Re: [PATCH] sanitize task->comm to avoid leaking escape codes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Andrew Morton <akpm@linux-foundation.org>
To: Kees Cook <kees.cook@canonical.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
	Oleg Nesterov <oleg@redhat.com>,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	Roland McGrath <roland@redhat.com>, Ingo Molnar <mingo@elte.hu>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH] sanitize task->comm to avoid leaking escape codes
Date: Tue, 29 Jun 2010 11:59:56 -0700	[thread overview]
Message-ID: <20100629115956.03c4a0b4.akpm@linux-foundation.org> (raw)
In-Reply-To: <20100629150952.GF4175@outflux.net>

On Tue, 29 Jun 2010 08:09:52 -0700
Kees Cook <kees.cook@canonical.com> wrote:

> On Tue, Jun 29, 2010 at 11:45:14AM +0300, Alexey Dobriyan wrote:
> > On Tue, Jun 29, 2010 at 12:03 AM, Kees Cook <kees.cook@canonical.com> wrote:
> > > On Mon, Jun 28, 2010 at 01:00:28PM -0700, Andrew Morton wrote:
> > >> Surely it would be better to fix the tools which display this info
> > >> rather than making the kernel tell fibs.
> > >
> > > The strncpy in get_task_comm() is totally wrong -- it's testing the length
> > > of task->comm.
> > 
> > It also fills not just any buffer but buffer which is TASK_COMM_LEN byte wide.
> > 
> > > Why should get_task_comm not take a destination buffer length argument?
> > 
> > If you pass too small, you needlessly truncate output.
> 
> If you pass too small a buffer, get_task_comm will happily write all over
> the caller's stack past the end of the buffer if the contents of task->comm
> are large enough:
> 
>         strncpy(buf, tsk->comm, sizeof(tsk->comm));
> 
> The "n" argument to get_task_comm's use of strncpy is totally wrong --
> it needs to be the size of the destination, not the size of the source.
> Luckily, everyone using get_task_comm currently uses buffers that are
> sizeof(task->comm).

It's not "totally wrong" at all.  get_task_comm() *requires* that it be
passed a buffer of at least TASK_COMM_LEN bytes.  sizeof(tsk->comm)
equals TASK_COMM_LEN and always will do so.  We could replace the
sizeof with TASK_COMM_LEN for cosmetic reasons but that's utter
nitpicking.  But then, the comment right there says "buf must be at
least sizeof(tsk->comm) in size".  That's so simple that even a kernel
developer could understand it?

Do we need a runtime check every time to make sure that some developer
didn't misunderstand such a simple thing?  Seems pretty pointless -
there are a zillion such runtime checks we could add.  It'd be better
to do

#define get_task_comm(buf, tsk) {			\
	BUILD_BUG_ON(sizeof(buf) < TASK_COMM_LEN);	\
	__get_task_comm(buf, tsk);			\
}

and save the runtime bloat.  But again, what was special about this
particular programmer error?  There are five or six instances of
strcpy(foo, current->comm).  Do we need runtime checks there as well??

next prev parent reply	other threads:[~2010-06-29 19:00 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-23 18:11 [PATCH] sanitize task->comm to avoid leaking escape codes Kees Cook
2010-06-23 19:41 ` Oleg Nesterov
2010-06-23 20:23   ` Alexey Dobriyan
2010-06-23 21:28     ` Kees Cook
2010-06-28 20:00     ` Andrew Morton
2010-06-28 21:03       ` Kees Cook
2010-06-29  8:45         ` Alexey Dobriyan
2010-06-29 15:09           ` Kees Cook
2010-06-29 18:59             ` Andrew Morton [this message]
2010-06-29 19:13               ` Kees Cook
2010-06-29  4:58   ` Artem Bityutskiy
2010-06-29  4:58     ` Artem Bityutskiy
2010-06-29 13:31     ` Oleg Nesterov
2010-06-29 16:23       ` Paul E. McKenney
2010-06-29 17:18         ` Oleg Nesterov
2010-06-29 17:33           ` Paul E. McKenney
2010-06-29 22:32     ` john stultz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100629115956.03c4a0b4.akpm@linux-foundation.org \
    --to=akpm@linux-foundation.org \
    --cc=adobriyan@gmail.com \
    --cc=kees.cook@canonical.com \
    --cc=kosaki.motohiro@jp.fujitsu.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=nhorman@tuxdriver.com \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    --cc=roland@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.