From: Pengpeng Hou
To: richard@nod.at, anton.ivanov@cambridgegreys.com, johannes@sipsolutions.net
Cc: linux-um@lists.infradead.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] um: mconsole: validate notify socket path length
Date: Sun, 29 Mar 2026 11:09:45 +0800
Message-ID: <20260329030945.32368-1-pengpeng@iscas.ac.cn>

mconsole_notify() copies the notify socket path into sockaddr_un.sun_path with strcpy(). There is no local check that the supplied path fits in the fixed Unix-domain socket path buffer.

Reject notify socket paths that do not fit in sun_path instead of copying t= hem blindly. Signed-off-by: Pengpeng Hou --- arch/um/drivers/mconsole_user.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/um/drivers/mconsole_user.c b/arch/um/drivers/mconsole_use= r.c index a04cd13c6315..2c0d2984055c 100644 --- a/arch/um/drivers/mconsole_user.c +++ b/arch/um/drivers/mconsole_user.c @@ -198,8 +198,11 @@ int mconsole_notify(char *sock_name, int type, const v= oid *data, int len) if (err) return err; =20 + memset(&target, 0, sizeof(target)); target.sun_family =3D AF_UNIX; - strcpy(target.sun_path, sock_name); + if (snprintf(target.sun_path, sizeof(target.sun_path), "%s", sock_name) >= =3D + sizeof(target.sun_path)) + return -EINVAL; =20 packet.magic =3D MCONSOLE_MAGIC; packet.version =3D MCONSOLE_VERSION; --=20 2.50.1 (Apple Git-155)
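
Review bot: the new length check in mconsole_notify() compares the int returned by snprintf() against sizeof(target.sun_path), which is a size_t, so the comparison is carried out unsigned; a negative return happens to be rejected as well, but only through the implicit conversion. A strlen(sock_name) >= sizeof(target.sun_path) test placed before the copy would state the intent directly and would reject an oversized path without first writing a truncated copy into target. The added memset(&target, 0, sizeof(target)) is not mentioned in the commit message; a sentence explaining why the structure is now zeroed would help, or that line could go in its own patch.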