From: Dan Carpenter <dan.carpenter@linaro.org>
To: oe-kbuild@lists.linux.dev, Bhupesh <bhupesh@igalia.com>,
akpm@linux-foundation.org
Cc: lkp@intel.com, oe-kbuild-all@lists.linux.dev, bhupesh@igalia.com,
kernel-dev@igalia.com, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, linux-perf-users@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
oliver.sang@intel.com, laoar.shao@gmail.com, pmladek@suse.com,
rostedt@goodmis.org, mathieu.desnoyers@efficios.com,
arnaldo.melo@gmail.com, alexei.starovoitov@gmail.com,
andrii.nakryiko@gmail.com, mirq-linux@rere.qmqm.pl,
peterz@infradead.org, willy@infradead.org, david@redhat.com,
viro@zeniv.linux.org.uk, keescook@chromium.org,
ebiederm@xmission.com, brauner@kernel.org, jack@suse.cz,
mingo@redhat.com, juri.lelli@redhat.com, bsegall@google.com,
mgorman@suse.de
Subject: Re: [PATCH v4 2/3] treewide: Switch memcpy() users of 'task->comm' to a more safer implementation
Date: Fri, 23 May 2025 12:40:03 +0300
Message-ID: <202505221104.qV4Iy0rA-lkp@intel.com>
In-Reply-To: <20250521062337.53262-3-bhupesh@igalia.com>
Hi Bhupesh,
kernel test robot noticed the following build warnings:
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Bhupesh/exec-Remove-obsolete-comments/20250521-142443
base: https://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace for-next
patch link: https://lore.kernel.org/r/20250521062337.53262-3-bhupesh%40igalia.com
patch subject: [PATCH v4 2/3] treewide: Switch memcpy() users of 'task->comm' to a more safer implementation
config: powerpc64-randconfig-r071-20250522 (https://download.01.org/0day-ci/archive/20250522/202505221104.qV4Iy0rA-lkp@intel.com/config)
compiler: clang version 21.0.0git (https://github.com/llvm/llvm-project f819f46284f2a79790038e1f6649172789734ae8)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202505221104.qV4Iy0rA-lkp@intel.com/
New smatch warnings:
fs/coredump.c:591 do_coredump() error: buffer overflow 'comm' 16 <= 16
fs/coredump.c:1006 validate_coredump_safety() error: buffer overflow 'comm' 16 <= 16
vim +/comm +591 fs/coredump.c
a78282e2c94f4c Linus Torvalds 2024-09-26 524 void do_coredump(const kernel_siginfo_t *siginfo)
10c28d937e2cca Alex Kelly 2012-09-26 525 {
10c28d937e2cca Alex Kelly 2012-09-26 526 struct core_state core_state;
10c28d937e2cca Alex Kelly 2012-09-26 527 struct core_name cn;
10c28d937e2cca Alex Kelly 2012-09-26 528 struct mm_struct *mm = current->mm;
10c28d937e2cca Alex Kelly 2012-09-26 529 struct linux_binfmt * binfmt;
10c28d937e2cca Alex Kelly 2012-09-26 530 const struct cred *old_cred;
10c28d937e2cca Alex Kelly 2012-09-26 531 struct cred *cred;
a78282e2c94f4c Linus Torvalds 2024-09-26 532 int retval = 0;
10c28d937e2cca Alex Kelly 2012-09-26 533 int ispipe;
315c69261dd3fa Paul Wise 2019-08-02 534 size_t *argv = NULL;
315c69261dd3fa Paul Wise 2019-08-02 535 int argc = 0;
fbb1816942c044 Jann Horn 2015-09-09 536 /* require nonrelative corefile path and be extra careful */
fbb1816942c044 Jann Horn 2015-09-09 537 bool need_suid_safe = false;
acdedd99b0f3bf Oleg Nesterov 2013-04-30 538 bool core_dumped = false;
10c28d937e2cca Alex Kelly 2012-09-26 539 static atomic_t core_dump_count = ATOMIC_INIT(0);
10c28d937e2cca Alex Kelly 2012-09-26 540 struct coredump_params cprm = {
5ab1c309b34488 Denys Vlasenko 2012-10-04 541 .siginfo = siginfo,
10c28d937e2cca Alex Kelly 2012-09-26 542 .limit = rlimit(RLIMIT_CORE),
10c28d937e2cca Alex Kelly 2012-09-26 543 /*
10c28d937e2cca Alex Kelly 2012-09-26 544 * We must use the same mm->flags while dumping core to avoid
10c28d937e2cca Alex Kelly 2012-09-26 545 * inconsistency of bit flags, since this flag is not protected
10c28d937e2cca Alex Kelly 2012-09-26 546 * by any locks.
10c28d937e2cca Alex Kelly 2012-09-26 547 */
10c28d937e2cca Alex Kelly 2012-09-26 548 .mm_flags = mm->flags,
95c5436a488384 Eric W. Biederman 2022-03-08 549 .vma_meta = NULL,
8603b6f58637ce Oleksandr Natalenko 2022-09-03 550 .cpu = raw_smp_processor_id(),
10c28d937e2cca Alex Kelly 2012-09-26 551 };
10c28d937e2cca Alex Kelly 2012-09-26 552
5ab1c309b34488 Denys Vlasenko 2012-10-04 553 audit_core_dumps(siginfo->si_signo);
10c28d937e2cca Alex Kelly 2012-09-26 554
10c28d937e2cca Alex Kelly 2012-09-26 555 binfmt = mm->binfmt;
a78282e2c94f4c Linus Torvalds 2024-09-26 556 if (!binfmt || !binfmt->core_dump)
10c28d937e2cca Alex Kelly 2012-09-26 557 goto fail;
a78282e2c94f4c Linus Torvalds 2024-09-26 558 if (!__get_dumpable(cprm.mm_flags))
10c28d937e2cca Alex Kelly 2012-09-26 559 goto fail;
10c28d937e2cca Alex Kelly 2012-09-26 560
10c28d937e2cca Alex Kelly 2012-09-26 561 cred = prepare_creds();
a78282e2c94f4c Linus Torvalds 2024-09-26 562 if (!cred)
10c28d937e2cca Alex Kelly 2012-09-26 563 goto fail;
10c28d937e2cca Alex Kelly 2012-09-26 564 /*
10c28d937e2cca Alex Kelly 2012-09-26 565 * We cannot trust fsuid as being the "true" uid of the process
10c28d937e2cca Alex Kelly 2012-09-26 566 * nor do we know its entire history. We only know it was tainted
10c28d937e2cca Alex Kelly 2012-09-26 567 * so we dump it as root in mode 2, and only into a controlled
10c28d937e2cca Alex Kelly 2012-09-26 568 * environment (pipe handler or fully qualified path).
10c28d937e2cca Alex Kelly 2012-09-26 569 */
e579d2c259be42 Kees Cook 2013-02-27 570 if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) {
10c28d937e2cca Alex Kelly 2012-09-26 571 /* Setuid core dump mode */
10c28d937e2cca Alex Kelly 2012-09-26 572 cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */
fbb1816942c044 Jann Horn 2015-09-09 573 need_suid_safe = true;
10c28d937e2cca Alex Kelly 2012-09-26 574 }
10c28d937e2cca Alex Kelly 2012-09-26 575
5ab1c309b34488 Denys Vlasenko 2012-10-04 576 retval = coredump_wait(siginfo->si_signo, &core_state);
10c28d937e2cca Alex Kelly 2012-09-26 577 if (retval < 0)
10c28d937e2cca Alex Kelly 2012-09-26 578 goto fail_creds;
10c28d937e2cca Alex Kelly 2012-09-26 579
10c28d937e2cca Alex Kelly 2012-09-26 580 old_cred = override_creds(cred);
10c28d937e2cca Alex Kelly 2012-09-26 581
315c69261dd3fa Paul Wise 2019-08-02 582 ispipe = format_corename(&cn, &cprm, &argv, &argc);
10c28d937e2cca Alex Kelly 2012-09-26 583
10c28d937e2cca Alex Kelly 2012-09-26 584 if (ispipe) {
315c69261dd3fa Paul Wise 2019-08-02 585 int argi;
10c28d937e2cca Alex Kelly 2012-09-26 586 int dump_count;
10c28d937e2cca Alex Kelly 2012-09-26 587 char **helper_argv;
907ed1328d2a74 Lucas De Marchi 2013-04-30 588 struct subprocess_info *sub_info;
10c28d937e2cca Alex Kelly 2012-09-26 589
10c28d937e2cca Alex Kelly 2012-09-26 590 if (ispipe < 0) {
c114e9948c2b6a Roman Kisel 2024-07-18 @591 coredump_report_failure("format_corename failed, aborting core");
e7fd1549aeb83e Oleg Nesterov 2013-07-03 592 goto fail_unlock;
> /* This will always be NUL terminated. */ \
> - memcpy(comm, current->comm, sizeof(comm)); \
> + memcpy(comm, current->comm, TASK_COMM_LEN); \
> + comm[TASK_COMM_LEN] = '\0'; \
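
Review bot: the added store to comm[TASK_COMM_LEN] on the last '+' line lands one element past the end of a buffer that smatch reports as 16 bytes ('comm' 16 <= 16), so the terminator has to go at index TASK_COMM_LEN - 1, or better at sizeof(comm) - 1 so that it follows the destination's declared size. The memcpy() length change from sizeof(comm) to TASK_COMM_LEN drops that same tie to the destination and is worth reverting. The retained comment "This will always be NUL terminated" no longer matches a hunk that adds an explicit terminator; either update the comment or drop the extra store.
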
^^^^^^^^^^^^^^
This was supposed to be "TASK_COMM_LEN - 1". Also the comment says
it's not required...
10c28d937e2cca Alex Kelly 2012-09-26 593 }
10c28d937e2cca Alex Kelly 2012-09-26 594
10c28d937e2cca Alex Kelly 2012-09-26 595 if (cprm.limit == 1) {
10c28d937e2cca Alex Kelly 2012-09-26 596 /* See umh_pipe_setup() which sets RLIMIT_CORE = 1.
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Thread overview: 16+ messages
2025-05-21 6:23 [PATCH v4 0/3] Add support for long task name Bhupesh
2025-05-21 6:23 ` [PATCH v4 1/3] exec: Remove obsolete comments Bhupesh
2025-05-22 6:18 ` Yafang Shao
2025-05-21 6:23 ` [PATCH v4 2/3] treewide: Switch memcpy() users of 'task->comm' to a more safer implementation Bhupesh
2025-05-21 20:02 ` kernel test robot
2025-05-22 19:46 ` Bhupesh Sharma
2025-05-22 6:15 ` Yafang Shao
2025-05-22 6:27 ` Yafang Shao
2025-05-22 19:44 ` Bhupesh Sharma
2025-05-23 9:40 ` Dan Carpenter [this message]
2025-05-21 6:23 ` [PATCH v4 3/3] exec: Add support for 64 byte 'tsk->comm_ext' Bhupesh
2025-05-23 3:48 ` Kees Cook
2025-05-23 12:31 ` Bhupesh Sharma
2025-05-23 20:55 ` Kees Cook
2025-05-26 11:13 ` Bhupesh Sharma
2025-06-30 7:58 ` Bhupesh Sharma