[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240613023044.45873-6-laoar.shao@gmail.com>
Date: Thu, 13 Jun 2024 10:30:39 +0800
From: Yafang Shao <laoar.shao@...il.com>
To: torvalds@...ux-foundation.org
Cc: ebiederm@...ssion.com,
alexei.starovoitov@...il.com,
rostedt@...dmis.org,
linux-mm@...ck.org,
linux-fsdevel@...r.kernel.org,
linux-trace-kernel@...r.kernel.org,
audit@...r.kernel.org,
linux-security-module@...r.kernel.org,
selinux@...r.kernel.org,
bpf@...r.kernel.org,
netdev@...r.kernel.org,
dri-devel@...ts.freedesktop.org,
Yafang Shao <laoar.shao@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup()
In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, potential race condidtion can occur between a
writer and a reader.
Consider the following scenario involving task->comm:
reader writer
len = strlen(s) + 1;
strlcpy(tsk->comm, buf, sizeof(tsk->comm));
memcpy(buf, s, len);
In this case, there is a race condition between the reader and the
writer. The reader calculate the length of the string `s` based on the
old value of task->comm. However, during the memcpy(), the string `s`
might be updated by the writer to a new value of task->comm.
If the new task->comm is larger than the old one, the `buf` might not be
NUL-terminated. This can lead to undefined behavior and potential
security vulnerabilities.
Let's fix it by explicitly adding a NUL-terminator.
Signed-off-by: Yafang Shao <laoar.shao@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
---
mm/util.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mm/util.c b/mm/util.c
index c9e519e6811f..3b383f790208 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -60,8 +60,10 @@ char *kstrdup(const char *s, gfp_t gfp)
len = strlen(s) + 1;
buf = kmalloc_track_caller(len, gfp);
- if (buf)
+ if (buf) {
memcpy(buf, s, len);
+ buf[len - 1] = '\0';
+ }
return buf;
}
EXPORT_SYMBOL(kstrdup);
--
2.39.1
Powered by blists - more mailing lists