Thread: 4 messages, 4 authors, 2024-06-03

Re: [PATCH 1/6] fs/exec: Drop task_lock() inside __get_task_comm()

From: Linus Torvalds <torvalds@linux-foundation.org>
Date: 2024-06-02 20:11:27
Also in: bpf, linux-fsdevel, linux-security-module, selinux

On Sun, 2 Jun 2024 at 10:53, Eric W. Biederman [off-list ref] wrote:
> The read may race with a write that is changing the location
> of '\0'.  Especially if the new value is shorter than
> the old value.

It *shouldn't* happen.

So 'strscpy()' itself is written to be NUL-safe, in that if it ever
copies a NUL character, it will stop. Admittedly the byte loop at the
end might technically need a READ_ONCE() for that to be strictly true
in theory, but in practice it already is.

And even if the new string is shorter, the comm[] array will always
have a NUL terminator _somewhere_, in how the last byte is never
non-NUL.

Now, the only real issue is if something writes *to* the comm[] array
without following the rules properly - like writing a non-NULL
character to the end of the array before then filling it in with NUL
again.

But that would be a bug on the comm[] writing side, I feel, not a bug
on the reader side.

               Linus
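
A user-space model of the argument in the message above, added here as an illustration; it is not kernel code and not from the thread. The names `write_step`, `read_comm` and `count_unterminated_reads` are hypothetical, and the byte-at-a-time writer is an assumed simplification of a comm[] update with a reader running after every store.

```c
#include <stddef.h>
#include <string.h>

#define COMM_LEN 16 /* same size as the kernel's TASK_COMM_LEN */

/* Model writer step: store byte i of the new name, NUL-padding past its end.
 * It only touches indexes 0..COMM_LEN-2, so comm[COMM_LEN-1] stays NUL. */
static void write_step(char *comm, const char *name, size_t i)
{
    size_t n = strlen(name);
    comm[i] = (i < n) ? name[i] : '\0';
}

/* Model reader: byte-wise bounded copy that stops at the first NUL it sees.
 * Returns 1 if a NUL was found inside the array, 0 if it hit the bound. */
static int read_comm(char *dst, const char *comm)
{
    for (size_t i = 0; i < COMM_LEN; i++) {
        dst[i] = comm[i];
        if (comm[i] == '\0')
            return 1;
    }
    dst[COMM_LEN - 1] = '\0'; /* forced truncation: source had no NUL */
    return 0;
}

/* Replace old_name with new_name one byte at a time and let the reader run
 * after every single store. Returns how many reads found no NUL in comm[].
 * With break_rule set, the writer first puts a non-NUL byte in the last slot
 * and only clears it at the end (the writer-side bug described above). */
int count_unterminated_reads(const char *old_name, const char *new_name, int break_rule)
{
    char comm[COMM_LEN] = {0}, snap[COMM_LEN];
    int bad = 0;
    strncpy(comm, old_name, COMM_LEN - 1);
    if (break_rule)
        comm[COMM_LEN - 1] = 'X';
    for (size_t i = 0; i < COMM_LEN - 1; i++) {
        write_step(comm, new_name, i);
        bad += !read_comm(snap, comm);
    }
    comm[COMM_LEN - 1] = '\0';
    return bad;
}

int main(void)
{
    return count_unterminated_reads("a-fifteen-chars", "sh", 0); /* 0 */
}
```

With the last byte left alone, every intermediate read is terminated even though it may mix old and new bytes; only the rule-breaking writer produces reads with no NUL in the array.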