Date: Mon, 22 Feb 2021 12:49:36 -0500
From: Steven Rostedt
To: Romain Perier
Cc: Kees Cook, kernel-hardening@lists.openwall.com, Ingo Molnar, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 16/20] tracing/probe: Manual replacement of the deprecated strlcpy() with return values
Message-ID: <20210222124936.03103585@gandalf.local.home>
In-Reply-To: <20210222151231.22572-17-romain.perier@gmail.com>
References: <20210222151231.22572-1-romain.perier@gmail.com> <20210222151231.22572-17-romain.perier@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 22 Feb 2021 16:12:27 +0100
Romain Perier wrote:

> The strlcpy() reads the entire source buffer first; it is dangerous if
> the source buffer length is unbounded or possibly non NULL-terminated.
> It can lead to linear read overflows, crashes, etc...
>
> As recommended in the deprecated interfaces [1], it should be replaced
> by strscpy.
>
> This commit replaces all calls to strlcpy that handle the return values
> by the corresponding strscpy calls with new handling of the return
> values (as it is quite different between the two functions).
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
>
> Signed-off-by: Romain Perier
> ---
>  kernel/trace/trace_uprobe.c | 11 +++++------
>  1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index 3cf7128e1ad3..f9583afdb735 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -154,12 +154,11 @@ fetch_store_string(unsigned long addr, void *dest, void *base)
>  	u8 *dst = get_loc_data(dest, base);
>  	void __user *src = (void __force __user *) addr;
>  
> -	if (unlikely(!maxlen))
> -		return -ENOMEM;

Don't remove the above. You just broke the else side.

> -
> -	if (addr == FETCH_TOKEN_COMM)
> -		ret = strlcpy(dst, current->comm, maxlen);
> -	else
> +	if (addr == FETCH_TOKEN_COMM) {
> +		ret = strscpy(dst, current->comm, maxlen);
> +		if (ret == -E2BIG)
> +			return -ENOMEM;

I'm not sure the above is what we want. current->comm is always nul
terminated, and not only that, it will never be bigger than TASK_COMM_LEN.
If the "dst" location is smaller than comm (maxlen < TASK_COMM_LEN), it is
still OK to copy a partial string. It should not return -ENOMEM, which looks
to be what happens with this patch.

In other words, it looks like this patch breaks the current code in more
ways than one.

-- Steve

> +	} else
>  		ret = strncpy_from_user(dst, src, maxlen);
>  	if (ret >= 0) {
>  		if (ret == maxlen)
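Review bot: dropping the `if (unlikely(!maxlen)) return -ENOMEM;` guard at the top of the hunk changes both branches, not only the comm one: strscpy() returns -E2BIG for a zero count, which the new code happens to map back to -ENOMEM, but the `else` branch now calls strncpy_from_user(dst, src, maxlen) with maxlen == 0 and no longer bails out, so the guard should stay. In the comm branch, mapping -E2BIG to -ENOMEM also turns a truncated copy of a string that is always NUL-terminated and at most TASK_COMM_LEN bytes into a hard failure, and because strscpy() returns the number of bytes copied (never maxlen) the trailing `if (ret == maxlen)` truncation path can no longer be reached from this branch; consider reporting a truncated comm as `ret = maxlen` (strscpy() has already written the terminating NUL at dst[maxlen - 1]) so the existing truncation handling applies, rather than returning -ENOMEM.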
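As an added example, not code from this patch or from the kernel tree: the two copy helpers the patch swaps, re-implemented here in userspace to the return-value semantics of the kernel's lib/string.c (strlcpy() returns strlen(src) no matter what; strscpy() returns the bytes copied without the NUL, or -E2BIG on truncation or a zero count), plus a small model of the comm branch of fetch_store_string() comparing what a caller sees before the patch, as patched, and with a hypothetical alternative (labelled as such in the code) that keeps the !maxlen guard and reports a truncated comm as maxlen. The task names and sizes are constructed inputs; the strncpy_from_user() branch is not modelled.

```c
/*
 * Added example, not kernel code: userspace stand-ins for the two helpers
 * the patch swaps, written to the semantics of the kernel's lib/string.c,
 * and a model of the comm branch of fetch_store_string().
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define TASK_COMM_LEN 16 /* kernel constant: current->comm is at most 15 chars + NUL */

/* strlcpy: copies up to size-1 bytes and terminates, but returns strlen(src)
 * regardless of truncation, so it walks the whole source even when size == 0. */
static size_t kernel_strlcpy(char *dest, const char *src, size_t size)
{
	size_t ret = strlen(src);

	if (size) {
		size_t len = ret >= size ? size - 1 : ret;
		memcpy(dest, src, len);
		dest[len] = '\0';
	}
	return ret;
}

/* strscpy: reads at most count bytes of src, always terminates when it writes,
 * returns bytes copied (NUL excluded) or -E2BIG on truncation or count == 0. */
static ssize_t kernel_strscpy(char *dest, const char *src, size_t count)
{
	size_t len;

	if (count == 0)
		return -E2BIG;
	len = strnlen(src, count);
	if (len == count) {
		/* truncated: copy what fits, terminate, report the overflow */
		memcpy(dest, src, count - 1);
		dest[count - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dest, src, len + 1);
	return (ssize_t)len;
}

enum variant { BEFORE_PATCH, AS_PATCHED, KEEP_GUARD_TRUNCATE_OK };

/*
 * What the comm branch returns for a dst of maxlen bytes.
 * BEFORE_PATCH: the strlcpy() code with its !maxlen guard.
 * AS_PATCHED: guard removed, -E2BIG mapped to -ENOMEM.
 * KEEP_GUARD_TRUNCATE_OK: hypothetical alternative (not from the thread) that
 * keeps the guard and reports a truncated comm as maxlen, the value the
 * caller's existing "ret == maxlen" path already handles.
 */
static long copy_comm(enum variant v, const char *comm, char *dst, size_t maxlen)
{
	ssize_t ret;

	if (v != AS_PATCHED && !maxlen)
		return -ENOMEM;
	if (v == BEFORE_PATCH)
		return (long)kernel_strlcpy(dst, comm, maxlen);

	ret = kernel_strscpy(dst, comm, maxlen);
	if (ret == -E2BIG)
		return v == AS_PATCHED ? -ENOMEM : (long)maxlen;
	return (long)ret;
}

int main(void)
{
	/* constructed sample task names: one short, one at the 15-char limit */
	const char *comms[] = { "bash", "kworker/u8:3-ev" };
	size_t sizes[] = { 0, 8, TASK_COMM_LEN };
	char dst[TASK_COMM_LEN];

	for (size_t i = 0; i < 2; i++)
		for (size_t j = 0; j < 3; j++) {
			memset(dst, '?', sizeof(dst));
			printf("comm=%-16s maxlen=%2zu before=%3ld patched=%3ld alt=%3ld\n",
			       comms[i], sizes[j],
			       copy_comm(BEFORE_PATCH, comms[i], dst, sizes[j]),
			       copy_comm(AS_PATCHED, comms[i], dst, sizes[j]),
			       copy_comm(KEEP_GUARD_TRUNCATE_OK, comms[i], dst, sizes[j]));
		}
	return 0;
}
```

Running it shows the three cases that matter here: a comm that fits returns the same length from both helpers; a comm longer than dst makes strlcpy() return strlen(src) (15, which is larger than maxlen and so never matched the ret == maxlen path either) while strscpy() returns -E2BIG, which the patch turns into -ENOMEM; and maxlen == 0 is -E2BIG from strscpy() but a full read of src from strlcpy(), which is the reason the guard existed in the first place.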