From: Pengpeng Hou
To: Richard Weinberger, Anton Ivanov
Cc: Johannes Berg, linux-um@lists.infradead.org, linux-kernel@vger.kernel.org, Pengpeng Hou
Subject: [PATCH] um: vector: reject interface specifications with too many arguments
Date: Fri, 17 Apr 2026 15:37:04 +0800
Message-ID: <20260417073704.1817-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

uml_parse_vector_ifspec() stores parsed key/value pairs in the fixed struct arglist token and value arrays, which are both sized to MAXVARGS.
The parser increments numargs as it discovers pairs, but it never checks whether another slot is still available before writing into the arrays. Reject interface specifications that exceed MAXVARGS instead of writing past the end of the fixed argument arrays. Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver") Signed-off-by: Pengpeng Hou --- arch/um/drivers/vector_user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/um/drivers/vector_user.c b/arch/um/drivers/vector_user.c index 2ea67e6fd067..3bee634f2102 100644 --- a/arch/um/drivers/vector_user.c +++ b/arch/um/drivers/vector_user.c @@ -93,6 +93,9 @@ struct arglist *uml_parse_vector_ifspec(char *arg) len =3D strlen(arg); for (pos =3D 0; pos < len; pos++) { if (next_starts) { + if (result->numargs >=3D MAXVARGS) + goto cleanup; + if (parsing_token) { result->tokens[result->numargs] =3D arg + pos; } else { --=20 2.50.1 (Apple Git-155)
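
Review bot: the `goto cleanup` added at the top of the `if (next_starts)` block sends an over-long specification down the same exit as every other parse failure, and the `cleanup` label lies outside this hunk, so nothing visible here tells the user that the MAXVARGS limit, rather than a syntax error, was the reason for the rejection. Consider emitting a distinct message that names the limit before jumping. Placing the check ahead of the `if (parsing_token)` split is the right spot, since it covers both the `result->tokens[result->numargs]` write shown here and the write in the `else` branch, which the commit message says targets an array of the same size; a one-line comment saying so would keep a later refactor from moving the check into one branch only. The `=3D` sequences are the quoted-printable encoding of `=`, so the condition as applied reads `result->numargs >= MAXVARGS`.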