Date: Sat, 28 Sep 2024 14:14:27 -0700
From: Kees Cook <kees@kernel.org>
To: Yafang Shao
Cc: akpm@linux-foundation.org, torvalds@linux-foundation.org, alx@kernel.org, justinstitt@google.com, ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, catalin.marinas@arm.com, penguin-kernel@i-love.sakura.ne.jp, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup()
Message-ID: <202409281411.3C42A3703C@keescook>
References: <20240817025624.13157-1-laoar.shao@gmail.com> <20240817025624.13157-6-laoar.shao@gmail.com>
In-Reply-To: <20240817025624.13157-6-laoar.shao@gmail.com>

On Sat, Aug 17, 2024 at 10:56:21AM +0800, Yafang Shao wrote:
> In kstrdup(), it is critical to ensure that the dest string is always
> NUL-terminated. However, potential race condition can occur between a
> writer and a reader.
>
> Consider the following scenario involving task->comm:
>
>     reader                          writer
>
>     len = strlen(s) + 1;
>                                     strlcpy(tsk->comm, buf, sizeof(tsk->comm));
>     memcpy(buf, s, len);
>
> In this case, there is a race condition between the reader and the
> writer. The reader calculates the length of the string `s` based on the
> old value of task->comm. However, during the memcpy(), the string `s`
> might be updated by the writer to a new value of task->comm.
>
> If the new task->comm is larger than the old one, the `buf` might not be
> NUL-terminated. This can lead to undefined behavior and potential
> security vulnerabilities.
>
> Let's fix it by explicitly adding a NUL-terminator.

So, I'm fine with adding this generally, but I'm not sure we can construct
these helpers to be universally safe against the strings changing out from
under them. This situation is distinct to the 'comm' member, so I'd like
to focus on helpers around 'comm' access behaving in a reliable fashion.

-Kees

>
> Signed-off-by: Yafang Shao
> Cc: Andrew Morton
> ---
>  mm/util.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/mm/util.c b/mm/util.c
> index 983baf2bd675..4542d8a800d9 100644
> --- a/mm/util.c
> +++ b/mm/util.c
> @@ -62,8 +62,14 @@ char *kstrdup(const char *s, gfp_t gfp)
>  
>  	len = strlen(s) + 1;
>  	buf = kmalloc_track_caller(len, gfp);
> -	if (buf)
> +	if (buf) {
>  		memcpy(buf, s, len);
> +		/* During memcpy(), the string might be updated to a new value,
> +		 * which could be longer than the string when strlen() is
> +		 * called. Therefore, we need to add a null termimator.
> +		 */
> +		buf[len - 1] = '\0';
> +	}
>  	return buf;
>  }
>  EXPORT_SYMBOL(kstrdup);
> -- 
> 2.43.5
> 

-- 
Kees Cook
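Review bot: the comment added above `buf[len - 1] = '\0';` in the kstrdup() hunk promises more than the line delivers, and has two style problems. What the terminator guarantees is only that the copy holds a NUL somewhere within the len bytes that were allocated; memcpy() is still reading a buffer another CPU may be writing, so the copy can be a mix of the old and new contents, and a source that is freed or reallocated rather than overwritten in place (unlike the fixed-size task->comm in the commit message) is not made safe at all. Suggest narrowing the comment to what is guaranteed, e.g. `/* Defensive: the source may have grown since strlen(); keep the copy NUL-terminated. */`, and leaving the race analysis in the commit message. On style, "null termimator" should read "NUL terminator", and the `/* During memcpy(), ...` opener is the block-comment form checkpatch warns about outside net/ (it expects `/*` on a line of its own).

To make the interleaving in the commit message concrete, here is an added example in plain user-space C; it is not code from the patch, the thread, or the kernel tree. It models the writer landing between strlen() and memcpy() through a hook (`race_hook_t`, a device of this example), compares the pre-patch copy with the patched one, and sketches the kind of comm-specific helper Kees asks for (`copy_comm()` and `COMM_LEN`, both assumed here, mirroring TASK_COMM_LEN's fixed-size destination).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors TASK_COMM_LEN; an assumption of this example, not from the patch. */
#define COMM_LEN 16

/* Hook invoked between strlen() and memcpy() so the writer's update lands
 * deterministically inside the reader's race window (a modelling device). */
typedef void (*race_hook_t)(void *ctx);

/* The kstrdup() pattern: length taken once, copy made later. With
 * patched == 0 this is the pre-patch code; with patched != 0 it adds the
 * terminator the patch introduces. */
static char *dup_like_kstrdup(const char *s, race_hook_t hook, void *ctx,
			      int patched)
{
	size_t len = strlen(s) + 1;
	char *buf = malloc(len);

	if (!buf)
		return NULL;
	if (hook)
		hook(ctx);		/* the writer changes *s here */
	memcpy(buf, s, len);
	if (patched)
		buf[len - 1] = '\0';	/* always terminated within len bytes */
	return buf;
}

/* A comm-specific helper (name and shape assumed): the destination is
 * always COMM_LEN bytes and the copy is bounded and terminated no matter
 * how the source changes underneath it. */
static void copy_comm(char dst[COMM_LEN], const char *comm)
{
	size_t i;

	for (i = 0; i < COMM_LEN - 1 && comm[i] != '\0'; i++)
		dst[i] = comm[i];
	dst[i] = '\0';
}

struct comm_ctx {
	char comm[COMM_LEN];	/* stands in for tsk->comm */
	const char *next;	/* the longer name the writer installs */
};

/* Writer side of the diagram: a bounded, terminating write into comm. */
static void writer(void *p)
{
	struct comm_ctx *c = p;

	snprintf(c->comm, COMM_LEN, "%s", c->next);
}

/* One interleaving: the reader sees the 2-byte name "sh" at strlen() time,
 * then the writer installs "kworker/u8:0" (constructed sample names)
 * before memcpy() runs. Returns 1 if the copy holds a NUL within the
 * bytes that were allocated, 0 otherwise. */
static int copy_is_terminated(int patched)
{
	struct comm_ctx c = { .next = "kworker/u8:0" };
	size_t len;
	char *copy;
	int ok;

	snprintf(c.comm, COMM_LEN, "%s", "sh");
	len = strlen(c.comm) + 1;	/* 3: what the reader allocates */
	copy = dup_like_kstrdup(c.comm, writer, &c, patched);
	ok = copy != NULL && memchr(copy, '\0', len) != NULL;
	free(copy);
	return ok;
}

int naive_copy_terminated(void) { return copy_is_terminated(0); }
int fixed_copy_terminated(void) { return copy_is_terminated(1); }

/* The helper stays safe even for a source longer than the destination:
 * returns the copied length, which never exceeds COMM_LEN - 1. */
int helper_copy_len(const char *src)
{
	char dst[COMM_LEN];

	copy_comm(dst, src);
	return (int)strlen(dst);
}

int main(void)
{
	printf("pre-patch copy terminated: %d\n", naive_copy_terminated());
	printf("patched copy terminated:   %d\n", fixed_copy_terminated());
	printf("helper copy length:        %d\n",
	       helper_copy_len("a-name-much-longer-than-comm"));
	return 0;
}
```

The pre-patch copy comes back as the three bytes "kwo" with no NUL, so any later strlen() or printk("%s") on it reads past the allocation; the patched copy is "kw", terminated but truncated, which is the limit of what `buf[len - 1] = '\0'` can promise. The comm helper sidesteps the problem entirely by never trusting a length computed before the copy: its bound comes from the destination size.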