Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp972788pxb; Tue, 3 Nov 2020 18:32:26 -0800 (PST) X-Google-Smtp-Source: ABdhPJyH8WVdX9dqwtiNISiHApRbW5PvINeibV98zjmxU+9BA8NaJiovYKBSG+rdAy7mvXEIroIe X-Received: by 2002:a17:906:12cf:: with SMTP id l15mr24151007ejb.540.1604457146289; Tue, 03 Nov 2020 18:32:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604457146; cv=none; d=google.com; s=arc-20160816; b=XM4IxfHMZOURM/LuDIYC67ggMSLqaUTNgpFweoBgtc7j5CgJmgcfBSc6Xu6y9/EIxc /+IwcplQcVer67812GcdKO9el48T503k1hDNC/5y2jM425nIvDOihXo/St//YqXaHj0/ OEbq91QKbU7M0HJ+4lKpN05RKXu2+1GNz13eu6In3Ay0ycCEAN8inxIsU7xOZCkzb7Hg u4EYyxoamzUJeAN0GtpXKiPcCA4IQLwtz5zy2hdiXvoFir9p27pA6qQWR7+w4ipUooXz b7iZCGuH3jfq071y1mOy9ccsC2C2fPafO1qe2KrhpOpnMEs+0xWSN16V9kSikREvIBtR nebA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature; bh=WE7yAH2aWA3fpPsJ2XJxmxiCEv3IiFflvFYkvVNFDuQ=; b=wcQ2sGlMiwPZKgj6pOtDsadQFi2oaCiiNs7OowwdXydJDwq2NjewT6vneuoOsP/pXT 9zPae6KuhX99qRYRWqKo1p8249fheh8qan9aqG5DHXxdt79odviKjxbfU8bhpwnx7uks z1WDL5QFNDvEG7nbz8WWFMnpvmHloSl9G52ZipTpXaOuBNaLvsJJgQaRxAZ/Ql7J+SxC XgrNX13fcyw1i/1GNShcY5suWVjdkuAkeUnrfIBQjA5Cd7hFoUdXct1Rs5mOfA31bSDt Lv7Xa3BOqm/jC6NG1o1MpCgwm+XaSA11IVdxoqinNDqoMhuAuzMkzMtjlEFiS3yNQ59R r/fA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@dxuuu.xyz header.s=fm1 header.b=H4Wk1mVf; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=Rb7WTGEE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q18si521269ejx.84.2020.11.03.18.32.03; Tue, 03 Nov 2020 18:32:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@dxuuu.xyz header.s=fm1 header.b=H4Wk1mVf; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=Rb7WTGEE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730572AbgKDCaq (ORCPT + 99 others); Tue, 3 Nov 2020 21:30:46 -0500 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:60075 "EHLO out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729188AbgKDCap (ORCPT ); Tue, 3 Nov 2020 21:30:45 -0500 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 64B6B5C00CC; Tue, 3 Nov 2020 21:30:44 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Tue, 03 Nov 2020 21:30:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dxuuu.xyz; h= from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; s=fm1; bh=WE7yAH2aWA3fpPsJ2XJxmxiCEv 3IiFflvFYkvVNFDuQ=; b=H4Wk1mVfzFJCSyX9lNHb20rXl9RDucaXdEQwfD9toY K56XkJANQhatj1b0723ffSKBoWmz+FsmPSDLtAUjnyWx0Yq45rzoH4gLZlirmdnk gx2CBlux45P0XiIQt20worGPYPyHDjtPDNn275e7EJ8G+5c0oa9xISXuNkOdVhKn E50fD52uQTEDzqr546PntIiCkn50wcJZiK+vl39lHVKVbi3eEqTcPrlBmD3hp2i4 Mr3wtDwleuxyDcNVgav1rcmDe4f9zMo6Gu5HjnrUmHkJiMrpfxdErpV1tUx8tLDZ 937YLNgxJg6EeQtNhv7LdGu5OfgDQV3kTH0E8z+UywkA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=WE7yAH2aWA3fpPsJ2 XJxmxiCEv3IiFflvFYkvVNFDuQ=; b=Rb7WTGEEavUFi1ld6gc9+wCoTe+pPrZKg jPKgaJNW5m/C1/RSM+jrRT/xdCJQ+Q7cpzDYNteaoYfE+Us1fN8HRaNVAMgsxUrD hxQGhWSaFA6eyyklm0PA8gd+LGPKcSw7G3DvQVL3g3uasB2z80FOLs/JiJPmB7bw 1f13/lVDP20Fnk6DulUl8qdho5QvYmGlhdEJ/pHs7ZU5xu7X28zbpbBq3jvkRSnu 2ZEqTHv1QPAdxeVXWpm/7nVeSQq3XbMvdZ9vRIj80kvgXxC8BbSaQxpe7iGiETq+ 9g+lywL7L0HPuWFVYFD/j8pHJwp99tqfTQsclMoeAbT2fKLViehrg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedruddtgedggeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgfrhhlucfvnfffucdljedtmdenucfjughrpefhvf fufffkofgggfestdekredtredttdenucfhrhhomhepffgrnhhivghlucgiuhcuoegugihu segugihuuhhurdighiiiqeenucggtffrrghtthgvrhhnpeeifffgledvffeitdeljedvte effeeivdefheeiveevjeduieeigfetieevieffffenucfkphepieelrddukedurddutdeh rdeigeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe gugihusegugihuuhhurdighiii X-ME-Proxy: Received: from localhost.localdomain (c-69-181-105-64.hsd1.ca.comcast.net [69.181.105.64]) by mail.messagingengine.com (Postfix) with ESMTPA id 1C67B3064687; Tue, 3 Nov 2020 21:30:43 -0500 (EST) From: Daniel Xu To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, ast@kernel.org Cc: Daniel Xu , kernel-team@fb.com Subject: [PATCH bpf-next] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator Date: Tue, 3 Nov 2020 18:29:43 -0800 Message-Id: X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org do_strncpy_from_user() may copy some extra bytes after the NUL terminator into the destination buffer. This usually does not matter for normal string operations. However, when BPF programs key BPF maps with strings, this matters a lot. A BPF program may read strings from user memory by calling the bpf_probe_read_user_str() helper which eventually calls do_strncpy_from_user(). The program can then key a map with the resulting string. BPF map keys are fixed-width and string-agnostic, meaning that map keys are treated as a set of bytes. The issue is when do_strncpy_from_user() overcopies bytes after the NUL terminator, it can result in seemingly identical strings occupying multiple slots in a BPF map. This behavior is subtle and totally unexpected by the user. This commit uses the proper word-at-a-time APIs to avoid overcopying. Signed-off-by: Daniel Xu --- lib/strncpy_from_user.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c index e6d5fcc2cdf3..d084189eb05c 100644 --- a/lib/strncpy_from_user.c +++ b/lib/strncpy_from_user.c @@ -35,17 +35,22 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src, goto byte_at_a_time; while (max >= sizeof(unsigned long)) { - unsigned long c, data; + unsigned long c, data, mask, *out; /* Fall back to byte-at-a-time if we get a page fault */ unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time); - *(unsigned long *)(dst+res) = c; if (has_zero(c, &data, &constants)) { data = prep_zero_mask(c, data, &constants); data = create_zero_mask(data); + mask = zero_bytemask(data); + out = (unsigned long *)(dst+res); + *out = (*out & ~mask) | (c & mask); return res + find_zero(data); + } else { + *(unsigned long *)(dst+res) = c; } + res += sizeof(unsigned long); max -= sizeof(unsigned long); } -- 2.28.0