oss-sec mailing list archives

Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function


From: Simon McVittie <smcv () debian org>
Date: Tue, 30 May 2017 12:41:38 +0100

On Tue, 30 May 2017 at 08:17:54 +0400, Ilya Matveychikov wrote:
> When using get_options() it's possible to specify a range of numbers,
> like 1-100500. The problem is that it doesn't track array size while
> calling internally to get_range() which iterates over the range and
> fills the memory with numbers.

Is there a realistic way in which an attacker can provide Linux kernel
command-line arguments, without being able to achieve arbitrary code
execution via those command-line arguments?

In other words, is this a security vulnerability, or just a bug?

(If the attacker can already achieve arbitrary code execution then
this bug does not give them any capability they do not already have.)

    S
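
Added example, not part of the original message and not the kernel's code: a simplified userspace model of parsing a comma-separated integer list with ranges, where the remaining array size is checked before a range such as 1-100500 is expanded (the tracking the quoted report says get_options() lacks). The function name parse_int_list, its signature and the layout with the count in ints[0] are assumptions of this sketch.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: parse "1,2,5-8" into ints[1..nints-1]; ints[0] gets
 * the count. Returns 0 on success, -1 on bad input or if values do not fit. */
int parse_int_list(const char *s, int nints, int *ints)
{
    int i = 1;                          /* next free slot in ints[] */

    if (nints < 1)
        return -1;
    ints[0] = 0;
    while (*s) {
        char *end;
        long lo = strtol(s, &end, 0), hi = lo;

        if (end == s)
            return -1;
        if (*end == '-') {              /* range form, e.g. 1-100500 */
            const char *p = end + 1;
            hi = strtol(p, &end, 0);
            if (end == p)
                return -1;
        }
        if (lo < INT_MIN || hi > INT_MAX || hi < lo)
            return -1;
        /* Size check before expanding: the range must fit in what is left. */
        if ((long long)hi - lo + 1 > nints - i)
            return -1;
        for (long long x = lo; x <= hi; x++)
            ints[i++] = (int)x;
        ints[0] = i - 1;
        if (*end != ',' && *end != '\0')
            return -1;
        s = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

int main(void)
{
    int ints[8];                        /* constructed sample inputs below */
    printf("1,2,5-8  -> %d\n", parse_int_list("1,2,5-8", 8, ints));
    printf("1-100500 -> %d\n", parse_int_list("1-100500", 8, ints));
    return 0;
}
```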

