[PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
@ 2025-04-22 13:14 Mykyta Yatsenko
  2025-04-22 15:48 ` Andrii Nakryiko
  2025-04-23  0:20 ` Andrew Morton
  0 siblings, 2 replies; 6+ messages in thread
From: Mykyta Yatsenko @ 2025-04-22 13:14 UTC (permalink / raw)
  To: akpm, linux-mm, rostedt, mhiramat, andrii, kernel-team, linux-kernel
  Cc: Mykyta Yatsenko

From: Mykyta Yatsenko <yatsenko@meta.com>

strncpy_from_user_nofault should return the length of the copied string
including the trailing NUL, but if the argument unsafe_addr points to
an empty string ({'\0'}), the return value is 0.

This happens as strncpy_from_user copies terminal symbol into dst
and returns 0 (as expected), but strncpy_from_user_nofault does not
modify ret as it is not equal to count and not greater than 0, so 0 is
returned, which contradicts the contract.

Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
---
 mm/maccess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/maccess.c b/mm/maccess.c
index 8f0906180a94..831b4dd7296c 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -196,7 +196,7 @@ long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
 	if (ret >= count) {
 		ret = count;
 		dst[ret - 1] = '\0';
-	} else if (ret > 0) {
+	} else if (ret >= 0) {
 		ret++;
 	}

-- 
2.49.0

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
  2025-04-22 13:14 [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling Mykyta Yatsenko
@ 2025-04-22 15:48 ` Andrii Nakryiko
  2025-04-23  0:20 ` Andrew Morton
  1 sibling, 0 replies; 6+ messages in thread
From: Andrii Nakryiko @ 2025-04-22 15:48 UTC (permalink / raw)
  To: Mykyta Yatsenko
  Cc: akpm, linux-mm, rostedt, mhiramat, andrii, kernel-team,
	linux-kernel, Mykyta Yatsenko

On Tue, Apr 22, 2025 at 6:15 AM Mykyta Yatsenko
<mykyta.yatsenko5@gmail.com> wrote:
>
> From: Mykyta Yatsenko <yatsenko@meta.com>
>
> strncpy_from_user_nofault should return the length of the copied string
> including the trailing NUL, but if the argument unsafe_addr points to
> an empty string ({'\0'}), the return value is 0.
>
> This happens as strncpy_from_user copies terminal symbol into dst
> and returns 0 (as expected), but strncpy_from_user_nofault does not
> modify ret as it is not equal to count and not greater than 0, so 0 is
> returned, which contradicts the contract.
>
> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
> ---
>  mm/maccess.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Andrii Nakryiko <andrii@kernel.org>

> diff --git a/mm/maccess.c b/mm/maccess.c
> index 8f0906180a94..831b4dd7296c 100644
> --- a/mm/maccess.c
> +++ b/mm/maccess.c
> @@ -196,7 +196,7 @@ long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
>         if (ret >= count) {
>                 ret = count;
>                 dst[ret - 1] = '\0';
> -       } else if (ret > 0) {
> +       } else if (ret >= 0) {
>                 ret++;
>         }
>
> --
> 2.49.0
>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
  2025-04-22 13:14 [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling Mykyta Yatsenko
  2025-04-22 15:48 ` Andrii Nakryiko
@ 2025-04-23  0:20 ` Andrew Morton
  2025-04-23 11:37   ` Mykyta Yatsenko
  1 sibling, 1 reply; 6+ messages in thread
From: Andrew Morton @ 2025-04-23  0:20 UTC (permalink / raw)
  To: Mykyta Yatsenko
  Cc: linux-mm, rostedt, mhiramat, andrii, kernel-team, linux-kernel,
	Mykyta Yatsenko, Kees Cook

On Tue, 22 Apr 2025 14:14:49 +0100 Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> wrote:

> From: Mykyta Yatsenko <yatsenko@meta.com>
> 
> strncpy_from_user_nofault should return the length of the copied string
> including the trailing NUL, but if the argument unsafe_addr points to
> an empty string ({'\0'}), the return value is 0.
> 
> This happens as strncpy_from_user copies terminal symbol into dst
> and returns 0 (as expected), but strncpy_from_user_nofault does not
> modify ret as it is not equal to count and not greater than 0, so 0 is
> returned, which contradicts the contract.
> 
> ...
>

Thanks.

Does this fix any known runtime issue?  If so, please fully describe this?

