From patchwork Sat Aug 17 02:56:21 2024
X-Patchwork-Submitter: Yafang Shao
X-Patchwork-Id: 13766927
From: Yafang Shao
To: akpm@linux-foundation.org
Cc: torvalds@linux-foundation.org, alx@kernel.org, justinstitt@google.com, ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, catalin.marinas@arm.com, penguin-kernel@i-love.sakura.ne.jp, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Yafang Shao
Subject: [PATCH v7 5/8] mm/util: Fix possible race condition in kstrdup()
Date: Sat, 17 Aug 2024 10:56:21 +0800
Message-Id: <20240817025624.13157-6-laoar.shao@gmail.com>
X-Mailer: git-send-email 2.30.1 (Apple Git-130)
In-Reply-To: <20240817025624.13157-1-laoar.shao@gmail.com>
References: <20240817025624.13157-1-laoar.shao@gmail.com>

In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, a potential race condition can occur between a
writer and a reader.

Consider the following scenario involving task->comm:

    reader                      writer

  len = strlen(s) + 1;
                                strlcpy(tsk->comm, buf, sizeof(tsk->comm));
  memcpy(buf, s, len);

In this case, there is a race condition between the reader and the
writer. The reader calculates the length of the string `s` based on the
old value of task->comm. However, during the memcpy(), the string `s`
might be updated by the writer to a new value of task->comm.
If the new task->comm is larger than the old one, the `buf` might not be
NUL-terminated. This can lead to undefined behavior and potential
security vulnerabilities.

Let's fix it by explicitly adding a NUL-terminator.

Signed-off-by: Yafang Shao
Cc: Andrew Morton
---
 mm/util.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/util.c b/mm/util.c index 983baf2bd675..4542d8a800d9 100644 --- a/mm/util.c +++ b/mm/util.c @@ -62,8 +62,14 @@ char *kstrdup(const char *s, gfp_t gfp) len = strlen(s) + 1; buf = kmalloc_track_caller(len, gfp); - if (buf) + if (buf) { memcpy(buf, s, len); + /* During memcpy(), the string might be updated to a new value, + * which could be longer than the string when strlen() is + * called. Therefore, we need to add a null termimator. + */ + buf[len - 1] = '\0'; + } return buf; } EXPORT_SYMBOL(kstrdup);
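Review bot: the new comment block in the kstrdup() hunk opens with text on the `/*` line (`/* During memcpy(), the string might be updated to a new value,`), which is the net/ comment style; code under mm/ uses the kernel's default multi-line style with `/*` on its own line, and "termimator" should read "terminator". It would also help to state what the added store does and does not buy: after `buf[len - 1] = '\0';` the allocation is guaranteed to hold a terminated string, but the bytes memcpy() copied can still be a torn mix of the old and new source when `s` is written concurrently, so a caller that needs a consistent snapshot of something like task->comm still has to serialize against the writer; the terminator only keeps a later strlen() or "%s" on the copy from running past the allocation.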
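The strlen()/memcpy() window the commit message describes, modelled in user space as an added example that is not part of the patch or of the kernel tree. A 16-byte array stands in for task->comm, malloc() for kmalloc_track_caller(), and a callback fired between strlen() and memcpy() plays the concurrent writer so the race reproduces deterministically instead of depending on thread timing; the hook parameter, the `kstrdup_before`/`kstrdup_after` pair and the helper names are the example's own and do not exist in the kernel.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMM_LEN 16	/* same size as TASK_COMM_LEN in the kernel */

/* Model-only instrumentation: runs inside the strlen()/memcpy() window
 * and stands in for the writer. Real kstrdup() has no such hook. */
typedef void (*race_hook_t)(void *ctx);
typedef char *(*dup_fn_t)(const char *s, race_hook_t hook, void *ctx);

/* kstrdup() before the patch: the strlen() result is trusted for the
 * whole copy, malloc() standing in for kmalloc_track_caller(). */
static char *kstrdup_before(const char *s, race_hook_t hook, void *ctx)
{
	size_t len = strlen(s) + 1;
	char *buf = malloc(len);

	if (hook)
		hook(ctx);		/* writer replaces *s here */
	if (buf)
		memcpy(buf, s, len);
	return buf;
}

/* kstrdup() with the patch applied: the last allocated byte is forced
 * to NUL no matter what memcpy() picked up. */
static char *kstrdup_after(const char *s, race_hook_t hook, void *ctx)
{
	size_t len = strlen(s) + 1;
	char *buf = malloc(len);

	if (hook)
		hook(ctx);
	if (buf) {
		memcpy(buf, s, len);
		buf[len - 1] = '\0';
	}
	return buf;
}

/* Writer side of the diagram: a longer name lands in the fixed-size
 * comm buffer, truncated the way strlcpy() would truncate it. */
static void grow_comm(void *ctx)
{
	snprintf((char *)ctx, COMM_LEN, "%s", "muchlongername");
}

/* Run dup() on a 3-byte comm ("sh" + NUL) while grow_comm() fires in
 * the window. The len bytes dup() allocated are copied raw into out
 * (at least COMM_LEN bytes, poisoned with 0xff first so a missing NUL
 * is visible) so the caller never calls strlen() on a possibly
 * unterminated buffer. Returns len, the size of the allocation. */
static size_t dup_under_race(dup_fn_t dup, unsigned char *out)
{
	char comm[COMM_LEN];
	size_t old_len;
	char *copy;

	snprintf(comm, sizeof(comm), "%s", "sh");
	old_len = strlen(comm) + 1;		/* 3 */
	copy = dup(comm, grow_comm, comm);
	memset(out, 0xff, COMM_LEN);
	if (copy)
		memcpy(out, copy, old_len);
	free(copy);
	return old_len;
}

/* 1 if the bytes dup() produced contain a NUL within the allocation,
 * 0 if a later strlen() on the copy would run off the end of it. */
static int copy_is_terminated(dup_fn_t dup)
{
	unsigned char out[COMM_LEN];
	size_t len = dup_under_race(dup, out);

	return memchr(out, '\0', len) != NULL;
}

int main(void)
{
	printf("before patch: copy terminated = %d\n",
	       copy_is_terminated(kstrdup_before));
	printf("after  patch: copy terminated = %d\n",
	       copy_is_terminated(kstrdup_after));
	return 0;
}
```

With the 3-byte old comm and the 14-character new one, the unpatched copy is the bytes "muc" with no terminator inside the allocation, while the patched copy is "mu" followed by NUL: terminated, but truncated to the old length and not equal to either value the writer ever stored, which is why the terminator is a bounds fix rather than a substitute for taking the task lock around the read.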