From nobody Fri Jun 19 09:10:45 2026
From: "Shengzhuo Wei"
To: "Richard Weinberger" , "Anton Ivanov" , "Johannes Berg"
Cc: , , "Shengzhuo Wei"
Subject: [PATCH RESEND] um: mconsole: Fix out-of-bounds read in mconsole_log()
Date: Tue, 16 Jun 2026 11:51:14 +0800
Message-Id: <20260616-mconsole-oob-read-leak-v1-1-528d711f63fb@cherr.cc>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: b4 0.14.2

mconsole_parse() matches the 3-byte prefix "log", but mconsole_log() skips
strlen("log ") = 4 bytes, advancing ptr past the NUL terminator when a client
sends "log" without a trailing space. The length then comes from req->len, the
raw recvfrom() count, instead of req->request.len, so printk() reads up to
req->len - 4 bytes of stale data from a previous request left in the static
mc_request buffer, leaking it to the kernel log.

Use req->cmd->command for the actual command length, add skip_spaces(), use
req->request.len, and guard against non-positive length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Shengzhuo Wei
---
arch/um/drivers/mconsole_kern.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_ker= n.c index e2a9e8879f584734cf2e94d47e403d03f8aa2131..0dd5aab1544648a7f7942c2eb47= a5792e7dd702b 100644 --- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c @@ -117,10 +117,12 @@ void mconsole_log(struct mc_request *req) int len; char *ptr =3D req->request.data; =20 - ptr +=3D strlen("log "); + ptr +=3D strlen(req->cmd->command); + ptr =3D skip_spaces(ptr); =20 - len =3D req->len - (ptr - req->request.data); - printk(KERN_WARNING "%.*s", len, ptr); + len =3D req->request.len - (ptr - req->request.data); + if (len > 0) + printk(KERN_WARNING "%.*s", len, ptr); mconsole_reply(req, "", 0, 0); } =20 --- base-commit: dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b change-id: 20260425-mconsole-oob-read-leak-a4b8696ac97b Best regards, --=20 Shengzhuo Wei
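Review bot: the new bound `len = req->request.len - (ptr - req->request.data)` is derived from req->request.len, a field the client supplies in the datagram, and nothing in this hunk checks it against the size of req->request.data; if the receive path does not already reject an oversized request.len, `printk(KERN_WARNING "%.*s", len, ptr)` is still bounded only by whatever NUL happens to sit in the static buffer, so either confirm that validation exists or clamp len here to `sizeof(req->request.data) - (ptr - req->request.data)`. Minor: skip_spaces() comes from linux/string.h and the diff adds no include, so please confirm mconsole_kern.c already pulls it in.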
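As an added illustration of the bug and fix described in the commit message (this is not the kernel's code nor the author's): a userspace model that replays two requests through one persistent buffer and reports what the old and patched mconsole_log() logic would hand to printk. The 12-byte header layout, MAX_DATA and the request payloads are assumptions and constructed samples.

```c
/* Userspace model of mconsole_log() before/after the patch (added example, not
 * kernel code; header layout, MAX_DATA and payloads are assumed/constructed). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA 512
struct request { unsigned int magic, version, len; char data[MAX_DATA]; };
struct mc_request { int len; struct request request; };   /* static in kernel */
static char *skip_spaces(const char *s)
{ while (isspace((unsigned char)*s)) s++; return (char *)s; }

/* Model recvfrom(): copy only payload + NUL; the rest of data[] stays stale. */
static void deliver(struct mc_request *req, const char *payload)
{
    req->request.len = (unsigned int)strlen(payload);
    memcpy(req->request.data, payload, req->request.len + 1);
    req->len = (int)(offsetof(struct request, data) + req->request.len + 1);
}

/* Length mconsole_log() passes to printk, and where ptr ends up. */
static int log_len(struct mc_request *req, int patched, const char **out)
{
    char *ptr = req->request.data; int len;
    if (!patched) {                 /* old: assumes "log ", trusts raw count */
        ptr += strlen("log ");
        len = req->len - (int)(ptr - req->request.data);
    } else {                        /* new: cmd length, skip blanks, request.len */
        ptr = skip_spaces(ptr + strlen("log"));
        len = (int)req->request.len - (int)(ptr - req->request.data);
        if (len <= 0) len = 0;      /* patch skips the printk entirely */
    }
    *out = ptr;
    return len;
}

/* Deliver two requests into one buffer and report what the second would log:
 * returns the length argument, copies the printed text into out. */
int model_log(int patched, const char *first, const char *second,
              char *out, size_t outsz)
{
    struct mc_request req; const char *p;
    memset(&req, 0, sizeof req);
    deliver(&req, first);
    deliver(&req, second);
    int n = log_len(&req, patched, &p);
    snprintf(out, outsz, "%.*s", n > 0 ? n : 0, p);
    return n;
}
```

With the old logic a bare "log" following a longer request prints 12 bytes of the earlier payload; with the patched logic it prints nothing, and "log   hello" prints exactly "hello".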