From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52F13C2D0A3 for ; Wed, 4 Nov 2020 02:30:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E692622264 for ; Wed, 4 Nov 2020 02:30:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=dxuuu.xyz header.i=@dxuuu.xyz header.b="H4Wk1mVf"; dkim=temperror (0-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="Rb7WTGEE" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730216AbgKDCaq (ORCPT ); Tue, 3 Nov 2020 21:30:46 -0500 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:60075 "EHLO out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729188AbgKDCap (ORCPT ); Tue, 3 Nov 2020 21:30:45 -0500 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 64B6B5C00CC; Tue, 3 Nov 2020 21:30:44 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Tue, 03 Nov 2020 21:30:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dxuuu.xyz; h= from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; s=fm1; bh=WE7yAH2aWA3fpPsJ2XJxmxiCEv 3IiFflvFYkvVNFDuQ=; b=H4Wk1mVfzFJCSyX9lNHb20rXl9RDucaXdEQwfD9toY K56XkJANQhatj1b0723ffSKBoWmz+FsmPSDLtAUjnyWx0Yq45rzoH4gLZlirmdnk gx2CBlux45P0XiIQt20worGPYPyHDjtPDNn275e7EJ8G+5c0oa9xISXuNkOdVhKn E50fD52uQTEDzqr546PntIiCkn50wcJZiK+vl39lHVKVbi3eEqTcPrlBmD3hp2i4 Mr3wtDwleuxyDcNVgav1rcmDe4f9zMo6Gu5HjnrUmHkJiMrpfxdErpV1tUx8tLDZ 937YLNgxJg6EeQtNhv7LdGu5OfgDQV3kTH0E8z+UywkA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=WE7yAH2aWA3fpPsJ2 XJxmxiCEv3IiFflvFYkvVNFDuQ=; b=Rb7WTGEEavUFi1ld6gc9+wCoTe+pPrZKg jPKgaJNW5m/C1/RSM+jrRT/xdCJQ+Q7cpzDYNteaoYfE+Us1fN8HRaNVAMgsxUrD hxQGhWSaFA6eyyklm0PA8gd+LGPKcSw7G3DvQVL3g3uasB2z80FOLs/JiJPmB7bw 1f13/lVDP20Fnk6DulUl8qdho5QvYmGlhdEJ/pHs7ZU5xu7X28zbpbBq3jvkRSnu 2ZEqTHv1QPAdxeVXWpm/7nVeSQq3XbMvdZ9vRIj80kvgXxC8BbSaQxpe7iGiETq+ 9g+lywL7L0HPuWFVYFD/j8pHJwp99tqfTQsclMoeAbT2fKLViehrg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedruddtgedggeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgfrhhlucfvnfffucdljedtmdenucfjughrpefhvf fufffkofgggfestdekredtredttdenucfhrhhomhepffgrnhhivghlucgiuhcuoegugihu segugihuuhhurdighiiiqeenucggtffrrghtthgvrhhnpeeifffgledvffeitdeljedvte effeeivdefheeiveevjeduieeigfetieevieffffenucfkphepieelrddukedurddutdeh rdeigeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe gugihusegugihuuhhurdighiii X-ME-Proxy: Received: from localhost.localdomain (c-69-181-105-64.hsd1.ca.comcast.net [69.181.105.64]) by mail.messagingengine.com (Postfix) with ESMTPA id 1C67B3064687; Tue, 3 Nov 2020 21:30:43 -0500 (EST) From: Daniel Xu To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, ast@kernel.org Cc: Daniel Xu , kernel-team@fb.com Subject: [PATCH bpf-next] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator Date: Tue, 3 Nov 2020 18:29:43 -0800 Message-Id: X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org do_strncpy_from_user() may copy some extra bytes after the NUL terminator into the destination buffer. This usually does not matter for normal string operations. However, when BPF programs key BPF maps with strings, this matters a lot. A BPF program may read strings from user memory by calling the bpf_probe_read_user_str() helper which eventually calls do_strncpy_from_user(). The program can then key a map with the resulting string. BPF map keys are fixed-width and string-agnostic, meaning that map keys are treated as a set of bytes. The issue is when do_strncpy_from_user() overcopies bytes after the NUL terminator, it can result in seemingly identical strings occupying multiple slots in a BPF map. This behavior is subtle and totally unexpected by the user. This commit uses the proper word-at-a-time APIs to avoid overcopying. Signed-off-by: Daniel Xu --- lib/strncpy_from_user.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c index e6d5fcc2cdf3..d084189eb05c 100644 --- a/lib/strncpy_from_user.c +++ b/lib/strncpy_from_user.c @@ -35,17 +35,22 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src, goto byte_at_a_time; while (max >= sizeof(unsigned long)) { - unsigned long c, data; + unsigned long c, data, mask, *out; /* Fall back to byte-at-a-time if we get a page fault */ unsafe_get_user(c, (unsigned long __user *)(src+res), byte_at_a_time); - *(unsigned long *)(dst+res) = c; if (has_zero(c, &data, &constants)) { data = prep_zero_mask(c, data, &constants); data = create_zero_mask(data); + mask = zero_bytemask(data); + out = (unsigned long *)(dst+res); + *out = (*out & ~mask) | (c & mask); return res + find_zero(data); + } else { + *(unsigned long *)(dst+res) = c; } + res += sizeof(unsigned long); max -= sizeof(unsigned long); } -- 2.28.0