvADE+aAeUFDc2amuKTFIO1kzLbgP9Zjxa8hZg=; h=Mime-Version:To:Subject:Message-Id:In-Reply-To:References:From: Date:Content-Disposition:Cc:Content-Type; b=UD/KIpfN6U8nLBTLuyGhzlXLO3vaMJnUEbl0OmSVzQEUom+XMG0aLdHtbJ6HkE7EB2Q3XTutVLeAABWfMjMfB+SLLBfVmz/9FqmhxFO+w1aH5UzPqbZcXOpk04tnWe+20IM38O2c/4nNdNndTK2oG4iKsmxgVCk3UbZQyU+m4co= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cherr.cc; spf=pass smtp.mailfrom=cherr.cc; dkim=pass (2048-bit key) header.d=cherr.cc header.i=@cherr.cc header.b=DrvfqBfS; arc=none smtp.client-ip=209.127.231.26 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cherr.cc Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cherr.cc Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cherr.cc header.i=@cherr.cc header.b="DrvfqBfS" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=feishu2604220257; d=cherr.cc; t=1777296978; h=from:subject: mime-version:from:date:message-id:subject:to:cc:reply-to:content-type: mime-version:in-reply-to:message-id; bh=baKvzSOW4QC8ZRLKPMcqjLBbH845TIhG5tsH0QB936E=; b=DrvfqBfSwVEO1NDrQYE1Gd8NgGaBXlWcSGsjTDYDuQuTV0GBR/9AN9nONRyImUBlIrh9KM u2AYChcGxdF/0KpDVLIIyAYnkriTLrolAR0VOmqx60eMlPsmRAj2DEFuV25AEAqHe0kq9n qMHoZeCnJLbc7uWVwF1lrPDPpwtpt7qTXzFLNFhg58stMOQ43mli9VhYUalA6+VPFI7QEQ O5yToD/4k0vxhb5LX8HDQJN2+TnDTtVUhmoxRNxw60JTRuT/UEEP0bd2swWc9E7oN0V/XE 65IezDuf7uc4Vzvd00uZcG96g5BfDGdS+zwJevTzsn8u+uVCzstAYGEAyilRxQ== Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 To: "Richard Weinberger" , "Anton Ivanov" , "Johannes Berg" , "Dan Carpenter" , "Andrew Morton" , "Jeff Dike" , "David Laight" Subject: Re: [PATCH] um: proc/exitcode: fix simple_strtol() out-of-bounds read Message-Id: In-Reply-To: <20260423-fix_exitcode-v1-1-7e4508913d68@cherr.cc> References: <20260423-fix_exitcode-v1-1-7e4508913d68@cherr.cc> From: "Shengzhuo Wei" Date: Mon, 27 Apr 2026 21:36:13 +0800 X-Original-From: Shengzhuo Wei Content-Disposition: inline Received: from pve.cherr ([111.42.148.84]) by smtp.feishu.cn with ESMTPS; Mon, 27 Apr 2026 21:36:16 +0800 X-Lms-Return-Path: Content-Transfer-Encoding: 7bit Cc: , , "Shengzhuo Wei" Content-Type: text/plain; charset=UTF-8 On 2026-04-23 01:39, Shengzhuo Wei wrote: > write(2) should report the number of bytes consumed. Returning the original > count would claim success even when the input was truncated, so userspace > cannot detect it. > > Clamp the copy length to sizeof(buf)-1, add a terminator, and return the > consumed length. > > Fixes: 201f99f170df ("uml: check length in exitcode_proc_write()") > Fixes: e16f5350d4cf ("uml: get declaration of simple_strtoul") > Signed-off-by: Shengzhuo Wei > --- > arch/um/kernel/exitcode.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c > index 43edc2aa57e4fbd4a3d24f96878c76f9f8fd4eaa..8de404ff21a213918c5351bc20a6e047bf1b93f5 100644 > --- a/arch/um/kernel/exitcode.c > +++ b/arch/um/kernel/exitcode.c > @@ -43,16 +43,17 @@ static ssize_t exitcode_proc_write(struct file *file, > size_t size; > int tmp; > > - size = min(count, sizeof(buf)); > + size = min(count, sizeof(buf) - 1); > if (copy_from_user(buf, buffer, size)) > return -EFAULT; > + buf[size] = '\0'; > > tmp = simple_strtol(buf, &end, 0); > if ((*end != '\0') && !isspace(*end)) > return -EINVAL; > > uml_exitcode = tmp; > - return count; > + return size; There is another problem that have been talked about in another patch. Not consuming the whole string passed by user may (and will) break some programs that want to ensure "FULL WRITE" that use some function like "while (len > 0) { len -= write(); } ". Should we just let the return count as-is and fix the OOB problem only? Link: https://lore.kernel.org/all/20260424063531.d1508a3c79c4b7808ed04420@linux-foundation.org/t/#u Link: https://lore.kernel.org/all/ef2301c4-bbc5-496e-b9d2-9adcff8b8d42@p183/ Regards, Shengzhuo Wei > } > > static const struct proc_ops exitcode_proc_ops = { > > ---