From patchwork Fri Jun 28 09:05:11 2024
X-Patchwork-Submitter: Yafang Shao
X-Patchwork-Id: 13715780
From: Yafang Shao
To: torvalds@linux-foundation.org, laoar.shao@gmail.com
Cc: akpm@linux-foundation.org, alexei.starovoitov@gmail.com, audit@vger.kernel.org, bpf@vger.kernel.org, catalin.marinas@arm.com, dri-devel@lists.freedesktop.org, ebiederm@xmission.com, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-security-module@vger.kernel.org, linux-trace-kernel@vger.kernel.org, netdev@vger.kernel.org, penguin-kernel@i-love.sakura.ne.jp, rostedt@goodmis.org, selinux@vger.kernel.org
Subject: [PATCH v4 05/11] mm/util: Fix possible race condition in kstrdup()
Date: Fri, 28 Jun 2024 17:05:11 +0800
Message-Id: <20240628090517.17994-5-laoar.shao@gmail.com>
X-Mailer: git-send-email 2.30.1 (Apple Git-130)
In-Reply-To: <20240628090517.17994-1-laoar.shao@gmail.com>
References: <20240628085750.17367-1-laoar.shao@gmail.com> <20240628090517.17994-1-laoar.shao@gmail.com>

In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, a potential race condition can occur between a
writer and a reader. Consider the following scenario involving task->comm:

        reader                          writer
  len = strlen(s) + 1;
                                strlcpy(tsk->comm, buf, sizeof(tsk->comm));
  memcpy(buf, s, len);

In this case, there is a race condition between the reader and the writer.
The reader calculates the length of the string `s` based on the old value
of task->comm. However, during the memcpy(), the string `s` might be
updated by the writer to a new value of task->comm. If the new task->comm
is larger than the old one, the `buf` might not be NUL-terminated. This
can lead to undefined behavior and potential security vulnerabilities.

Let's fix it by explicitly adding a NUL-terminator.

Signed-off-by: Yafang Shao
Cc: Andrew Morton
---
 mm/util.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/util.c b/mm/util.c
index c9e519e6811f..41c7875572ed 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -60,8 +60,14 @@ char *kstrdup(const char *s, gfp_t gfp) len = strlen(s) + 1; buf = kmalloc_track_caller(len, gfp); - if (buf) + if (buf) { memcpy(buf, s, len); + /* During memcpy(), the string might be updated to a new value, + * which could be longer than the string when strlen() is + * called. Therefore, we need to add a null termimator. + */ + buf[len - 1] = '\0'; + } return buf; } EXPORT_SYMBOL(kstrdup);
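Review bot: the added comment in the hunk misspells "terminator" as "termimator" and opens its text on the `/*` line, which is the net/ comment style rather than the multi-line style used elsewhere in mm/ (`/*` alone on the first line); it would also read better if it named the concurrent writer the commit message describes (task->comm) instead of "the string". Beyond style, the comment should state what the fix does and does not guarantee: `buf[len - 1] = '\0';` makes the duplicate NUL-terminated, and the `memcpy(buf, s, len)` read itself stays inside tsk->comm because `len` was computed from a value that fit there, but when the source changes between strlen() and memcpy() the caller still receives a truncated copy of the new value. Callers that need a consistent snapshot of task->comm rather than merely a terminated one still have to serialize against the writer on their side; a sentence saying so in the comment would keep later readers from treating this as a full fix for the race.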
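The interleaving the commit message describes, modelled in user space as an added example (this is not code from the patch or from mm/util.c). The writer is invoked by hand in the window between strlen() and memcpy(), so the outcome is deterministic instead of depending on scheduling. comm_buf, my_strlcpy(), kstrdup_model(), race_writer(), is_terminated() and run_race() are this example's own names; TASK_COMM_LEN is set to 16 here as an assumption about the size of task->comm, since the page itself does not state it.

```c
/* Added example, not code from the patch: a user-space model of the
 * kstrdup() race on task->comm. The "writer" runs in the window between
 * strlen() and memcpy(), which is exactly the interleaving the commit
 * message shows. All names below are this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TASK_COMM_LEN 16   /* assumed size of task->comm */

/* Stand-in for tsk->comm: the shared buffer the writer updates. */
static char comm_buf[TASK_COMM_LEN];

/* Bounded copy with the strlcpy() contract, written out so the example
 * does not depend on which libc provides strlcpy(). */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    if (size) {
        size_t c = n >= size ? size - 1 : n;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Writer side of the race: replace the comm with a new value. */
static void writer_set_comm(const char *newname)
{
    my_strlcpy(comm_buf, newname, sizeof(comm_buf));
}

/* The kstrdup() copy sequence with a hook between strlen() and memcpy().
 * terminate == false models the pre-patch code, true models the patch. */
static char *kstrdup_model(const char *s, void (*between)(void), bool terminate)
{
    size_t len = strlen(s) + 1;       /* length of the OLD comm */
    char *buf = malloc(len);
    if (!buf)
        return NULL;
    if (between)
        between();                    /* writer changes s under us */
    memcpy(buf, s, len);              /* copies len bytes of the NEW comm */
    if (terminate)
        buf[len - 1] = '\0';          /* the patch's fix */
    return buf;
}

/* The writer that races with the copy: a longer name than the old one. */
static void race_writer(void)
{
    writer_set_comm("longer_name_123"); /* 15 chars, still fits in comm */
}

/* True when buf holds a NUL somewhere within its first len bytes. */
static bool is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Run the race once from a short old comm; returns whether the duplicate
 * produced by kstrdup_model() is NUL-terminated. */
static bool run_race(bool terminate)
{
    writer_set_comm("sh");            /* old comm: 2 chars, so len == 3 */
    char *dup = kstrdup_model(comm_buf, race_writer, terminate);
    bool ok = dup != NULL && is_terminated(dup, 3);
    free(dup);
    return ok;
}

int main(void)
{
    printf("pre-patch copy NUL-terminated:  %s\n", run_race(false) ? "yes" : "no");
    printf("post-patch copy NUL-terminated: %s\n", run_race(true) ? "yes" : "no");
    return 0;
}
```

With the pre-patch sequence the three bytes copied are "lon", so the duplicate has no terminator inside its allocation; with the patch's `buf[len - 1] = '\0'` the caller gets "lo", which is terminated but visibly truncated. That second outcome is the point a reviewer would keep in mind: the fix closes the undefined-behaviour hole without making the copy a consistent snapshot of the new value.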