| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <38fbe522-f757-4de9-acf3-1483b90898f6@lucifer.local>
Date: Fri, 10 Jan 2025 12:48:44 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: "Isaac J. Manjarres" <isaacmanjarres@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, kaleshsingh@...gle.com,
jstultz@...gle.com, aliceryhl@...gle.com, surenb@...gle.com,
kernel-team@...roid.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/2] mm/memfd: Use strncpy_from_user() to read memfd
name
On Thu, Jan 09, 2025 at 10:59:05AM -0800, Isaac J. Manjarres wrote:
> The existing logic uses strnlen_user() to calculate the length of the
> memfd name from userspace and then copies the string into a buffer using
> copy_from_user(). This is error-prone, as the string length
> could have changed between the time when it was calculated and when the
> string was copied. The existing logic handles this by ensuring that the
> last byte in the buffer is the terminating zero.
>
> This handling is contrived and can better be handled by using
> strncpy_from_user(), which gets the length of the string and copies
> it in one shot. Therefore, simplify the logic for copying the memfd
> name by using strncpy_from_user().
>
> No functional change.
>
> Reviewed-by: Alice Ryhl <aliceryhl@...gle.com>
> Signed-off-by: Isaac J. Manjarres <isaacmanjarres@...gle.com>
LGTM,
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
> ---
> mm/memfd.c | 20 ++++++--------------
> 1 file changed, 6 insertions(+), 14 deletions(-)
>
> diff --git a/mm/memfd.c b/mm/memfd.c
> index bf0c2d97b940..5b7c5892ba64 100644
> --- a/mm/memfd.c
> +++ b/mm/memfd.c
> @@ -396,26 +396,18 @@ static char *alloc_name(const char __user *uname)
> char *name;
> long len;
>
> - /* length includes terminating zero */
> - len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1);
> - if (len <= 0)
> - return ERR_PTR(-EFAULT);
> - if (len > MFD_NAME_MAX_LEN + 1)
> - return ERR_PTR(-EINVAL);
> -
> - name = kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL);
> + name = kmalloc(NAME_MAX + 1, GFP_KERNEL);
> if (!name)
> return ERR_PTR(-ENOMEM);
>
> strcpy(name, MFD_NAME_PREFIX);
> - if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) {
> + /* returned length does not include terminating zero */
> + len = strncpy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, MFD_NAME_MAX_LEN + 1);
> + if (len < 0) {
> error = -EFAULT;
> goto err_name;
> - }
> -
> - /* terminating-zero may have changed after strnlen_user() returned */
> - if (name[len + MFD_NAME_PREFIX_LEN - 1]) {
> - error = -EFAULT;
> + } else if (len > MFD_NAME_MAX_LEN) {
> + error = -EINVAL;
> goto err_name;
> }
>
> --
> 2.47.1.613.gc27f4b7a9f-goog
>
Powered by blists - more mailing lists