Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp603697pxb; Thu, 12 Nov 2020 11:26:42 -0800 (PST) X-Google-Smtp-Source: ABdhPJy6y8cAO7ko0DDsKPWbOStYemP7E3xt16MoI13DkCReEvMzrFCTkriNrC/D1+Jsy2oz4ByW X-Received: by 2002:aa7:d351:: with SMTP id m17mr1495209edr.215.1605209202135; Thu, 12 Nov 2020 11:26:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605209202; cv=none; d=google.com; s=arc-20160816; b=vi1KStOMKeb8K/qF5wEI/wyioJ7VJBJ/61tIIDCdI8CaNldF2AnjvdzjfryPFLq9rS llSjMROxWeFwi1K3UjpRYQfg6qJ8EnX4UooKGz+CUTt4kGnlXaGDOn/gEsfUoPUQJ/bX AsW+fJyTSiWwbZTf+r8Q6YQv2v8ZWseHMmDxTx0L3cXFVbU+hPGvpjIqQtem7tnDjFoY 3IbLwesx9P/DlyRJjgj5vVjbjt/TYd6Fw49fAq4JRaS7ofe9IPgdVi/CzVqS+siyRBrk vwYqQXamGPsDOKMuRIXERwOQ3VLhZCHNVzBjIxGc82eXj6ype7CeqvNgjnJ7wSU1jTGh gmDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=KnzRuEV+LobstJGC6w0tpv3PvSKrX4rxoaQQBRAzYiU=; b=X6j+FwqlCJpakscymH+K9LIwvZ3sOZFnGfcITOY0d8QgIZbfBMrmQtuKlo2wikhQ9X eohMR+MD5hVC9LXn18erSYB69yZH7nwAxb0wDPLcdEllcIR8lcjUe/H/ost3fXNhSrEg 2NusxCrSdka79Kq6WBt4DgRmbI6zuxZttPgBQ26LMBXwOnt9aly2yvx3wpo3N8wp8q6b JBVy069pCwPTbyfRK1hDDGGltWPGzd/EVXng6JWi9jcGVMAVJ0a8N8WFu1lVvWnppAC7 2yZ/V4cNy+Tv2ty7+uU7UKNA9efSWk/a5u6o6c2Ttpbi+wb8b8UQWzkMluDWJOTeXgjp FYpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qsk3kUpZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a6si4471725ejx.103.2020.11.12.11.26.17; Thu, 12 Nov 2020 11:26:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qsk3kUpZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726778AbgKLTYp (ORCPT + 99 others); Thu, 12 Nov 2020 14:24:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48660 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726520AbgKLTYp (ORCPT ); Thu, 12 Nov 2020 14:24:45 -0500 Received: from mail-yb1-xb43.google.com (mail-yb1-xb43.google.com [IPv6:2607:f8b0:4864:20::b43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 493EFC0613D1; Thu, 12 Nov 2020 11:24:45 -0800 (PST) Received: by mail-yb1-xb43.google.com with SMTP id 10so6404498ybx.9; Thu, 12 Nov 2020 11:24:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KnzRuEV+LobstJGC6w0tpv3PvSKrX4rxoaQQBRAzYiU=; b=qsk3kUpZlKRzjcppq/TpRxDrqUJwKXNA+RdYZFuY+2q1qDvz67P5ffJm80V+GDTlmt XHNZPw+n8n4X/im0JL3VZqEDaxPzn9JYN2frHecwUGdcKUIXwDhQYWQhUTvhUd0pzUIP qzL3ph2DGhvoAY/eZ61I6su8xFDa6DMvRKzfq30ClK/Rx9CjCcUuvmTtYWcjbBEzVrws GJryqjb4RnmI1Goml4ZI92c7R5py9JKpj0H9Eg0W7ihYdqLSZcT3xR1dHM/0ihGXaf3g eRXBmwEKqQQ79kzxg8ZzYqVc40JJAemb2QFKianeaiBOU6a41fhrEo3an633T509pCG4 QPFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KnzRuEV+LobstJGC6w0tpv3PvSKrX4rxoaQQBRAzYiU=; b=OjGSOjDL545896JIHpBXE6JO0M6SXFu2erOHKxjRnEcfa+BHec5ZLvLHMdFveq4H6r 6M4MRnlu0/kucxWuSJLzG4eFXis+F9Qenxx3RjXoP3syRP4By3huWK3Xe9leUR+ov13A B075Du0lJok0Q1BAdRiebLEBVbU9YVn9ZDfzZlBB8HemsGd/NlJaITVVq4MARLfTc3hU 0b00PoHm2NZkubcoG38GySxPIMGQHZE2PSDCqA1UIx1O+EJLdwwg+orezQrSUAz2vIas 2PhBVRvl6tQVm1IjjjVFt/AdO6Z/e/HCSLFnPlPEgxOIU3ugqTOhnqOmEPepbZIRg6nQ J9Fw== X-Gm-Message-State: AOAM531gAdrP6hbsqM1fZ4tF+Jz9NXDHisPxED+eUymowUnV9dMSVzLa IS58IqXG2qWnYXKWfofectNGycoA08+Se3lg0qyaUJA2Y7aCmQ== X-Received: by 2002:a25:df82:: with SMTP id w124mr1332716ybg.347.1605209084086; Thu, 12 Nov 2020 11:24:44 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Andrii Nakryiko Date: Thu, 12 Nov 2020 11:24:33 -0800 Message-ID: Subject: Re: [PATCH bpf v5 0/2] Fix bpf_probe_read_user_str() overcopying To: Daniel Xu Cc: bpf , open list , Alexei Starovoitov , Daniel Borkmann , Song Liu , Kernel Team Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 12, 2020 at 11:13 AM Daniel Xu wrote: > > On Wed Nov 11, 2020 at 3:22 PM PST, Andrii Nakryiko wrote: > > On Wed, Nov 11, 2020 at 2:46 PM Daniel Xu wrote: > > > > > > 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, > > > kernel}_str helpers") introduced a subtle bug where > > > bpf_probe_read_user_str() would potentially copy a few extra bytes after > > > the NUL terminator. > > > > > > This issue is particularly nefarious when strings are used as map keys, > > > as seemingly identical strings can occupy multiple entries in a map. > > > > > > This patchset fixes the issue and introduces a selftest to prevent > > > future regressions. > > > > > > v4 -> v5: > > > * don't read potentially uninitialized memory > > > > I think the bigger problem was that it could overwrite unintended > > memory. E.g., in BPF program, if you had something like: > > > > char my_buf[8 + 3]; > > char my_precious_data[5] = {1, 2, 3, 4, 5}; > > How does that happen? > > The > > while (max >= sizeof(unsigned long)) { > /* copy 4 bytes */ > > max -= sizeof(unsigned long) > } > > /* copy byte at a time */ > > where `max` is the user supplied length should prevent that kind of > corruption, right? Yes, you are right, I got confused. If the user specified the correct max, then this would have never happened. Never mind. > > [...]