prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
already sized to the full auxv buffer, using 'len' risks a partial write
if the caller supplies a smaller value. Use sizeof(user_auxv) to always
copy the full buffer after validation.
Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
---
kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 62e842055cc9..d3f5229649e3 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
task_lock(current);
- memcpy(mm->saved_auxv, user_auxv, len);
+ memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
task_unlock(current);
return 0;
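Review bot: the 'len' -> sizeof(user_auxv) change in this hunk is a behaviour change rather than a bounds fix, and the commit message should say so. The BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv)) two lines above already guarantees the destination is as large as the source, so copying 'len' bytes cannot overrun saved_auxv provided 'len' was checked against sizeof(user_auxv) earlier (the hunk context does not show that check; it should be quoted or referenced in the message if the fix relies on it). What the new memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv)) changes is that entries beyond 'len', which the old memcpy left untouched, are now overwritten with whatever user_auxv holds past the bytes the caller supplied. If partial updates are meant to be rejected, tighten and document the check on 'len' instead; if they are meant to keep working, the copy should stay at 'len'.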
base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
--
2.54.0
On Mon, Jun 01, 2026 at 10:40:02PM -0400, Aiden Bowling wrote:
> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.

Hm, but would this be an issue? A user can specify only a partial write and
get what they expect; I don't think there's any security issue here.

I also guess a user could specify a length that's not a multiple of
sizeof(unsigned long) but again they'd get the results they might expect from
doing something silly like that :)

And users might rely on this only doing a partial write for whatever weird
reason so I don't think we can change this really?

>
> Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
> ---
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
> BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>
> task_lock(current);
> - memcpy(mm->saved_auxv, user_auxv, len);
> + memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
> task_unlock(current);
>
> return 0;
>
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
> --
> 2.54.0
>

Cheers, Lorenzo
On Mon, 1 Jun 2026 22:40:02 -0400 Aiden Bowling <aidenlbowling56@gmail.com> wrote:
> prctl_set_auxv() passed the user-supplied 'len' to memcpy() when copying
> into mm->saved_auxv, instead of sizeof(user_auxv). Since user_auxv is
> already sized to the full auxv buffer, using 'len' risks a partial write
> if the caller supplies a smaller value. Use sizeof(user_auxv) to always
> copy the full buffer after validation.

Is it possible that the caller only wants to write the first few values?

--
David

>
> Signed-off-by: Aiden Bowling <aidenlbowling56@gmail.com>
> ---
> kernel/sys.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 62e842055cc9..d3f5229649e3 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2189,7 +2189,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
> BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>
> task_lock(current);
> - memcpy(mm->saved_auxv, user_auxv, len);
> + memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
> task_unlock(current);
>
> return 0;
>
> base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
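The point the two replies make against the commit message is easier to see on a concrete vector. Below is an added userspace model of the two memcpy() variants, written for this thread; it is not code from the patch, from kernel/sys.c, or from any participant. It assumes, because the hunk does not show them, that the staging buffer user_auxv is zero-initialised and that 'len' has already been checked against sizeof(user_auxv); AT_VECTOR_SIZE is a small model constant, and struct mm_model, set_auxv() and the sample vectors are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Model value only; the kernel's AT_VECTOR_SIZE is architecture-dependent. */
#define AT_VECTOR_SIZE 8

/* Stand-in for the part of mm_struct the thread talks about. */
struct mm_model {
	unsigned long saved_auxv[AT_VECTOR_SIZE];
};

/* Models the BUILD_BUG_ON in the hunk: source and destination sizes match. */
_Static_assert(sizeof(((struct mm_model *)0)->saved_auxv) ==
	       sizeof(unsigned long[AT_VECTOR_SIZE]),
	       "saved_auxv and user_auxv must be the same size");

/*
 * One function for both variants; 'copy_full' selects the patched memcpy().
 * 'src' and 'len' stand in for the user pointer and length passed to prctl().
 */
static int set_auxv(struct mm_model *mm, const unsigned long *src,
		    size_t len, int copy_full)
{
	/* Assumed zero-initialised staging buffer (not visible in the hunk). */
	unsigned long user_auxv[AT_VECTOR_SIZE] = {0};

	/* Assumed validation; without it either memcpy() could overrun. */
	if (len > sizeof(user_auxv))
		return -EINVAL;

	memcpy(user_auxv, src, len);	/* stands in for copy_from_user() */

	if (copy_full)
		memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv)); /* patched */
	else
		memcpy(mm->saved_auxv, user_auxv, len);               /* original */
	return 0;
}

/* Constructed starting vector: a process whose saved_auxv is fully populated. */
static const unsigned long initial_auxv[AT_VECTOR_SIZE] = {
	3, 0x400040, 4, 56, 5, 13, 0, 0,
};
/* Constructed update: the caller rewrites only the first two entries. */
static const unsigned long partial_update[2] = { 3, 0x500040 };

/* saved_auxv[3] after a partial update with the original 'len' copy. */
unsigned long entry3_after_partial_update_len(void)
{
	struct mm_model mm;
	memcpy(mm.saved_auxv, initial_auxv, sizeof(initial_auxv));
	set_auxv(&mm, partial_update, sizeof(partial_update), 0);
	return mm.saved_auxv[3];	/* untouched: still 56 */
}

/* saved_auxv[3] after the same partial update with the patched full copy. */
unsigned long entry3_after_partial_update_full(void)
{
	struct mm_model mm;
	memcpy(mm.saved_auxv, initial_auxv, sizeof(initial_auxv));
	set_auxv(&mm, partial_update, sizeof(partial_update), 1);
	return mm.saved_auxv[3];	/* clobbered by the zeroed staging tail */
}

/* Error code for a 'len' larger than the staging buffer. */
int oversized_len_result(void)
{
	struct mm_model mm = {{0}};
	unsigned long too_big[AT_VECTOR_SIZE + 1] = {0};
	return set_auxv(&mm, too_big, sizeof(too_big), 1);
}

int main(void)
{
	printf("entry 3 after partial update, copy len:            %lu\n",
	       entry3_after_partial_update_len());
	printf("entry 3 after partial update, copy sizeof(buffer): %lu\n",
	       entry3_after_partial_update_full());
	printf("oversized len: %d (-EINVAL is %d)\n",
	       oversized_len_result(), -EINVAL);
	return 0;
}
```

With 'len' only the entries the caller supplied change and the rest of saved_auxv survives, which is the behaviour the replies expect callers may rely on; with sizeof(user_auxv) the tail is replaced by whatever the staging buffer holds past 'len'. Neither variant overruns the destination as long as the length check holds, which is why the sizes, not the copy length, are what the BUILD_BUG_ON pins down.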