Re: [PATCH] sanitize task->comm to avoid leaking escape codes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Artem Bityutskiy <dedekind1@gmail.com>,
	john stultz <johnstul@us.ibm.com>,
	Kees Cook <kees.cook@canonical.com>,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	Roland McGrath <roland@redhat.com>, Ingo Molnar <mingo@elte.hu>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH] sanitize task->comm to avoid leaking escape codes
Date: Tue, 29 Jun 2010 10:33:49 -0700	[thread overview]
Message-ID: <20100629173349.GH2765@linux.vnet.ibm.com> (raw)
In-Reply-To: <20100629171846.GA18440@redhat.com>

On Tue, Jun 29, 2010 at 07:18:46PM +0200, Oleg Nesterov wrote:
> On 06/29, Paul E. McKenney wrote:
> >
> > On Tue, Jun 29, 2010 at 03:31:31PM +0200, Oleg Nesterov wrote:
> >
> > > So, afaics, set_task_comm()->wmb() buys nothing and should be removed.
> > > The last zero char in task_struct->comm[] is always here, at least this
> > > guarantees that strcpy(char *dest, tsk->comm) is always safe.
> > >
> > > (I cc'ed the expert, Paul can correct me)
> >
> > First, all of the implementations that I can see do task_lock(tsk), which
> > should prevent readers from seeing any changes.  So I am guessing that
> > you guys want to allow readers to get at ->comm without having to acquire
> > this lock.
> 
> Ah, sorry for confusion.
> 
> No, we are not trying to invent the lockless get_task_comm(). I'd say
> it is not needed, if we really care about the precise ->comm we can
> take task->alloc_lock.
> 
> The only problem is that I believe that set_task_comm() wrongly pretends
> wmb() can help the lockless reader, it does:
> 
> 	task_lock(tsk);
> 
> 	/*
> 	 * Threads may access current->comm without holding
> 	 * the task lock, so write the string carefully.
> 	 * Readers without a lock may see incomplete new
> 	 * names but are safe from non-terminating string reads.
> 	 */
> 	memset(tsk->comm, 0, TASK_COMM_LEN);
> 	wmb();
> 	strlcpy(tsk->comm, buf, sizeof(tsk->comm));
> 	task_unlock(tsk);
> 
> but afaics this wmb() buys absolutely nothing if we race with the
> reader doing, say,
> 
> 	printk("my name is %s\n", current->comm);
> 
> Afaics, this wmb()
> 
> 	- can't prevent from printing the mixture of the old/new data
> 
> 	- is not needed to make strcpy(somewhere, task->comm) safe,
> 	  the final char is always '0', we never change it.
> 
> 	- adds the unnecessary confusion

I agree -- I cannot see how this wmb() can help.

> > [... snip a lot of good ideas ...]
> 
> Thanks a lot, Paul ;)

Glad you liked them.  ;-)

							Thanx, Paul

next prev parent reply	other threads:[~2010-06-29 17:33 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-23 18:11 [PATCH] sanitize task->comm to avoid leaking escape codes Kees Cook
2010-06-23 19:41 ` Oleg Nesterov
2010-06-23 20:23   ` Alexey Dobriyan
2010-06-23 21:28     ` Kees Cook
2010-06-28 20:00     ` Andrew Morton
2010-06-28 21:03       ` Kees Cook
2010-06-29  8:45         ` Alexey Dobriyan
2010-06-29 15:09           ` Kees Cook
2010-06-29 18:59             ` Andrew Morton
2010-06-29 19:13               ` Kees Cook
2010-06-29  4:58   ` Artem Bityutskiy
2010-06-29  4:58     ` Artem Bityutskiy
2010-06-29 13:31     ` Oleg Nesterov
2010-06-29 16:23       ` Paul E. McKenney
2010-06-29 17:18         ` Oleg Nesterov
2010-06-29 17:33           ` Paul E. McKenney [this message]
2010-06-29 22:32     ` john stultz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100629173349.GH2765@linux.vnet.ibm.com \
    --to=paulmck@linux.vnet.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=dedekind1@gmail.com \
    --cc=johnstul@us.ibm.com \
    --cc=kees.cook@canonical.com \
    --cc=kosaki.motohiro@jp.fujitsu.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=nhorman@tuxdriver.com \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    --cc=roland@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.