From patchwork Mon Oct 7 14:49:09 2024
X-Patchwork-Submitter: Yafang Shao
X-Patchwork-Id: 13824829
From: Yafang Shao
To: akpm@linux-foundation.org
Cc: torvalds@linux-foundation.org, keescook@chromium.org, alx@kernel.org, justinstitt@google.com, ebiederm@xmission.com, alexei.starovoitov@gmail.com, rostedt@goodmis.org, catalin.marinas@arm.com, penguin-kernel@i-love.sakura.ne.jp, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, audit@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Yafang Shao, Andy Shevchenko
Subject: [PATCH v9 5/7] mm/util: Fix possible race condition in kstrdup()
Date: Mon, 7 Oct 2024 22:49:09 +0800
Message-Id: <20241007144911.27693-6-laoar.shao@gmail.com>
In-Reply-To: <20241007144911.27693-1-laoar.shao@gmail.com>
References: <20241007144911.27693-1-laoar.shao@gmail.com>

In kstrdup(), it is critical to ensure that the dest string is always NUL-terminated. However, a potential race condition can occur between a writer and a reader. Consider the following scenario involving task->comm:

  reader                     writer
  len = strlen(s) + 1;
                             strlcpy(tsk->comm, buf, sizeof(tsk->comm));
  memcpy(buf, s, len);

In this case, there is a race condition between the reader and the writer. The reader calculates the length of the string `s` based on the old value of task->comm. However, during the memcpy(), the string `s` might be updated by the writer to a new value of task->comm.
If the new task->comm is larger than the old one, the `buf` might not be NUL-terminated. This can lead to undefined behavior and potential security vulnerabilities.

Let's fix it by explicitly adding a NUL terminator after the memcpy.

It is worth noting that memcpy() is not atomic, so the new string can be shorter when memcpy() already copied past the new NUL.

Signed-off-by: Yafang Shao
Cc: Andrew Morton
Cc: Alejandro Colomar
Cc: Andy Shevchenko
---
 mm/util.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mm/util.c b/mm/util.c index 4f1275023eb7..858a9a2f57e7 100644 --- a/mm/util.c +++ b/mm/util.c @@ -62,8 +62,15 @@ char *kstrdup(const char *s, gfp_t gfp) len = strlen(s) + 1; buf = kmalloc_track_caller(len, gfp); - if (buf) + if (buf) { memcpy(buf, s, len); + /* + * During memcpy(), the string might be updated to a new value, + * which could be longer than the string when strlen() is + * called. Therefore, we need to add a NUL terminator. + */ + buf[len - 1] = '\0'; + } return buf; } EXPORT_SYMBOL(kstrdup);
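Review bot: the new `buf[len - 1] = '\0';` guarantees termination but not consistency: since memcpy() is not atomic (as the commit message itself notes), buf can still hold a mix of old and new task->comm bytes, so the added comment should say that the terminator only makes the result a valid C string, and a caller that needs a coherent snapshot must still serialize against the writer. Also, "which could be longer than the string when strlen() is called" reads better as "which could be longer than it was when strlen() was called".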
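To make the interleaving in the commit message concrete, here is an added user-space model (not the kernel's code and not part of this patch) that replays the reader/writer steps in sequence against a comm-sized buffer and compares the pre-patch copy with the patched one. The names dup_old, dup_fixed and replay, the sample process names, and the 16-byte buffer (matching the kernel's TASK_COMM_LEN) are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not the kernel's code: a user-space model of kstrdup()
 * that replays the reader/writer interleaving from the commit message.
 * comm[] stands in for task->comm; 16 matches the kernel's TASK_COMM_LEN. */
#define COMM_LEN 16
static char comm[COMM_LEN];

/* Pre-patch kstrdup(): copy 'len' bytes, trusting them to contain a NUL. */
static char *dup_old(const char *s, size_t len)
{
    char *buf = malloc(len);
    if (buf)
        memcpy(buf, s, len);
    return buf;
}

/* Patched kstrdup(): same copy, then force the terminator. */
static char *dup_fixed(const char *s, size_t len)
{
    char *buf = malloc(len);
    if (buf) {
        memcpy(buf, s, len);
        buf[len - 1] = '\0';
    }
    return buf;
}

/* Replay the race step by step: the reader measures the short name, the
 * writer then installs a longer one, and only afterwards does the reader's
 * memcpy() run. Returns 1 if the copy is NUL-terminated within len bytes,
 * 0 if it is not, -1 on allocation failure. */
static int replay(char *(*dup)(const char *, size_t))
{
    size_t len;
    char *buf;
    int terminated;

    strcpy(comm, "sh");                 /* writer: old comm (constructed) */
    len = strlen(comm) + 1;             /* reader: len == 3 */
    strcpy(comm, "kworker/u8:1");       /* writer: new, longer comm */
    buf = dup(comm, len);               /* reader: memcpy() of 3 bytes */
    if (!buf)
        return -1;
    /* memchr() rather than strlen(): reading past an unterminated copy is UB */
    terminated = memchr(buf, '\0', len) != NULL;
    free(buf);
    return terminated;
}
```

With the pre-patch copy the three bytes are "kwo" with no terminator; the patched copy yields "kw" followed by NUL, which is the torn-but-valid string the patch settles for.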