From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=q3d4=PO=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CF1F9C433F5
	for <linux-mm@archiver.kernel.org>; Tue, 26 Oct 2021 14:03:14 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 6773A61040
	for <linux-mm@archiver.kernel.org>; Tue, 26 Oct 2021 14:03:14 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 6773A61040
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id B1877940008; Tue, 26 Oct 2021 10:03:13 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id AC764940007; Tue, 26 Oct 2021 10:03:13 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 98F1F940008; Tue, 26 Oct 2021 10:03:13 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0254.hostedemail.com [216.40.44.254])
	by kanga.kvack.org (Postfix) with ESMTP id 8A9AB940007
	for <linux-mm@kvack.org>; Tue, 26 Oct 2021 10:03:13 -0400 (EDT)
Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 4E36B8249980
	for <linux-mm@kvack.org>; Tue, 26 Oct 2021 14:03:13 +0000 (UTC)
X-FDA: 78738755466.04.BDC6A01
Received: from mail-io1-f52.google.com (mail-io1-f52.google.com [209.85.166.52])
	by imf29.hostedemail.com (Postfix) with ESMTP id D843D900025D
	for <linux-mm@kvack.org>; Tue, 26 Oct 2021 14:03:12 +0000 (UTC)
Received: by mail-io1-f52.google.com with SMTP id r194so272863iod.7
        for <linux-mm@kvack.org>; Tue, 26 Oct 2021 07:03:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=jiKBRIJ90WYjcORFiV3ORltYZSK2q2sAgdSrdSfFfbc=;
        b=B5oi/7UCVk36Kltqk5jv0UWKsgnlcJbT+p8jfJZ/39b+wWQ3ihMQCSae2vo2AfNYOV
         rGFEUlC++DoWLCCqPMJWHJOt1HSJyZFJtvVv49eAiawK7btNdoGSa1NDCwrmtXk1QKNU
         vSBGb2llMudk+OZOc4MAqtj9ZyDt/GRG5Xmh0lZMLJUQfXLqcWmfnbKyPUvZsUevSp7r
         Uav5pLsgxuo7NBSBiLlXImmOZ8jx2FcsOPxBS44VwbmHXKYUQ4BPjNlZX9zlsc+Tru3f
         yRRWGvhcXHKmK3hoxpjQGpduRdkJH6Mb3jiEyDSm0HHk/BZg1ycg8Ak+iPaRmnDBUB5W
         DujA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=jiKBRIJ90WYjcORFiV3ORltYZSK2q2sAgdSrdSfFfbc=;
        b=QnNt47u9b6iFnbQ24gdpjhdoVOWrog+QLBD1n3CkkEPcPOYYlanLFAGGBvnMMhi00i
         RQ3dlr7YiWmt7I0EfxVLJMxEqFL/83IJBmAa3/g/Cizy8qFS8KSyjjiL4UYOFHM9YLid
         eZi1FGDBGQoaxNvMTeHDnggkwoxR+7JTT+fQt9CIzJPLdz8o98r2NgH4X5Cuo6KZNd2O
         uKTe27HjG37nly3EdC6dXWJ61gd0c9jl+qEsDKgJKoO/pZk7eVx3SVz2mOeynMXmsvHF
         KfqMQNsBsq0eawB9KU3Qtzk06jnobUkIkgOcTjqUWBNpOFuXiIsUvL/dvLTBbBNxiFWZ
         gsIg==
X-Gm-Message-State: AOAM532J1pv3UfrAmFOyJCddrjhDBsbWHGZ7d6Mfd67GF1w5JdsX7JHK
	tSTte9/Fc4ogMRCo9AOj1DQqfXbwDXCgSzWL4kA=
X-Google-Smtp-Source: ABdhPJxnJMo1zj33+9fiUewOfzyLCzx56/LSGr86u1/7PYep88hWbWvGY1Pv8LiKwv9ITmco8NPZCwRW9GVoSd8560c=
X-Received: by 2002:a05:6638:2257:: with SMTP id m23mr249515jas.139.1635256992171;
 Tue, 26 Oct 2021 07:03:12 -0700 (PDT)
MIME-Version: 1.0
References: <20211025083315.4752-1-laoar.shao@gmail.com> <20211025083315.4752-9-laoar.shao@gmail.com>
 <202110251421.7056ACF84@keescook> <CALOAHbDPs-pbr5CnmuRv+b+CgMdEkzi4Yr2fSO9pKCE-chr3Yg@mail.gmail.com>
 <20211026091211.569a7ba2@gandalf.local.home> <CALOAHbBAKqbZEMvk5PVMrqFR_kjbi_kotGTNTGEW+=JWnC+_uA@mail.gmail.com>
In-Reply-To: <CALOAHbBAKqbZEMvk5PVMrqFR_kjbi_kotGTNTGEW+=JWnC+_uA@mail.gmail.com>
From: Yafang Shao <laoar.shao@gmail.com>
Date: Tue, 26 Oct 2021 22:02:36 +0800
Message-ID: <CALOAHbAa-iMD4k2DEOun+RivUXiSMKR6ndCsqGZMseUbX_9+ww@mail.gmail.com>
Subject: Re: [PATCH v6 08/12] tools/bpf/bpftool/skeleton: make it adopt to
 task comm size change
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Kees Cook <keescook@chromium.org>, Andrew Morton <akpm@linux-foundation.org>, 
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, 
	Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>, Petr Mladek <pmladek@suse.com>, 
	Peter Zijlstra <peterz@infradead.org>, Al Viro <viro@zeniv.linux.org.uk>, 
	Valentin Schneider <valentin.schneider@arm.com>, Qiang Zhang <qiang.zhang@windriver.com>, 
