Date: Sat, 17 Aug 2024 19:03:28 +0200
From: Alejandro Colomar
To: Linus Torvalds
Cc: Yafang Shao, akpm@linux-foundation.org, justinstitt@google.com, ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, catalin.marinas@arm.com, penguin-kernel@i-love.sakura.ne.jp, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup()
References: <20240817025624.13157-1-laoar.shao@gmail.com> <20240817025624.13157-6-laoar.shao@gmail.com>
Hi Linus,

On Sat, Aug 17, 2024 at 09:26:21AM GMT, Linus Torvalds wrote:
> On Sat, 17 Aug 2024 at 01:48, Alejandro Colomar wrote:
> >
> > I would compact the above to:
> >
> > 	len = strlen(s);
> > 	buf = kmalloc_track_caller(len + 1, gfp);
> > 	if (buf)
> > 		strcpy(mempcpy(buf, s, len), "");
>
> No, we're not doing this kind of horror.

Ok.

> If _FORTIFY_SOURCE has problems with a simple "memcpy and add NUL",
> then _FORTIFY_SOURCE needs to be fixed.

_FORTIFY_SOURCE works (AFAIK) by replacing the usual string calls by
ones that do some extra work to learn the real size of the buffers.
This means that for _FORTIFY_SOURCE to work, you need to actually call
a function.  Since the "add NUL" is not done in a function call, it's
unprotected (except that sanitizers may protect it via other means).

Here's the fortified version of strcpy(3) in the kernel:

$ grepc -h -B15 strcpy ./include/linux/fortify-string.h
/**
 * strcpy - Copy a string into another string buffer
 *
 * @p: pointer to destination of copy
 * @q: pointer to NUL-terminated source string to copy
 *
 * Do not use this function. While FORTIFY_SOURCE tries to avoid
 * overflows, this is only possible when the sizes of @q and @p are
 * known to the compiler. Prefer strscpy(), though note its different
 * return values for detecting truncation.
 *
 * Returns @p.
 *
 */
/* Defined after fortified strlen to reuse it. */
__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2)
char *strcpy(char * const POS p, const char * const POS q)
{
	const size_t p_size = __member_size(p);
	const size_t q_size = __member_size(q);
	size_t size;

	/* If neither buffer size is known, immediately give up. */
	if (__builtin_constant_p(p_size) &&
	    __builtin_constant_p(q_size) &&
	    p_size == SIZE_MAX && q_size == SIZE_MAX)
		return __underlying_strcpy(p, q);
	size = strlen(q) + 1;
	/* Compile-time check for const size overflow. */
	if (__compiletime_lessthan(p_size, size))
		__write_overflow();
	/* Run-time check for dynamic size overflow. */
	if (p_size < size)
		fortify_panic(FORTIFY_FUNC_strcpy, FORTIFY_WRITE, p_size, size, p);
	__underlying_memcpy(p, q, size);
	return p;
}

> We don't replace a "buf[len] = 0" with strcpy(,""). Yes, compilers may
> simplify it, but dammit, it's an unreadable incomprehensible mess to
> humans, and humans still matter a LOT more.

I understand.  While I don't consider it unreadable anymore (I guess I
got used to it), it felt strange at first.

>
> Linus

Have a lovely day!
Alex
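As an added example (not code from this thread, nor from the kernel), a user-space sketch of the two points discussed above: a strcpy() analogue that can check its destination only because the copy is a function call that is handed the buffer size, and a kstrdup()-style copy that writes the NUL itself instead of copying it from the source. It assumes, from the patch subject and Linus's "memcpy and add NUL" description, that the concern is the source string changing between strlen() and the copy; the racing writer is simulated with two separate literals, and all function names are made up.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Analogue of the fortified strcpy() quoted in the mail: the check exists
 * only because the copy is a function call that is told the destination
 * size (SIZE_MAX meaning "unknown", as in the kernel). The kernel calls
 * fortify_panic() on overflow; this version refuses and returns NULL. */
static char *checked_strcpy(char *p, size_t p_size, const char *q)
{
	size_t size = strlen(q) + 1;
	if (p_size != SIZE_MAX && p_size < size)
		return NULL;           /* destination left untouched */
	memcpy(p, q, size);
	return p;
}

/* Oversized copy into char[8] is refused at the call; dst is unchanged. */
int demo_checked_copy(void)
{
	char dst[8] = "keep";
	return checked_strcpy(dst, sizeof dst, "sixteen-chars-xx") == NULL
	       && strcmp(dst, "keep") == 0;
}

/* kstrdup()-style "memcpy and add NUL": copy exactly the len bytes measured
 * earlier and write the terminator ourselves, instead of trusting s[len]
 * to still be NUL at copy time. */
static char *dup_fixed_len(const char *s, size_t len)
{
	char *buf = malloc(len + 1);
	if (buf) {
		memcpy(buf, s, len);
		buf[len] = '\0';  /* plain store: no function call to fortify */
	}
	return buf;
}

/* Constructed stand-in for a racing writer: len is measured on old_src, the
 * copy then sees new_src. Returns 1 if the result is still a NUL-terminated
 * string of the measured length. */
int demo_source_grew(void)
{
	const char *old_src = "short", *new_src = "short-but-now-longer";
	size_t len = strlen(old_src);
	char *buf = dup_fixed_len(new_src, len);
	int ok = buf && strlen(buf) == len && memcmp(buf, new_src, len) == 0;
	free(buf);
	return ok;
}
```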