Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3438882pxb;
        Mon, 16 Nov 2020 15:00:02 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxolASKo4Q8Mr10n/Tq/SujU4ooiyoSZJLR8/3ZvQ2HaHNLLZ27UBZIOBVqmGySYzgjvZS2
X-Received: by 2002:a17:906:1408:: with SMTP id p8mr16504542ejc.548.1605567602328;
        Mon, 16 Nov 2020 15:00:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1605567602; cv=none;
        d=google.com; s=arc-20160816;
        b=hznaTELbw+y5xd1aK+ojdbZBYhlZEVZ192iC7p2zSG0lnVVBxMbFNGgmQr/y1xQ3+3
         6or2Z6CtKqIFawHtJ/P2fUe+POI8rd3H3JwYJ8XZlGVpMwwocJ1po6vGPwke5TZjwv1R
         lqoC0J8DP5xKl8W/EWL+G5oCE+4g/c6VfQeKadROaCpWjWNU7Ndos+OrO6PhR0pIu6Or
         U62V/qCb9ZfrGjx6igS4or77g8co0FvXdilAnmTHIPL02TxhywVnTFFmj7Nctvqivzsp
         mMZBarAXeg9yAeNWpdXCVYRMeFQi6mv41fIM8EaCjAo5JlMqOyIgaOH2vaqAo7ur7pEi
         sRUA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=iF9pv4yrV71gAZ7pO+xa+oOM736e/dHlJRDoOYN7BR4=;
        b=0swMyQ8fjDFA2jvhnlUuRqZJQDshE7GA5XlExN4qYr9br3bL8tJo1VePKrgRpgTg83
         8Aq55UFd+B/ihryLvtl5RQniXa6p131sLENODeTZdLXVrNDvfZ3v5vJTPcSF9N+N9lTD
         voDTipUuI/h0u/GEeFbyvUkfTGn1Ai3s/99R/RdyQjWyp2bi9YACct+F3LMJVshaNphN
         6tyym56cwXIX41EBY7hF3LiQmEGKwF3xaKyq2UDWDNYZtcNJWFYfc3QNquWegqYuvRMn
         VQBSwWnKPAKQVGMetEFf1uGqiDqVd9S8/bn60cwKPs+S6weiu7SM1QhUAyieCQWj1Sm9
         TYaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=SAXvYD6F;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i6si12452032ejo.223.2020.11.16.14.59.38;
        Mon, 16 Nov 2020 15:00:02 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=SAXvYD6F;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728317AbgKPWQM (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Mon, 16 Nov 2020 17:16:12 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33090 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726016AbgKPWQM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 16 Nov 2020 17:16:12 -0500
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7F5DC0613CF
        for <linux-kernel@vger.kernel.org>; Mon, 16 Nov 2020 14:16:11 -0800 (PST)
Received: by mail-lf1-x143.google.com with SMTP id r9so27326773lfn.11
        for <linux-kernel@vger.kernel.org>; Mon, 16 Nov 2020 14:16:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=iF9pv4yrV71gAZ7pO+xa+oOM736e/dHlJRDoOYN7BR4=;
        b=SAXvYD6FrqsuD5DpNnkQhTSzDKmNP1Sh38hp3dJSoWvquXLZ9X6xzr2FaysmQoh1H8
         Mu8JA5m8dnSCLh5avzm9QMivhW01tjdrEVuwqCzQiDmNKrvCbwE4Gk7Qben/Btt1sMzM
         HeQv91ZaP57NbJZQ1izw2X/HW2YXwDZfu1AO4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=iF9pv4yrV71gAZ7pO+xa+oOM736e/dHlJRDoOYN7BR4=;
        b=o0ELZYpEHVLSBpvCsJypecYD3vyvHmlcyJyt9w1ew3i7M9AvAISqhLg+rTjYFq3em6
         t1SIjWMmtYY3033+TfmXDNN4NvgE6oNVGQfyQrtEIK70dv0zh83ozCAxcoTQGe7VJwLh
         cYhdiW+fF+vRfYrKgTELWGvirk/kVqYn1uctDdi+G6e+l91d9DLzJI0VRk+5vgQBEKDR
         czNYhHjU6sRkdD6wlpyjp6vNdIKQB/9iT8njInWX+t70LlvIPSyyQNP1x1Dkqri78yno
         7PzxVRwhu+k45f6FUSwlTUzLeJzBCSwXj6W26taMIwvjrLqfZ1RAJPG4LmlVhKFHBvq3
         LcfA==
X-Gm-Message-State: AOAM531aamHMTuSmk5uoxb99HfAqjfRyzdeRJr+p+BWsfH8TnDrTsv2j
        Escltn7jLlsPHa/AeQo8hBCjnTg3gJe2ZQ==
X-Received: by 2002:a19:8243:: with SMTP id e64mr523074lfd.145.1605564969493;
        Mon, 16 Nov 2020 14:16:09 -0800 (PST)
Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com. [209.85.208.171])
        by smtp.gmail.com with ESMTPSA id j22sm2875881lfm.257.2020.11.16.14.16.08
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 16 Nov 2020 14:16:08 -0800 (PST)
Received: by mail-lj1-f171.google.com with SMTP id r17so21914998ljg.5
        for <linux-kernel@vger.kernel.org>; Mon, 16 Nov 2020 14:16:08 -0800 (PST)
X-Received: by 2002:a2e:a375:: with SMTP id i21mr498450ljn.421.1605564967930;
 Mon, 16 Nov 2020 14:16:07 -0800 (PST)
MIME-Version: 1.0
References: <cover.1605560917.git.dxu@dxuuu.xyz> <470ffc3c76414443fc359b884080a5394dcccec3.1605560917.git.dxu@dxuuu.xyz>
In-Reply-To: <470ffc3c76414443fc359b884080a5394dcccec3.1605560917.git.dxu@dxuuu.xyz>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon, 16 Nov 2020 14:15:52 -0800
X-Gmail-Original-Message-ID: <CAHk-=wggUw3XYffJ-od8Dbfh-JkXkEuCPjSRR2Z+8HrNUNxJ=g@mail.gmail.com>
Message-ID: <CAHk-=wggUw3XYffJ-od8Dbfh-JkXkEuCPjSRR2Z+8HrNUNxJ=g@mail.gmail.com>
Subject: Re: [PATCH bpf v6 1/2] lib/strncpy_from_user.c: Don't overcopy bytes
 after NUL terminator
To:     Daniel Xu <dxu@dxuuu.xyz>
Cc:     bpf <bpf@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Song Liu <songliubraving@fb.com>, andrii.nakryiko@gmail.com,
        kernel-team@fb.com
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 16, 2020 at 1:17 PM Daniel Xu <dxu@dxuuu.xyz> wrote:
>
> Based on on-list discussion and some off-list discussion with Alexei,
> I'd like to propose the v4-style patch without the `(*out & ~mask)`
> bit.

