Re: [PATCH] kernel/sys.c: fix prctl_set_auxv to use sizeof instead of user-supplied len

From: David Laight

Date: Tue Jun 02 2026 - 05:26:26 EST


On Mon, 1 Jun 2026 22:40:02 -0400
Aiden Bowling <aidenlbowling56@xxxxxxxxx> wrote:

> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.

Is it possible that the caller only wants to write the first few values?

-- David

>
> Signed-off-by: Aiden Bowling <aidenlbowling56@xxxxxxxxx>
> ---
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
> BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>
> task_lock(current);
> - memcpy(mm->saved_auxv, user_auxv, len);
> + memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
> task_unlock(current);
>
> return 0;
>
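Review bot: On the changed memcpy() line, copying sizeof(user_auxv) means a caller that passes a short len now has the rest of mm->saved_auxv overwritten, where the old code left those entries as they were. The hunk does not show how user_auxv is filled, so the commit message should say what the bytes past len contain (zero-initialised, or whatever was left in the buffer) and why replacing the old tail is wanted rather than a partial update. If partial updates are a supported use of this prctl, keeping len here and documenting that would be the smaller change.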
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8