2006-02-14 23:48:00

by Davi Arnaut

Subject: [PATCH 0/2] strndup_user, description


This patch series creates a strndup_user() function in order to avoid duplicated
and error-prone (userspace modifying the string after the strlen_user()) code.

The diffstat:

include/linux/string.h | 3 +
kernel/module.c | 19 +-------
mm/util.c | 37 +++++++++++++++
security/keys/keyctl.c | 116 ++++++++++---------------------------------------
4 files changed, 68 insertions(+), 107 deletions(-)

Signed-off-by: Davi Arnaut <[email protected]>
--

diff --git a/include/linux/string.h b/include/linux/string.h
index 369be32..2cb2dc8 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -18,6 +18,9 @@ extern char * strsep(char **,const char
extern __kernel_size_t strspn(const char *,const char *);
extern __kernel_size_t strcspn(const char *,const char *);

+#define strdup_user(s) strndup_user(s, PAGE_SIZE)
+extern char *strndup_user(const char __user *, long);
+
/*
* Include machine specific inline routines
*/
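Review bot: the `strdup_user(s)` macro in this hunk hard-wires `PAGE_SIZE` as the bound, a limit that has nothing to do with what any caller can accept, and the reply below notes it has no user yet; drop the macro and make each caller pass its own explicit `n` to `strndup_user()`. While touching the prototype, consider `size_t` rather than `long` for the bound, since a negative `n` has no meaning here and the callee would otherwise have to reject it.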
diff --git a/mm/util.c b/mm/util.c
index 5f4bb59..09c2c3b 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -1,6 +1,8 @@
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/module.h>
+#include <linux/err.h>
+#include <asm/uaccess.h>

/**
* kzalloc - allocate memory. The memory is set to zero.
@@ -37,3 +39,38 @@ char *kstrdup(const char *s, gfp_t gfp)
return buf;
}
EXPORT_SYMBOL(kstrdup);
+
+/*
+ * strndup_user - duplicate an existing string from user space
+ *
+ * @s: The string to duplicate
+ * @n: Maximum number of bytes to copy, including the trailing NUL.
+ */
+char *strndup_user(const char __user *s, long n)
+{
+ char *p;
+ long length;
+
+ length = strlen_user(s);
+
+ if (!length)
+ return ERR_PTR(-EFAULT);
+
+ if (length > n)
+ length = n;
+
+ p = kmalloc(length, GFP_KERNEL);
+
+ if (!p)
+ return ERR_PTR(-ENOMEM);
+
+ if (strncpy_from_user(p, s, length) < 0) {
+ kfree(p);
+ return ERR_PTR(-EFAULT);
+ }
+
+ p[length - 1] = '\0';
+
+ return p;
+}
+EXPORT_SYMBOL(strndup_user);
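Review bot: `n` is never validated, so a caller passing `n == 0` has `length` clipped to 0 by `if (length > n) length = n;`, after which `kmalloc(0, GFP_KERNEL)` is followed by `p[length - 1] = '\0';`, a write one byte before the allocation; reject `n <= 0` with `ERR_PTR(-EINVAL)` before the clip. In the same body, `strlen_user(s)` walks the whole user string before `n` is applied, so the bound limits the allocation but not the scan; use `length = strnlen_user(s, n);` and return `ERR_PTR(-EINVAL)` when the result exceeds `n` instead of silently clipping, which today hands the caller a truncated copy with no indication. The comment block also opens with `/*` rather than `/**`, so the `@s`/`@n` lines are not picked up as kernel-doc, and it should state the `ERR_PTR()` return convention.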


2006-02-15 02:50:15

by Alan

Subject: Re: [PATCH 0/2] strndup_user, description

On Maw, 2006-02-14 at 21:47 -0300, Davi Arnaut wrote:
> This patch series creates a strndup_user() function in order to avoid duplicated
> and error-prone (userspace modifying the string after the strlen_user()) code.

Well userspace can still modify in this case. So you could still get a
\0 mid buffer but that seems harmless.

However

> +#define strdup_user(s) strndup_user(s, PAGE_SIZE)

Better this doesn't exist as it is a wrapper for a bad habit that isn't
yet used so why encourage it.



> + length = strlen_user(s);

What if n is very large? Should use strnlen_user clipped by n

Also say the length limit is 8 and the text is "hello\0"

We get length = 5, 5 < 8, alloc 5 bytes, set 5th to \0 and return "hell\0"



2006-02-15 09:42:49

by Davi Arnaut

Subject: Re: [PATCH 0/2] strndup_user, description

On Wed, 15 Feb 2006 02:53:10 +0000
Alan Cox <[email protected]> wrote:

> On Maw, 2006-02-14 at 21:47 -0300, Davi Arnaut wrote:
> > This patch series creates a strndup_user() function in order to avoid duplicated
> > and error-prone (userspace modifying the string after the strlen_user()) code.
>
> Well userspace can still modify in this case. So you could still get a
> \0 mid buffer but that seems harmless.

Yes.

> However
>
> > +#define strdup_user(s) strndup_user(s, PAGE_SIZE)
>
> Better this doesn't exist as it is a wrapper for a bad habit that isn't
> yet used so why encourage it.
>

Ok, I will inline it.

>
> > + length = strlen_user(s);
>
> What if n is very large? Should use strnlen_user clipped by n

That's what "if (length > n) length = n" is for.

> Also say the length limit is 8 and the text is "hello\0"
>
> We get length = 5, 5 < 8, alloc 5 bytes, set 5th to \0 and return "hell\0"

No, we would get length = 6, strlen_user returns the size of the string
_including_ the terminating NUL.

--
Davi Arnaut
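
As an added example that is not part of this thread or of the kernel tree, the block below is a userspace model of the strndup_user() logic as posted, next to a bounded variant of the kind the review asks for, so that the two edge cases argued over above (the "hello\0" string under a limit of 8 or 5, and a very long string under a small limit) can be run. The kernel helpers are replaced by small models whose semantics are assumptions of this example: strlen_user() returns the length including the trailing NUL and 0 on a fault (a fault is modelled as a NULL pointer); strnlen_user(s, n) examines at most n bytes and returns a value greater than n when no NUL lies within them; strncpy_from_user() copies at most n bytes, stops after a NUL, pads nothing and guarantees no terminator. The bounded variant (rejecting n <= 0 and a string that does not fit with -EINVAL) is this example's suggestion, not code from the series, and the names model_*, dup_tail, check and scan_cost are this example's own.

```c
/* Added example (not kernel code): the uaccess helpers are models whose
 * semantics are assumptions of this example; a fault is a NULL pointer. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
static long bytes_scanned;	/* bytes examined by the length scans */

/* strnlen_user() model: examines at most n bytes and returns the length
 * INCLUDING the NUL, n + 1 if no NUL lies within n bytes, 0 on fault. */
static long model_strnlen_user(const char *s, long n)
{
	long i = 0;
	if (!s)
		return 0;
	while (i < n && s[i])
		i++;
	bytes_scanned += (i < n) ? i + 1 : n;
	return (i < n) ? i + 1 : n + 1;
}

#define model_strlen_user(s) model_strnlen_user((s), LONG_MAX)	/* no bound */

/* strncpy_from_user() model: at most count bytes, stops after the NUL, no
 * padding, no guaranteed terminator; -EFAULT on fault. */
static long model_strncpy_from_user(char *dst, const char *src, long count)
{
	long i;
	if (!src)
		return -EFAULT;
	for (i = 0; i < count && (dst[i] = src[i]) != '\0'; i++)
		;
	return i;
}

/* Stands in for "return ERR_PTR(e)"; expects an int *err in scope. */
#define FAIL(e) do { *err = (e); return NULL; } while (0)

/* Tail shared by both variants: allocate, copy, force a terminator. */
static char *dup_tail(const char *s, long length, int *err)
{
	char *p = malloc(length);	/* stands in for kmalloc() */
	if (!p) FAIL(-ENOMEM);
	if (model_strncpy_from_user(p, s, length) < 0) { free(p); FAIL(-EFAULT); }
	p[length - 1] = '\0';	/* writes p[-1] if length is 0 */
	return p;
}

/* The logic of the patch as posted, with ERR_PTR() folded into *err. */
static char *strndup_user_posted(const char *s, long n, int *err)
{
	long length = model_strlen_user(s);	/* unbounded walk */
	*err = 0;
	if (!length) FAIL(-EFAULT);
	if (length > n)
		length = n;	/* silent truncation; n == 0 reaches p[-1] */
	return dup_tail(s, length, err);
}

/* Bounded variant (this example's suggestion): validate n, scan at most n
 * bytes, refuse a string that does not fit together with its NUL. */
static char *strndup_user_bounded(const char *s, long n, int *err)
{
	long length;
	*err = 0;
	if (n <= 0) FAIL(-EINVAL);
	length = model_strnlen_user(s, n);
	if (!length) FAIL(-EFAULT);
	if (length > n) FAIL(-EINVAL);
	return dup_tail(s, length, err);
}

/* Run one variant: 0 if the copy equals expect, the negative errno on
 * failure, -1000 if a copy came back that differs from expect. */
static int check(int bounded, const char *s, long n, const char *expect)
{
	int err;
	char *p = bounded ? strndup_user_bounded(s, n, &err)
			  : strndup_user_posted(s, n, &err);
	if (!p) return err;
	err = (expect && strcmp(p, expect) == 0) ? 0 : -1000;
	free(p);
	return err;
}

/* Bytes scanned for a constructed len-byte string of 'A's under limit n. */
static long scan_cost(int bounded, long len, long n)
{
	char *big = malloc(len + 1);
	int err;
	memset(big, 'A', len);
	big[len] = '\0';
	bytes_scanned = 0;
	free(bounded ? strndup_user_bounded(big, n, &err)
		     : strndup_user_posted(big, n, &err));
	free(big);
	return bytes_scanned;
}
```

check(0, "hello", 8, "hello") returns 0 because the length counted is 6 (NUL included), which is the point Davi makes; check(0, "hello", 5, "hell") also returns 0, showing that the posted code silently truncates rather than failing, whereas check(1, "hello", 5, NULL) returns -EINVAL. scan_cost(0, 1L << 20, 16) reports that the posted variant examines the whole 1 MiB string before the limit of 16 is applied, while the bounded variant stops after 16 bytes.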