Re: [PATCH] um: proc/exitcode: fix simple_strtol() out-of-bounds read
From: Shengzhuo Wei
Date: Wed Apr 22 2026 - 23:29:18 EST

On 2026-04-22 21:45, David Laight wrote:
> On Thu, 23 Apr 2026 01:39:25 +0800
> "Shengzhuo Wei" <me@xxxxxxxx> wrote:
>
> > The stack buffer 'buf' is declared as char[sizeof("nnnnn\0")] (7 bytes)
> > and the copy size is min(count, sizeof(buf)). When a user writes 7 or
> > more bytes, copy_from_user fills all 7 bytes without a NUL terminator.
> > The subsequent call to simple_strtol() expects a NUL-terminated string
> > and will read past the end of buf on the stack.
>
> You should probably also mention that write(, "123", 3) will lead to
> buf[3] being read - which is uninitialised stack.
>
> David

Thanks for the review, will fix in v2.

Best regards
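
The two cases raised in this thread (a write of 7 or more bytes, and a short write such as 3 bytes), as a userspace C model added here; it is not code from the patch or the kernel tree. The function names are hypothetical, memcpy() stands in for copy_from_user(), strtol() for simple_strtol(), and the 0xAA fill models uninitialised stack; the bounded variant is one common hardening and is assumed, not taken from v2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE sizeof("nnnnn\0")   /* 7 bytes, as in the commit message */

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Pattern from the report: copy min(count, sizeof(buf)) bytes and never
 * terminate. Returns 1 when the copied bytes contain no NUL terminator. */
int copy_leaves_unterminated(const char *ubuf, size_t count)
{
    char buf[BUF_SIZE];
    size_t size = min_sz(count, sizeof(buf));

    memset(buf, 0xAA, sizeof(buf));   /* constructed: models stale stack */
    memcpy(buf, ubuf, size);          /* stands in for copy_from_user() */
    return memchr(buf, '\0', size) == NULL;
}

/* Assumed hardening: reserve the last byte and terminate explicitly, so the
 * parser can never read beyond what was copied. */
int parse_exitcode_bounded(const char *ubuf, size_t count, long *out)
{
    char buf[BUF_SIZE];
    char *end;
    size_t size = min_sz(count, sizeof(buf) - 1);

    memcpy(buf, ubuf, size);
    buf[size] = '\0';
    *out = strtol(buf, &end, 0);
    if (end == buf || (*end != '\0' && *end != '\n'))
        return -1;                    /* no digits, or trailing junk */
    return 0;
}

int main(void)
{
    long v = 0;
    /* Constructed inputs: the 3-byte and 7-byte writes from the thread. */
    printf("3-byte write unterminated: %d\n", copy_leaves_unterminated("123", 3));
    printf("7-byte write unterminated: %d\n", copy_leaves_unterminated("1234567", 7));
    printf("bounded parse rc=%d value=%ld\n", parse_exitcode_bounded("123", 3, &v), v);
    return 0;
}
```

In this model the bounded variant silently truncates input longer than 6 bytes; rejecting any write with count >= sizeof(buf) is the stricter alternative.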