From patchwork Sun Aug 4 07:56:15 2024
X-Patchwork-Submitter: Yafang Shao
X-Patchwork-Id: 13752528
From: Yafang Shao
To: akpm@linux-foundation.org
Cc: torvalds@linux-foundation.org, ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, catalin.marinas@arm.com, penguin-kernel@i-love.sakura.ne.jp, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Yafang Shao
Subject: [PATCH v5 5/9] mm/util: Fix possible race condition in kstrdup()
Date: Sun, 4 Aug 2024 15:56:15 +0800
Message-Id: <20240804075619.20804-6-laoar.shao@gmail.com>
X-Mailer: git-send-email 2.30.1 (Apple Git-130)
In-Reply-To: <20240804075619.20804-1-laoar.shao@gmail.com>
References: <20240804075619.20804-1-laoar.shao@gmail.com>
In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, a potential race condition can occur between a
writer and a reader.

Consider the following scenario involving task->comm:

    reader                          writer
    len = strlen(s) + 1;
                                    strlcpy(tsk->comm, buf, sizeof(tsk->comm));
    memcpy(buf, s, len);

In this case, there is a race condition between the reader and the writer.
The reader calculates the length of the string `s` based on the old value of
task->comm. However, during the memcpy(), the string `s` might be updated by
the writer to a new value of task->comm. If the new task->comm is larger than
the old one, the `buf` might not be NUL-terminated. This can lead to undefined
behavior and potential security vulnerabilities.

Let's fix it by explicitly adding a NUL-terminator.

Signed-off-by: Yafang Shao
Cc: Andrew Morton
---
 mm/util.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/util.c b/mm/util.c
index 678c647b778f..912d64ede234 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -62,8 +62,14 @@ char *kstrdup(const char *s, gfp_t gfp)
 	len = strlen(s) + 1;
 	buf = kmalloc_track_caller(len, gfp);
-	if (buf)
+	if (buf) {
 		memcpy(buf, s, len);
+		/* During memcpy(), the string might be updated to a new value,
+		 * which could be longer than the string when strlen() is
+		 * called. Therefore, we need to add a null termimator.
+		 */
+		buf[len - 1] = '\0';
+	}
 	return buf;
 }
 EXPORT_SYMBOL(kstrdup);
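Review bot: the added comment has a typo ("termimator" should be "terminator"), and it should state what the terminator does and does not guarantee: `buf[len - 1] = '\0';` prevents the unterminated copy the commit message describes when the string grows, but the bytes before it can still be a mix of the old and the new value, and when the string shrinks `memcpy(buf, s, len);` still copies len bytes past the new NUL; so the patch makes the copy a valid C string, and callers that need a consistent snapshot still need their own synchronization, which the comment should say explicitly. Also, kernel coding style for multi-line comments outside net/ puts `/*` on a line of its own, i.e. `/*` followed by ` * During memcpy(), the string might be updated to a new value,`.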
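The interleaving described in the commit message, as a constructed user-space model (an added example, not part of the patch or of the kernel's mm/util.c; dup_racy(), dup_terminated() and is_terminated() are hypothetical names chosen for the demonstration): the "reader" measures the old value of the string and then copies from the new one, which is exactly the window the patch closes. It shows that the pre-patch copy can come back with no NUL in it, while the patched form always yields a C string, at the cost of truncation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed user-space model of the interleaving in the commit message:
 * the length is taken from the string's OLD value, but the bytes are copied
 * from its NEW value because the writer ran in between. This is example
 * code, not the kernel's kstrdup(); dup_racy(), dup_terminated() and
 * is_terminated() are hypothetical names chosen for the demonstration.
 */

/* Pre-patch behaviour: the returned buffer holds len bytes of new_val and
 * contains a NUL only if new_val is no longer than old_val. */
static char *dup_racy(const char *old_val, const char *new_val)
{
	size_t len = strlen(old_val) + 1;	/* reader measures the old value */
	char *buf = malloc(len);

	if (buf)
		memcpy(buf, new_val, len);	/* ...but copies the new value */
	return buf;
}

/* Post-patch behaviour: identical copy, then the last byte is forced to NUL,
 * so the result is always a valid (possibly truncated) C string. */
static char *dup_terminated(const char *old_val, const char *new_val)
{
	size_t len = strlen(old_val) + 1;
	char *buf = malloc(len);

	if (buf) {
		memcpy(buf, new_val, len);
		buf[len - 1] = '\0';
	}
	return buf;
}

/* Does a NUL byte exist within the first cap bytes of buf? Without one,
 * strlen() or printf("%s") on buf would read past the allocation. */
static int is_terminated(const char *buf, size_t cap)
{
	return memchr(buf, '\0', cap) != NULL;
}

int main(void)
{
	/* Constructed comm values: the writer replaced a 2-char name with a
	 * 12-char one between the reader's strlen() and its memcpy(). */
	const char *old_comm = "sh";
	const char *new_comm = "kworker/u8:3";
	size_t cap = strlen(old_comm) + 1;
	char *racy = dup_racy(old_comm, new_comm);
	char *fixed = dup_terminated(old_comm, new_comm);

	if (!racy || !fixed)
		return 1;
	printf("racy copy terminated:  %s\n", is_terminated(racy, cap) ? "yes" : "no");
	printf("fixed copy terminated: %s (\"%s\")\n",
	       is_terminated(fixed, cap) ? "yes" : "no", fixed);
	free(racy);
	free(fixed);
	return 0;
}
```

The model reproduces only the case the commit message discusses, the string growing between strlen() and memcpy(); the writer's strlcpy() is not simulated, the new value is simply passed in. Note that the patched copy is "kw" rather than either the old or the new name: the terminator makes the result safe to treat as a string, it does not make it a consistent snapshot.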