From patchwork Thu Jun 13 02:30:39 2024
From: Yafang Shao
To: torvalds@linux-foundation.org
Cc: ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Yafang Shao, Andrew Morton
Subject: [PATCH v2 05/10] mm/util: Fix possible race condition in kstrdup()
Date: Thu, 13 Jun 2024 10:30:39 +0800
Message-Id: <20240613023044.45873-6-laoar.shao@gmail.com>
In-Reply-To: <20240613023044.45873-1-laoar.shao@gmail.com>
References: <20240613023044.45873-1-laoar.shao@gmail.com>

In kstrdup(), it is critical to ensure that the dest string is always
NUL-terminated. However, a potential race condition can occur between a
writer and a reader.

Consider the following scenario involving task->comm:

                reader                    writer
  len = strlen(s) + 1;
                                          strlcpy(tsk->comm, buf, sizeof(tsk->comm));
  memcpy(buf, s, len);

In this case, there is a race condition between the reader and the
writer. The reader calculates the length of the string `s` based on the
old value of task->comm. However, during the memcpy(), the string `s`
might be updated by the writer to a new value of task->comm. If the new
task->comm is larger than the old one, the `buf` might not be
NUL-terminated. This can lead to undefined behavior and potential
security vulnerabilities.

Let's fix it by explicitly adding a NUL-terminator.

Signed-off-by: Yafang Shao
Cc: Andrew Morton
---
 mm/util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/util.c b/mm/util.c
index c9e519e6811f..3b383f790208 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -60,8 +60,10 @@ char *kstrdup(const char *s, gfp_t gfp)
 
 	len = strlen(s) + 1;
 	buf = kmalloc_track_caller(len, gfp);
-	if (buf)
+	if (buf) {
 		memcpy(buf, s, len);
+		buf[len - 1] = '\0';
+	}
 	return buf;
 }
 EXPORT_SYMBOL(kstrdup);
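Review bot: the added `buf[len - 1] = '\0';` bounds the result but does not make the copy consistent: `len` is taken from `strlen(s)` before the writer's `strlcpy()`, and `memcpy(buf, s, len)` can still copy a torn mix of the old and new task->comm, so the commit message should state that the terminator only prevents reading past the end of `buf`, not that kstrdup() of a concurrently modified string yields a coherent value; a caller that needs a stable task->comm still has to serialize against the writer rather than rely on this. Since the last byte is now overwritten unconditionally, `memcpy(buf, s, len - 1)` would also avoid copying a byte that is immediately discarded.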
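The race the commit message describes, modelled in user space so it can be reproduced deterministically. This is an added example and not code from the patch or from mm/util.c: the names `kstrdup_model`, `run_race` and `COMM_LEN` are constructed for the demonstration, the writer's `strlcpy()` into task->comm is stood in for by `snprintf()` into a local array, and the writer is made to run exactly in the window between the `strlen()` and the `memcpy()`. The unpatched form leaves a 3-byte allocation with no NUL in it; the patched form is terminated but holds a truncated mix of the old length and the new contents, which is the limit of what the fix guarantees.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for task->comm; TASK_COMM_LEN is 16 in the kernel. */
#define COMM_LEN 16

/*
 * User-space model of kstrdup() in its unpatched and patched forms. The
 * writer that races with the reader is modelled deterministically: new_comm
 * is written into comm between the strlen() and the memcpy(), exactly the
 * window described in the commit message. snprintf() stands in for the
 * kernel's strlcpy(), which always NUL-terminates within COMM_LEN.
 */
static char *kstrdup_model(char *comm, const char *new_comm, int patched)
{
    size_t len = strlen(comm) + 1;      /* measured on the OLD comm */
    char *buf = malloc(len);

    if (!buf)
        return NULL;

    /* writer: strlcpy(tsk->comm, new, sizeof(tsk->comm)) lands here */
    snprintf(comm, COMM_LEN, "%s", new_comm);

    memcpy(buf, comm, len);             /* copies len bytes of the NEW comm */
    if (patched)
        buf[len - 1] = '\0';            /* the fix: force a terminator */
    return buf;
}

/*
 * Run one race: old comm "ab" (len 3), writer switches it to "longer_name".
 * Returns 1 if the duplicate is NUL-terminated within its allocation,
 * 0 if not, -1 on allocation failure. Up to outsz raw bytes of the
 * duplicate are copied to out (not forced-terminated) for inspection.
 */
int run_race(int patched, char *out, size_t outsz)
{
    char comm[COMM_LEN] = "ab";
    size_t len = strlen(comm) + 1;
    char *buf = kstrdup_model(comm, "longer_name", patched);
    int terminated;

    if (!buf)
        return -1;
    terminated = memchr(buf, '\0', len) != NULL;
    if (out && outsz)
        memcpy(out, buf, outsz < len ? outsz : len);
    free(buf);
    return terminated;
}

int main(void)
{
    char raw[3];

    printf("unpatched: terminated=%d\n", run_race(0, raw, sizeof raw));
    printf("  bytes: '%c%c%c' (no NUL within the 3-byte allocation)\n",
           raw[0], raw[1], raw[2]);
    printf("patched:   terminated=%d\n", run_race(1, raw, sizeof raw));
    printf("  string: \"%s\" (bounded, but a truncated mix of old length "
           "and new contents)\n", raw);
    return 0;
}
```

Any consumer that treats the unpatched duplicate as a C string reads past the 3-byte allocation, which is the out-of-bounds read the patch closes; the patched duplicate is safe to read but, as the torn "lo" shows, not a faithful copy of either the old or the new value.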