From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Yafang Shao <laoar.shao@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-mm <linux-mm@kvack.org>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
linux-trace-kernel <linux-trace-kernel@vger.kernel.org>,
audit@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
selinux@vger.kernel.org, bpf <bpf@vger.kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH 1/6] fs/exec: Drop task_lock() inside __get_task_comm()
Date: Mon, 10 Jun 2024 07:34:01 -0500 [thread overview]
Message-ID: <87ikyhrn7q.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <CAADnVQ+9T4n=ZhNMd57qfu2w=VqHM8Dzx-7UAAinU5MoORg63w@mail.gmail.com> (Alexei Starovoitov's message of "Sun, 2 Jun 2024 11:23:17 -0700")
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Sun, Jun 2, 2024 at 10:53 AM Eric W. Biederman <ebiederm@xmission.com> wrote:
>>
>> If you are performing lockless reads and depending upon a '\0'
>> terminator without limiting yourself to the size of the buffer
>> there needs to be a big fat comment as to how in the world
>> you are guaranteed that a '\0' inside the buffer will always
>> be found.
>
> I think Yafang can certainly add such a comment next to
> __[gs]et_task_comm.
>
> I prefer to avoid open coding memcpy + mmemset when strscpy_pad works.
Looking through the code in set_task_comm
strscpy_pad only works when both the source and designation are aligned.
Otherwise it performs a byte a time copy, and is most definitely
susceptible to the race I observed.
Further I looked a couple of the uses of set_task_com, in
fs/proc/base.c, kernel/kthread.c, and kernel/sys.c.
Nowhere do I see a guarantee that the source buffer is word aligned
or even something that would reasonably cause a compiler to place the
buffer that is being passed to set_task_comm to be word aligned.
As far as I can tell it is completely up to the compiler if it will
cause strscpy_pad to honor the word at a time guarantee needed
to make strscpy_pad safe for reading the information.
This is not to say we can't make it safe.
The easiest would be to create an aligned temporary buffer in
set_task_comm, and preserve the existing interface. Alternatively
a type that has the appropriate size and alignment could be used
as input to set_task_comm and it could be caller's responsibility
to use it.
While we can definitely make reading task->comm happen without taking
the lock. Doing so without updating set_task_comm to provide the
guarantees needed to make it safe, looks like a case of play silly
games, win silly prizes.
Eric
next prev parent reply other threads:[~2024-06-10 13:16 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-02 2:37 [PATCH 0/6] kernel: Avoid memcpy of task comm Yafang Shao
2024-06-02 2:37 ` [PATCH 1/6] fs/exec: Drop task_lock() inside __get_task_comm() Yafang Shao
2024-06-02 3:51 ` Eric W. Biederman
2024-06-02 6:56 ` Yafang Shao
2024-06-02 16:35 ` Alexei Starovoitov
2024-06-02 17:52 ` Eric W. Biederman
2024-06-02 18:23 ` Alexei Starovoitov
2024-06-03 11:35 ` Yafang Shao
2024-06-10 12:34 ` Eric W. Biederman [this message]
2024-06-10 23:01 ` Alexei Starovoitov
2024-06-02 20:11 ` Linus Torvalds
2024-06-02 17:56 ` Eric W. Biederman
2024-06-04 13:02 ` Matus Jokay
2024-06-04 20:01 ` Matus Jokay
2024-06-05 2:48 ` Yafang Shao
2024-06-02 2:37 ` [PATCH 2/6] tracing: Replace memcpy() with __get_task_comm() Yafang Shao
2024-06-03 21:20 ` Steven Rostedt
2024-06-03 21:42 ` Linus Torvalds
2024-06-03 22:19 ` Steven Rostedt
2024-06-03 22:23 ` Linus Torvalds
2024-06-03 22:37 ` Steven Rostedt
2024-06-03 22:38 ` Linus Torvalds
2024-06-03 22:40 ` Steven Rostedt
2024-06-04 2:35 ` Yafang Shao
2024-06-02 2:37 ` [PATCH 3/6] auditsc: " Yafang Shao
2024-06-03 21:03 ` Paul Moore
2024-06-02 2:37 ` [PATCH 4/6] security: " Yafang Shao
2024-06-03 22:06 ` Paul Moore
2024-06-02 2:37 ` [PATCH 5/6] bpftool: Make task comm always be NUL-terminated Yafang Shao
2024-06-02 21:01 ` Quentin Monnet
2024-06-02 2:46 ` [PATCH 6/6] selftests/bpf: Replace memcpy() with __get_task_comm() Yafang Shao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ikyhrn7q.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=alexei.starovoitov@gmail.com \
--cc=audit@vger.kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=laoar.shao@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.