Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1156pxb; Wed, 11 Nov 2020 17:46:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJz0SIbugOiL+B+/8fzVlwx09anjMnLHBwCR+jI8j2w6hj47ogg84+dJr6pZq0FizN/GrIRn X-Received: by 2002:a17:906:a996:: with SMTP id jr22mr28740339ejb.463.1605145580231; Wed, 11 Nov 2020 17:46:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605145580; cv=none; d=google.com; s=arc-20160816; b=0UvFjRb7hGEe0ltVl9uK84T6ESRQSRqtH6cdtux3NvPzpNNjGcBxF0MhLam6oH5Nsq g4WCih0HdHepGhTk9/GskyaA1H8LVCU0rodFt6koRAe38qWhcsvtUejY/Sbj0w60Yv5L Y975jU5nAn2Ylj2g+rAD5uMv3ThMU0QkVV7B5W2d75ChGJGPOiWP4FX5WMF6YMdECAY/ ZSdLT8nQgybax+uaugIpCLHpv+6iT1J6JaTdYzjkyVW2sMgU2Da3X6zhJ1+5ABolEJGE lWf/IwP4IDg2R5KAIqH6qO//q2WgwYy/Oe+KHdhUYPfTEiWHt/jliDaVnaLpJyM1xA1u 6NTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ljKcG6eaqnPKwzi5dmIbAYfE4A7fOblLOoaQW0tRpBw=; b=Wkij8g8knXHdGU3KZUvDwNNMpojAS7YBdOX1+h3PmUZ3IV6HFjqsNTwkRR0uxcGVqe xvsEtg8Wu5jut2UvCyyiWjxyQNK8RyfAjwG25/baY3ZczAsYbWPdywqMEEEIW/8kEptF dfDsW8WV4vLtNxema/tEwk7/D4uKVSRVwHY0gCE1eEMIOixJMJ07ixYubtVH5oXXQ/DD 801cWeFJb5+HA0OSLiYm9pnM0A/WGIbqMITS4iL8uhMTm0AsBbdXIXjL3NvC9koa1QTP BG9kSbskrns9Sz46LeKlYXvhPvZfEFIHfn5mwzSKD7ViFfw/sbG3kdR2Gg8srekwdLyF E8dg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Jnf51FXS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t12si2675308ejx.621.2020.11.11.17.45.57; Wed, 11 Nov 2020 17:46:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Jnf51FXS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728862AbgKLBfW (ORCPT + 99 others); Wed, 11 Nov 2020 20:35:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60046 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727879AbgKKXUa (ORCPT ); Wed, 11 Nov 2020 18:20:30 -0500 Received: from mail-yb1-xb42.google.com (mail-yb1-xb42.google.com [IPv6:2607:f8b0:4864:20::b42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E8698C0613D1; Wed, 11 Nov 2020 15:20:29 -0800 (PST) Received: by mail-yb1-xb42.google.com with SMTP id v92so3524543ybi.4; Wed, 11 Nov 2020 15:20:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ljKcG6eaqnPKwzi5dmIbAYfE4A7fOblLOoaQW0tRpBw=; b=Jnf51FXS3ER0GGQf5NBem7mVbKAlsRD4ICg7XsS49kGjfYcgvPKtzokrRVnttvMgQO GjU+oLrUrKFzIYDfSqADCUfA8ZkX0aJsi5nkAe0u/zD3rXLARFbgjQE3HRKDbGj/i7bI Hs39wOax0eLUiv6oKbL+cKVwayTDn3QtFEJJj7eMOqIVvrkW+NxMx/Q792Sl1VefTtVt CrQ8vCcwyZOM2nRR+BgM5VU0HRcFfR1RVBbPlUdsSJe11ZvRDRo2VSJrKRYnSZGUDr3M jc4Ui5+nUHwugtYlEPgmdVZZY/hkVrx7mAaQeBy+7szVJw7c5qmz2huatu1Xy6u8N3oi RaIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ljKcG6eaqnPKwzi5dmIbAYfE4A7fOblLOoaQW0tRpBw=; b=Gk/5yasO9TbPx1QZvL0R0c50By1ZQmxUyyQEq8mCNkADfy7S6+sNxPPlu0t2zgVxwF IB9J51m3AyW32l+9PoM9oe2WHGH5rr82oA3SYVp2LjLhrAo9gWIm7t3nbdLwzH6M49Vd Er4cyLCXiqxm6UuEULp37CdpSO8PISTCnsodwMiFjOm4+leQMn8FKyaDMmhZOOtbxTMU nV7PalM2ciY4+HHa7mdGFiSwfOIIoHhVpmJFn6C9B6++9Qdb8X5eQRH6JegjHrGQEnQT DG9drhEN3ArRcEfP3d9bIk8H/Iby8fANLQpQeTOGCUV5sBNfipcwvm8oXDqhjP/QVfvI EtCw== X-Gm-Message-State: AOAM530aWEsZ42osFkb8W8nQSMthg4PyyZruGPQk26BdBydfxXKZqT31 Ih0jNBKvcHCfREiaEd2WhLXIPcuqku8/d2EHOZ4= X-Received: by 2002:a25:7717:: with SMTP id s23mr24112471ybc.459.1605136829224; Wed, 11 Nov 2020 15:20:29 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Andrii Nakryiko Date: Wed, 11 Nov 2020 15:20:18 -0800 Message-ID: Subject: Re: [PATCH bpf v5 1/2] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator To: Daniel Xu Cc: bpf , open list , Alexei Starovoitov , Daniel Borkmann , Song Liu , Kernel Team Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 11, 2020 at 2:46 PM Daniel Xu wrote: > > do_strncpy_from_user() may copy some extra bytes after the NUL > terminator into the destination buffer. This usually does not matter for > normal string operations. However, when BPF programs key BPF maps with > strings, this matters a lot. > > A BPF program may read strings from user memory by calling the > bpf_probe_read_user_str() helper which eventually calls > do_strncpy_from_user(). The program can then key a map with the > resulting string. BPF map keys are fixed-width and string-agnostic, > meaning that map keys are treated as a set of bytes. > > The issue is when do_strncpy_from_user() overcopies bytes after the NUL > terminator, it can result in seemingly identical strings occupying > multiple slots in a BPF map. This behavior is subtle and totally > unexpected by the user. > > This commit has strncpy start copying a byte at a time if a NUL is > spotted. > > Fixes: 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers") > Signed-off-by: Daniel Xu > --- This looks more immediately correct. Acked-by: Andrii Nakryiko > lib/strncpy_from_user.c | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) > > diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c > index e6d5fcc2cdf3..83180742e729 100644 > --- a/lib/strncpy_from_user.c > +++ b/lib/strncpy_from_user.c > @@ -40,12 +40,11 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src, > /* Fall back to byte-at-a-time if we get a page fault */ > unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time); > > + if (has_zero(c, &data, &constants)) > + goto byte_at_a_time; > + > *(unsigned long *)(dst+res) = c; > - if (has_zero(c, &data, &constants)) { > - data = prep_zero_mask(c, data, &constants); > - data = create_zero_mask(data); > - return res + find_zero(data); > - } > + > res += sizeof(unsigned long); > max -= sizeof(unsigned long); > } > -- > 2.29.2 >