[PATCH] tracing/uprobe: Replace strlcpy() with strscpy()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] tracing/uprobe: Replace strlcpy() with strscpy()
@ 2023-11-30 20:56 Kees Cook
  2023-12-01  5:51 ` Masami Hiramatsu
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Kees Cook @ 2023-11-30 20:56 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: Kees Cook, Masami Hiramatsu, linux-trace-kernel, linux-kernel,
	linux-hardening

strlcpy() reads the entire source buffer first. This read may exceed
the destination size limit. This is both inefficient and can lead
to linear read overflows if a source string is not NUL-terminated[1].
Additionally, it returns the size of the source string, not the
resulting size of the destination string. In an effort to remove strlcpy()
completely[2], replace strlcpy() here with strscpy().

The negative return value is already handled by this code so no new
handling is needed here.

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1]
Link: https://github.com/KSPP/linux/issues/89 [2]
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: linux-trace-kernel@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 kernel/trace/trace_uprobe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index 99c051de412a..a84b85d8aac1 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -151,7 +151,7 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
 		return -ENOMEM;
 
 	if (addr == FETCH_TOKEN_COMM)
-		ret = strlcpy(dst, current->comm, maxlen);
+		ret = strscpy(dst, current->comm, maxlen);
 	else
 		ret = strncpy_from_user(dst, src, maxlen);
 	if (ret >= 0) {
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] tracing/uprobe: Replace strlcpy() with strscpy()
  2023-11-30 20:56 [PATCH] tracing/uprobe: Replace strlcpy() with strscpy() Kees Cook
@ 2023-12-01  5:51 ` Masami Hiramatsu
  2023-12-01  6:27 ` Masami Hiramatsu
  2023-12-01 18:25 ` Kees Cook
  2 siblings, 0 replies; 5+ messages in thread
From: Masami Hiramatsu @ 2023-12-01  5:51 UTC (permalink / raw)
  To: Kees Cook
  Cc: Steven Rostedt, Masami Hiramatsu, linux-trace-kernel,
	linux-kernel, linux-hardening

On Thu, 30 Nov 2023 12:56:08 -0800
Kees Cook <keescook@chromium.org> wrote:

> strlcpy() reads the entire source buffer first. This read may exceed
> the destination size limit. This is both inefficient and can lead
> to linear read overflows if a source string is not NUL-terminated[1].
> Additionally, it returns the size of the source string, not the
> resulting size of the destination string. In an effort to remove strlcpy()
> completely[2], replace strlcpy() here with strscpy().
> 
> The negative return value is already handled by this code so no new
> handling is needed here.
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1]
> Link: https://github.com/KSPP/linux/issues/89 [2]
> Cc: Steven Rostedt <rostedt@goodmis.org>
> Cc: Masami Hiramatsu <mhiramat@kernel.org>
> Cc: linux-trace-kernel@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Thanks for reporting! Let me pick this.

Thanks!

> ---
>  kernel/trace/trace_uprobe.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index 99c051de412a..a84b85d8aac1 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -151,7 +151,7 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
>  		return -ENOMEM;
>  
>  	if (addr == FETCH_TOKEN_COMM)
> -		ret = strlcpy(dst, current->comm, maxlen);
> +		ret = strscpy(dst, current->comm, maxlen);
>  	else
>  		ret = strncpy_from_user(dst, src, maxlen);
>  	if (ret >= 0) {
> -- 
> 2.34.1
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] tracing/uprobe: Replace strlcpy() with strscpy()
  2023-11-30 20:56 [PATCH] tracing/uprobe: Replace strlcpy() with strscpy() Kees Cook
  2023-12-01  5:51 ` Masami Hiramatsu
@ 2023-12-01  6:27 ` Masami Hiramatsu
  2023-12-01 18:24   ` Kees Cook
  2023-12-01 18:25 ` Kees Cook
  2 siblings, 1 reply; 5+ messages in thread
From: Masami Hiramatsu @ 2023-12-01  6:27 UTC (permalink / raw)
  To: Kees Cook
  Cc: Steven Rostedt, Masami Hiramatsu, linux-trace-kernel,
	linux-kernel, linux-hardening

On Thu, 30 Nov 2023 12:56:08 -0800
Kees Cook <keescook@chromium.org> wrote:

> strlcpy() reads the entire source buffer first. This read may exceed
> the destination size limit. This is both inefficient and can lead
> to linear read overflows if a source string is not NUL-terminated[1].
> Additionally, it returns the size of the source string, not the
> resulting size of the destination string. In an effort to remove strlcpy()
> completely[2], replace strlcpy() here with strscpy().
> 
> The negative return value is already handled by this code so no new
> handling is needed here.
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1]
> Link: https://github.com/KSPP/linux/issues/89 [2]
> Cc: Steven Rostedt <rostedt@goodmis.org>
> Cc: Masami Hiramatsu <mhiramat@kernel.org>
> Cc: linux-trace-kernel@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

Hi Kees,

As same as sample's change, should I ask you to pick this to your tree?
Since it is a kind of a part of series patch. I'm OK for it since this
does not change the code so much.

