From: Pengpeng Hou
Date: Thu, 23 Apr 2026 23:35:00 +0800
Message-ID: <20260424070106.1-uml-vector-v2-pengpeng@iscas.ac.cn>
To: Richard Weinberger, Anton Ivanov, Johannes Berg
Cc: linux-um@lists.infradead.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH v2] um: vector: reject too many interface arguments
In-Reply-To: <20260417073704.1817-1-pengpeng@iscas.ac.cn>
References: <20260417073704.1817-1-pengpeng@iscas.ac.cn>
Content-Transfer-Encoding: quoted-printable

uml_parse_vector_ifspec() stores parsed key/value pairs in the fixed struct arglist token and value arrays, which are both sized to MAXVARGS.
The parser increments numargs as it discovers pairs, but it never checks whether another slot is still available before writing into the arrays. Reject interface specifications that exceed MAXVARGS instead of writing past the end of the fixed argument arrays. Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver") Signed-off-by: Pengpeng Hou --- Changes since v1: - remove the blank line between Fixes and Signed-off-by diff --git a/arch/um/drivers/vector_user.c b/arch/um/drivers/vector_user.c index 2ea67e6fd067..3bee634f2102 100644 --- a/arch/um/drivers/vector_user.c +++ b/arch/um/drivers/vector_user.c @@ -93,6 +93,9 @@ struct arglist *uml_parse_vector_ifspec(char *arg) len =3D strlen(arg); for (pos =3D 0; pos < len; pos++) { if (next_starts) { + if (result->numargs >=3D MAXVARGS) + goto cleanup; + if (parsing_token) { result->tokens[result->numargs] =3D arg + pos; } else { --=20 2.50.1 (Apple Git-155)
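
Review bot: The new result->numargs >= MAXVARGS test in uml_parse_vector_ifspec() leaves through the existing cleanup label without saying why, and the body of that label is outside this hunk, so it cannot be confirmed from here that an over-long specification is reported any differently from a malformed one. Consider emitting a message that names the MAXVARGS limit before the goto cleanup, so a user whose interface specification has too many key/value pairs can tell what to change. Placing the test ahead of if (parsing_token) means one check covers the tokens[result->numargs] store and the else branch that follows it; a one-line comment stating that intent would keep a later refactor from moving the check into only one branch.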