Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp596931pxb; Thu, 12 Nov 2020 11:15:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJxwKQ6LG8KQ2Xm60UU6aFdGsQc2+gFVNMHPKcBVcxayDpaw4RFGp2ZMaD93o3LtAmNX5+3H X-Received: by 2002:a50:fa92:: with SMTP id w18mr1436634edr.44.1605208521366; Thu, 12 Nov 2020 11:15:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605208521; cv=none; d=google.com; s=arc-20160816; b=V9RMhdriq5SPiUTOPruQOwQOG6pinwDANjKMo2xqbEw1oPDIws27nXaFcJ1rIWnanS 2O2mtXIo20zZrnXhieCtM5Rk8A9739IHjY74Jr4lyL4Err5bB07wyorfoFbYQNoJ9Yr1 BxDH6kE/jzI7R1CBRy25NE5Ar7ESmIIYLKUu1rd7YSygmWtwkvzC6Jd/9qwQFkQiX/jO Kj6PPSdau0WeVMhV4Kwa8yQRWEIYcT+ruAX+pGibRdA27NBfgIzfOUq7jgB1hcipLnch pcsk46o8M6eJTVEYf+5/KVMDUba0JWilQYOdsmw949nU/Gh0/0miiiac2FoflhXF6aMC 7Bnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:message-id:date:cc:to:from:subject :content-transfer-encoding:mime-version:dkim-signature :dkim-signature; bh=lQuE8hIsyGPimE/WPTH85XmvdugpBfZsiVINhlZFDRk=; b=AxscJo1xyFjDYRC5H6HDa6lBiH9SiK3pBWwioClh+FG8hq01oJTvRTAdVCJktY/rSv RLyfzveRcFPfI2bb2wJjVDZbHOb27TvgdM550PrK7LkTO43xpEu9osXDkIWM9RiFjbDt Ucqfkc5FkpSyd8KKSTnRceVrw/SVEUT49WAmCmOF2ncsM6G6K6/yW1FIxXJxFWP+1T7N uYb2T7DDutAe/koZfWeaGJC94XCw3oV7vDHYkJ6lyh2RPA/MLeJxUMhsBrlQK8yxHUwm PErVvx5VtTXVwdyOEfR1lbtU6/tx4GLBNtvpAfm90YFHNG/P3Uv57atLZWn5T/AfB/73 h+yw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@dxuuu.xyz header.s=fm2 header.b=GcXn6ijl; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=lwPvYmO5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y3si4629586edq.324.2020.11.12.11.14.58; Thu, 12 Nov 2020 11:15:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@dxuuu.xyz header.s=fm2 header.b=GcXn6ijl; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=lwPvYmO5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726295AbgKLTNi (ORCPT + 99 others); Thu, 12 Nov 2020 14:13:38 -0500 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:37469 "EHLO wout4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726325AbgKLTNh (ORCPT ); Thu, 12 Nov 2020 14:13:37 -0500 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id AC88849E; Thu, 12 Nov 2020 14:13:36 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Thu, 12 Nov 2020 14:13:37 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dxuuu.xyz; h= mime-version:content-transfer-encoding:content-type:subject:from :to:cc:date:message-id:in-reply-to; s=fm2; bh=lQuE8hIsyGPimE/WPT H85XmvdugpBfZsiVINhlZFDRk=; b=GcXn6ijlegQp2Qxhib/YQhm7TVomJD9TZS um2pfdjZKq4DOpc5T1TGQBwHLu59IKclpbnTqh/LFe5TG8CrsCh8E0uAKnCoTHB/ KWDGdQBJpCaZtql+jF6a4Vubw84L1e0IPekDwRsKYQIejdy0KjGYh3vGHTIV2kC3 K4OElGaUN042+Z5BaMdWW/NJ4XagkTgO7a6ZR04O7b8bjxqF3Cn2xZc28kRSBF9S OyeCH8x0SbOW2HKYtv7bTxqew1b+uumOk00UOrd47TL4HS9iGqykiWK4yLtzOfBW P+9FKy5uQGWcccnzAKxKIyWmekqC3PzPQXCUCdmP0oKl/Rus3GtA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; bh=lQuE8hIsyGPimE/WPTH85XmvdugpBfZsiVINhlZFDRk=; b=lwPvYmO5 byrJDGTI0YrdmN6y62PMgKHoyWkBGvQ1iQznHX8enbiMBIWVf+oWLxhlfHYtItHF aT6BjbaVykZojJxXHG6dWgr6xgaIhez1BxcnHhXjkZg10BAEvc8u9GdNulZWjqr7 Y5re4yz9HUtpC+SxNUY+dHZjeKwZTIovYV7+ovMioxYEVSUOik8700kjGZ+Fq3PU de1KM4I9QIHCAhClRIaGGhlc6gzau5LfYZhZIe1b1wNHw0N8wz08CWQjn1cr4wDd gyaSTQrBkZ2iE2jJqjcHZvC4ANeDkOS7QCjjj/GtDFJcwQcW2sfrGrggtSBMAQWI cjbhgwVKwrn/Dw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedruddvfedgleejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdljedtmdenucfjughrpegggfgtuffhvfffkfgjsehtqhertddttdej necuhfhrohhmpedfffgrnhhivghlucgiuhdfuceougiguhesugiguhhuuhdrgiihiieqne cuggftrfgrthhtvghrnhepjeefhfdufeefhfejvdevhfehudeltdeujeevudegvdejvdej leejgfegtdejjeevnecukfhppeeiledrudekuddruddthedrieegnecuvehluhhsthgvrh fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepugiguhesugiguhhuuhdrgiih ii X-ME-Proxy: Received: from localhost (c-69-181-105-64.hsd1.ca.comcast.net [69.181.105.64]) by mail.messagingengine.com (Postfix) with ESMTPA id DF0A7328005D; Thu, 12 Nov 2020 14:13:34 -0500 (EST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Subject: Re: [PATCH bpf v5 0/2] Fix bpf_probe_read_user_str() overcopying From: "Daniel Xu" To: "Andrii Nakryiko" Cc: "bpf" , "open list" , "Alexei Starovoitov" , "Daniel Borkmann" , "Song Liu" , "Kernel Team" Date: Thu, 12 Nov 2020 11:10:59 -0800 Message-Id: In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed Nov 11, 2020 at 3:22 PM PST, Andrii Nakryiko wrote: > On Wed, Nov 11, 2020 at 2:46 PM Daniel Xu wrote: > > > > 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, > > kernel}_str helpers") introduced a subtle bug where > > bpf_probe_read_user_str() would potentially copy a few extra bytes afte= r > > the NUL terminator. > > > > This issue is particularly nefarious when strings are used as map keys, > > as seemingly identical strings can occupy multiple entries in a map. > > > > This patchset fixes the issue and introduces a selftest to prevent > > future regressions. > > > > v4 -> v5: > > * don't read potentially uninitialized memory > > I think the bigger problem was that it could overwrite unintended > memory. E.g., in BPF program, if you had something like: > > char my_buf[8 + 3]; > char my_precious_data[5] =3D {1, 2, 3, 4, 5}; How does that happen? The while (max >=3D sizeof(unsigned long)) { /* copy 4 bytes */ max -=3D sizeof(unsigned long) } /* copy byte at a time */ where `max` is the user supplied length should prevent that kind of corruption, right? [...]