Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1390215pxb; Fri, 13 Nov 2020 11:22:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJwIYGwad0S142ooQEZpj5tdEzdUganakq5pO3e8ggBTSXkAdvjrLb2HfKUAqMp6DIaycmWJ X-Received: by 2002:aa7:c886:: with SMTP id p6mr3961117eds.352.1605295331889; Fri, 13 Nov 2020 11:22:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605295331; cv=none; d=google.com; s=arc-20160816; b=YH9pj299Bz8KPlK9uX0U+4Ivna9U9d6Gl/sdiX4daGkoswWqhBvAzIUuoj4qoBtorJ kzJwpPpu1OCsqbk7AqeW+b0a27FhadysjxvMLPBaMNkaFrBI6GEQovDXXtMxZk7d9qlQ TvP97QD7qagMJ29LkcyFeRLAmsO1nJ0VAXVbDegqiNN0Drr3zmjyt9WEwWLmlJT9vi7t IZj7aaeRoTXLp244bigCIpkDggcD26LLFc2Upf53jAU7pHxnjB6qFlRnSF0OXSDAgB2O 0Uwro4EaL6a8GSGkTL1qrlPhRPJmWSzRPXWjF+X3ZbmtV0PmJQ86PDTYsHGX8vfrg0yX /mpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=XXBW0bBmLsTXT6Yxa7bmTghcfTK7RHVDHVQ7u0buSxY=; b=YMSGJUGZa7kaGb0LJxSnUMPGQR/uCp4JctU2btpyDA9yNVWHvmQaww34TOcDpmEoUF XYWAudUHGU3D06XL/udldSqb/7K3WZ/LrxHfbbiPgGsPFV/4rNe+LkzA2e24W+k0O+y9 dMee2i2k6vFQ8WtAXU0TBxDEixC3IHoRNSyC0vJ1RG91vikiX0tCwzT87HKTBAlCejrX CL2K1tGGEKJPrx5GZyimhtoxoJUBSTiIzei1aL45hoMdJ3QnaOe/7dTcjMFmKAmmiueR tv2oeGgrDoZwOpNmTHdV3oyf46jI8wY2N4PZ/Jl6Mjj7OVr95qqt5d05ouvWv0mVB2GP 1vsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=vVJCzfng; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bl4si7288235ejb.79.2020.11.13.11.21.49; Fri, 13 Nov 2020 11:22:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=vVJCzfng; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726101AbgKMTRz (ORCPT + 99 others); Fri, 13 Nov 2020 14:17:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48248 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725941AbgKMTRz (ORCPT ); Fri, 13 Nov 2020 14:17:55 -0500 Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2FEFBC0613D1; Fri, 13 Nov 2020 11:17:55 -0800 (PST) Received: by mail-pg1-x542.google.com with SMTP id 62so7846237pgg.12; Fri, 13 Nov 2020 11:17:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=XXBW0bBmLsTXT6Yxa7bmTghcfTK7RHVDHVQ7u0buSxY=; b=vVJCzfngaYfoHchJ6jinD2XojkeeQ1Rr6EaRx4R+fe4r9CbSLBgwS8an/mxGHcIX+8 gqqIBDyEcupPvkXwbzzLMEi6vncwOmBihKN/InTNgBIwlcFzbam+FzvqRSFhxr6HPp4j jh8tNeIJs3pNiJvx3Wc0rsil5mMOwzu7/2hva1wVxauYqEjRCyA84jva/hzDNM2DG/dQ 2+d6HAbCYuK/z7gcvzJQzmWatMX0f3knD5k20oqKA6nJcKPiOHj/OXjD5gwoRzoweAYk W+rvdIitB5OFDVMdAWlMEvPr8vwsArsoVg7GTc/B0w59wnPK8cXc9Xh9xCSaw6v/JaUS 3SNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=XXBW0bBmLsTXT6Yxa7bmTghcfTK7RHVDHVQ7u0buSxY=; b=WWVStPoCr4N++X0EE4ZJfJwXjDjp7g2T558eQJC1xK/yWSFlyIa3UJex1ihbkxiszO h1oWl3QTq8yx3u/xMkoUpTiYinWEsiLLPwl1mSHAmjAW3UaJc3CxnKCl/5WSqBx9w6Wl PKKBcw2J4UJvd/lic6jLKiLxvQwMc9eXYERuDwUjHweIiUEbih1274OSCb6dARpefiOQ SSvvNgUS0icIZd5CDMR+39pbLkOUFtBxE4x1nfeGsqU0DA5rlgnsu6MEyzzGuWOUv4zA UeD9BJ9MKOcsnPvhperPww3013ZGiZo1+mvPJS40wVqVfriumoDpMMIf0emPksUjcyRt gopw== X-Gm-Message-State: AOAM5303WSnOYlbK1+AXwgD1VIC+811rqFzO7j5HAVtps+gcwPqUjuYu G5KB4TmcDRVJpZpLFPA9oEs= X-Received: by 2002:aa7:8744:0:b029:18b:a9e1:803d with SMTP id g4-20020aa787440000b029018ba9e1803dmr3220928pfo.50.1605295074654; Fri, 13 Nov 2020 11:17:54 -0800 (PST) Received: from ast-mbp ([2620:10d:c090:400::5:b8c0]) by smtp.gmail.com with ESMTPSA id a10sm11246946pjq.17.2020.11.13.11.17.