Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup()

[PATCH v7 0/8] Improve the copy of task comm · Yafang Shao <hidden> · 2024-08-17
[PATCH v7 1/8] Get rid of __get_task_comm() · Yafang Shao <hidden> · 2024-08-17
[PATCH v7 2/8] auditsc: Replace memcpy() with strscpy() · Yafang Shao <hidden> · 2024-08-17
[PATCH v7 3/8] security: Replace memcpy() with get_task_comm() · Yafang Shao <hidden> · 2024-08-17
[PATCH v7 4/8] bpftool: Ensure task comm is always NUL-terminated · Yafang Shao <hidden> · 2024-08-17
Re: [PATCH v7 4/8] bpftool: Ensure task comm is always NUL-terminated · Alejandro Colomar <alx@kernel.org> · 2024-08-17
Re: [PATCH v7 4/8] bpftool: Ensure task comm is always NUL-terminated · Yafang Shao <hidden> · 2024-08-18
Re: [PATCH v7 4/8] bpftool: Ensure task comm is always NUL-terminated · Alejandro Colomar <alx@kernel.org> · 2024-08-18
[PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Yafang Shao <hidden> · 2024-08-17
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Alejandro Colomar <alx@kernel.org> · 2024-08-17
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Linus Torvalds <torvalds@linux-foundation.org> · 2024-08-17
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Alejandro Colomar <alx@kernel.org> · 2024-08-17
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Kees Cook <kees@kernel.org> · 2024-09-28
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Alejandro Colomar <alx@kernel.org> · 2024-09-29
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Alejandro Colomar <alx@kernel.org> · 2024-09-29
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Andy Shevchenko <hidden> · 2024-09-26
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Yafang Shao <hidden> · 2024-09-27
Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() · Kees Cook <kees@kernel.org> · 2024-09-28
[PATCH v7 6/8] mm/util: Deduplicate code in {kstrdup,kstrndup,kmemdup_nul} · Yafang Shao <hidden> · 2024-08-17
Re: [PATCH v7 6/8] mm/util: Deduplicate code in {kstrdup,kstrndup,kmemdup_nul} · Alejandro Colomar <alx@kernel.org> · 2024-08-17
Re: [PATCH v7 6/8] mm/util: Deduplicate code in {kstrdup,kstrndup,kmemdup_nul} · Alejandro Colomar <alx@kernel.org> · 2024-08-17
Re: [PATCH v7 6/8] mm/util: Deduplicate code in {kstrdup,kstrndup,kmemdup_nul} · Alejandro Colomar <alx@kernel.org> · 2024-08-26
Re: [PATCH v7 6/8] mm/util: Deduplicate code in {kstrdup,kstrndup,kmemdup_nul} · Yafang Shao <hidden> · 2024-08-26
[PATCH v7 7/8] net: Replace strcpy() with strscpy() · Yafang Shao <hidden> · 2024-08-17
[PATCH v7 8/8] drm: Replace strcpy() with strscpy() · Yafang Shao <hidden> · 2024-08-17
Re: [PATCH v7 0/8] Improve the copy of task comm · Yafang Shao <hidden> · 2024-08-26
Re: [PATCH v7 0/8] Improve the copy of task comm · Andrew Morton <akpm@linux-foundation.org> · 2024-08-28

From: Alejandro Colomar <alx@kernel.org>
Date: 2024-08-17 17:03:34
Also in: bpf, dri-devel, linux-fsdevel, linux-mm, linux-security-module, netdev, selinux

Hi Linus,

On Sat, Aug 17, 2024 at 09:26:21AM GMT, Linus Torvalds wrote:

On Sat, 17 Aug 2024 at 01:48, Alejandro Colomar [off-list ref] wrote:

quoted

I would compact the above to:

        len = strlen(s);
        buf = kmalloc_track_caller(len + 1, gfp);
        if (buf)
                strcpy(mempcpy(buf, s, len), "");

No, we're not doing this kind of horror.

Ok.

If _FORTIFY_SOURCE has problems with a simple "memcpy and add NUL",
then _FORTIFY_SOURCE needs to be fixed.

_FORTIFY_SOURCE works (AFAIK) by replacing the usual string calls by
oneis that do some extra work to learn the real size of the buffers.
This means that for _FORTIFY_SOURCE to work, you need to actually call a
function.  Since the "add NUL" is not done in a function call, it's
unprotected (except that sanitizers may protect it via other means).
Here's the fortified version of strcpy(3) in the kernel:

	$ grepc -h -B15 strcpy ./include/linux/fortify-string.h
	/**
	 * strcpy - Copy a string into another string buffer
	 *
	 * @p: pointer to destination of copy
	 * @q: pointer to NUL-terminated source string to copy
	 *
	 * Do not use this function. While FORTIFY_SOURCE tries to avoid
	 * overflows, this is only possible when the sizes of @q and @p are
	 * known to the compiler. Prefer strscpy(), though note its different
	 * return values for detecting truncation.
	 *
	 * Returns @p.
	 *
	 */
	/* Defined after fortified strlen to reuse it. */
	__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2)
	char *strcpy(char * const POS p, const char * const POS q)
	{
		const size_t p_size = __member_size(p);
		const size_t q_size = __member_size(q);
		size_t size;

		/* If neither buffer size is known, immediately give up. */
		if (__builtin_constant_p(p_size) &&
		    __builtin_constant_p(q_size) &&
		    p_size == SIZE_MAX && q_size == SIZE_MAX)
			return __underlying_strcpy(p, q);
		size = strlen(q) + 1;
		/* Compile-time check for const size overflow. */
		if (__compiletime_lessthan(p_size, size))
			__write_overflow();
		/* Run-time check for dynamic size overflow. */
		if (p_size < size)
			fortify_panic(FORTIFY_FUNC_strcpy, FORTIFY_WRITE, p_size, size, p);
		__underlying_memcpy(p, q, size);
		return p;
	}

We don't replace a "buf[len] = 0" with strcpy(,""). Yes, compilers may
simplify it, but dammit, it's an unreadable incomprehensible mess to
humans, and humans still matter a LOT more.

I understand.  While I don't consider it unreadable anymore (I guess I
got used to it), it felt strange at first.

                Linus

Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es/>

Attachments

signature.asc [application/pgp-signature] 833 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help