From: Kees Cook <kees@kernel.org>
To: Bhupesh Sharma <bhsharma@igalia.com>
Cc: Bhupesh <bhupesh@igalia.com>,
akpm@linux-foundation.org, kernel-dev@igalia.com,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-perf-users@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, oliver.sang@intel.com, lkp@intel.com,
laoar.shao@gmail.com, pmladek@suse.com, rostedt@goodmis.org,
mathieu.desnoyers@efficios.com, arnaldo.melo@gmail.com,
alexei.starovoitov@gmail.com, andrii.nakryiko@gmail.com,
mirq-linux@rere.qmqm.pl, peterz@infradead.org,
willy@infradead.org, david@redhat.com, viro@zeniv.linux.org.uk,
ebiederm@xmission.com, brauner@kernel.org, jack@suse.cz,
mingo@redhat.com, juri.lelli@redhat.com, bsegall@google.com,
mgorman@suse.de, vschneid@redhat.com,
linux-trace-kernel@vger.kernel.org
Subject: Re: [PATCH v4 3/3] exec: Add support for 64 byte 'tsk->comm_ext'
Date: Fri, 23 May 2025 13:55:22 -0700 [thread overview]
Message-ID: <202505231346.52F291C54@keescook> (raw)
In-Reply-To: <a7c323fe-6d11-4a21-a203-bd60acbfd831@igalia.com>
On Fri, May 23, 2025 at 06:01:41PM +0530, Bhupesh Sharma wrote:
> 2. %s usage: I checked this at multiple places and can confirm that %s usage
> to print out 'tsk->comm' (as a string), get the longer
> new "extended comm".
As an example of why I don't like this union is that this is now lying
to the compiler. e.g. a %s of an object with a known size (sizeof(comm))
may now run off the end of comm without finding a %NUL character... this
is "safe" in the sense that the "extended comm" is %NUL terminated, but
it makes the string length ambiguous for the compiler (and any
associated security hardening).
> 3. users who do 'sizeof(->comm)' will continue to get the old value because
> of the union.
Right -- this is exactly where I think it can get very very wrong,
leaving things unterminated.
> The problem with having two separate comms: tsk->comm and tsk->ext_comm,
> instead of a union is two fold:
> (a). If we keep two separate statically allocated comms: tsk->comm and
> tsk->ext_comm in struct task_struct, we need to basically keep supporting
> backward compatibility / ABI via tsk->comm and ask new user-land users to
> move to tsk->ext_comm.
>
> (b). If we keep one statically allocated comm: tsk->comm and one dynamically allocated tsk->ext_comm in struct task_struct, then we have the problem of allocating the tsk->ext_comm which _may_ be in the exec() hot path.
>
> I think the discussion between Linus and Yafang (see [1]), was more towards avoiding the approach in 3(a).
>
> Also we discussed the 3(b) approach, during the review of v2 of this series, where there was a apprehensions around: adding another field to store the task name and allocating tsk->ext_comm dynamically in the exec() hot path (see [2]).
Right -- I agree we need them statically allocated. But I think a union
is going to be really error-prone.
How about this: rename task->comm to something else (task->comm_str?),
increase its size and then add ABI-keeping wrappers for everything that
_must_ have the old length.
Doing this guarantees we won't miss anything (since "comm" got renamed),
and during the refactoring all the places where the old length is required
will be glaringly obvious. (i.e. it will be harder to make mistakes
about leaving things unterminated.)
--
Kees Cook
next prev parent reply other threads:[~2025-05-23 20:55 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-21 6:23 [PATCH v4 0/3] Add support for long task name Bhupesh
2025-05-21 6:23 ` [PATCH v4 1/3] exec: Remove obsolete comments Bhupesh
2025-05-22 6:18 ` Yafang Shao
2025-05-21 6:23 ` [PATCH v4 2/3] treewide: Switch memcpy() users of 'task->comm' to a more safer implementation Bhupesh
2025-05-21 20:02 ` kernel test robot
2025-05-22 19:46 ` Bhupesh Sharma
2025-05-22 6:15 ` Yafang Shao
2025-05-22 6:27 ` Yafang Shao
2025-05-22 19:44 ` Bhupesh Sharma
2025-05-23 9:40 ` Dan Carpenter
2025-05-21 6:23 ` [PATCH v4 3/3] exec: Add support for 64 byte 'tsk->comm_ext' Bhupesh
2025-05-23 3:48 ` Kees Cook
2025-05-23 12:31 ` Bhupesh Sharma
2025-05-23 20:55 ` Kees Cook [this message]
2025-05-26 11:13 ` Bhupesh Sharma
2025-06-30 7:58 ` Bhupesh Sharma
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202505231346.52F291C54@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=arnaldo.melo@gmail.com \
--cc=bhsharma@igalia.com \
--cc=bhupesh@igalia.com \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=bsegall@google.com \
--cc=david@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jack@suse.cz \
--cc=juri.lelli@redhat.com \
--cc=kernel-dev@igalia.com \
--cc=laoar.shao@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mgorman@suse.de \
--cc=mingo@redhat.com \
--cc=mirq-linux@rere.qmqm.pl \
--cc=oliver.sang@intel.com \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=viro@zeniv.linux.org.uk \
--cc=vschneid@redhat.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).