Re: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup()

[PATCH v2 00/10] Improve the copy of task comm · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 01/10] fs/exec: Drop task_lock() inside __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 02/10] auditsc: Replace memcpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 03/10] security: Replace memcpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 04/10] bpftool: Ensure task comm is always NUL-terminated · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup() · Yafang Shao <hidden> · 2024-06-13
Re: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup() · Andrew Morton <akpm@linux-foundation.org> · 2024-06-13
Re: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup() · Linus Torvalds <torvalds@linux-foundation.org> · 2024-06-13
Re: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup() · Yafang Shao <hidden> · 2024-06-14
Re: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup() · Yafang Shao <hidden> · 2024-06-14
[PATCH v2 06/10] mm/kmemleak: Replace strncpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
Re: [PATCH v2 06/10] mm/kmemleak: Replace strncpy() with __get_task_comm() · Catalin Marinas <catalin.marinas@arm.com> · 2024-06-13
Re: [PATCH v2 06/10] mm/kmemleak: Replace strncpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
Re: [PATCH v2 06/10] mm/kmemleak: Replace strncpy() with __get_task_comm() · Catalin Marinas <catalin.marinas@arm.com> · 2024-06-14
Re: [PATCH v2 06/10] mm/kmemleak: Replace strncpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-14
[PATCH v2 07/10] tsacct: Replace strncpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 08/10] tracing: Replace strncpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 09/10] net: Replace strcpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13
[PATCH v2 10/10] drm: Replace strcpy() with __get_task_comm() · Yafang Shao <hidden> · 2024-06-13

From: Yafang Shao <hidden>
Date: 2024-06-14 02:34:27
Also in: bpf, dri-devel, linux-fsdevel, linux-mm, linux-security-module, linux-trace-kernel, selinux

On Fri, Jun 14, 2024 at 5:14 AM Andrew Morton [off-list ref] wrote:

On Thu, 13 Jun 2024 10:30:39 +0800 Yafang Shao [off-list ref] wrote:

quoted

In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, potential race condidtion can occur between a
writer and a reader.

Consider the following scenario involving task->comm:

    reader                    writer

  len = strlen(s) + 1;
                             strlcpy(tsk->comm, buf, sizeof(tsk->comm));
  memcpy(buf, s, len);

In this case, there is a race condition between the reader and the
writer. The reader calculate the length of the string `s` based on the
old value of task->comm. However, during the memcpy(), the string `s`
might be updated by the writer to a new value of task->comm.

If the new task->comm is larger than the old one, the `buf` might not be
NUL-terminated. This can lead to undefined behavior and potential
security vulnerabilities.

Let's fix it by explicitly adding a NUL-terminator.

The concept sounds a little strange.  If some code takes a copy of a
string while some other code is altering it, yes, the result will be a
mess.  This is why get_task_comm() exists, and why it uses locking.

I get that "your copy is a mess" is less serious than "your string
isn't null-terminated" but still.  Whichever outcome we get, the
calling code is buggy and should be fixed.

Are there any other problematic scenarios we're defending against here?

quoted

--- a/mm/util.c
+++ b/mm/util.c

@@ -60,8 +60,10 @@ char *kstrdup(const char *s, gfp_t gfp)

      len = strlen(s) + 1;
      buf = kmalloc_track_caller(len, gfp);
-     if (buf)
+     if (buf) {
              memcpy(buf, s, len);
+             buf[len - 1] = '\0';
+     }
      return buf;
 }

Now I'll start receiving patches to remove this again.  Let's have a
code comment please.

I will add a comment for it.

And kstrdup() is now looking awfully similar to kstrndup().  Perhaps
there's a way to reduce duplication?

Yes, I believe we can add a common helper for them :

  static char *__kstrndup(const char *s, size_t max, gfp_t gfp)

-- 
Regards
Yafang

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help