On Fri, Feb 02, 2024 at 06:27:32PM +0000, Al Viro wrote:
> Think what happens if you fetch ->len in state prior to
> rename and ->name - after. memcpy() from one memory object
> with length that matches another, UAF right there.
s/UAF/fairly easy oops/ - you can end up fetching past the end of
page that hosts kmalloc'ed object, and there's no promise that anything
will be mapped there. I really need more coffee...
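
A constructed C model of the torn read described above, added here and not code from the thread or from the kernel: a reader that takes ->len before a rename and ->name after it ends up copying with a length that belongs to a different object, while a reader that samples both fields under one sequence value does not. The struct qname layout, rename_to() and the seqcount-style seq field are assumptions of this example, not something the mail describes.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical record modelled on the ->len/->name pair in the mail; the seq
 * field (even = stable, odd = rename in flight) is an assumed scheme. */
struct qname {
    unsigned int seq, len;
    const char *name;
    size_t alloc;   /* bytes actually backing ->name, for the bound check */
};
/* Writer: install a new name, bumping seq on either side of the update. */
static void rename_to(struct qname *q, const char *new_name, size_t alloc)
{
    q->seq++;                                /* odd: readers must retry */
    q->len = (unsigned int)strlen(new_name);
    q->name = new_name;
    q->alloc = alloc;
    q->seq++;                                /* even: stable again */
}
/* Torn read: ->len sampled before the rename, ->name after. Returns how many
 * bytes memcpy(dst, name, stale_len) would read past the object now backing
 * ->name; computed rather than performed, so this stays defined behaviour. */
static size_t torn_overread(unsigned int stale_len, const struct qname *q)
{
    return stale_len > q->alloc ? stale_len - q->alloc : 0;
}
/* Consistent read: sample ->len and ->name under one even seq value and retry
 * if a rename raced. Copies at most cap-1 bytes and returns bytes copied. */
static size_t copy_name_consistent(const struct qname *q, char *dst, size_t cap)
{
    unsigned int seq, len;
    const char *name;
    do {
        seq = q->seq; len = q->len; name = q->name;
    } while ((seq & 1) || seq != q->seq);
    if (len >= cap) len = (unsigned int)(cap - 1);
    memcpy(dst, name, len);
    dst[len] = '\0';
    return len;
}

/* Constructed scenario: len fetched from the long old name, then a rename
 * swaps in a short name backed by a 4-byte object. Returns the overread. */
static size_t demo(void)
{
    static const char old_name[] = "a-rather-long-filename", new_name[] = "abc";
    struct qname q = { 0, (unsigned int)strlen(old_name), old_name, sizeof old_name };
    unsigned int stale_len = q.len;          /* fetched before the rename */
    rename_to(&q, new_name, sizeof new_name);
    return torn_overread(stale_len, &q);     /* 22 - 4 = 18 bytes past the object */
}
```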
