From: Breno Leitao <leitao@debian.org>
To: Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Keiichi Kii <k-keiichi@bx.jp.nec.com>,
Satyam Sharma <satyam@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Matthew Wood <thepacketgeek@gmail.com>,
asantostc@gmail.com, gustavold@gmail.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Breno Leitao <leitao@debian.org>,
kernel-team@meta.com
Subject: [PATCH net 3/3] netconsole: propagate device name truncation in dev_name_store()
Date: Thu, 23 Apr 2026 02:41:17 -0700 [thread overview]
Message-ID: <20260423-netconsole_ai_fixes-v1-3-92b8b7de9a2c@debian.org> (raw)
In-Reply-To: <20260423-netconsole_ai_fixes-v1-0-92b8b7de9a2c@debian.org>
dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without
checking the return value. If userspace writes an interface name longer
than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but
the function ignores it and reports a fully successful write back to
userspace.
If a real interface happens to match the truncated name, netconsole will
bind to the wrong device on the next enable, sending kernel logs and
panic output to an unintended network segment with no indication to
userspace that anything was rewritten.
Reject writes whose length cannot fit in nt->np.dev_name up front:
if (count >= IFNAMSIZ)
return -ENAMETOOLONG;
This is not a big deal of a problem, but, it is still the correct
approach.
Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration using configfs")
Signed-off-by: Breno Leitao <leitao@debian.org>
---
drivers/net/netconsole.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index 4bef003d9df64..3914fb90f9afd 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -816,6 +816,9 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
{
struct netconsole_target *nt = to_target(item);
+ if (count >= IFNAMSIZ)
+ return -ENAMETOOLONG;
+
dynamic_netconsole_mutex_lock();
if (nt->state == STATE_ENABLED) {
pr_err("target (%s) is enabled, disable to update parameters\n",
--
2.52.0
prev parent reply other threads:[~2026-04-23 9:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-23 9:41 [PATCH net 0/3] netconsole: configfs store callback fixes Breno Leitao
2026-04-23 9:41 ` [PATCH net 1/3] netconsole: return count instead of strnlen(buf, count) from store callbacks Breno Leitao
2026-04-23 9:41 ` [PATCH net 2/3] netconsole: avoid clobbering userdatum value on truncated write Breno Leitao
2026-04-23 9:41 ` Breno Leitao [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260423-netconsole_ai_fixes-v1-3-92b8b7de9a2c@debian.org \
--to=leitao@debian.org \
--cc=akpm@linux-foundation.org \
--cc=andrew+netdev@lunn.ch \
--cc=asantostc@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gustavold@gmail.com \
--cc=k-keiichi@bx.jp.nec.com \
--cc=kernel-team@meta.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=satyam@infradead.org \
--cc=thepacketgeek@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox