[PATCH] um: proc/exitcode: fix simple_strtol() out-of-bounds read

[Shengzhuo Wei]

The stack buffer 'buf' is declared as char[sizeof("nnnnn\0")] (7 bytes)
and the copy size is min(count, sizeof(buf)).  When a user writes 7 or
more bytes, copy_from_user fills all 7 bytes without a NUL terminator.
The subsequent call to simple_strtol() expects a NUL-terminated string
and will read past the end of buf on the stack.

write(2) should report the number of bytes consumed. Returning the original
count would claim success even when the input was truncated, so userspace
cannot detect it.

Clamp the copy length to sizeof(buf)-1, add a terminator, and return the
consumed length.

Fixes: 201f99f170df ("uml: check length in exitcode_proc_write()")
Fixes: e16f5350d4cf ("uml: get declaration of simple_strtoul")
Signed-off-by: Shengzhuo Wei <me at cherr.cc>
---
 arch/um/kernel/exitcode.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/um/kernel/exitcode.c b/arch/um/kernel/exitcode.c
index 43edc2aa57e4fbd4a3d24f96878c76f9f8fd4eaa..8de404ff21a213918c5351bc20a6e047bf1b93f5 100644
--- a/arch/um/kernel/exitcode.c
+++ b/arch/um/kernel/exitcode.c
@@ -43,16 +43,17 @@ static ssize_t exitcode_proc_write(struct file *file,
 	size_t size;
 	int tmp;
 
-	size = min(count, sizeof(buf));
+	size = min(count, sizeof(buf) - 1);
 	if (copy_from_user(buf, buffer, size))
 		return -EFAULT;
+	buf[size] = '\0';
 
 	tmp = simple_strtol(buf, &end, 0);
 	if ((*end != '\0') && !isspace(*end))
 		return -EINVAL;
 
 	uml_exitcode = tmp;
-	return count;
+	return size;
 }
 
 static const struct proc_ops exitcode_proc_ops = {

---
base-commit: 6596a02b207886e9e00bb0161c7fd59fea53c081
change-id: 20260423-fix_exitcode-908061ece624

Best regards,
-- 
Shengzhuo Wei <me at cherr.cc>