Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/kernel
History
Daniel Xu 6fa6d28051 lib/strncpy_from_user.c: Mask out bytes after NUL terminator. 
do_strncpy_from_user() may copy some extra bytes after the NUL
terminator into the destination buffer. This usually does not matter for
normal string operations. However, when BPF programs key BPF maps with
strings, this matters a lot.

A BPF program may read strings from user memory by calling the
bpf_probe_read_user_str() helper which eventually calls
do_strncpy_from_user(). The program can then key a map with the
destination buffer. BPF map keys are fixed-width and string-agnostic,
meaning that map keys are treated as a set of bytes.

The issue is when do_strncpy_from_user() overcopies bytes after the NUL
terminator, it can result in seemingly identical strings occupying
multiple slots in a BPF map. This behavior is subtle and totally
unexpected by the user.

This commit masks out the bytes following the NUL while preserving
long-sized stride in the fast path.

Fixes: 6ae08ae3de ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers")
Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/21efc982b3e9f2f7b0379eed642294caaa0c27a7.1605642949.git.dxu@dxuuu.xyz
 		2020-11-19 11:56:16 -08:00
..
bpf bpf: Relax return code check for subprograms 2020-11-14 08:17:27 -08:00
cgroup kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
configs
debug kdb: Fix pager search for multi-line strings 2020-10-01 14:44:08 +01:00
dma dma-mapping: move more functions to dma-map-ops.h 2020-10-20 10:41:07 +02:00
entry arch-cleanup-2020-10-22 2020-10-23 10:06:38 -07:00
events task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
gcov
irq task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
kcsan kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
livepatch kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
locking A couple of locking fixes: 2020-11-01 11:08:17 -08:00
power PM: sleep: fix typo in kernel/power/process.c 2020-10-27 19:11:44 +01:00
printk printk: ringbuffer: Replace zero-length array with flexible-array member 2020-10-30 16:57:42 -05:00
rcu stop_machine, rcu: Mark functions as notrace 2020-10-26 12:12:27 +01:00
sched cpufreq: schedutil: Don't skip freq update if need_freq_update is set 2020-11-02 17:57:49 +01:00
time time: Prevent undefined behaviour in timespec64_to_ns() 2020-10-26 11:48:11 +01:00
trace lib/strncpy_from_user.c: Mask out bytes after NUL terminator. 2020-11-19 11:56:16 -08:00
.gitignore
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
Makefile Kbuild updates for v5.10 2020-10-22 13:13:57 -07:00
acct.c kernel: acct.c: fix some kernel-doc nits 2020-10-16 11:11:19 -07:00
async.c
audit.c
audit.h
audit_fsnotify.c
audit_tree.c
audit_watch.c
auditfilter.c
auditsc.c
backtracetest.c
bounds.c
capability.c LSM: Signal to SafeSetID when setting group IDs 2020-10-13 09:17:34 -07:00
compat.c
configs.c
context_tracking.c
cpu.c
cpu_pm.c
crash_core.c
crash_dump.c
cred.c
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c pid: move pidfd_get_pid() to pid.c 2020-10-18 09:27:10 -07:00
extable.c
fail_function.c
fork.c kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
freezer.c
futex.c A couple of locking fixes: 2020-11-01 11:08:17 -08:00
gen_kheaders.sh
groups.c LSM: Signal to SafeSetID when setting group IDs 2020-10-13 09:17:34 -07:00
hung_task.c kernel/hung_task.c: make type annotations consistent 2020-11-02 12:14:19 -08:00
iomem.c
irq_work.c
jump_label.c kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
kallsyms.c treewide: Convert macro and uses of __section(foo) to __section("foo") 2020-10-25 14:51:49 -07:00
kcmp.c
kcov.c
kexec.c LSM: Introduce kernel_post_load_data() hook 2020-10-05 13:37:03 +02:00
kexec_core.c kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
kexec_elf.c
kexec_file.c kernel/resource: move and rename IORESOURCE_MEM_DRIVER_MANAGED 2020-10-16 11:11:18 -07:00
kexec_internal.h
kheaders.c
kmod.c
kprobes.c kprobes: Tell lockdep about kprobe nesting 2020-11-04 09:46:06 -05:00
ksysfs.c
kthread.c kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled 2020-11-02 12:14:19 -08:00
latencytop.c
module-internal.h
module.c Modules updates for v5.10 2020-10-22 13:08:57 -07:00
module_signature.c
module_signing.c
notifier.c
nsproxy.c
padata.c
panic.c panic: dump registers on panic_on_warn 2020-10-16 11:11:22 -07:00
params.c params: Replace zero-length array with flexible-array member 2020-10-29 17:22:59 -05:00
pid.c pid: move pidfd_get_pid() to pid.c 2020-10-18 09:27:10 -07:00
pid_namespace.c kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
profile.c
ptrace.c
range.c kernel.h: split out min()/max() et al. helpers 2020-10-16 11:11:19 -07:00
reboot.c
regset.c
relay.c kernel/relay.c: drop unneeded initialization 2020-10-16 11:11:22 -07:00
resource.c kernel/resource: make iomem_resource implicit in release_mem_region_adjustable() 2020-10-16 11:11:18 -07:00
rseq.c
scftorture.c
scs.c
seccomp.c seccomp: Make duplicate listener detection non-racy 2020-10-08 13:17:47 -07:00
signal.c ptrace: fix task_join_group_stop() for the case when current is traced 2020-11-02 12:14:19 -08:00
smp.c Merge tag 'core-rcu-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2020-10-18 14:34:50 -07:00
smpboot.c
smpboot.h
softirq.c
stackleak.c stackleak: let stack_erasing_sysctl take a kernel pointer buffer 2020-09-19 13:13:39 -07:00
stacktrace.c stacktrace: Remove reliable argument from arch_stack_walk() callback 2020-09-18 14:24:16 +01:00
static_call.c static_call: Fix return type of static_call_init 2020-10-02 21:18:25 +02:00
stop_machine.c stop_machine, rcu: Mark functions as notrace 2020-10-26 12:12:27 +01:00
sys.c kernel/sys.c: fix prototype of prctl_get_tid_address() 2020-10-25 11:44:16 -07:00
sys_ni.c mm/madvise: introduce process_madvise() syscall: an external memory hinting API 2020-10-18 09:27:10 -07:00
sysctl-test.c
sysctl.c mm: allow a controlled amount of unfairness in the page lock 2020-09-17 10:26:41 -07:00
task_work.c task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
taskstats.c taskstats: move specifying netlink policy back to ops 2020-10-02 19:11:12 -07:00
test_kprobes.c
torture.c
tracepoint.c tracepoint: Replace zero-length array with flexible-array member 2020-10-29 17:22:59 -05:00
tsacct.c
ucount.c
uid16.c
uid16.h
umh.c usermodehelper: reset umask to default before executing user process 2020-10-06 10:31:52 -07:00
up.c
user-return-notifier.c
user.c
user_namespace.c kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
usermode_driver.c
utsname.c
utsname_sysctl.c
watch_queue.c
watchdog.c
watchdog_hld.c
workqueue.c workqueue: fix a kernel-doc warning 2020-10-16 07:28:20 +02:00
workqueue_internal.h