From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 12081D7360D
	for <linux-mm@archiver.kernel.org>; Sat, 30 Nov 2024 21:05:26 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 675346B007B; Sat, 30 Nov 2024 16:05:26 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 6253B6B0082; Sat, 30 Nov 2024 16:05:26 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 5138E6B0083; Sat, 30 Nov 2024 16:05:26 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 33CDA6B007B
	for <linux-mm@kvack.org>; Sat, 30 Nov 2024 16:05:26 -0500 (EST)
Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay09.hostedemail.com (Postfix) with ESMTP id C770980D0B
	for <linux-mm@kvack.org>; Sat, 30 Nov 2024 21:05:25 +0000 (UTC)
X-FDA: 82843991748.03.D961D91
Received: from nyc.source.kernel.org (nyc.source.kernel.org [147.75.193.91])
	by imf16.hostedemail.com (Postfix) with ESMTP id 406CD180006
	for <linux-mm@kvack.org>; Sat, 30 Nov 2024 21:05:14 +0000 (UTC)
Authentication-Results: imf16.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b="XplM/77y";
	dmarc=pass (policy=quarantine) header.from=kernel.org;
	spf=pass (imf16.hostedemail.com: domain of kees@kernel.org designates 147.75.193.91 as permitted sender) smtp.mailfrom=kees@kernel.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1733000715; a=rsa-sha256;
	cv=none;
	b=vE4Qb1xzR1cert10Ao39JkcMLVnB/IiyFPtXJCZvsJgOdQlCNHB8zYgB6V8HQ+KrtByZ/Y
	Ms/fvfFAflIyYQp6Fbd2PMOP2ZFXZCeTxsRi7qzqnpD0bTTLMe7IIR0Taz7/1BFEGlmtjq
	1BTPDet9Diq19gUKY5D2gzIi2vQUwmU=
ARC-Authentication-Results: i=1;
	imf16.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b="XplM/77y";
	dmarc=pass (policy=quarantine) header.from=kernel.org;
	spf=pass (imf16.hostedemail.com: domain of kees@kernel.org designates 147.75.193.91 as permitted sender) smtp.mailfrom=kees@kernel.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1733000715;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=qdcJIqHEn/4rKvxeODbBdOaYjGNs4YOdzs38KaeoZD4=;
	b=BJ7FOAfSbvqZla4MYj8AuHtTTCZ4mrE6IxBKfgGjbVSkCjraeRxanPtAnob2Q2WzRFcl8q
	JbtSAQJs82Y79tXQv7jPxQEkspnBM9l/ZEz9NAfoCx3sfLTc3IK7yhOYDbqfAPGaLAOy5+
	MFexRdKKqgAjhnZ6QqE7ON1dPbs/Pe0=
Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by nyc.source.kernel.org (Postfix) with ESMTP id 8F2D3A407EA;
	Sat, 30 Nov 2024 21:03:30 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4D685C4CECC;
	Sat, 30 Nov 2024 21:05:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1733000722;
	bh=+T8n7bvP/HSW8AefSu6V2BUZeXCElB+vKKwnKLP6Cw0=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=XplM/77yzRsY9Ul5Am4/Jwt/PYl8JmH6EQ0wAJgk6PnNXv19zdEsOrrCXqBV5vK96
	 qBng8VIUTIVUOmM4l1e2WWWABx38GhF/3UMfUlX0RXA3s8EODIDg2gJTvOsfpVYFQN
	 D1ccZf8sjL5Xuc1nZ4q/I28ZyB0ZtabCku9rjhcGMWmJCxs4dQigzAZMz3dHW5hQpJ
	 /lPc66WwkVgYxFIh5gSfkbQKtXgFfHPaoi9EcwgGBOWoY2QClLB3CXAOffZWU4IbCk
	 WVpLengyHosmhp/1ps3/Ap8Go54v+hpOOVH3bzN8oArTmgeIABnS8wAyCXaPPeih16
	 GEibrkTK8QWjQ==
Date: Sat, 30 Nov 2024 13:05:18 -0800
From: Kees Cook <kees@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Eric Biederman <ebiederm@xmission.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
	linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
	Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Juri Lelli <juri.lelli@redhat.com>,
	Vincent Guittot <vincent.guittot@linaro.org>,
	Dietmar Eggemann <dietmar.eggemann@arm.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
	Valentin Schneider <vschneid@redhat.com>,
	Jens Axboe <axboe@kernel.dk>,
	Pavel Begunkov <asml.silence@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Chen Yu <yu.c.chen@intel.com>,
	Shuah Khan <skhan@linuxfoundation.org>,
	=?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>,
	linux-kernel@vger.kernel.org, io-uring@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH] exec: Make sure task->comm is always NUL-terminated
Message-ID: <202411301244.381F2B8D17@keescook>
References: <20241130044909.work.541-kees@kernel.org>
 <CAHk-=wjAmu9OBS--RwB+HQn4nhUku=7ECOnSRP8JG0oRU97-kA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHk-=wjAmu9OBS--RwB+HQn4nhUku=7ECOnSRP8JG0oRU97-kA@mail.gmail.com>
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 406CD180006
X-Stat-Signature: w6f5eo5w6ioi7meig8embzmxnnpa6yib
X-Rspam-User: 
X-HE-Tag: 1733000714-81296
X-HE-Meta: U2FsdGVkX19fcatkpoWSoJFClkocl14wU2bJ3EvPdPDmAjv/jSnMhVtYT9fEwT2ecsEQ/yKMIPP3bF2fxgGn9MnnOjQko3HV5woDqK9jGaNGZ+Oa72V0UAEOJBi0hJunif0kT4kQ3KeES8MhACIGEH4UUWVuQHSFjkmjyebx0D2rUEUSN4f48ZvU/tnOTIltrhl82X4NSYfWa6gYU17HAzx8ekjBN5VEgjJXrwOhiwmbMg3/J9e0KzVN8pkCtJDqIeaHgoNEseGg3Z7Exw1FQCqZ37egPkPpVvydOirkm8cOoCf/DBve7AtzMEXQSn1mo94KeG4jwbS1nju4pRJVKs3nEQRG7nipoYW55DTVN/0nCpfcNMtUtnaaZ5sOkFGkpxHv7rJaHV/YNVEEhYJbiG10+Gx3QCHbPIibxF8b8pyoE99RLtgLzg4S8z5zh4l3sja1BmALjqEFTSZTHmUawQ8KSkUZ+QN2UOQvReOYmBHvelG5wXtyLZxwuNWS2h5MUDeoqnRwHArt2Lha2g695FO/ErYUSp03EXvoJ8tdb8/CWJcAZMeqqlWYLZtooeKB6iYDiTQML+5AmQQFN8pDTsiGjS0sLdnJN2EKUVp+aun1V2U4NHThboPcr4ynVXKcZmVpZPi6M8GoIhHzh+s4Zt1F6TaL4tLtgLq3j8dpVEujbPSl79IbIHaEuTLEuh58QOGtDQYE1EVPDUFMqvAE1U/M4o57nZCSA2upkLV8AyeYbCG2GtqZXrpJl24FmDPx9sS4htOh4SLZ8gcmZSLodZf5TkRY5M8tYLvQJCVTmijAsAVVeK5UtNbhbq1MKsBj8a/dwTZp3lf4tCbeeytCVXzfJrsMUjrs+SrfSf7vvNlxvz+Wynz9joANPu/ytxj0hRFQ/frg9IdHk6bgs9rNNnQUcpb68RD7s2kmV7Gv1VV6ec7UwvT4nDJvCYq7IeldErw7rs5l92lUWO2vSJ4
 oGXSW89S
 J2ef2vb/Kej+Wz9GqY3CsORW06d8HiS+UrChZwUmtlbWus3cmmwEVEs7H8IiA7rfWo/Ei/1WylUBD1Aff6FUpa1iCFPLTSiIjRjOs060Dkm8M9i8S6lShz1JToIUTn4I3KsP55b3W+P9EoD7Sooj5shd7M0vhmfkVm7QLKdaWV84imLqWYER0NaRSVwT2Djs1iTlz4DrCg4LIabUae9495o8CYWq9qOqxDjfAayLsRmJq9ggqCv0arz48ESQsfNTFPWfjokdmJIyRjGoRsutR+dAOMjPIB/RhEb6kP2k2mg53GQjEKJN0l8p8v6dXtPI/XEkC4J3EJNPqPU5sSuS1Dz9CzlZWDeMJlp4D
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Fri, Nov 29, 2024 at 11:15:44PM -0800, Linus Torvalds wrote:
> Edited down to just the end result:
> 
> On Fri, 29 Nov 2024 at 20:49, Kees Cook <kees@kernel.org> wrote:
> >
> >  void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec)
> >  {
> >         size_t len = min(strlen(buf), sizeof(tsk->comm) - 1);
> >
> >         trace_task_rename(tsk, buf);
> >         memcpy(tsk->comm, buf, len);
> >         memset(&tsk->comm[len], 0, sizeof(tsk->comm) - len);
> >         perf_event_comm(tsk, exec);
> >  }
> 
> I actually don't think that's super-safe either. Yeah, it works in
> practice, and the last byte is certainly always going to be 0, but it
> might not be reliably padded.

