* + bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch added to -mm tree
@ 2020-06-02 18:31 akpm
0 siblings, 0 replies; 2+ messages in thread
From: akpm @ 2020-06-02 18:31 UTC (permalink / raw)
To: akpm, ast, daniel, hch, hpa, mhiramat, mingo, mm-commits, tglx
The patch titled
Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better
has been added to the -mm tree. Its filename is
bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Andrew Morton <akpm@linux-foundation.org>
Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better
Use the proper helper for kernel or userspace addresses based on
TASK_SIZE instead of the dangerous strncpy_from_unsafe function.
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
kernel/trace/bpf_trace.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/kernel/trace/bpf_trace.c~bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better
+++ a/kernel/trace/bpf_trace.c
@@ -588,15 +588,17 @@ BPF_CALL_5(bpf_seq_printf, struct seq_fi
}
if (fmt[i] == 's') {
+ void *unsafe_ptr;
+
/* try our best to copy */
if (memcpy_cnt >= MAX_SEQ_PRINTF_MAX_MEMCPY) {
err = -E2BIG;
goto out;
}
- err = strncpy_from_unsafe_strict(bufs->buf[memcpy_cnt],
- (void *) (long) args[fmt_cnt],
- MAX_SEQ_PRINTF_STR_LEN);
+ unsafe_ptr = (void *)(long)args[fmt_cnt];
+ err = strncpy_from_kernel_nofault(bufs->buf[memcpy_cnt],
+ unsafe_ptr, MAX_SEQ_PRINTF_STR_LEN);
if (err < 0)
bufs->buf[memcpy_cnt][0] = '\0';
params[fmt_cnt] = (u64)(long)bufs->buf[memcpy_cnt];
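Review bot: the description and the code disagree in this version. The changelog says the helper is chosen "for kernel or userspace addresses based on TASK_SIZE", but the added lines call strncpy_from_kernel_nofault() unconditionally on unsafe_ptr with no TASK_SIZE test, and the call being removed is strncpy_from_unsafe_strict(), not the strncpy_from_unsafe named in the description. Please update the changelog to say that a %s argument is now always read as a kernel pointer, and state what happens when the argument is a user-space address (presumably the err < 0 path that stores an empty string). With the branch gone, unsafe_ptr is used exactly once, so the cast could be passed directly as before.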
_
Patches currently in -mm which might be from akpm@linux-foundation.org are
arch-parisc-include-asm-pgtableh-remove-unused-old_pte.patch
mm-slub-add-panic_on_error-to-the-debug-facilities-fix.patch
drivers-tty-serial-sh-scic-suppress-uninitialized-var-warning.patch
mm.patch
mm-free_area_init-allow-defining-max_zone_pfn-in-descending-order-fix-2-fix.patch
mm-page_alloc-skip-waternark_boost-for-atomic-order-0-allocations-fix.patch
arch-kunmap-remove-duplicate-kunmap-implementations-fix.patch
arch-kmap_atomic-consolidate-duplicate-code-checkpatch-fixes.patch
arch-kunmap_atomic-consolidate-duplicate-code-checkpatch-fixes.patch
kmap-consolidate-kmap_prot-definitions-checkpatch-fixes.patch
mm-add-debug_wx-support-fix.patch
riscv-support-debug_wx-fix.patch
mm-replace-zero-length-array-with-flexible-array-member-fix.patch
mm-hugetlb-fix-a-typo-in-comment-manitained-maintained-v2-checkpatch-fixes.patch
lib-make-a-test-module-with-get_count_order-long-fix.patch
seq_file-introduce-define_seq_attribute-helper-macro-checkpatch-fixes.patch
ipc-convert-ipcs_idr-to-xarray-update-fix.patch
linux-next-pre.patch
linux-next-rejects.patch
linux-next-git-rejects.patch
linux-next-post.patch
kernel-add-panic_on_taint-fix.patch
mm-consolidate-pgd_index-and-pgd_offset_k-definitions-fix.patch
mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix.patch
mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix-fix.patch
mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix-fix-fix.patch
mmap-locking-api-rename-mmap_sem-to-mmap_lock-fix.patch
mmap-locking-api-convert-mmap_sem-comments-fix.patch
mmap-locking-api-convert-mmap_sem-comments-fix-fix.patch
mmap-locking-api-convert-mmap_sem-comments-fix-fix-fix.patch
mm-pass-task-and-mm-to-do_madvise.patch
mm-introduce-external-memory-hinting-api-fix-2-fix.patch
mm-support-vector-address-ranges-for-process_madvise-fix-fix-fix-fix-fix.patch
maccess-unify-the-probe-kernel-arch-hooks-fix.patch
bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
maccess-always-use-strict-semantics-for-probe_kernel_read-fix.patch
x86-use-non-set_fs-based-maccess-routines-checkpatch-fixes.patch
doc-cgroup-update-note-about-conditions-when-oom-killer-is-invoked-fix.patch
sh-convert-ins-outs-macros-to-inline-functions-checkpatch-fixes.patch
kernel-forkc-export-kernel_thread-to-modules.patch
* incoming
@ 2020-05-23 5:22 Andrew Morton
2020-05-28 2:04 ` + bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch added to -mm tree Andrew Morton
0 siblings, 1 reply; 2+ messages in thread
From: Andrew Morton @ 2020-05-23 5:22 UTC (permalink / raw)
To: Linus Torvalds; +Cc: mm-commits, linux-mm
11 fixes, based on 444565650a5fe9c63ddf153e6198e31705dedeb2:
David Hildenbrand <david@redhat.com>:
device-dax: don't leak kernel memory to user space after unloading kmem
Nick Desaulniers <ndesaulniers@google.com>:
x86: bitops: fix build regression
John Hubbard <jhubbard@nvidia.com>:
rapidio: fix an error in get_user_pages_fast() error handling
selftests/vm/.gitignore: add mremap_dontunmap
selftests/vm/write_to_hugetlbfs.c: fix unused variable warning
Marco Elver <elver@google.com>:
kasan: disable branch tracing for core runtime
Arnd Bergmann <arnd@arndb.de>:
sh: include linux/time_types.h for sockios
Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>:
MAINTAINERS: update email address for Naoya Horiguchi
Mike Rapoport <rppt@linux.ibm.com>:
sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()
Uladzislau Rezki <uladzislau.rezki@sony.com>:
z3fold: fix use-after-free when freeing handles
Baoquan He <bhe@redhat.com>:
MAINTAINERS: add files related to kdump
MAINTAINERS | 7 ++++++-
arch/sh/include/uapi/asm/sockios.h | 2 ++
arch/sparc/mm/srmmu.c | 2 +-
arch/x86/include/asm/bitops.h | 12 ++++++------
drivers/dax/kmem.c | 14 +++++++++++---
drivers/rapidio/devices/rio_mport_cdev.c | 5 +++++
mm/kasan/Makefile | 16 ++++++++--------
mm/kasan/generic.c | 1 -
mm/kasan/tags.c | 1 -
mm/z3fold.c | 11 ++++++-----
tools/testing/selftests/vm/.gitignore | 1 +
tools/testing/selftests/vm/write_to_hugetlbfs.c | 2 --
12 files changed, 46 insertions(+), 28 deletions(-)
* + bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch added to -mm tree
2020-05-23 5:22 incoming Andrew Morton
@ 2020-05-28 2:04 ` Andrew Morton
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Morton @ 2020-05-28 2:04 UTC (permalink / raw)
To: akpm, ast, daniel, hch, hpa, mhiramat, mingo, mm-commits, tglx
The patch titled
Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better
has been added to the -mm tree. Its filename is
bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Andrew Morton <akpm@linux-foundation.org>
Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better
Use the proper helper for kernel or userspace addresses based on
TASK_SIZE instead of the dangerous strncpy_from_unsafe function.
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
kernel/trace/bpf_trace.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/kernel/trace/bpf_trace.c~bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better
+++ a/kernel/trace/bpf_trace.c
@@ -588,15 +588,22 @@ BPF_CALL_5(bpf_seq_printf, struct seq_fi
}
if (fmt[i] == 's') {
+ void *unsafe_ptr;
+
/* try our best to copy */
if (memcpy_cnt >= MAX_SEQ_PRINTF_MAX_MEMCPY) {
err = -E2BIG;
goto out;
}
- err = strncpy_from_unsafe(bufs->buf[memcpy_cnt],
- (void *) (long) args[fmt_cnt],
- MAX_SEQ_PRINTF_STR_LEN);
+ unsafe_ptr = (void *)(long)args[fmt_cnt];
+ if ((unsigned long)unsafe_ptr < TASK_SIZE) {
+ err = strncpy_from_user_nofault(
+ bufs->buf[memcpy_cnt], unsafe_ptr,
+ MAX_SEQ_PRINTF_STR_LEN);
+ } else {
+ err = -EFAULT;
+ }
if (err < 0)
bufs->buf[memcpy_cnt][0] = '\0';
params[fmt_cnt] = (u64)(long)bufs->buf[memcpy_cnt];
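Review bot: in the new else branch every pointer at or above TASK_SIZE gets err = -EFAULT, so a kernel string passed for %s is now always replaced by an empty string, where the removed strncpy_from_unsafe() call attempted the copy. That does not match the description's "proper helper for kernel or userspace addresses": only strncpy_from_user_nofault() is ever called. Either call the kernel-side nofault string copy in the else branch, or say in the changelog that kernel pointers are deliberately rejected here. A one-line comment above the TASK_SIZE test explaining why the address is classified this way would also help the next reader.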
_
Patches currently in -mm which might be from akpm@linux-foundation.org are
mm-remove-vm_bug_onpageslab-from-page_mapcount-fix.patch
squashfs-migrate-from-ll_rw_block-usage-to-bio-fix.patch
arch-parisc-include-asm-pgtableh-remove-unused-old_pte.patch
drivers-tty-serial-sh-scic-suppress-uninitialized-var-warning.patch
mm.patch
mm-slub-fix-corrupted-freechain-in-deactivate_slab-fix.patch
mm-slub-add-panic_on_error-to-the-debug-facilities-fix.patch
mm-migratec-call-detach_page_private-to-cleanup-code-fix.patch
mm-migratec-call-detach_page_private-to-cleanup-code-fix-fix.patch
mm-gupc-updating-the-documentation-fix.patch
mm-swapfilec-classify-swap_map_xxx-to-make-it-more-readable-fix.patch
mm-remove-__vmalloc_node_flags_caller-fix.patch
mm-switch-the-test_vmalloc-module-to-use-__vmalloc_node-fix.patch
mm-switch-the-test_vmalloc-module-to-use-__vmalloc_node-fix-fix.patch
mm-remove-vmalloc_user_node_flags-fix.patch
mm-vmalloc-track-which-page-table-levels-were-modified-fix.patch
mm-free_area_init-allow-defining-max_zone_pfn-in-descending-order-fix-2-fix.patch
mm-page_alloc-skip-waternark_boost-for-atomic-order-0-allocations-fix.patch
arch-kunmap-remove-duplicate-kunmap-implementations-fix.patch
arch-kmap_atomic-consolidate-duplicate-code-checkpatch-fixes.patch
arch-kunmap_atomic-consolidate-duplicate-code-checkpatch-fixes.patch
kmap-consolidate-kmap_prot-definitions-checkpatch-fixes.patch
mm-add-debug_wx-support-fix.patch
riscv-support-debug_wx-fix.patch
mm-replace-zero-length-array-with-flexible-array-member-fix.patch
mm-hugetlb-fix-a-typo-in-comment-manitained-maintained-v2-checkpatch-fixes.patch
seq_file-introduce-define_seq_attribute-helper-macro-checkpatch-fixes.patch
ipc-convert-ipcs_idr-to-xarray-update-fix.patch
linux-next-pre.patch
linux-next-rejects.patch
linux-next-post.patch
kernel-add-panic_on_taint-fix.patch
mm-consolidate-pgd_index-and-pgd_offset_k-definitions-fix.patch
mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix.patch
mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix-fix.patch
mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix-fix-fix.patch
mmap-locking-api-rename-mmap_sem-to-mmap_lock-fix.patch
mmap-locking-api-convert-mmap_sem-comments-fix.patch
mmap-locking-api-convert-mmap_sem-comments-fix-fix.patch
mmap-locking-api-convert-mmap_sem-comments-fix-fix-fix.patch
mm-pass-task-and-mm-to-do_madvise.patch
mm-introduce-external-memory-hinting-api-fix-2-fix.patch
mm-support-vector-address-ranges-for-process_madvise-fix-fix-fix-fix-fix.patch
maccess-unify-the-probe-kernel-arch-hooks-fix.patch
bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch
maccess-always-use-strict-semantics-for-probe_kernel_read-fix.patch
x86-use-non-set_fs-based-maccess-routines-checkpatch-fixes.patch
doc-cgroup-update-note-about-conditions-when-oom-killer-is-invoked-fix.patch
kernel-forkc-export-kernel_thread-to-modules.patch