[RFC,v1,1/2] maccess: fix writing offset in case of fault in strncpy_from_kernel_nofault()

Message ID 20221108195211.214025-2-flaniel@linux.microsoft.com
State New
Headers
Series Fix offset when fault occurs in strncpy_from_kernel_nofault() |

Commit Message

Francis Laniel Nov. 8, 2022, 7:52 p.m. UTC
  From: Alban Crequy <albancrequy@microsoft.com>

If a page fault occurs while copying the first byte, this function resets one
byte before dst.
As a consequence, an address could be modified and leaded to kernel crashes if
case the modified address was accessed later.

Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
---
 mm/maccess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.25.1
  

Comments

Yonghong Song Nov. 8, 2022, 8:35 p.m. UTC | #1
On 11/8/22 11:52 AM, Francis Laniel wrote:
> From: Alban Crequy <albancrequy@microsoft.com>
> 
> If a page fault occurs while copying the first byte, this function resets one
> byte before dst.
> As a consequence, an address could be modified and leaded to kernel crashes if
> case the modified address was accessed later.
> 
> Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
> Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
> ---
>   mm/maccess.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/maccess.c b/mm/maccess.c
> index 5f4d240f67ec..074f6b086671 100644
> --- a/mm/maccess.c
> +++ b/mm/maccess.c
> @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
>   	return src - unsafe_addr;
>   Efault:
>   	pagefault_enable();
> -	dst[-1] = '\0';
> +	dst[0] = '\0';

What if the fault is due to dst, so the above won't work, right?

The original code should work fine if the first byte copy is successful.
For the first byte copy fault, maybe just to leave it as is?

>   	return -EFAULT;
>   }
> 
> --
> 2.25.1
>
  
Yonghong Song Nov. 8, 2022, 8:38 p.m. UTC | #2
On 11/8/22 12:35 PM, Yonghong Song wrote:
> 
> 
> On 11/8/22 11:52 AM, Francis Laniel wrote:
>> From: Alban Crequy <albancrequy@microsoft.com>
>>
>> If a page fault occurs while copying the first byte, this function 
>> resets one
>> byte before dst.
>> As a consequence, an address could be modified and leaded to kernel 
>> crashes if
>> case the modified address was accessed later.
>>
>> Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
>> Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
>> ---
>>   mm/maccess.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/maccess.c b/mm/maccess.c
>> index 5f4d240f67ec..074f6b086671 100644
>> --- a/mm/maccess.c
>> +++ b/mm/maccess.c
>> @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const 
>> void *unsafe_addr, long count)
>>       return src - unsafe_addr;
>>   Efault:
>>       pagefault_enable();
>> -    dst[-1] = '\0';
>> +    dst[0] = '\0';
> 
> What if the fault is due to dst, so the above won't work, right?
> 
> The original code should work fine if the first byte copy is successful.
> For the first byte copy fault, maybe just to leave it as is?

Okay, the dst is always safe (from func signature), so change looks okay
to me. Probably mm people can double check.

> 
>>       return -EFAULT;
>>   }
>>
>> -- 
>> 2.25.1
>>
  
Andrew Morton Nov. 8, 2022, 9:05 p.m. UTC | #3
On Tue,  8 Nov 2022 20:52:06 +0100 Francis Laniel <flaniel@linux.microsoft.com> wrote:

> From: Alban Crequy <albancrequy@microsoft.com>
> 
> If a page fault occurs while copying the first byte, this function resets one
> byte before dst.
> As a consequence, an address could be modified and leaded to kernel crashes if
> case the modified address was accessed later.
> 
> Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
> Tested-by: Francis Laniel <flaniel@linux.microsoft.com>

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>

Please merge via the bpf tree.

This looks potentially nasty.  Fortunately only tracing code uses it,
but I'm thinking it should have cc:stable and a Fixes:?
  
Francis Laniel Nov. 9, 2022, 11:04 a.m. UTC | #4
Hi.

Le mardi 8 novembre 2022, 22:05:51 CET Andrew Morton a écrit :
> On Tue,  8 Nov 2022 20:52:06 +0100 Francis Laniel 
<flaniel@linux.microsoft.com> wrote:
> > From: Alban Crequy <albancrequy@microsoft.com>
> > 
> > If a page fault occurs while copying the first byte, this function resets
> > one byte before dst.
> > As a consequence, an address could be modified and leaded to kernel
> > crashes if case the modified address was accessed later.
> > 
> > Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
> > Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
> 
> Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
> 
> Please merge via the bpf tree.
> 
> This looks potentially nasty.  Fortunately only tracing code uses it,
> but I'm thinking it should have cc:stable and a Fixes:?

