{"id":2228024,"url":"http://patchwork.ozlabs.org/api/patches/2228024/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-um/patch/20260425-mconsole-oob-read-leak-v1-1-7d46e5892c5c@cherr.cc/","project":{"id":60,"url":"http://patchwork.ozlabs.org/api/projects/60/?format=json","name":"User-mode Linux Development","link_name":"linux-um","list_id":"linux-um.lists.infradead.org","list_email":"linux-um@lists.infradead.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260425-mconsole-oob-read-leak-v1-1-7d46e5892c5c@cherr.cc>","list_archive_url":null,"date":"2026-04-24T20:29:24","name":"um: mconsole: Fix out-of-bounds read in mconsole_log()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"01736b830a10d79338c9c51d19306e3ea65be060","submitter":{"id":93227,"url":"http://patchwork.ozlabs.org/api/people/93227/?format=json","name":"Shengzhuo Wei","email":"me@cherr.cc"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-um/patch/20260425-mconsole-oob-read-leak-v1-1-7d46e5892c5c@cherr.cc/mbox/","series":[{"id":501404,"url":"http://patchwork.ozlabs.org/api/series/501404/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-um/list/?series=501404","date":"2026-04-24T20:29:24","name":"um: mconsole: Fix out-of-bounds read in mconsole_log()","version":1,"mbox":"http://patchwork.ozlabs.org/series/501404/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2228024/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2228024/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=temperror header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 
header.s=bombadil.20210309 header.b=xWCO4Ldg;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=cherr.cc header.i=@cherr.cc header.a=rsa-sha256\n header.s=feishu2604220257 header.b=uoG+TyWg;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2Phx70kVz1yDD\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 25 Apr 2026 06:30:04 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wGN9u-0000000DjfC-25t5;\n\tFri, 24 Apr 2026 20:29:54 +0000","from va-2-35.ptr.blmpb.com ([209.127.231.35])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wGN9r-0000000Djep-2XTM\n\tfor linux-um@lists.infradead.org;\n\tFri, 24 Apr 2026 20:29:53 +0000","from pve.cherr ([111.42.148.201]) by smtp.feishu.cn with ESMTPS;\n Sat, 25 Apr 2026 04:29:42 +0800"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help\n\t:List-Post:List-Archive:List-Unsubscribe:List-Id:Mime-Version:Message-Id:\n\tSubject:Content-Transfer-Encoding:Content-Type:From:To:Date:Cc:Reply-To:\n\tContent-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:\n\tResent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;\n\tbh=CC9VmaJmuE4+l9TeEA+2T38jJ6gbwFgmDLEFdtmT0Bg=; 
b=xWCO4LdgGEOQNSScKY7oqQPNee\n\t4X4cMB6bXrb2twlg8PdpYCxINive925Am2jqBuzsVlpbiU4/56DzJAsWIe375uGD154If6YdtMGnz\n\tZVBZLlbfpkvbNnIEEeUxanO0ak/0cG8lM8grLuA7mSW63rBDftzRCl4hwsFkDp6PsAyS2Skd4US+I\n\thD/V5VIOUiEtht0uvQzccvrrmccSuC5xR/iPD6gRsOzWAduFWCLoggJt6TIs+ukcun0/5lG3NNyQy\n\t+GQNmFKYojw88uRthkC4wpTukqGaWMp1O6f/4p2rPKsUWvFQSja7u7gLNdB/088sk5iOYHNG35JKj\n\txGHZZ39Q==;","v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n s=feishu2604220257; d=cherr.cc; t=1777062585; h=from:subject:\n mime-version:from:date:message-id:subject:to:cc:reply-to:content-type:\n mime-version:in-reply-to:message-id;\n bh=CC9VmaJmuE4+l9TeEA+2T38jJ6gbwFgmDLEFdtmT0Bg=;\n b=uoG+TyWgk36+y0vIGDNcDy6vzceg5aiPPuyVQCI5j8pV46I1lPshDIU8JPNlvJnjNZg0o9\n QF3beZ27f5g2O5xA7CbdmyxGbpwuLhW1NVwvpBkrEbSGirb9AVUcJ+VmCpvcQiRQEdbqRc\n TXS5J0S4nT0qrZYFzjMReH27Mn3P/BFY6ik2ovFEGIxQ3kJaIE9nmiab1VQ7pN3yM1i9Ca\n +PqFR/TUBK9K1KL4DaZiOD5uyL14Ygj/cWJ3bPf0yFDRwWuUJfq0Br5DkEqUMIYmUQlhfq\n 8ArPt1oKlCJOhzTYTIOfiJqIIbp0L4X7iGWYRDLHa89CYaMZZtADkBHMJmX8sw=="],"Cc":"<linux-um@lists.infradead.org>, <linux-kernel@vger.kernel.org>,\n\t\"Shengzhuo Wei\" <me@cherr.cc>","Date":"Sat, 25 Apr 2026 04:29:24 +0800","X-Change-Id":"20260425-mconsole-oob-read-leak-a4b8696ac97b","X-Original-From":"Shengzhuo Wei <me@cherr.cc>","To":"\"Richard Weinberger\" <richard@nod.at>,\n\t\"Anton Ivanov\" <anton.ivanov@cambridgegreys.com>,\n\t\"Johannes Berg\" <johannes@sipsolutions.net>","From":"\"Shengzhuo Wei\" <me@cherr.cc>","Content-Type":"text/plain; charset=UTF-8","X-Mailer":"b4 0.14.2","Content-Transfer-Encoding":"7bit","X-Lms-Return-Path":"<lba+269ebd2b7+c2655d+lists.infradead.org+me@cherr.cc>","X-B4-Tracking":"v=1;\n b=H4sIAKPS62kC/x3MQQqEMAxA0atI1ga0aNW5iswirVGD2gwtDIJ4d 4vLt/j/gsRROMGnuCDyX5JoyKjLAvxKYWGUKRtMZWzVmBYPryHpzqjqMDJNuDNtSI3r7WDJD52\n DHP8iz3K+4/F73w9dsTqnaAAAAA==","Subject":"[PATCH] um: mconsole: Fix out-of-bounds read in 
mconsole_log()","Message-Id":"<20260425-mconsole-oob-read-leak-v1-1-7d46e5892c5c@cherr.cc>","Mime-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260424_132951_725738_15B78168 ","X-CRM114-Status":"UNSURE (   8.05  )","X-CRM114-Notice":"Please train this message.","X-Spam-Score":"-2.1 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  mconsole_parse() matches the 3-byte prefix \"log\",\n but mconsole_log()\n    skips strlen(\"log \") = 4 bytes, advancing ptr past the NUL terminator when\n    a client sends \"log\" without a trailing space. The length then comes from\n    req->len, the raw recvfrom() count, instead of req->request.len,\n so printk()\n    reads up to req->len - 4 bytes of stale data from a previous request left\n    in the static mc_reque [...]\n Content analysis details:   (-2.1 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.0 SPF_PASS               SPF: sender matches SPF record\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 
0.0000]","X-BeenThere":"linux-um@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<linux-um.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/linux-um>,\n <mailto:linux-um-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/linux-um/>","List-Post":"<mailto:linux-um@lists.infradead.org>","List-Help":"<mailto:linux-um-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/linux-um>,\n <mailto:linux-um-request@lists.infradead.org?subject=subscribe>","Sender":"\"linux-um\" <linux-um-bounces@lists.infradead.org>","Errors-To":"linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"mconsole_parse() matches the 3-byte prefix \"log\", but mconsole_log()\nskips strlen(\"log \") = 4 bytes, advancing ptr past the NUL terminator\nwhen a client sends \"log\" without a trailing space.\n\nThe length then comes from req->len, the raw recvfrom() count, instead\nof req->request.len, so printk() reads up to req->len - 4 bytes of\nstale data from a previous request left in the static mc_request\nbuffer, leaking it to the kernel log.\n\nUse req->cmd->command for the actual command length, add skip_spaces(),\nuse req->request.len, and guard against non-positive length.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Shengzhuo Wei <me@cherr.cc>\n---\n arch/um/drivers/mconsole_kern.c | 8 +++++---\n 1 file changed, 5 insertions(+), 3 deletions(-)\n\n\n---\nbase-commit: dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b\nchange-id: 20260425-mconsole-oob-read-leak-a4b8696ac97b\n\nBest regards,","diff":"diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c\nindex e2a9e8879f584734cf2e94d47e403d03f8aa2131..0dd5aab1544648a7f7942c2eb47a5792e7dd702b 100644\n--- a/arch/um/drivers/mconsole_kern.c\n+++ b/arch/um/drivers/mconsole_kern.c\n@@ -117,10 +117,12 @@ void 
mconsole_log(struct mc_request *req)\n \tint len;\n \tchar *ptr = req->request.data;\n \n-\tptr += strlen(\"log \");\n+\tptr += strlen(req->cmd->command);\n+\tptr = skip_spaces(ptr);\n \n-\tlen = req->len - (ptr - req->request.data);\n-\tprintk(KERN_WARNING \"%.*s\", len, ptr);\n+\tlen = req->request.len - (ptr - req->request.data);\n+\tif (len > 0)\n+\t\tprintk(KERN_WARNING \"%.*s\", len, ptr);\n \tmconsole_reply(req, \"\", 0, 0);\n }\n \n","prefixes":[]}
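Review bot: In the new `len` computation, `req->request.len` sets the `%.*s` precision, but nothing in this hunk shows that field being checked against the size of `req->request.data` or against the received count `req->len`. If the parse path does not already reject a `request.len` larger than what was actually received, clamp it here (for example to the smaller of `req->request.len` and `req->len`), so that `if (len > 0)` is not the only bound. Separately, `skip_spaces(ptr)` is bounded only by a NUL terminator, not by `len`, so a short comment stating that `request.data` is guaranteed to be NUL-terminated at this point would help. It also strips all leading whitespace rather than the single separator that `strlen("log ")` skipped, so messages beginning with spaces are logged differently and whitespace-only messages are no longer logged; the commit message should mention that behaviour change.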