Right, my concern over comm is strictly about unterminated reads (i.e.
exposing memory contents stored after "comm" in the task_struct). I've not
been worried about "uninitialized content" exposure because the starting
contents have always been wiped and will (now) always end with a NUL,
so the worst exposure is seeing prior or racing bytes of whatever is
being written into comm concurrently.

> Why? It walks over the source twice. First at strlen() time, then at
> memcpy. So if the source isn't stable, the end result might have odd
> results with NUL characters in the middle.

Yeah, this just means it has greater potential to be garbled.

> And strscpy() really was *supposed* to be safe even in this case, and
> I thought it was until I looked closer.
> 
> But I think strscpy() can be saved.

Yeah, fixing the final NUL byte write is needed.

> Something (UNTESTED!) like the attached I think does the right thing.
> I added a couple of "READ_ONCE()" things to make it really super-clear
> that strscpy() reads the source exactly once, and to not allow any
> compiler re-materialization of the reads (although I think that when I
> asked people, it turns out neither gcc nor clang rematerialize memory
> accesses, so that READ_ONCE is likely more a documentation ad
> theoretical thing than a real thing).

This is fine, but it doesn't solve either an unstable source nor
concurrent writers to dest. If source changes out from under strscpy,
we can still copy a "torn" write. If destination changes out from under
strscpy, we just get a potentially interleaved output (but with the
NUL-write change, we never have a dest that _lacks_ a NUL terminator).

So yeah, let's change the loop as you have it. I'm fine with the
READ_ONCE() additions, but I'm not clear on what benefit it has.

> Hmm? I don't think your version is wrong, but I also think we'd be
> better off making our 'strscpy()' infrastructure explicitly safe wrt
> unstable source strings.

Agreed. I'll get this tested against our string handling selftests...

-- 
Kees Cook