| Message ID | 20231130205607.work.463-kees@kernel.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp678609vqy;
Thu, 30 Nov 2023 12:56:19 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IF7/ZzHWFIDCHlvMfID3mv5OuDA7946eFNGWmxGDe3o4Lt+d/uIdJVct9N3RbEmVRhN3bVS
X-Received: by 2002:a05:6a00:1799:b0:6cd:e2c2:13d7 with SMTP id
s25-20020a056a00179900b006cde2c213d7mr4681131pfg.23.1701377778897;
Thu, 30 Nov 2023 12:56:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701377778; cv=none;
d=google.com; s=arc-20160816;
b=T1ZFJTwcEoD7ZDGN7Ukwr/tB0TGMnjlAtKCCm4RowG8nLWLfJ6I9AToNoKOxuMP7Xi
OpZEfwBIRrxFkC0DXdDyYiGxpSE26/ySVVGu0xvyF/ijucbz4HFCOnR+cWfwfPn7lV4r
WJ8/7ZriJqrUH/+DgSuiHMPDTbcliy4oqEZ0IrVtvuTs8u1LDK7oT9SicXyHa2WB8lkP
7FrkjohJ74PFiMpzoNANcoXzieEANZYISfXIOpdoL0ediWhoQrzWnQeX2Q45+Aae1khi
RjwZmj6ONXpLIAW6o+AgllCNo/s0iA/3yh6QcgGt4Cvw+fbQeUBRm+kHyKyNWRfhv9W0
jdhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=2mqH2Bu8VDSZQl/oVmtaFk1bQrPnLFzomfRgzjPU9ug=;
fh=GWu56dZwFUbHWUbMT5wdLrp8Cgq0rqEO6sqTFSY8UpA=;
b=OOpGxGmiZ4V74fXkBvZ/U/XU/MXhLKaW8yKYDwBwp0daSKmxfo3HXwN7qipEbSfUu+
mE6+Fkm+jaNNWFL/M794JfVXTmaCbeIDS9QYi8E1ZDFSOuWu++flwbdkIkXHKbJrUpSI
dS/+eErMlg9q4p0KPFeGuJ09scopOujuPOvm5d3iGX+qI0ccWbUERYNeRHFmtNzF19R0
OX5Uo+rB4OTTqKX8pbOi78B/PxsjHL2VxjkkyacS4j5Yqt/yoVtX5YTnVcNtGIx1XS6R
yarjladnzjsbYkDO+VK/zFZ5SbZ2vQuQo+Hff2e2bgiCtPho0NqOUBdWysq6BqhIvVDq
1pSA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=dhoUccPU;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
by mx.google.com with ESMTPS id
q7-20020a634307000000b005c1b2d279f3si1989226pga.342.2023.11.30.12.56.18
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 30 Nov 2023 12:56:18 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
dkim=pass header.i=@chromium.org header.s=google header.b=dhoUccPU;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by lipwig.vger.email (Postfix) with ESMTP id 036DF801B413;
Thu, 30 Nov 2023 12:56:13 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1376740AbjK3U4F (ORCPT <rfc822;ruipengqi7@gmail.com>
+ 99 others); Thu, 30 Nov 2023 15:56:05 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52418 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1376386AbjK3U4E (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 30 Nov 2023 15:56:04 -0500
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com
[IPv6:2607:f8b0:4864:20::430])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 40D10170B
for <linux-kernel@vger.kernel.org>;
Thu, 30 Nov 2023 12:56:10 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id
d2e1a72fcca58-6cb749044a2so1421389b3a.0
for <linux-kernel@vger.kernel.org>;
Thu, 30 Nov 2023 12:56:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=chromium.org; s=google; t=1701377770; x=1701982570;
darn=vger.kernel.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=2mqH2Bu8VDSZQl/oVmtaFk1bQrPnLFzomfRgzjPU9ug=;
b=dhoUccPUzLdedFmR72dBLBBf1AwWJCbZWRG/C11ZKHT5/v2loNjYwqyQHWCR/NFqzx
rGBGX7d51mgrdd6Y3J0GDjJJkU6T6nc8sCL3krUHBrvKyMqmP0Th6gCrBljtEhaoaJyA
rs747QpY0EkW5QjvDmo1KWIZxDlllhNBVS0qI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1701377770; x=1701982570;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=2mqH2Bu8VDSZQl/oVmtaFk1bQrPnLFzomfRgzjPU9ug=;
b=B4AB/NCQWiAy7ytJaSL8YtTNKA+BCL9cOFL1zTHe1pD8PUn8RuIVVUzK0jiDtWyptK
92MBSMN0gH7ilZXKzaZetbF0rUtP2s1siWQQsc5NCUt90dGoyE8ZmrEXPVgY37TlfSgQ
CAqoIrA69iVw30+ZOMt+riT/XrsDWvVSvU9wGKA5vfOeDvhbUzkj94d4Njei8j5yAAsC
8w7qkVEi8Eonj5vRuObEbQLtX6AOJ5+l5Vy/1rrpdQrMETnMsD+nzX0LZz7hulGZQ6ZF
e3t0e6AWoGmAc3qXqU1PKczLwXpDa+Cq0RODJtYcJqVvgIN0aD/Jadl8AZaZ9rJopwVw
CW4A==
X-Gm-Message-State: AOJu0Yz1PzfLZQNzxHPZWtn/tEIcZly1uuF6T/TMDiensGu9gWXpYOtd
5FDeDMM9tV1KMpZ3bEunrCiJyA==
X-Received: by 2002:a05:6a00:3907:b0:6c4:d76a:68ff with SMTP id
fh7-20020a056a00390700b006c4d76a68ffmr28870071pfb.17.1701377769742;
Thu, 30 Nov 2023 12:56:09 -0800 (PST)
Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net.
