[PATCH] um: reject out-of-range port channel numbers
Anton Ivanov
anton.ivanov at cambridgegreys.com
Wed Apr 8 01:00:38 PDT 2026
On 08/04/2026 08:39, Johannes Berg wrote:
> On Thu, 2026-04-02 at 00:03 +0800, Pengpeng Hou wrote:
>> port_init() parses the port channel number into an int, formats it into
>> a small fixed string buffer, and later passes it to htons() for bind().
>> Out-of-range values can therefore overflow the local device-name buffer
>> and still get silently truncated at the socket layer.
> So ... you have a whole bunch of these fixes, but do we really assume
> that the kernel command-line is somehow attacker controlled for ARCH=um?
>
> Maybe I'm not imagining the right things, but I have a hard time seeing
> anyone run a service of any sort where the command line gets to be user-
> controlled, and yet the kernel needs to be secure against that user; in
> a normal ARCH=um scenario the command line is written by the user as
> something like
>
> linux foo=bar mem=256M ...
>
> and then can happily attach gdb to the process and muck with it any way
> they want anyway?
>
> I'd probably say the code shouldn't have been this way at the start, but
> I'm also not convinced it's even really worth fixing for anything but
> the "look my LLM found _something_" creds...
+1
>
> johannes
>
--
Anton R. Ivanov
Cambridgegreys Limited. Registered in England. Company Number 10273661
https://www.cambridgegreys.com/
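
Added example, not part of this thread or of the patch under discussion: a minimal C sketch of the check the quoted commit message describes, rejecting values that do not fit the 16-bit type htons() takes before they are formatted or bound. The function names, the "port%u" name format and the buffer size are assumptions; the real port_init() code is not shown on this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a decimal port number; accept only values that fit the 16-bit
 * type htons() takes. Returns 0 on success or a negative errno. */
int parse_port_channel(const char *str, uint16_t *port)
{
    char *end;
    unsigned long val;

    /* strtoul() itself would accept "-1" and leading whitespace. */
    if (str == NULL || *str < '0' || *str > '9')
        return -EINVAL;
    errno = 0;
    val = strtoul(str, &end, 10);
    if (*end != '\0')
        return -EINVAL;               /* trailing junk such as "12abc" */
    if (errno != 0 || val > UINT16_MAX)
        return -ERANGE;               /* would be narrowed by htons() */
    *port = (uint16_t)val;
    return 0;
}

/* Bounded formatting; truncation is reported instead of ignored.
 * The "port%u" name format is an assumption, not taken from port_init(). */
int format_dev_name(char *buf, size_t len, uint16_t port)
{
    int n = snprintf(buf, len, "port%u", (unsigned)port);
    return (n < 0 || (size_t)n >= len) ? -ENAMETOOLONG : 0;
}

/* What an unchecked int becomes once narrowed to htons()'s argument type. */
uint16_t narrowed_port(int unchecked)
{
    return (uint16_t)unchecked;
}

int main(void)
{
    uint16_t port = 0;
    char name[16];                    /* constructed size for the demo */

    printf("70000 unchecked -> %u\n", (unsigned)narrowed_port(70000));
    printf("parse(\"70000\") = %d\n", parse_port_channel("70000", &port));
    if (parse_port_channel("9000", &port) == 0 &&
        format_dev_name(name, sizeof(name), port) == 0)
        printf("accepted: %s\n", name);
    return 0;
}
```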