From: Alban Crequy <albancrequy@linux.microsoft.com>
To: bpf@vger.kernel.org
Cc: stable@vger.kernel.org, albancrequy@linux.microsoft.com,
flaniel@linux.microsoft.com, akpm@linux-foundation.org,
andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net,
haoluo@google.com, john.fastabend@gmail.com, jolsa@kernel.org,
kpsingh@kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
martin.lau@linux.dev, mykolal@fb.com, sdf@google.com,
shuah@kernel.org, song@kernel.org, yhs@fb.com
Subject: [PATCH bpf v2 1/2] maccess: fix writing offset in case of fault in strncpy_from_kernel_nofault()
Date: Thu, 10 Nov 2022 09:56:13 +0100
Message-ID: <20221110085614.111213-2-albancrequy@linux.microsoft.com>
In-Reply-To: <20221110085614.111213-1-albancrequy@linux.microsoft.com>
If a page fault occurs while copying the first byte, this function resets one
byte before dst.
As a consequence, an address could be modified and lead to kernel crashes in
case the modified address was accessed later.
Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly")
Cc: <stable@vger.kernel.org> [5.8]
Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
---
Changes v1 to v2:
- add 'cc:stable', 'Fixes:' and review tag
- fix my email
- rebase on bpf tree and tag for bpf tree
---
mm/maccess.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/maccess.c b/mm/maccess.c
index 5f4d240f67ec..074f6b086671 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
return src - unsafe_addr;
Efault:
pagefault_enable();
- dst[-1] = '\0';
+ dst[0] = '\0';
return -EFAULT;
}
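Review bot: The `dst[0] = '\0'` store under `Efault:` carries no comment saying why index 0 is correct, and the reason `dst[-1]` was wrong (a fault on the first byte puts the store one byte before the caller's buffer) is recorded only in the commit message. A one-line comment at that store, stating that dst still points at the byte that failed to copy, would make it harder for a later cleanup to reintroduce the negative index. The changelog could also say what the destination buffer contains when the fault happens after some bytes were already copied, since the visible lines show only that -EFAULT is returned and callers that read dst after an error depend on that.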
--
2.36.1