> --- a/mm/maccess.c
> +++ b/mm/maccess.c
> @@ -196,7 +196,7 @@ long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
>  	if (ret >= count) {
>  		ret = count;
>  		dst[ret - 1] = '\0';
> -	} else if (ret > 0) {
> +	} else if (ret >= 0) {
>  		ret++;
>  	}
>  



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
  2025-04-23  0:20 ` Andrew Morton
@ 2025-04-23 11:37   ` Mykyta Yatsenko
  2025-04-23 13:59     ` Steven Rostedt
  0 siblings, 1 reply; 6+ messages in thread
From: Mykyta Yatsenko @ 2025-04-23 11:37 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-mm, rostedt, mhiramat, andrii, kernel-team, linux-kernel,
	Mykyta Yatsenko, Kees Cook

On 4/23/25 01:20, Andrew Morton wrote:
> On Tue, 22 Apr 2025 14:14:49 +0100 Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> wrote:
>
>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>
>> strncpy_from_user_nofault should return the length of the copied string
>> including the trailing NUL, but if the argument unsafe_addr points to
>> an empty string ({'\0'}), the return value is 0.
>>
>> This happens as strncpy_from_user copies terminal symbol into dst
>> and returns 0 (as expected), but strncpy_from_user_nofault does not
>> modify ret as it is not equal to count and not greater than 0, so 0 is
>> returned, which contradicts the contract.
>>
>> ...
>>
> Thanks.
>
> Does this fix any known runtime issue?  If so, please fully describe this?
Not that I'm aware of. The issue could be found when trying to copy empty
user space string in BPF program (and relying on return value).There are 
some usage of
`strncpy_from_user_nofault` in tracing subsystem, but I'm not sure how to
hit those code paths.
>
>> --- a/mm/maccess.c
>> +++ b/mm/maccess.c
>> @@ -196,7 +196,7 @@ long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
>>   	if (ret >= count) {
>>   		ret = count;
>>   		dst[ret - 1] = '\0';
>> -	} else if (ret > 0) {
>> +	} else if (ret >= 0) {
>>   		ret++;
>>   	}
>>   




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
  2025-04-23 11:37   ` Mykyta Yatsenko
@ 2025-04-23 13:59     ` Steven Rostedt
  2025-04-23 14:48       ` Mykyta Yatsenko
  0 siblings, 1 reply; 6+ messages in thread
From: Steven Rostedt @ 2025-04-23 13:59 UTC (permalink / raw)
  To: Mykyta Yatsenko
  Cc: Andrew Morton, linux-mm, mhiramat, andrii, kernel-team,
	linux-kernel, Mykyta Yatsenko, Kees Cook

On Wed, 23 Apr 2025 12:37:46 +0100
Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> wrote:

> > Does this fix any known runtime issue?  If so, please fully describe this?  
> Not that I'm aware of. The issue could be found when trying to copy empty
> user space string in BPF program (and relying on return value).There are 
> some usage of
> `strncpy_from_user_nofault` in tracing subsystem, but I'm not sure how to
> hit those code paths.
> >  

Although your patch found a bug in the tracing subsystem, this wasn't the
cause. It only cared if the read faulted or not. It was incorrectly
checking for zero as non fault when in reality, it needed to check >= 0.

With that fixed, it should work the same with or without this patch.

-- Steve


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling
  2025-04-23 13:59     ` Steven Rostedt
@ 2025-04-23 14:48       ` Mykyta Yatsenko
  0 siblings, 0 replies; 6+ messages in thread
From: Mykyta Yatsenko @ 2025-04-23 14:48 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: Andrew Morton, linux-mm, mhiramat, andrii, kernel-team,
	linux-kernel, Mykyta Yatsenko, Kees Cook

On 4/23/25 14:59, Steven Rostedt wrote:
> On Wed, 23 Apr 2025 12:37:46 +0100
> Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> wrote:
>
>>> Does this fix any known runtime issue?  If so, please fully describe this?
>> Not that I'm aware of. The issue could be found when trying to copy empty
>> user space string in BPF program (and relying on return value).There are
>> some usage of
>> `strncpy_from_user_nofault` in tracing subsystem, but I'm not sure how to
>> hit those code paths.
>>>   
> Although your patch found a bug in the tracing subsystem, this wasn't the
> cause. It only cared if the read faulted or not. It was incorrectly
> checking for zero as non fault when in reality, it needed to check >= 0.
>
> With that fixed, it should work the same with or without this patch.
>
> -- Steve
Sure, I had in mind usages from trace_probe_kernel.h,
namely fetch_store_string_user, fetch_store_string, having a second look,
it appears these only used in trace_events_synth.c, and we are good there.


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2025-04-23 14:48 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-04-22 13:14 [PATCH v2] maccess: fix strncpy_from_user_nofault empty string handling Mykyta Yatsenko
2025-04-22 15:48 ` Andrii Nakryiko
2025-04-23  0:20 ` Andrew Morton
2025-04-23 11:37   ` Mykyta Yatsenko
2025-04-23 13:59     ` Steven Rostedt
2025-04-23 14:48       ` Mykyta Yatsenko

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox