[PATCH] um: mconsole: Fix out-of-bounds read in mconsole_log()

Shengzhuo Wei me at cherr.cc
Fri Apr 24 13:29:24 PDT 2026


mconsole_parse() matches the 3-byte prefix "log", but mconsole_log()
skips strlen("log ") = 4 bytes, advancing ptr past the NUL terminator
when a client sends "log" without a trailing space.

The length then comes from req->len, the raw recvfrom() count, instead
of req->request.len, so printk() reads up to req->len - 4 bytes of
stale data from a previous request left in the static mc_request
buffer, leaking it to the kernel log.

Use req->cmd->command for the actual command length, add skip_spaces(),
use req->request.len, and guard against non-positive length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Shengzhuo Wei <me at cherr.cc>
---
 arch/um/drivers/mconsole_kern.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c
index e2a9e8879f584734cf2e94d47e403d03f8aa2131..0dd5aab1544648a7f7942c2eb47a5792e7dd702b 100644
--- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c
@@ -117,10 +117,12 @@ void mconsole_log(struct mc_request *req)
 	int len;
 	char *ptr = req->request.data;
 
-	ptr += strlen("log ");
+	ptr += strlen(req->cmd->command);
+	ptr = skip_spaces(ptr);
 
-	len = req->len - (ptr - req->request.data);
-	printk(KERN_WARNING "%.*s", len, ptr);
+	len = req->request.len - (ptr - req->request.data);
+	if (len > 0)
+		printk(KERN_WARNING "%.*s", len, ptr);
 	mconsole_reply(req, "", 0, 0);
 }
 
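Review bot: At `ptr += strlen(req->cmd->command);` nothing checks that the byte following the command name is a space or the terminator. The commit message says mconsole_parse() matches on the 3-byte prefix, so a request like "logfoo" would now be accepted and log "foo". Consider returning early when `*ptr` is neither a space nor NUL, or state in the changelog that this is intended. Separately, `skip_spaces(ptr)` drops every leading whitespace character, where the old code skipped exactly one byte, so a message that deliberately starts with whitespace is now logged without it; that behaviour change deserves a line in the commit message. A one-line comment above `if (len > 0)` noting that it covers a bare "log" request would also help the next reader.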

---
base-commit: dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b
change-id: 20260425-mconsole-oob-read-leak-a4b8696ac97b

Best regards,
-- 
Shengzhuo Wei <me at cherr.cc>


