[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALOAHbBEtViUN3L=741jNF4oFSqvxej-p0vcd-0awShMtmCQvg@mail.gmail.com>
Date: Fri, 14 Jun 2024 10:33:48 +0800
From: Yafang Shao <laoar.shao@...il.com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: torvalds@...ux-foundation.org, ebiederm@...ssion.com,
alexei.starovoitov@...il.com, rostedt@...dmis.org, linux-mm@...ck.org,
linux-fsdevel@...r.kernel.org, linux-trace-kernel@...r.kernel.org,
audit@...r.kernel.org, linux-security-module@...r.kernel.org,
selinux@...r.kernel.org, bpf@...r.kernel.org, netdev@...r.kernel.org,
dri-devel@...ts.freedesktop.org
Subject: Re: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup()
On Fri, Jun 14, 2024 at 5:14 AM Andrew Morton <akpm@...ux-foundation.org> wrote:
>
> On Thu, 13 Jun 2024 10:30:39 +0800 Yafang Shao <laoar.shao@...il.com> wrote:
>
> > In kstrdup(), it is critical to ensure that the dest string is always
> > NUL-terminated. However, potential race condidtion can occur between a
> > writer and a reader.
> >
> > Consider the following scenario involving task->comm:
> >
> > reader writer
> >
> > len = strlen(s) + 1;
> > strlcpy(tsk->comm, buf, sizeof(tsk->comm));
> > memcpy(buf, s, len);
> >
> > In this case, there is a race condition between the reader and the
> > writer. The reader calculate the length of the string `s` based on the
> > old value of task->comm. However, during the memcpy(), the string `s`
> > might be updated by the writer to a new value of task->comm.
> >
> > If the new task->comm is larger than the old one, the `buf` might not be
> > NUL-terminated. This can lead to undefined behavior and potential
> > security vulnerabilities.
> >
> > Let's fix it by explicitly adding a NUL-terminator.
>
> The concept sounds a little strange. If some code takes a copy of a
> string while some other code is altering it, yes, the result will be a
> mess. This is why get_task_comm() exists, and why it uses locking.
>
> I get that "your copy is a mess" is less serious than "your string
> isn't null-terminated" but still. Whichever outcome we get, the
> calling code is buggy and should be fixed.
>
> Are there any other problematic scenarios we're defending against here?
>
> >
> > --- a/mm/util.c
> > +++ b/mm/util.c
> > @@ -60,8 +60,10 @@ char *kstrdup(const char *s, gfp_t gfp)
> >
> > len = strlen(s) + 1;
> > buf = kmalloc_track_caller(len, gfp);
> > - if (buf)
> > + if (buf) {
> > memcpy(buf, s, len);
> > + buf[len - 1] = '\0';
> > + }
> > return buf;
> > }
>
> Now I'll start receiving patches to remove this again. Let's have a
> code comment please.
I will add a comment for it.
>
> And kstrdup() is now looking awfully similar to kstrndup(). Perhaps
> there's a way to reduce duplication?
Yes, I believe we can add a common helper for them :
static char *__kstrndup(const char *s, size_t max, gfp_t gfp)
--
Regards
Yafang
Powered by blists - more mailing lists