From: Yafang Shao
To: torvalds@linux-foundation.org
Cc: ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, catalin.marinas@arm.com, akpm@linux-foundation.org, penguin-kernel@i-love.sakura.ne.jp, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Yafang Shao
Subject: [PATCH v3 05/11] mm/util: Fix possible race condition in kstrdup()
Date: Fri, 21 Jun 2024 10:29:53 +0800
Message-Id: <20240621022959.9124-6-laoar.shao@gmail.com>
In-Reply-To: <20240621022959.9124-1-laoar.shao@gmail.com>
References: <20240621022959.9124-1-laoar.shao@gmail.com>

In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, a potential race condition can occur between a
writer and a reader. Consider the following scenario involving task->comm:

  reader                      writer
  len = strlen(s) + 1;
                              strlcpy(tsk->comm, buf, sizeof(tsk->comm));
  memcpy(buf, s, len);

In this case, there is a race condition between the reader and the writer.
The reader calculates the length of the string `s` based on the old value of
task->comm. However, during the memcpy(), the string `s` might be updated by
the writer to a new value of task->comm. If the new task->comm is larger than
the old one, the `buf` might not be NUL-terminated.
This can lead to undefined behavior and potential security vulnerabilities.

Let's fix it by explicitly adding a NUL-terminator.

Signed-off-by: Yafang Shao
Cc: Andrew Morton
---
 mm/util.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/util.c b/mm/util.c index c9e519e6811f..41c7875572ed 100644 --- a/mm/util.c +++ b/mm/util.c @@ -60,8 +60,14 @@ char *kstrdup(const char *s, gfp_t gfp) len = strlen(s) + 1; buf = kmalloc_track_caller(len, gfp); - if (buf) + if (buf) { memcpy(buf, s, len); + /* During memcpy(), the string might be updated to a new value, + * which could be longer than the string when strlen() is + * called. Therefore, we need to add a null termimator. + */ + buf[len - 1] = '\0'; + } return buf; } EXPORT_SYMBOL(kstrdup);
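Review bot: the new comment in this hunk misspells "terminator" as "termimator", and a multi-line comment in mm/ should follow the kernel style with `/*` on a line of its own rather than starting the text on the opening line. On the logic, `buf[len - 1] = '\0'` is correctly bounded (the buffer is exactly `len` bytes, so the last byte is always overwritten) and it does guarantee a terminated result, but it does not remove the race the description shows: memcpy() still reads `s` while the writer's strlcpy() into tsk->comm is modifying it, so the copy can be truncated or hold a mix of old and new bytes, and the unsynchronized read remains a data race that KCSAN will report. The comment should say that this only guarantees termination, not a consistent copy, and the task->comm case should be fixed at its reader (taking the comm under the same serialization the writer uses, for example via get_task_comm()) rather than relying on kstrdup() to absorb it.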
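The race in the description above, modelled deterministically in C as an added example that is not code from the patch or the kernel: the "writer" is invoked in the gap between strlen() and memcpy() instead of running on another CPU, so the outcome is reproducible. kstrdup_unpatched(), kstrdup_patched(), grow_comm(), the racing_writer_fn hook and the 16-byte comm buffer are constructed stand-ins.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the race in the patch description: the "writer" is
 * called in the window between strlen() and memcpy() instead of running on
 * another CPU, so the outcome is deterministic. */
typedef void (*racing_writer_fn)(char *s);

/* Shape of kstrdup() before the patch: nothing forces a NUL into the copy. */
static char *kstrdup_unpatched(char *s, racing_writer_fn writer)
{
	size_t len = strlen(s) + 1;
	char *buf = malloc(len);
	if (writer)
		writer(s);		/* the race window */
	if (buf)
		memcpy(buf, s, len);
	return buf;
}

/* Shape of kstrdup() after the patch: same window, but the last of the len
 * bytes is always overwritten with NUL, so the copy is at worst truncated. */
static char *kstrdup_patched(char *s, racing_writer_fn writer)
{
	size_t len = strlen(s) + 1;
	char *buf = malloc(len);
	if (writer)
		writer(s);		/* the race window */
	if (buf) {
		memcpy(buf, s, len);
		buf[len - 1] = '\0';
	}
	return buf;
}

/* Stand-in for the writer's strlcpy() into tsk->comm: grows the string
 * (13 characters, fits the 16-byte comm buffer). */
static void grow_comm(char *s) { strcpy(s, "a-much-longer"); }

/* 1 if a NUL occurs within the len bytes the duplicate was sized for, else 0. */
static int copy_is_terminated(char *(*dup)(char *, racing_writer_fn))
{
	char comm[16] = "abc";		/* constructed stand-in for task->comm */
	size_t len = strlen(comm) + 1;	/* 4: what strlen() saw before the race */
	char *buf = dup(comm, grow_comm);
	int ok = buf && memchr(buf, '\0', len) != NULL;
	free(buf);
	return ok;
}
int unpatched_copy_is_terminated(void) { return copy_is_terminated(kstrdup_unpatched); }
int patched_copy_is_terminated(void) { return copy_is_terminated(kstrdup_patched); }
```

With the source growing from "abc" to "a-much-longer" between the two calls, the unpatched copy holds "a-mu" with no terminator while the patched copy holds "a-m" and is terminated.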