diff options
| author | Breno Leitao <leitao@debian.org> | 2026-04-27 17:30:37 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-04-29 04:28:11 +0300 |
| commit | 92ceb7bff62c2606f664c204750eca0b85d44112 (patch) | |
| tree | aa3b04733e17dc9c7fe6f20afcdcf539e37f892a /include/linux/execmem.h | |
| parent | e6dd94252b0fa7b4fcc00577c6898432c5d97a08 (diff) | |
| download | linux-92ceb7bff62c2606f664c204750eca0b85d44112.tar.xz | |
netconsole: propagate device name truncation in dev_name_store()
dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without
checking the return value. If userspace writes an interface name longer
than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but
the function ignores it and reports a fully successful write back to
userspace.
If a real interface happens to match the truncated name, netconsole will
bind to the wrong device on the next enable, sending kernel logs and
panic output to an unintended network segment with no indication to
userspace that anything was rewritten.
Reject writes whose length cannot fit in nt->np.dev_name up front:
if (count >= IFNAMSIZ)
return -ENAMETOOLONG;
This is not a big deal of a problem, but, it is still the correct
approach.
Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration using configfs")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260427-netconsole_ai_fixes-v2-3-59965f29d9cc@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/linux/execmem.h')
0 files changed, 0 insertions, 0 deletions