[PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len

From: Aiden Bowling

Date: Mon Jun 01 2026 - 22:47:32 EST


prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
already sized to the full auxv buffer, using 'len' risks a partial write
if the caller supplies a smaller value. Use sizeof(user_auxv) to always
copy the full buffer after validation.

Signed-off-by: Aiden Bowling <aidenlbowling56@xxxxxxxxx>
---
kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index 62e842055cc9..d3f5229649e3 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));

task_lock(current);
- memcpy(mm->saved_auxv, user_auxv, len);
+ memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
task_unlock(current);

return 0;
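Review bot: On the changed memcpy() line, copying sizeof(user_auxv) instead of len means every byte of user_auxv past the caller's len now lands in mm->saved_auxv, so the change is only safe if user_auxv is fully initialized before this point, and neither the hunk nor the commit message shows that. Please state in the commit message how the tail of user_auxv beyond len is initialized (for example, zeroed at declaration); otherwise whatever stale contents user_auxv holds would be copied into mm->saved_auxv. The message also frames the old behaviour as a risk of a "partial write", but a caller passing a shorter len previously kept the remaining saved_auxv entries and will now have them overwritten. That is a behaviour change for callers of this prctl path and should be called out and justified, not presented only as a fix.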

base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
--
2.54.0