	robdclark <robdclark@chromium.org>, christian <christian@brauner.io>, 
	Dietmar Eggemann <dietmar.eggemann@arm.com>, Ingo Molnar <mingo@redhat.com>, 
	Juri Lelli <juri.lelli@redhat.com>, Vincent Guittot <vincent.guittot@linaro.org>, 
	David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, 
	Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, 
	Andrii Nakryiko <andrii@kernel.org>, Martin Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>, 
	Yonghong Song <yhs@fb.com>, john fastabend <john.fastabend@gmail.com>, KP Singh <kpsingh@kernel.org>, 
	dennis.dalessandro@cornelisnetworks.com, 
	mike.marciniszyn@cornelisnetworks.com, dledford@redhat.com, jgg@ziepe.ca, 
	linux-rdma@vger.kernel.org, netdev <netdev@vger.kernel.org>, 
	bpf <bpf@vger.kernel.org>, "linux-perf-use." <linux-perf-users@vger.kernel.org>, 
	linux-fsdevel@vger.kernel.org, Linux MM <linux-mm@kvack.org>, 
	LKML <linux-kernel@vger.kernel.org>, kernel test robot <oliver.sang@intel.com>, 
	kbuild test robot <lkp@intel.com>, Andrii Nakryiko <andrii.nakryiko@gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: D843D900025D
X-Stat-Signature: kp4sejnha7cinbfh9c5mz8jihuk8683c
Authentication-Results: imf29.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b="B5oi/7UC";
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (imf29.hostedemail.com: domain of laoar.shao@gmail.com designates 209.85.166.52 as permitted sender) smtp.mailfrom=laoar.shao@gmail.com
X-HE-Tag: 1635256992-649230
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue, Oct 26, 2021 at 9:55 PM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> On Tue, Oct 26, 2021 at 9:12 PM Steven Rostedt <rostedt@goodmis.org> wrote:
> >
> > On Tue, 26 Oct 2021 10:18:51 +0800
> > Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > > > So, if we're ever going to copying these buffers out of the kernel (I
> > > > don't know what the object lifetime here in bpf is for "e", etc), we
> > > > should be zero-padding (as get_task_comm() does).
> > > >
> > > > Should this, instead, be using a bounce buffer?
> > >
> > > The comment in bpf_probe_read_kernel_str_common() says
> > >
> > >   :      /*
> > >   :       * The strncpy_from_kernel_nofault() call will likely not fill the
> > >   :       * entire buffer, but that's okay in this circumstance as we're probing
> > >   :       * arbitrary memory anyway similar to bpf_probe_read_*() and might
> > >   :       * as well probe the stack. Thus, memory is explicitly cleared
> > >   :       * only in error case, so that improper users ignoring return
> > >   :       * code altogether don't copy garbage; otherwise length of string
> > >   :       * is returned that can be used for bpf_perf_event_output() et al.
> > >   :       */
> > >
> > > It seems that it doesn't matter if the buffer is filled as that is
> > > probing arbitrary memory.
> > >
> > > >
> > > > get_task_comm(comm, task->group_leader);
> > >
> > > This helper can't be used by the BPF programs, as it is not exported to BPF.
> > >
> > > > bpf_probe_read_kernel_str(&e.comm, sizeof(e.comm), comm);
> >
> > I guess Kees is worried that e.comm will have something exported to user
> > space that it shouldn't. But since e is part of the BPF program, does the
> > BPF JIT take care to make sure everything on its stack is zero'd out, such
> > that a user BPF couldn't just read various items off its stack and by doing
> > so, see kernel memory it shouldn't be seeing?
> >
>

Ah, you mean the BPF JIT has already avoided leaking information to user.
I will check the BPF JIT code first.

> Understood.
> It can leak information to the user if the user buffer is large enough.
>
>
> > I'm guessing it does, otherwise this would be a bigger issue than this
> > patch series.
> >
>
> I will think about how to fix it.
> At first glance, it seems we'd better introduce a new BPF helper like
> bpf_probe_read_kernel_str_pad().
>
> --
> Thanks
> Yafang



-- 
Thanks
Yafang