I totally forgot that _parse_integer() accepts an arbitrary number of leading zeroes, which leads to the following:
OK # readlink /proc/1/map_files/56427ecba000-56427eddc000 /lib/systemd/systemd bogus # readlink /proc/1/map_files/00000000000056427ecba000-56427eddc000 /lib/systemd/systemd # readlink /proc/1/map_files/56427ecba000-00000000000056427eddc000 /lib/systemd/systemd
Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
---
 fs/proc/base.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1913,9 +1913,11 @@ static int dname_to_vma_addr(struct dentry *dentry,
 					unsigned long *start, unsigned long *end)
 {
 	const char *str = dentry->d_name.name;
+	unsigned int len = dentry->d_name.len;
 	unsigned long long sval, eval;
-	unsigned int len;
 
+	if (len > 1 && *str == '0')
+		return -EINVAL;
 	len = _parse_integer(str, 16, &sval);
 	if (len & KSTRTOX_OVERFLOW)
 		return -EINVAL;
@@ -1927,6 +1929,9 @@ static int dname_to_vma_addr(struct dentry *dentry,
 		return -EINVAL;
 	str++;
 
+	len = strlen(str);
+	if (len > 1 && *str == '0')
+		return -EINVAL;
 	len = _parse_integer(str, 16, &eval);
 	if (len & KSTRTOX_OVERFLOW)
 		return -EINVAL;
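Review bot: The first check in the -1913 hunk, `if (len > 1 && *str == '0')`, compares the length of the whole dentry name rather than of the start address, so a name whose start address is exactly 0 (spelled canonically as `0-<end>`) is always rejected even though it contains no superfluous zero; whether a mapping at address 0 can exist on a given system is a separate policy question, but the name parser should not be what forbids it. Testing the character after the zero instead, `if (str[0] == '0' && str[1] != '-')`, rejects only a genuine leading zero, and the -1929 hunk can do the same with `if (str[0] == '0' && str[1] != '\0')`, which also removes the strlen() over the remainder since the terminator check already bounds it. A one-line comment above the first check, `/* only the canonical hex spelling names a mapping: reject leading zeroes so one VMA cannot be reached under several names */`, would record the intent the description gives. dname_to_vma_addr continues past both hunks, so the later `*str != '\0'` and range checks are not visible here.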