From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Yafang Shao <laoar.shao@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-mm <linux-mm@kvack.org>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
linux-trace-kernel <linux-trace-kernel@vger.kernel.org>,
audit@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
selinux@vger.kernel.org, bpf <bpf@vger.kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH 1/6] fs/exec: Drop task_lock() inside __get_task_comm()
Date: Sun, 02 Jun 2024 12:52:07 -0500 [thread overview]
Message-ID: <874jabdygo.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <CAADnVQJ_RPg_xTjuO=+3G=4auZkS-t-F2WTs18rU2PbVdJVbdQ@mail.gmail.com> (Alexei Starovoitov's message of "Sun, 2 Jun 2024 09:35:19 -0700")
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Sat, Jun 1, 2024 at 11:57 PM Yafang Shao <laoar.shao@gmail.com> wrote:
>>
>> On Sun, Jun 2, 2024 at 11:52 AM Eric W. Biederman <ebiederm@xmission.com> wrote:
>> >
>> > Yafang Shao <laoar.shao@gmail.com> writes:
>> >
>> > > Quoted from Linus [0]:
>> > >
>> > > Since user space can randomly change their names anyway, using locking
>> > > was always wrong for readers (for writers it probably does make sense
>> > > to have some lock - although practically speaking nobody cares there
>> > > either, but at least for a writer some kind of race could have
>> > > long-term mixed results
>> >
>> > Ugh.
>> > Ick.
>> >
>> > This code is buggy.
>> >
>> > I won't argue that Linus is wrong, about removing the
>> > task_lock.
>> >
>> > Unfortunately strscpy_pad does not work properly with the
>> > task_lock removed, and buf_size larger that TASK_COMM_LEN.
>> > There is a race that will allow reading past the end
>> > of tsk->comm, if we read while tsk->common is being
>> > updated.
>>
>> It appears so. Thanks for pointing it out. Additionally, other code,
>> such as the BPF helper bpf_get_current_comm(), also uses strscpy_pad()
>> directly without the task_lock. It seems we should change that as
>> well.
>
> Hmm. What race do you see?
> If lock is removed from __get_task_comm() it probably can be removed from
> __set_task_comm() as well.
> And both are calling strscpy_pad to write and read comm.
> So I don't see how it would read past sizeof(comm),
> because 'buf' passed into __set_task_comm is NUL-terminated.
> So the concurrent read will find it.
The read may race with a write that is changing the location
of '\0'. Especially if the new value is shorter than
the old value.
If you are performing lockless reads and depending upon a '\0'
terminator without limiting yourself to the size of the buffer
there needs to be a big fat comment as to how in the world
you are guaranteed that a '\0' inside the buffer will always
be found.
Eric
next prev parent reply other threads:[~2024-06-02 17:53 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-02 2:37 [PATCH 0/6] kernel: Avoid memcpy of task comm Yafang Shao
2024-06-02 2:37 ` [PATCH 1/6] fs/exec: Drop task_lock() inside __get_task_comm() Yafang Shao
2024-06-02 3:51 ` Eric W. Biederman
2024-06-02 6:56 ` Yafang Shao
2024-06-02 16:35 ` Alexei Starovoitov
2024-06-02 17:52 ` Eric W. Biederman [this message]
2024-06-02 18:23 ` Alexei Starovoitov
2024-06-03 11:35 ` Yafang Shao
2024-06-10 12:34 ` Eric W. Biederman
2024-06-10 23:01 ` Alexei Starovoitov
2024-06-02 20:11 ` Linus Torvalds
2024-06-02 17:56 ` Eric W. Biederman
2024-06-04 13:02 ` Matus Jokay
2024-06-04 20:01 ` Matus Jokay
2024-06-05 2:48 ` Yafang Shao
2024-06-02 2:37 ` [PATCH 2/6] tracing: Replace memcpy() with __get_task_comm() Yafang Shao
2024-06-03 21:20 ` Steven Rostedt
2024-06-03 21:42 ` Linus Torvalds
2024-06-03 22:19 ` Steven Rostedt
2024-06-03 22:23 ` Linus Torvalds
2024-06-03 22:37 ` Steven Rostedt
2024-06-03 22:38 ` Linus Torvalds
2024-06-03 22:40 ` Steven Rostedt
2024-06-04 2:35 ` Yafang Shao
2024-06-02 2:37 ` [PATCH 3/6] auditsc: " Yafang Shao
2024-06-03 21:03 ` Paul Moore
2024-06-02 2:37 ` [PATCH 4/6] security: " Yafang Shao
2024-06-03 22:06 ` Paul Moore
2024-06-02 2:37 ` [PATCH 5/6] bpftool: Make task comm always be NUL-terminated Yafang Shao
2024-06-02 21:01 ` Quentin Monnet
2024-06-02 2:46 ` [PATCH 6/6] selftests/bpf: Replace memcpy() with __get_task_comm() Yafang Shao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jabdygo.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=alexei.starovoitov@gmail.com \
--cc=audit@vger.kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=laoar.shao@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.