From: David Laight
To: 'Kees Cook', Eric Biederman
CC: Linus Torvalds, Alexander Viro, Christian Brauner, Jan Kara, "linux-mm@kvack.org", "linux-fsdevel@vger.kernel.org", Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Valentin Schneider, Jens Axboe, Pavel Begunkov, Andrew Morton, Chen Yu, Shuah Khan, Mickaël Salaün, "linux-kernel@vger.kernel.org", "io-uring@vger.kernel.org", "linux-hardening@vger.kernel.org"
Subject: RE: [PATCH] exec: Make sure task->comm is always NUL-terminated
Date: Sat, 30 Nov 2024 21:40:14 +0000
In-Reply-To: <20241130044909.work.541-kees@kernel.org>

From: Kees Cook
> Sent: 30 November 2024 04:49
>
> Instead of adding a new use of the ambiguous strncpy(), we'd want to
> use memtostr_pad() which enforces being able to check at compile time
> that sizes are sensible, but this requires being able to see string
> buffer lengths. Instead of trying to inline __set_task_comm() (which
> needs to call trace and perf functions), just open-code it. But to
> make sure we're always safe, add compile-time checking like we already
> do for get_task_comm().
...
> Here's what I'd prefer to use to clean up set_task_comm(). I merged
> Linus and Eric's suggestions and open-coded memtostr_pad().
> --- > fs/exec.c | 12 ++++++------ > include/linux/sched.h | 9 ++++----- > io_uring/io-wq.c | 2 +- > io_uring/sqpoll.c | 2 +- > kernel/kthread.c | 3 ++- > 5 files changed, 14 insertions(+), 14 deletions(-) >=20 > diff --git a/fs/exec.c b/fs/exec.c > index e0435b31a811..5f16500ac325 100644 > --- a/fs/exec.c > +++ b/fs/exec.c
> @@ -1200,16 +1200,16 @@ char *__get_task_comm(char *buf, size_t buf_size,= struct task_struct *tsk) > EXPORT_SYMBOL_GPL(__get_task_comm); >=20 > /* > - * These functions flushes out all traces of the currently running execu= table > - * so that a new one can be started > + * This is unlocked -- the string will always be NUL-terminated, but > + * may show overlapping contents if racing concurrent reads. > */ > - > void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec= ) > { > -=09task_lock(tsk); > +=09size_t len =3D min(strlen(buf), sizeof(tsk->comm) - 1); > + > =09trace_task_rename(tsk, buf); > -=09strscpy_pad(tsk->comm, buf, sizeof(tsk->comm)); > -=09task_unlock(tsk); > +=09memcpy(tsk->comm, buf, len); > +=09memset(&tsk->comm[len], 0, sizeof(tsk->comm) - len); > =09perf_event_comm(tsk, exec);

Why not do strscpy_pad() into a local char[16] and then do a 16 byte
memcpy() into the target buffer?
Then non-constant input data will always give a valid '\0' terminated string
regardless of how strscpy_pad() is implemented.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
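
Review bot: In the fs/exec.c hunk, `min(strlen(buf), sizeof(tsk->comm) - 1)` reads `buf` all the way to its terminator even though at most `sizeof(tsk->comm) - 1` bytes are copied; `strnlen(buf, sizeof(tsk->comm) - 1)` yields the same `len` with a bounded read. With `task_lock()`/`task_unlock()` removed, the new comment's "always NUL-terminated" claim depends on the last byte of `tsk->comm` never being written with a non-NUL value, which holds here only because `memcpy()` copies at most `sizeof(tsk->comm) - 1` bytes and `memset()` writes only zeros. The comment should state that invariant explicitly, and say whether concurrent writers (not just "racing concurrent reads") are expected, so a later change to the copy sequence does not silently break it.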
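
The local-buffer scheme suggested in the reply above, as an added userspace example that is not code from the thread or from the kernel. `copy_pad()` is a stand-in for `strscpy_pad()`; `set_comm_bounce()`, `comm_is_terminated_and_padded()` and `TASK_COMM_LEN` (taken as 16 from the reply's `char[16]`) are hypothetical names, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16 /* assumption: the "char[16]" named in the reply */

/* Stand-in for a bounded, zero-padding copy; NOT the kernel's strscpy_pad(). */
static void copy_pad(char *dst, const char *src, size_t size)
{
	size_t len = 0;

	while (len < size - 1 && src[len] != '\0') /* bounded scan of src */
		len++;
	memcpy(dst, src, len);
	memset(dst + len, 0, size - len); /* terminator plus padding */
}

/* Hypothetical: build the name privately, publish with one fixed-size copy. */
void set_comm_bounce(char comm[TASK_COMM_LEN], const char *name)
{
	char tmp[TASK_COMM_LEN];

	copy_pad(tmp, name, sizeof(tmp));
	/* comm only ever receives bytes from a finished, terminated buffer */
	memcpy(comm, tmp, sizeof(tmp));
}

/* 1 if comm holds a NUL and every byte after the first NUL is also NUL. */
int comm_is_terminated_and_padded(const char comm[TASK_COMM_LEN])
{
	size_t i = 0;

	while (i < TASK_COMM_LEN && comm[i] != '\0')
		i++;
	if (i == TASK_COMM_LEN)
		return 0;
	for (; i < TASK_COMM_LEN; i++)
		if (comm[i] != '\0')
			return 0;
	return 1;
}

int main(void)
{
	char comm[TASK_COMM_LEN] = "previous-name"; /* constructed sample */

	set_comm_bounce(comm, "kworker/u16:3-events_unbound"); /* constructed */
	printf("%s padded=%d\n", comm, comm_is_terminated_and_padded(comm));
	return 0;
}
```

The 16-byte `memcpy()` is still not atomic, so a concurrent reader can observe a mix of old and new bytes; what the scheme guarantees is that the final byte of the target is only ever written with NUL.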