[PATCH] um: proc/exitcode: fix simple_strtol() out-of-bounds read
Shengzhuo Wei
me at cherr.cc
Wed Apr 22 20:28:45 PDT 2026
On 2026-04-22 21:45, David Laight wrote:
> On Thu, 23 Apr 2026 01:39:25 +0800
> "Shengzhuo Wei" <me at cherr.cc> wrote:
>
> > The stack buffer 'buf' is declared as char[sizeof("nnnnn\0")] (7 bytes)
> > and the copy size is min(count, sizeof(buf)). When a user writes 7 or
> > more bytes, copy_from_user fills all 7 bytes without a NUL terminator.
> > The subsequent call to simple_strtol() expects a NUL-terminated string
> > and will read past the end of buf on the stack.
>
> You should probably also mention that write(, "123", 3) will lead to
> buf[3] being read - which is uninitialised stack.
>
> David
Thanks for the review, will fix in v2.
Best regards
More information about the linux-um mailing list
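
Added example, not part of the thread and not the kernel's code or the v2 patch: a user-space C model of the two cases discussed above (a short write leaving buf[count] unwritten, and a write of 7 or more bytes leaving no room for a terminator), next to one way to terminate the buffer before parsing. Assumptions: memcpy() stands in for copy_from_user(), strtol() for simple_strtol(), and the function names and the choice to reject over-long input are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE sizeof("nnnnn\0") /* 7 bytes, the size quoted in the thread */

/* Model of the reported pattern: only min(count, BUF_SIZE) bytes are written,
 * then a strtol-style scan runs until the first non-digit byte.
 * Returns the index of the first byte the scan reads that the copy never
 * wrote, or -1 if the scan stops inside the copied data. An index equal to
 * BUF_SIZE means the read is past the end of the buffer. */
int first_unwritten_read(const char *src, size_t count)
{
    size_t n = count < BUF_SIZE ? count : BUF_SIZE;
    size_t i = 0;

    if (i < n && (src[i] == '-' || src[i] == '+'))
        i++;
    while (i < n && isdigit((unsigned char)src[i]))
        i++;
    return i == n ? (int)n : -1;
}

/* Terminated variant: keep one byte for the NUL, write it explicitly, and
 * only then parse. Returns 0 and stores the value, or -EINVAL. */
int parse_exitcode(const char *src, size_t count, long *out)
{
    char buf[BUF_SIZE] = {0};
    char *end;

    if (count == 0 || count >= sizeof(buf))
        return -EINVAL;            /* reject instead of silently truncating */
    memcpy(buf, src, count);       /* stand-in for copy_from_user() */
    buf[count] = '\0';
    *out = strtol(buf, &end, 0);
    if (end == buf || (*end != '\0' && *end != '\n'))
        return -EINVAL;
    return 0;
}

int main(void)
{
    long v = 0;
    printf("\"123\" (3 bytes): first unwritten index read = %d\n", first_unwritten_read("123", 3));
    printf("\"1234567\" (7 bytes): first unwritten index read = %d\n", first_unwritten_read("1234567", 7));
    printf("terminated parse of \"123\": rc=%d value=%ld\n", parse_exitcode("123", 3, &v), v);
    return 0;
}
```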