In that case, please feel free to add my Ack.

Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Thank you,


> ---
>  kernel/trace/trace_uprobe.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index 99c051de412a..a84b85d8aac1 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -151,7 +151,7 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
>  		return -ENOMEM;
>  
>  	if (addr == FETCH_TOKEN_COMM)
> -		ret = strlcpy(dst, current->comm, maxlen);
> +		ret = strscpy(dst, current->comm, maxlen);
>  	else
>  		ret = strncpy_from_user(dst, src, maxlen);
>  	if (ret >= 0) {
> -- 
> 2.34.1
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] tracing/uprobe: Replace strlcpy() with strscpy()
  2023-12-01  6:27 ` Masami Hiramatsu
@ 2023-12-01 18:24   ` Kees Cook
  0 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2023-12-01 18:24 UTC (permalink / raw)
  To: Masami Hiramatsu
  Cc: Steven Rostedt, linux-trace-kernel, linux-kernel, linux-hardening

On Fri, Dec 01, 2023 at 03:27:26PM +0900, Masami Hiramatsu wrote:
> On Thu, 30 Nov 2023 12:56:08 -0800
> Kees Cook <keescook@chromium.org> wrote:
> 
> > strlcpy() reads the entire source buffer first. This read may exceed
> > the destination size limit. This is both inefficient and can lead
> > to linear read overflows if a source string is not NUL-terminated[1].
> > Additionally, it returns the size of the source string, not the
> > resulting size of the destination string. In an effort to remove strlcpy()
> > completely[2], replace strlcpy() here with strscpy().
> > 
> > The negative return value is already handled by this code so no new
> > handling is needed here.
> > 
> > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1]
> > Link: https://github.com/KSPP/linux/issues/89 [2]
> > Cc: Steven Rostedt <rostedt@goodmis.org>
> > Cc: Masami Hiramatsu <mhiramat@kernel.org>
> > Cc: linux-trace-kernel@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> Hi Kees,
> 
> As same as sample's change, should I ask you to pick this to your tree?
> Since it is a kind of a part of series patch. I'm OK for it since this
> does not change the code so much.
> 
> In that case, please feel free to add my Ack.
> 
> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Either way is fine, but I can take it since I've got a few others
already too. :)

Thanks!

-Kees

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] tracing/uprobe: Replace strlcpy() with strscpy()
  2023-11-30 20:56 [PATCH] tracing/uprobe: Replace strlcpy() with strscpy() Kees Cook
  2023-12-01  5:51 ` Masami Hiramatsu
  2023-12-01  6:27 ` Masami Hiramatsu
@ 2023-12-01 18:25 ` Kees Cook
  2 siblings, 0 replies; 5+ messages in thread
From: Kees Cook @ 2023-12-01 18:25 UTC (permalink / raw)
  To: Steven Rostedt, Kees Cook
  Cc: Masami Hiramatsu, linux-trace-kernel, linux-kernel,
	linux-hardening

On Thu, 30 Nov 2023 12:56:08 -0800, Kees Cook wrote:
> strlcpy() reads the entire source buffer first. This read may exceed
> the destination size limit. This is both inefficient and can lead
> to linear read overflows if a source string is not NUL-terminated[1].
> Additionally, it returns the size of the source string, not the
> resulting size of the destination string. In an effort to remove strlcpy()
> completely[2], replace strlcpy() here with strscpy().
> 
> [...]

Applied to for-next/hardening, thanks!

[1/1] tracing/uprobe: Replace strlcpy() with strscpy()
      https://git.kernel.org/kees/c/8a3750ecf810

Take care,

-- 
Kees Cook


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-12-01 18:26 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-30 20:56 [PATCH] tracing/uprobe: Replace strlcpy() with strscpy() Kees Cook
2023-12-01  5:51 ` Masami Hiramatsu
2023-12-01  6:27 ` Masami Hiramatsu
2023-12-01 18:24   ` Kees Cook
2023-12-01 18:25 ` Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox