From: Kees Cook <kees@kernel.org>
To: Yafang Shao <laoar.shao@gmail.com>
Cc: akpm@linux-foundation.org, torvalds@linux-foundation.org,
alx@kernel.org, justinstitt@google.com, ebiederm@xmission.com,
alexei.starovoitov@gmail.com, rostedt@goodmis.org,
catalin.marinas@arm.com, penguin-kernel@i-love.sakura.ne.jp,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
bpf@vger.kernel.org, netdev@vger.kernel.org,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup()
Date: Sat, 28 Sep 2024 14:14:27 -0700 [thread overview]
Message-ID: <202409281411.3C42A3703C@keescook> (raw)
In-Reply-To: <20240817025624.13157-6-laoar.shao@gmail.com>
On Sat, Aug 17, 2024 at 10:56:21AM +0800, Yafang Shao wrote:
> In kstrdup(), it is critical to ensure that the dest string is always
> NUL-terminated. However, potential race condidtion can occur between a
> writer and a reader.
>
> Consider the following scenario involving task->comm:
>
> reader writer
>
> len = strlen(s) + 1;
> strlcpy(tsk->comm, buf, sizeof(tsk->comm));
> memcpy(buf, s, len);
>
> In this case, there is a race condition between the reader and the
> writer. The reader calculate the length of the string `s` based on the
> old value of task->comm. However, during the memcpy(), the string `s`
> might be updated by the writer to a new value of task->comm.
>
> If the new task->comm is larger than the old one, the `buf` might not be
> NUL-terminated. This can lead to undefined behavior and potential
> security vulnerabilities.
>
> Let's fix it by explicitly adding a NUL-terminator.
So, I'm fine with adding this generally, but I'm not sure we can
construct these helpers to be universally safe against the strings
changing out from under them. This situation is distinct to the 'comm'
member, so I'd like to focus on helpers around 'comm' access behaving in
a reliable fashion.
-Kees
>
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> ---
> mm/util.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/mm/util.c b/mm/util.c
> index 983baf2bd675..4542d8a800d9 100644
> --- a/mm/util.c
> +++ b/mm/util.c
> @@ -62,8 +62,14 @@ char *kstrdup(const char *s, gfp_t gfp)
>
> len = strlen(s) + 1;
> buf = kmalloc_track_caller(len, gfp);
> - if (buf)
> + if (buf) {
> memcpy(buf, s, len);
> + /* During memcpy(), the string might be updated to a new value,
> + * which could be longer than the string when strlen() is
> + * called. Therefore, we need to add a null termimator.
> + */
> + buf[len - 1] = '\0';
> + }
> return buf;
> }
> EXPORT_SYMBOL(kstrdup);
> --
> 2.43.5
>
--
Kees Cook
next prev parent reply other threads:[~2024-09-28 21:14 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-17 2:56 [PATCH v7 0/8] Improve the copy of task comm Yafang Shao
2024-08-17 2:56 ` [PATCH v7 1/8] Get rid of __get_task_comm() Yafang Shao
2024-08-17 2:56 ` [PATCH v7 2/8] auditsc: Replace memcpy() with strscpy() Yafang Shao
2024-08-17 2:56 ` [PATCH v7 3/8] security: Replace memcpy() with get_task_comm() Yafang Shao
2024-08-17 2:56 ` [PATCH v7 4/8] bpftool: Ensure task comm is always NUL-terminated Yafang Shao
2024-08-17 8:38 ` Alejandro Colomar
2024-08-18 2:27 ` Yafang Shao
2024-08-18 8:25 ` Alejandro Colomar
2024-08-17 2:56 ` [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup() Yafang Shao
2024-08-17 8:48 ` Alejandro Colomar
2024-08-17 16:26 ` Linus Torvalds
2024-08-17 17:03 ` Alejandro Colomar
2024-09-28 21:17 ` Kees Cook
2024-09-29 7:58 ` Alejandro Colomar
2024-09-29 9:48 ` Alejandro Colomar
2024-09-26 17:35 ` Andy Shevchenko
2024-09-27 8:57 ` Yafang Shao
2024-09-28 21:14 ` Kees Cook [this message]
2024-08-17 2:56 ` [PATCH v7 6/8] mm/util: Deduplicate code in {kstrdup,kstrndup,kmemdup_nul} Yafang Shao
2024-08-17 8:57 ` Alejandro Colomar
2024-08-17 9:05 ` Alejandro Colomar
2024-08-26 9:20 ` Alejandro Colomar
2024-08-26 13:13 ` Yafang Shao
2024-08-17 2:56 ` [PATCH v7 7/8] net: Replace strcpy() with strscpy() Yafang Shao
2024-08-17 2:56 ` [PATCH v7 8/8] drm: " Yafang Shao
2024-08-26 2:30 ` [PATCH v7 0/8] Improve the copy of task comm Yafang Shao
2024-08-28 1:19 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202409281411.3C42A3703C@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alexei.starovoitov@gmail.com \
--cc=alx@kernel.org \
--cc=audit@vger.kernel.org \
--cc=bpf@vger.kernel.org \
--cc=catalin.marinas@arm.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=ebiederm@xmission.com \
--cc=justinstitt@google.com \
--cc=laoar.shao@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).