So I've verified that at least on x86-64, this doesn't really make
code generation any worse, and I'm ok with the patch from that
standpoint.

However, this was not what the discussion actually amended at as far
as I'm concerned.

I mentioned that if BPF cares about the bytes past the end of the
string, I want a *BIG COMMENT* about it. Yes, in strncpy_from_user()
itself, but even more in the place that cares.

And no, that does not mean bpf_probe_read_user_str().  That function
clearly doesn't care at all, and doesn't access anything past the end
of the string. I want a comment in whatever code that accesses past
the end of the string.

And your ABI point is actively misleading:

> We can't really zero out the rest of the buffer due to ABI issues.
> The bpf docs state for bpf_probe_read_user_str():
>
> > In case the string length is smaller than *size*, the target is not
> > padded with further NUL bytes.

This comment is actively wrong and misleading.

The code (after the patch) clearly *does* pad a bit with "further NUL
bytes". It's just that it doesn't pad all the way to the end.

Where is the actual buffer zeroing done?

Because without the buffer zeroing, this whole patch is completely
pointless. Which is why I want that comment, and I want a pointer to
where that zeroing is done.

Really. You have two cases:

 (a) the buffer isn't zeroed before the strncpy_from_user()

 (b) the buffer is guaranteed to be zero before that

and in case (a), this patch is pointless, since the data after the
string is already undefined.

And in case (b), I want to see a comment and a pointer to the code
that actually does the zeroing.

HOWEVER. Look at bpf_probe_read_user_str_common(), and notice how it
ALREADY does the zeroing of the buffer past the end, it's just that it
only does it in the error case.

Why do you send this patch, instead of

 (a) get rid of the pointless pre-zeroing

 (b) change bpf_probe_read_user_str_common() to do

        int ret;
        u32 offset;

        ret = strncpy_from_user_nofault(dst, unsafe_ptr, size);
        offset = ret < 0 ? 0 : ret;
        memset(dst+offset, 0, size-offset);
        return ret;

which seems to be much simpler anyway. The comment you quote about
"target is not padded with further NUL bytes" is clearly wrong anyway,
since that error case *does* pad the target with NUL bytes, and always
has.

So honestly, in this whole discussion, it seems rather clear to me
that the bug has always been in bpf, not in strncpy_from_user(). The
ABI comment you quote is clearly not true, and I can point to that
existing bpf_probe_read_user_str_common() code itself:

        ret = strncpy_from_user_nofault(dst, unsafe_ptr, size);
        if (unlikely(ret < 0))
                memset(dst, 0, size);

as to why that is.

But guys, as mentioned, I'm willing to apply this patch, but only if
you add some actually *correct* comments about the odd bpf use of this
string, and point to where the pre-zeroing is done.

               Linus