* [PATH 0/2] strndup_user, description
@ 2006-02-15  0:47 Davi Arnaut
  2006-02-15  2:53 ` Alan Cox
  0 siblings, 1 reply; 3+ messages in thread
From: Davi Arnaut @ 2006-02-15  0:47 UTC (permalink / raw)
  To: akpm; +Cc: davi.arnaut, linux-kernel


This patch series creates a strndup_user() function in order to avoid duplicated
and error-prone (userspace modifying the string after the strlen_user()) code.

The diffstat:

 include/linux/string.h |    3 +
 kernel/module.c        |   19 +-------
 mm/util.c              |   37 +++++++++++++++
 security/keys/keyctl.c |  116 ++++++++++---------------------------------------
 4 files changed, 68 insertions(+), 107 deletions(-)

Signed-off-by: Davi Arnaut <davi.arnaut@gmail.com>
--

diff --git a/include/linux/string.h b/include/linux/string.h
index 369be32..2cb2dc8 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -18,6 +18,9 @@ extern char * strsep(char **,const char 
 extern __kernel_size_t strspn(const char *,const char *);
 extern __kernel_size_t strcspn(const char *,const char *);
 
+#define strdup_user(s)	strndup_user(s, PAGE_SIZE)
+extern char *strndup_user(const char __user *, long);
+
 /*
  * Include machine specific inline routines
  */
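Review bot: the `strdup_user()` macro at the top of the added lines bakes a PAGE_SIZE cap into a name that gives callers no hint that a limit is applied; I would drop it and have each caller pass its own bound to `strndup_user()`. The prototype also takes the limit as a signed `long` and leaves both parameters unnamed, so please name the arguments and state what a zero or negative `n` means, or reject it.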
diff --git a/mm/util.c b/mm/util.c
index 5f4bb59..09c2c3b 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -1,6 +1,8 @@
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/module.h>
+#include <linux/err.h>
+#include <asm/uaccess.h>
 
 /**
  * kzalloc - allocate memory. The memory is set to zero.
@@ -37,3 +39,38 @@ char *kstrdup(const char *s, gfp_t gfp)
 	return buf;
 }
 EXPORT_SYMBOL(kstrdup);
+
+/*
+ * strndup_user - duplicate an existing string from user space
+ *
+ * @s: The string to duplicate
+ * @n: Maximum number of bytes to copy, including the trailing NUL.
+ */
+char *strndup_user(const char __user *s, long n)
+{
+	char *p;
+	long length;
+
+	length = strlen_user(s);
+
+	if (!length)
+		return ERR_PTR(-EFAULT);
+
+	if (length > n)
+		length = n;
+
+	p = kmalloc(length, GFP_KERNEL);
+
+	if (!p)
+		return ERR_PTR(-ENOMEM);
+
+	if (strncpy_from_user(p, s, length) < 0) {
+		kfree(p);
+		return ERR_PTR(-EFAULT);
+	}
+
+	p[length - 1] = '\0';
+
+	return p;
+}
+EXPORT_SYMBOL(strndup_user);
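Review bot: `n` is never validated before the clamp in `strndup_user()`, so with `n == 0` the length becomes 0 and `p[length - 1] = '\0'` stores one byte in front of the allocation, and a negative `n` reaches `kmalloc()` as the size; reject `n <= 0` up front. `strlen_user(s)` also walks the whole user string before the limit is applied, so a bounded `strnlen_user(s, n)` would be the better call here. Because `length > n` truncates silently, callers cannot tell a clipped string from a complete one; returning an error such as `ERR_PTR(-EINVAL)` would make that visible. The comment block should use the `/**` kernel-doc opener like the `kzalloc` comment earlier in this file and say that failure is reported as an `ERR_PTR()`, not NULL.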


* Re: [PATH 0/2] strndup_user, description
  2006-02-15  0:47 [PATH 0/2] strndup_user, description Davi Arnaut
@ 2006-02-15  2:53 ` Alan Cox
  2006-02-15 10:42   ` Davi Arnaut
  0 siblings, 1 reply; 3+ messages in thread
From: Alan Cox @ 2006-02-15  2:53 UTC (permalink / raw)
  To: Davi Arnaut; +Cc: akpm, linux-kernel

On Tue, 2006-02-14 at 21:47 -0300, Davi Arnaut wrote:
> This patch series creates a strndup_user() function in order to avoid duplicated
> and error-prone (userspace modifying the string after the strlen_user()) code.

Well userspace can still modify in this case. So you could still get a
\0 mid buffer but that seems harmless.

However

> +#define strdup_user(s)	strndup_user(s, PAGE_SIZE)

Better this doesn't exist as it is a wrapper for a bad habit that isn't
yet used so why encourage it.



> +	length = strlen_user(s);

What if n is very large? Should use strnlen_user clipped by n

Also say the length limit is 8 and the text is "hello\0"

We get length = 5  5 < 8, alloc 5 bytes set 5th to \0 and return "hell\0"


* Re: [PATH 0/2] strndup_user, description
  2006-02-15  2:53 ` Alan Cox
@ 2006-02-15 10:42   ` Davi Arnaut
  0 siblings, 0 replies; 3+ messages in thread
From: Davi Arnaut @ 2006-02-15 10:42 UTC (permalink / raw)
  To: Alan Cox; +Cc: akpm, linux-kernel

On Wed, 15 Feb 2006 02:53:10 +0000
Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:

> On Tue, 2006-02-14 at 21:47 -0300, Davi Arnaut wrote:
> > This patch series creates a strndup_user() function in order to avoid duplicated
> > and error-prone (userspace modifying the string after the strlen_user()) code.
> 
> Well userspace can still modify in this case. So you could still get a
> \0 mid buffer but that seems harmless.

Yes.

> However
> 
> > +#define strdup_user(s)	strndup_user(s, PAGE_SIZE)
> 
> Better this doesn't exist as it is a wrapper for a bad habit that isn't
> yet used so why encourage it.
> 

Ok, I will inline it.
 
> 
> > +	length = strlen_user(s);
> 
> What if n is very large? Should use strnlen_user clipped by n

That's what "if (length > n) length = n" is for.
 
> Also say the length limit is 8 and the text is "hello\0"
> 
> We get length = 5  5 < 8, alloc 5 bytes set 5th to \0 and return "hell\0"

No, we would get length = 6, strlen_user returns the size of the string
_including_ the terminating NUL.

--
Davi Arnaut
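
Added example, not part of the thread or the patch: a userspace C model of the steps in the posted strndup_user(), showing the allocation size and result for the "hello" case under the NUL-inclusive length convention described in the reply above, and what the clamp does when the limit is shorter than the string. `model_strlen_user` and `model_strndup_user` are hypothetical names, malloc/memcpy stand in for kmalloc/strncpy_from_user, and the `n <= 0` guard is an addition that the posted code does not have.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in (assumption): like strlen_user() as described in the
 * thread, the returned size counts the terminating NUL. */
static long model_strlen_user(const char *s)
{
	return (long)strlen(s) + 1;
}

/* Same steps as the posted function, with malloc/memcpy in place of
 * kmalloc/strncpy_from_user. The n <= 0 guard is added here so the model
 * never evaluates p[length - 1] with length == 0. */
static char *model_strndup_user(const char *s, long n, long *alloc_len)
{
	long length = model_strlen_user(s);
	char *p;

	if (n <= 0)
		return NULL;
	if (length > n)
		length = n;		/* clamp: silent truncation */

	p = malloc((size_t)length);
	if (!p)
		return NULL;

	memcpy(p, s, (size_t)length);
	p[length - 1] = '\0';		/* replaces a data byte when clamped */
	*alloc_len = length;
	return p;
}

int main(void)
{
	long len = 0;
	char *a = model_strndup_user("hello", 8, &len);	/* limit above size */
	if (a)
		printf("limit 8: \"%s\" in %ld bytes\n", a, len);
	free(a);

	char *b = model_strndup_user("hello", 3, &len);	/* limit below size */
	if (b)
		printf("limit 3: \"%s\" in %ld bytes\n", b, len);
	free(b);
	return 0;
}
```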