[198.0.35.241])
by smtp.gmail.com with ESMTPSA id
r8-20020aa78b88000000b006889511ab14sm1649631pfd.37.2023.11.30.12.56.09
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 30 Nov 2023 12:56:09 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Kees Cook <keescook@chromium.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
linux-trace-kernel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: [PATCH] tracing/uprobe: Replace strlcpy() with strscpy()
Date: Thu, 30 Nov 2023 12:56:08 -0800
Message-Id: <20231130205607.work.463-kees@kernel.org>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Developer-Signature: v=1; a=openpgp-sha256; l=1408; i=keescook@chromium.org;
h=from:subject:message-id; bh=VAQ/FNnq8v9CzAsxQVG8VOQQl1gkuhbx7/nJ2nLij24=;
b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlaPbn40MW2pI606YFnUzI2iau9NKfIMFA3hhNz
i9rV8Xp0L+JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZWj25wAKCRCJcvTf3G3A
JphxD/0ccMJyONx88iMeiVBBxhpQxMXLZ3/cgij/f1NWWQtky8CiRVSnmiHuwuHEGRkZvv2H9zH
/0t6VYWUDc0KsaXIYuf2zRKW2rexz7CdRO+C/HB4EKf0u7AyY1hly2yTRFmSJfIm5iOg9oGmmVR
ejxK8/epLSsTFuKcCcfcnSGiTrsM8zOGSAAB35wKUazI7JepId+k3bpipXDdTK01v8fpIkabwa1
KSfC2JLVya7CdOm3kF0fNNu8GEcuYeNGLCVloi1RxLNsey1ND0XZ0wPiL3HDkSp8+Lzm9wpoXQ0
jQrOQidOcEUCwsHvQ/xMoGzHIq5DgU5S5Xey3WFjPKyVq3EsNs6YRkN/y2AqQxc4CtJIDA7D6nv
bZkIiEGjX2Aafqf7GYMD6bsqhdQsHccbU7/RbFc6rW2fRcmHnT6h44ht8zPAhXhx28b5+y76JaU
mOgqxXBxGfOU2H3soJFvAcP5ESM9uT7Zlwq2HDx1RlT74wKg7S9ddsXxQBXKhcn9FopV+VKXYVD
B+is63bPLIcijjEk0m6B5/UdHl4OwEkRABa+TUEGSBTCCXg8CZxTzOrvVtKbdK9b/R4u3LvH22M
ZL60zhmY8Cl8gvldvxIQk2CJJRXoyJYkIKcgKDl5e6ej1i9ahR+mrgUGsovY1tzdZKz3TDrGb0p
bjYwntr ZIx4iwLQ==
X-Developer-Key: i=keescook@chromium.org; a=openpgp;
fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
Thu, 30 Nov 2023 12:56:14 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1784023905852940330
X-GMAIL-MSGID: 1784023905852940330
|
| Series |
tracing/uprobe: Replace strlcpy() with strscpy()
|
|
Commit Message
Kees Cook
Nov. 30, 2023, 8:56 p.m. UTC
strlcpy() reads the entire source buffer first. This read may exceed
the destination size limit. This is both inefficient and can lead
to linear read overflows if a source string is not NUL-terminated[1].
Additionally, it returns the size of the source string, not the
resulting size of the destination string. In an effort to remove strlcpy()
completely[2], replace strlcpy() here with strscpy().
