From: Linus Torvalds
Date: Fri, 29 Nov 2024 23:15:44 -0800
Subject: Re: [PATCH] exec: Make sure task->comm is always NUL-terminated
To: Kees Cook
Cc: Eric Biederman, Alexander Viro, Christian Brauner, Jan Kara, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Valentin Schneider, Jens Axboe, Pavel Begunkov, Andrew Morton, Chen Yu, Shuah Khan, Mickaël Salaün, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, linux-hardening@vger.kernel.org
In-Reply-To: <20241130044909.work.541-kees@kernel.org>

Edited down to just the end result:

On Fri, 29 Nov 2024 at 20:49, Kees Cook wrote:
>
> void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec)
> {
>         size_t len = min(strlen(buf), sizeof(tsk->comm) - 1);
>
>         trace_task_rename(tsk, buf);
>         memcpy(tsk->comm, buf, len);
>         memset(&tsk->comm[len], 0, sizeof(tsk->comm) - len);
>         perf_event_comm(tsk, exec);
> }

I actually don't think that's super-safe either. Yeah, it works in practice, and the last byte is certainly always going to be 0, but it might not be reliably padded.

Why? It walks over the source twice. First at strlen() time, then at memcpy. So if the source isn't stable, the end result might have odd results with NUL characters in the middle.

And strscpy() really was *supposed* to be safe even in this case, and I thought it was until I looked closer.

But I think strscpy() can be saved. Something (UNTESTED!) like the attached I think does the right thing. I added a couple of "READ_ONCE()" things to make it really super-clear that strscpy() reads the source exactly once, and to not allow any compiler re-materialization of the reads (although I think that when I asked people, it turns out neither gcc nor clang rematerialize memory accesses, so that READ_ONCE is likely more a documentation and theoretical thing than a real thing).

And yes, we could make the word-at-a-time case also know about masking the last word, but it's kind of annoying and depends on byte ordering.

Hmm? I don't think your version is wrong, but I also think we'd be better off making our 'strscpy()' infrastructure explicitly safe wrt unstable source strings.

            Linus

Content-Type: text/x-patch; charset="US-ASCII"; name="patch.diff"
Content-Disposition: attachment; filename="patch.diff"
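
The two-read problem described in the message above, as an added userspace illustration (not code from the thread or from the kernel): `racer()` is a hypothetical stand-in for a concurrent writer to the source, the sample name is constructed, and `COMM_LEN` mirrors the 16-byte `task->comm`. The single-pass copy may still mix old and new bytes, but it stays NUL-padded after the first NUL.

```c
#include <stdio.h>
#include <string.h>

#define COMM_LEN 16 /* sizeof(task->comm) in the kernel (TASK_COMM_LEN) */

/* Hypothetical stand-in for a concurrent writer changing the source. */
static void racer(char *src) { strcpy(src, "ab"); }

/* The quoted pattern: a strlen() pass, then a separate memcpy() pass. */
static void copy_two_pass(char *dst, char *src)
{
	size_t len = strlen(src);
	if (len > COMM_LEN - 1)
		len = COMM_LEN - 1;
	racer(src);		/* source changes between the two reads */
	memcpy(dst, src, len);
	memset(dst + len, 0, COMM_LEN - len);
}

/* Single pass: each byte is read once (volatile, like READ_ONCE()). */
static void copy_one_pass(char *dst, char *src)
{
	size_t i;
	for (i = 0; i < COMM_LEN - 1; i++) {
		char c = *(volatile char *)(src + i);
		if (!c)
			break;
		dst[i] = c;
		if (i == 0)
			racer(src);	/* source changes mid-copy */
	}
	memset(dst + i, 0, COMM_LEN - i);
}

/* Copy a constructed name; return 1 if dst is all-NUL after its first NUL. */
static int padded_after(int one_pass)
{
	char src[COMM_LEN] = "longname", dst[COMM_LEN];
	size_t i = 0;
	(one_pass ? copy_one_pass : copy_two_pass)(dst, src);
	while (i < COMM_LEN && dst[i])
		i++;		/* find the first NUL */
	while (i < COMM_LEN && !dst[i])
		i++;		/* skip the padding */
	return i == COMM_LEN && dst[COMM_LEN - 1] == 0;
}

int main(void)
{
	printf("two-pass padded=%d one-pass padded=%d\n", padded_after(0), padded_after(1));
	return 0;
}
```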