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Nov 2020 11:17:53 -0800 (PST) Date: Fri, 13 Nov 2020 11:17:51 -0800 From: Alexei Starovoitov To: Linus Torvalds Cc: Daniel Xu , bpf , Linux Kernel Mailing List , Alexei Starovoitov , Daniel Borkmann , kernel-team@fb.com Subject: Re: [PATCH bpf v5 1/2] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator Message-ID: <20201113191751.rwgv2gyw5dblhe3j@ast-mbp> References: <20201113170338.3uxdgb4yl55dgto5@ast-mbp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Nov 13, 2020 at 10:08:02AM -0800, Linus Torvalds wrote: > On Fri, Nov 13, 2020 at 9:03 AM Alexei Starovoitov > wrote: > > > > Linus, > > I think you might have an opinion about it. > > Please see commit log for the reason we need this fix. > > Why is BPF doing this? > > The thing is, if you care about the data after the strncpy, you should > be clearing it yourself. > > The kernel "strncpy_from_user()" is *NOT* the same as "strncpy()", > despite the name. It never has been, and it never will be. Just the > return value being different should have given it away. > > In particular, "strncpy()" is documented to zero-pad the end of the > area. strncpy_from_user() in contrast, is documented to NOT do that. > You cannot - and must not - depend on it. > > If you want the zero-padding, you need to do it yourself. We're not > slowing down strncpy_from_user() because you want it, because NOBODY > ELSE cares, and you're depending on semantics that do not exist, and > have never existed. > > So if you want padding, you do something like > > long strncpy_from_user_pad(char *dst, const char __user *src, long count) > { > long res = strncpy_from_user(dst, src, count) > if (res >= 0) > memset(dst+res, 0, count-res); > return res; > } > > because BPF is doing things wrong as-is, and the problem is very much > that BPF is relying on undefined data *after* the string. > > And again - we're not slowing down the good cases just because BPF > depends on bad behavior. You misunderstood. BPF side does not depend on zero padding. The destination buffer was already initialized with zeros before the call. What BPF didn't expect is strncpy_from_user() copying extra garbage after NUL byte. I bet some kernel routine would be equally surprised by such behavior. Hence I still think the fix belongs in this function. I think the theoretical performance degradation is exactly theoretical. The v4 approach preserves performance. It wasn't switching to byte_at_a_time: https://patchwork.kernel.org/project/netdevbpf/patch/4ff12d0c19de63e7172d25922adfb83ae7c8691f.1604620776.git.dxu@dxuuu.xyz/ but it caused KASAN splats, since kernel usage of strncpy_from_user() doesn't init dest array unlike bpf does.