Thank you for the review!
Sorry, I thought to add stable list but forgot to add it when sending the 
series...
I will sent a v2 with your review and without rfc tag to, among others, 
stable.
  
Alban Crequy Nov. 9, 2022, 11:23 a.m. UTC | #5
On Tue, 8 Nov 2022 12:38:53 -0800
Yonghong Song <yhs@meta.com> wrote:

> On 11/8/22 12:35 PM, Yonghong Song wrote:
> > 
> > 
> > On 11/8/22 11:52 AM, Francis Laniel wrote:  
> >> From: Alban Crequy <albancrequy@microsoft.com>
> >>
> >> If a page fault occurs while copying the first byte, this function 
> >> resets one
> >> byte before dst.
> >> As a consequence, an address could be modified and leaded to
> >> kernel crashes if
> >> case the modified address was accessed later.
> >>
> >> Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
> >> Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
> >> ---
> >>   mm/maccess.c | 2 +-
> >>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/mm/maccess.c b/mm/maccess.c
> >> index 5f4d240f67ec..074f6b086671 100644
> >> --- a/mm/maccess.c
> >> +++ b/mm/maccess.c
> >> @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst,
> >> const void *unsafe_addr, long count)
> >>       return src - unsafe_addr;
> >>   Efault:
> >>       pagefault_enable();
> >> -    dst[-1] = '\0';
> >> +    dst[0] = '\0';  
> > 
> > What if the fault is due to dst, so the above won't work, right?
> > 
> > The original code should work fine if the first byte copy is
> > successful. For the first byte copy fault, maybe just to leave it
> > as is?  
> 
> Okay, the dst is always safe (from func signature), so change looks
> okay to me. Probably mm people can double check.

My understanding was that the bpf verifier is supposed to check that the
dst pointer is safe. But I don't know where it is done, and I don't
know how it can check that the dst buffer is big enough.

> >   
> >>       return -EFAULT;
> >>   }
> >>
> >> -- 
> >> 2.25.1
> >>  
>
  
Yonghong Song Nov. 9, 2022, 4:09 p.m. UTC | #6
On 11/9/22 3:23 AM, Alban Crequy wrote:
> On Tue, 8 Nov 2022 12:38:53 -0800
> Yonghong Song <yhs@meta.com> wrote:
> 
>> On 11/8/22 12:35 PM, Yonghong Song wrote:
>>>
>>>
>>> On 11/8/22 11:52 AM, Francis Laniel wrote:
>>>> From: Alban Crequy <albancrequy@microsoft.com>
>>>>
>>>> If a page fault occurs while copying the first byte, this function
>>>> resets one
>>>> byte before dst.
>>>> As a consequence, an address could be modified and leaded to
>>>> kernel crashes if
>>>> case the modified address was accessed later.
>>>>
>>>> Signed-off-by: Alban Crequy <albancrequy@microsoft.com>
>>>> Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
>>>> ---
>>>>    mm/maccess.c | 2 +-
>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/mm/maccess.c b/mm/maccess.c
>>>> index 5f4d240f67ec..074f6b086671 100644
>>>> --- a/mm/maccess.c
>>>> +++ b/mm/maccess.c
>>>> @@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst,
>>>> const void *unsafe_addr, long count)
>>>>        return src - unsafe_addr;
>>>>    Efault:
>>>>        pagefault_enable();
>>>> -    dst[-1] = '\0';
>>>> +    dst[0] = '\0';
>>>
>>> What if the fault is due to dst, so the above won't work, right?
>>>
>>> The original code should work fine if the first byte copy is
>>> successful. For the first byte copy fault, maybe just to leave it
>>> as is?
>>
>> Okay, the dst is always safe (from func signature), so change looks
>> okay to me. Probably mm people can double check.
> 
> My understanding was that the bpf verifier is supposed to check that the
> dst pointer is safe. But I don't know where it is done, and I don't
> know how it can check that the dst buffer is big enough.

Yes, the verifier ensures the buffer actually has the capacity
for the buffer size. So we are fine here for 'dst' buffer.

> 
>>>    
>>>>        return -EFAULT;
>>>>    }
>>>>
>>>> -- 
>>>> 2.25.1
>>>>   
>>
>
  

Patch

diff --git a/mm/maccess.c b/mm/maccess.c
index 5f4d240f67ec..074f6b086671 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -97,7 +97,7 @@  long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
 	return src - unsafe_addr;
 Efault:
 	pagefault_enable();
-	dst[-1] = '\0';
+	dst[0] = '\0';
 	return -EFAULT;
 }