From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C127FC433E0 for ; Thu, 28 May 2020 02:04:36 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 70D8C208B8 for ; Thu, 28 May 2020 02:04:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="P1CBXYMU" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 70D8C208B8 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id F40C78001A; Wed, 27 May 2020 22:04:35 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id EF1CA80010; Wed, 27 May 2020 22:04:35 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E078E8001A; Wed, 27 May 2020 22:04:35 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0177.hostedemail.com [216.40.44.177]) by kanga.kvack.org (Postfix) with ESMTP id C689E80010 for ; Wed, 27 May 2020 22:04:35 -0400 (EDT) Received: from smtpin02.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 826172488 for ; Thu, 28 May 2020 02:04:35 +0000 (UTC) X-FDA: 76864483710.02.pet95_451faf6cdd55b Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin02.hostedemail.com (Postfix) with ESMTP id 66A27127C for ; Thu, 28 May 2020 02:04:35 +0000 (UTC) X-HE-Tag: pet95_451faf6cdd55b X-Filterd-Recvd-Size: 4414 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf06.hostedemail.com (Postfix) with ESMTP for ; Thu, 28 May 2020 02:04:34 +0000 (UTC) Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7583D207CB; Thu, 28 May 2020 02:04:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590631473; bh=Bm2dTuY2AQspqM7SzMj2c/DT+ozxm6kUi6HWpA8TsHk=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=P1CBXYMU6KgliH8T3/2k6OMetj5IIP9IfCeW6vXHFuAVES38CNoXgmhsLExw5WPRS BGr2sIDNzBzrcfeE+DMAJESNZIIeUKJWWPI8HGY2ObOdmL8XyU7KUun0WVlXahBjEC cDYAJp751q754Z0TTj9fuvNilxFW+islAyRbCf+k= Date: Wed, 27 May 2020 19:04:32 -0700 From: Andrew Morton To: Christoph Hellwig Cc: x86@kernel.org, Alexei Starovoitov , Daniel Borkmann , Masami Hiramatsu , Linus Torvalds , linux-parisc@vger.kernel.org, linux-um@lists.infradead.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 12/23] bpf: handle the compat string in bpf_trace_copy_string better Message-Id: <20200527190432.e4af1fba00c13cb1421f5a37@linux-foundation.org> In-Reply-To: <20200521152301.2587579-13-hch@lst.de> References: <20200521152301.2587579-1-hch@lst.de> <20200521152301.2587579-13-hch@lst.de> X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.31; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 66A27127C X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam03 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, 21 May 2020 17:22:50 +0200 Christoph Hellwig wrote: > User the proper helper for kernel or userspace addresses based on > TASK_SIZE instead of the dangerous strncpy_from_unsafe function. > > ... > > --- a/kernel/trace/bpf_trace.c > +++ b/kernel/trace/bpf_trace.c > @@ -331,8 +331,11 @@ static void bpf_trace_copy_string(char *buf, void *unsafe_ptr, char fmt_ptype, > switch (fmt_ptype) { > case 's': > #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE > - strncpy_from_unsafe(buf, unsafe_ptr, bufsz); > - break; > + if ((unsigned long)unsafe_ptr < TASK_SIZE) { > + strncpy_from_user_nofault(buf, user_ptr, bufsz); > + break; > + } > + fallthrough; > #endif > case 'k': > strncpy_from_kernel_nofault(buf, unsafe_ptr, bufsz); Another user of strncpy_from_unsafe() has popped up in linux-next's bpf. I did the below, but didn't try very hard - it's probably wrong if CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=n? Anyway, please take a look at all the bpf_trace.c changes in linux-next. From: Andrew Morton Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better User the proper helper for kernel or userspace addresses based on TASK_SIZE instead of the dangerous strncpy_from_unsafe function. Cc: Christoph Hellwig Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Masami Hiramatsu Cc: Thomas Gleixner Signed-off-by: Andrew Morton --- kernel/trace/bpf_trace.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/kernel/trace/bpf_trace.c~xxx +++ a/kernel/trace/bpf_trace.c @@ -588,15 +588,22 @@ BPF_CALL_5(bpf_seq_printf, struct seq_fi } if (fmt[i] == 's') { + void *unsafe_ptr; + /* try our best to copy */ if (memcpy_cnt >= MAX_SEQ_PRINTF_MAX_MEMCPY) { err = -E2BIG; goto out; } - err = strncpy_from_unsafe(bufs->buf[memcpy_cnt], - (void *) (long) args[fmt_cnt], - MAX_SEQ_PRINTF_STR_LEN); + unsafe_ptr = (void *)(long)args[fmt_cnt]; + if ((unsigned long)unsafe_ptr < TASK_SIZE) { + err = strncpy_from_user_nofault( + bufs->buf[memcpy_cnt], unsafe_ptr, + MAX_SEQ_PRINTF_STR_LEN); + } else { + err = -EFAULT; + } if (err < 0) bufs->buf[memcpy_cnt][0] = '\0'; params[fmt_cnt] = (u64)(long)bufs->buf[memcpy_cnt]; _