| Message ID | 20171205151724.1764896-1-arnd@arndb.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, Dec 5, 2017 at 7:17 AM, Arnd Bergmann <arnd@arndb.de> wrote: > gcc-8 warns about using strncpy() with the source size as the limit: > > fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess] > > This is indeed slightly suspicious, as it protects us from source > arguments without NUL-termination, but does not guarantee that the > destination is terminated. > > This keeps the strncpy() to ensure we have properly padded target buffer, > but ensures that we use the correct length, by passing the actual length > of the destination buffer as well as adding a build-time check to ensure > it is exactly TASK_COMM_LEN. There are only 23 callsights which I all > reviewed to ensure this is currently the case. We could get away with > doing only the check or passing the right length, but it doesn't hurt > to do both. > > Suggested-by: Kees Cook <keescook@chromium.org> > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Awesome. Thanks for checking them all! Acked-by: Kees Cook <keescook@chromium.org> -Kees > --- > fs/exec.c | 7 +++---- > include/linux/sched.h | 6 +++++- > 2 files changed, 8 insertions(+), 5 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index 6be2aa0ab26f..156f56acfe8e 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1216,15 +1216,14 @@ static int de_thread(struct task_struct *tsk) > return -EAGAIN; > } > > -char *get_task_comm(char *buf, struct task_struct *tsk) > +char *__get_task_comm(char *buf, size_t buf_size, struct task_struct *tsk) > { > - /* buf must be at least sizeof(tsk->comm) in size */ > task_lock(tsk); > - strncpy(buf, tsk->comm, sizeof(tsk->comm)); > + strncpy(buf, tsk->comm, buf_size); > task_unlock(tsk); > return buf; > } > -EXPORT_SYMBOL_GPL(get_task_comm); > +EXPORT_SYMBOL_GPL(__get_task_comm); > > /* > * These functions flushes out all traces of the currently running executable > diff --git a/include/linux/sched.h b/include/linux/sched.h > index 21991d668d35..5124ba709830 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -1503,7 +1503,11 @@ static inline void set_task_comm(struct task_struct *tsk, const char *from) > __set_task_comm(tsk, from, false); > } > > -extern char *get_task_comm(char *to, struct task_struct *tsk); > +extern char *__get_task_comm(char *to, size_t len, struct task_struct *tsk); > +#define get_task_comm(buf, tsk) ({ \ > + BUILD_BUG_ON(sizeof(buf) != TASK_COMM_LEN); \ > + __get_task_comm(buf, sizeof(buf), tsk); \ > +}) > > #ifdef CONFIG_SMP > void scheduler_ipi(void); > -- > 2.9.0 >
From: Arnd Bergmann > Sent: 05 December 2017 15:17 > gcc-8 warns about using strncpy() with the source size as the limit: Hmmm... Someone 'fixed' some of those in the NetBSD tree a few years back. There was one place where the code was correct. A potentially unterminated string was being copied into a buffer that was one byte longer. David
* Arnd Bergmann <arnd@arndb.de> wrote: > gcc-8 warns about using strncpy() with the source size as the limit: > > fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess] > > This is indeed slightly suspicious, as it protects us from source > arguments without NUL-termination, but does not guarantee that the > destination is terminated. > > This keeps the strncpy() to ensure we have properly padded target buffer, > but ensures that we use the correct length, by passing the actual length > of the destination buffer as well as adding a build-time check to ensure > it is exactly TASK_COMM_LEN. There are only 23 callsights which I all > reviewed to ensure this is currently the case. We could get away with > doing only the check or passing the right length, but it doesn't hurt > to do both. > > Suggested-by: Kees Cook <keescook@chromium.org> > Signed-off-by: Arnd Bergmann <arnd@arndb.de> Looks useful. Acked-by: Ingo Molnar <mingo@kernel.org> Thanks, Ingo
On Wed, Dec 6, 2017 at 9:49 AM, Ingo Molnar <mingo@kernel.org> wrote: > > * Arnd Bergmann <arnd@arndb.de> wrote: > >> gcc-8 warns about using strncpy() with the source size as the limit: >> >> fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess] >> >> This is indeed slightly suspicious, as it protects us from source >> arguments without NUL-termination, but does not guarantee that the >> destination is terminated. >> >> This keeps the strncpy() to ensure we have properly padded target buffer, >> but ensures that we use the correct length, by passing the actual length >> of the destination buffer as well as adding a build-time check to ensure >> it is exactly TASK_COMM_LEN. There are only 23 callsights which I all >> reviewed to ensure this is currently the case. We could get away with >> doing only the check or passing the right length, but it doesn't hurt >> to do both. >> >> Suggested-by: Kees Cook <keescook@chromium.org> >> Signed-off-by: Arnd Bergmann <arnd@arndb.de> > > Looks useful. > > Acked-by: Ingo Molnar <mingo@kernel.org> Ingo, can you take this into -tip, or should this go via -mm or some other tree? -Kees
On Wed, 6 Dec 2017 15:09:20 -0800 Kees Cook <keescook@chromium.org> wrote: > >> to do both. > >> > >> Suggested-by: Kees Cook <keescook@chromium.org> > >> Signed-off-by: Arnd Bergmann <arnd@arndb.de> > > > > Looks useful. > > > > Acked-by: Ingo Molnar <mingo@kernel.org> > > Ingo, can you take this into -tip, or should this go via -mm or some other tree? I have it queued for 4.15.
diff --git a/fs/exec.c b/fs/exec.c index 6be2aa0ab26f..156f56acfe8e 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1216,15 +1216,14 @@ static int de_thread(struct task_struct *tsk) return -EAGAIN; } -char *get_task_comm(char *buf, struct task_struct *tsk) +char *__get_task_comm(char *buf, size_t buf_size, struct task_struct *tsk) { - /* buf must be at least sizeof(tsk->comm) in size */ task_lock(tsk); - strncpy(buf, tsk->comm, sizeof(tsk->comm)); + strncpy(buf, tsk->comm, buf_size); task_unlock(tsk); return buf; } -EXPORT_SYMBOL_GPL(get_task_comm); +EXPORT_SYMBOL_GPL(__get_task_comm); /* * These functions flushes out all traces of the currently running executable diff --git a/include/linux/sched.h b/include/linux/sched.h index 21991d668d35..5124ba709830 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1503,7 +1503,11 @@ static inline void set_task_comm(struct task_struct *tsk, const char *from) __set_task_comm(tsk, from, false); } -extern char *get_task_comm(char *to, struct task_struct *tsk); +extern char *__get_task_comm(char *to, size_t len, struct task_struct *tsk); +#define get_task_comm(buf, tsk) ({ \ + BUILD_BUG_ON(sizeof(buf) != TASK_COMM_LEN); \ + __get_task_comm(buf, sizeof(buf), tsk); \ +}) #ifdef CONFIG_SMP void scheduler_ipi(void);
gcc-8 warns about using strncpy() with the source size as the limit: fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess] This is indeed slightly suspicious, as it protects us from source arguments without NUL-termination, but does not guarantee that the destination is terminated. This keeps the strncpy() to ensure we have properly padded target buffer, but ensures that we use the correct length, by passing the actual length of the destination buffer as well as adding a build-time check to ensure it is exactly TASK_COMM_LEN. There are only 23 callsights which I all reviewed to ensure this is currently the case. We could get away with doing only the check or passing the right length, but it doesn't hurt to do both. Suggested-by: Kees Cook <keescook@chromium.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- fs/exec.c | 7 +++---- include/linux/sched.h | 6 +++++- 2 files changed, 8 insertions(+), 5 deletions(-)