Re: [PATCH] um: reject out-of-range port channel numbers
From: Anton Ivanov
Date: Wed Apr 08 2026 - 04:34:25 EST
On 08/04/2026 08:39, Johannes Berg wrote:
On Thu, 2026-04-02 at 00:03 +0800, Pengpeng Hou wrote:
port_init() parses the port channel number into an int, formats it into
a small fixed string buffer, and later passes it to htons() for bind().
Out-of-range values can therefore overflow the local device-name buffer
and still get silently truncated at the socket layer.

So ... you have a whole bunch of these fixes, but do we really assume
that the kernel command-line is somehow attacker controlled for ARCH=um?
Maybe I'm not imagining the right things, but I have a hard time seeing
anyone run a service of any sort where the command line gets to be user-
controlled, and yet the kernel needs to be secure against that user; in
a normal ARCH=um scenario the command line is written by the user as
something like
linux foo=bar mem=256M ...
and then can happily attach gdb to the process and muck with it any way
they want anyway?
I'd probably say the code shouldn't have been this way at the start, but
I'm also not convinced it's even really worth fixing for anything but
the "look my LLM found _something_" creds...
johannes

+1

--
Anton R. Ivanov
Cambridgegreys Limited. Registered in England. Company Number 10273661
https://www.cambridgegreys.com/
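
The failure mode in the quoted patch description (an int formatted into a fixed-size name buffer, then narrowed to 16 bits for htons()), as an added example that is not the UML port_init() code or anything posted in this thread. The buffer size, the "port%d" name format and the accepted range 1..65535 are assumptions made for illustration.

```c
/* Added example, not the UML port_init() source. Buffer size, name format
 * and the accepted range 1..65535 are assumptions made for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DEV_NAME_LEN 10            /* hypothetical: holds "port65535" + NUL */

/* Strict parse: whole string must be a decimal number in 1..65535. */
int parse_port(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    if (v < 1 || v > 65535)
        return -1;
    *out = (int)v;
    return 0;
}

/* What a uint16_t parameter such as htons()'s receives from an int. */
uint16_t port_as_u16(int port)
{
    return (uint16_t)port;         /* reduced modulo 65536 */
}

/* Would "port<N>" plus its NUL fit in buflen bytes? */
int name_fits(int port, size_t buflen)
{
    int need = snprintf(NULL, 0, "port%d", port);
    return need >= 0 && (size_t)need < buflen;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "23", "65559", "-1", "2147483647", "23x" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int port = 0;
        int ok = parse_port(samples[i], &port) == 0;
        long raw = strtol(samples[i], NULL, 10);   /* unchecked parse */
        printf("%-12s checked=%-6s unchecked: u16=%u fits=%d\n", samples[i],
               ok ? "accept" : "reject", port_as_u16((int)raw),
               name_fits((int)raw, DEV_NAME_LEN));
    }
    return 0;
}
```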