The negative return value is already handled by this code so no new
handling is needed here.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1]
Link: https://github.com/KSPP/linux/issues/89 [2]
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: linux-trace-kernel@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
kernel/trace/trace_uprobe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Thu, 30 Nov 2023 12:56:08 -0800 Kees Cook <keescook@chromium.org> wrote: > strlcpy() reads the entire source buffer first. This read may exceed > the destination size limit. This is both inefficient and can lead > to linear read overflows if a source string is not NUL-terminated[1]. > Additionally, it returns the size of the source string, not the > resulting size of the destination string. In an effort to remove strlcpy() > completely[2], replace strlcpy() here with strscpy(). > > The negative return value is already handled by this code so no new > handling is needed here. > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] > Link: https://github.com/KSPP/linux/issues/89 [2] > Cc: Steven Rostedt <rostedt@goodmis.org> > Cc: Masami Hiramatsu <mhiramat@kernel.org> > Cc: linux-trace-kernel@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Thanks for reporting! Let me pick this. Thanks! > --- > kernel/trace/trace_uprobe.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c > index 99c051de412a..a84b85d8aac1 100644 > --- a/kernel/trace/trace_uprobe.c > +++ b/kernel/trace/trace_uprobe.c > @@ -151,7 +151,7 @@ fetch_store_string(unsigned long addr, void *dest, void *base) > return -ENOMEM; > > if (addr == FETCH_TOKEN_COMM) > - ret = strlcpy(dst, current->comm, maxlen); > + ret = strscpy(dst, current->comm, maxlen); > else > ret = strncpy_from_user(dst, src, maxlen); > if (ret >= 0) { > -- > 2.34.1 >
On Thu, 30 Nov 2023 12:56:08 -0800 Kees Cook <keescook@chromium.org> wrote: > strlcpy() reads the entire source buffer first. This read may exceed > the destination size limit. This is both inefficient and can lead > to linear read overflows if a source string is not NUL-terminated[1]. > Additionally, it returns the size of the source string, not the > resulting size of the destination string. In an effort to remove strlcpy() > completely[2], replace strlcpy() here with strscpy(). > > The negative return value is already handled by this code so no new > handling is needed here. > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] > Link: https://github.com/KSPP/linux/issues/89 [2] > Cc: Steven Rostedt <rostedt@goodmis.org> > Cc: Masami Hiramatsu <mhiramat@kernel.org> > Cc: linux-trace-kernel@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Hi Kees, As same as sample's change, should I ask you to pick this to your tree? Since it is a kind of a part of series patch. I'm OK for it since this does not change the code so much. In that case, please feel free to add my Ack. Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Thank you, > --- > kernel/trace/trace_uprobe.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c > index 99c051de412a..a84b85d8aac1 100644 > --- a/kernel/trace/trace_uprobe.c > +++ b/kernel/trace/trace_uprobe.c > @@ -151,7 +151,7 @@ fetch_store_string(unsigned long addr, void *dest, void *base) > return -ENOMEM; > > if (addr == FETCH_TOKEN_COMM) > - ret = strlcpy(dst, current->comm, maxlen); > + ret = strscpy(dst, current->comm, maxlen); > else > ret = strncpy_from_user(dst, src, maxlen); > if (ret >= 0) { > -- > 2.34.1 >
On Fri, Dec 01, 2023 at 03:27:26PM +0900, Masami Hiramatsu wrote: > On Thu, 30 Nov 2023 12:56:08 -0800 > Kees Cook <keescook@chromium.org> wrote: > > > strlcpy() reads the entire source buffer first. This read may exceed > > the destination size limit. This is both inefficient and can lead > > to linear read overflows if a source string is not NUL-terminated[1]. > > Additionally, it returns the size of the source string, not the > > resulting size of the destination string. In an effort to remove strlcpy() > > completely[2], replace strlcpy() here with strscpy(). > > > > The negative return value is already handled by this code so no new > > handling is needed here. > > > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] > > Link: https://github.com/KSPP/linux/issues/89 [2] > > Cc: Steven Rostedt <rostedt@goodmis.org> > > Cc: Masami Hiramatsu <mhiramat@kernel.org> > > Cc: linux-trace-kernel@vger.kernel.org > > Signed-off-by: Kees Cook <keescook@chromium.org> > > Hi Kees, > > As same as sample's change, should I ask you to pick this to your tree? > Since it is a kind of a part of series patch. I'm OK for it since this > does not change the code so much. > > In that case, please feel free to add my Ack. > > Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Either way is fine, but I can take it since I've got a few others already too. :) Thanks! -Kees
On Thu, 30 Nov 2023 12:56:08 -0800, Kees Cook wrote: > strlcpy() reads the entire source buffer first. This read may exceed > the destination size limit. This is both inefficient and can lead > to linear read overflows if a source string is not NUL-terminated[1]. > Additionally, it returns the size of the source string, not the > resulting size of the destination string. In an effort to remove strlcpy() > completely[2], replace strlcpy() here with strscpy(). > > [...] Applied to for-next/hardening, thanks! [1/1] tracing/uprobe: Replace strlcpy() with strscpy() https://git.kernel.org/kees/c/8a3750ecf810 Take care,
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c index 99c051de412a..a84b85d8aac1 100644 --- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -151,7 +151,7 @@ fetch_store_string(unsigned long addr, void *dest, void *base) return -ENOMEM; if (addr == FETCH_TOKEN_COMM) - ret = strlcpy(dst, current->comm, maxlen); + ret = strscpy(dst, current->comm, maxlen); else ret = strncpy_from_user(dst, src, maxlen); if (ret >= 0) {