From: Shengzhuo Wei
To: David Laight
Cc: Richard Weinberger, Anton Ivanov, Johannes Berg, Dan Carpenter, Andrew Morton, Jeff Dike, Yao Zi
Subject: Re: [PATCH] um: proc/exitcode: fix simple_strtol() out-of-bounds read
Date: Thu, 23 Apr 2026 11:28:45 +0800
In-Reply-To: <20260422214507.0078c8ba@pumpkin>
References: <20260423-fix_exitcode-v1-1-7e4508913d68@cherr.cc> <20260422214507.0078c8ba@pumpkin>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2026-04-22 21:45, David Laight wrote:
> On Thu, 23 Apr 2026 01:39:25 +0800
> "Shengzhuo Wei" wrote:
>
> > The stack buffer 'buf' is declared as char[sizeof("nnnnn\0")] (7 bytes)
> > and the copy size is min(count, sizeof(buf)). When a user writes 7 or
> > more bytes, copy_from_user fills all 7 bytes without a NUL terminator.
> > The subsequent call to simple_strtol() expects a NUL-terminated string
> > and will read past the end of buf on the stack.
>
> You should probably also mention that write(, "123", 3) will lead to
> buf[3] being read - which is uninitialised stack.
>
> David

Thanks for the review, will fix in v2.

Best regards
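
The two cases discussed in this thread (a write of 7 or more bytes, and a short write such as 3 bytes), modelled in user space as an added example; it is neither the patch under review nor the kernel source. memcpy() and strtol() stand in for copy_from_user() and simple_strtol(), and the function names and the 0xAA fill are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE sizeof("nnnnn\0")   /* 7 bytes, as in the commit message */

/* Models the copy described in the commit message: min(count, sizeof(buf))
 * bytes land in an uninitialised stack buffer. 0xAA is a constructed stand-in
 * for stale stack contents. Returns 1 if a NUL lies inside buf afterwards,
 * 0 if a string parser would have to run off the end to find one. */
int copy_leaves_terminator(const char *user, size_t count)
{
    char buf[BUF_SIZE];
    size_t size = count < sizeof(buf) ? count : sizeof(buf);

    memset(buf, 0xAA, sizeof(buf));
    memcpy(buf, user, size);
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

/* Bounded variant (hypothetical helper): reject input that cannot fit with
 * its terminator, then write the NUL at the copied length so the parser
 * only ever sees bytes the caller supplied. */
int parse_exitcode(const char *user, size_t count, long *out)
{
    char buf[BUF_SIZE], *end;
    long val;

    if (count >= sizeof(buf))
        return -EINVAL;          /* no room left for the terminator */
    memcpy(buf, user, count);
    buf[count] = '\0';           /* covers the short-write case too */

    errno = 0;
    val = strtol(buf, &end, 0);
    if (end == buf || errno == ERANGE)
        return -EINVAL;          /* no digits, or out of range */
    if (*end != '\0' && *end != '\n')
        return -EINVAL;          /* trailing garbage */
    *out = val;
    return 0;
}
```

In kernel code, the kstrto*_from_user() helpers do the bounded copy, termination and strict parse in one call.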