From: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, rostedt@goodmis.org, mhiramat@kernel.org,
andrii@kernel.org, kernel-team@meta.com,
linux-kernel@vger.kernel.org, Mykyta Yatsenko <yatsenko@meta.com>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
Date: Wed, 23 Apr 2025 12:37:46 +0100 [thread overview]
Message-ID: <08e3ec4c-4401-403e-9d81-5ee0abebba5c@gmail.com> (raw)
In-Reply-To: <20250422172011.feb243d2f7478c0e7109b74c@linux-foundation.org>
On 4/23/25 01:20, Andrew Morton wrote:
> On Tue, 22 Apr 2025 14:14:49 +0100 Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> wrote:
>
>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>
>> strncpy_from_user_nofault should return the length of the copied string
>> including the trailing NUL, but if the argument unsafe_addr points to
>> an empty string ({'\0'}), the return value is 0.
>>
>> This happens as strncpy_from_user copies terminal symbol into dst
>> and returns 0 (as expected), but strncpy_from_user_nofault does not
>> modify ret as it is not equal to count and not greater than 0, so 0 is
>> returned, which contradicts the contract.
>>
>> ...
>>
> Thanks.
>
> Does this fix any known runtime issue? If so, please fully describe this?
Not that I'm aware of. The issue could be found when trying to copy empty
user space string in BPF program (and relying on return value).There are
some usage of
`strncpy_from_user_nofault` in tracing subsystem, but I'm not sure how to
hit those code paths.
>
>> --- a/mm/maccess.c
>> +++ b/mm/maccess.c
>> @@ -196,7 +196,7 @@ long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
>> if (ret >= count) {
>> ret = count;
>> dst[ret - 1] = '\0';
>> - } else if (ret > 0) {
>> + } else if (ret >= 0) {
>> ret++;
>> }
>>
next prev parent reply other threads:[~2025-04-23 11:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-22 13:14 Mykyta Yatsenko
2025-04-22 15:48 ` Andrii Nakryiko
2025-04-23 0:20 ` Andrew Morton
2025-04-23 11:37 ` Mykyta Yatsenko [this message]
2025-04-23 13:59 ` Steven Rostedt
2025-04-23 14:48 ` Mykyta Yatsenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=08e3ec4c-4401-403e-9d81-5ee0abebba5c@gmail.com \
--to=mykyta.yatsenko5@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andrii@kernel.org \
--cc=keescook@chromium.org \
--cc=kernel-team@meta.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=yatsenko@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox