bpf: Fix bpf_strnstr() to handle suffix match cases better

bpf_strnstr() should not treat the ending '\0' of s2 as a matching character
if the parameter 'len' equal to s2 string length, for example:

    1. bpf_strnstr("openat", "open", 4) = -ENOENT
    2. bpf_strnstr("openat", "open", 5) = 0

This patch makes (1) return 0, fix just the `len == strlen(s2)` case.

And fix a more general case when s2 is a suffix of the first len
characters of s1.

Fixes: e91370550f1f ("bpf: Add kfuncs for read-only string operations")
Signed-off-by: Rong Tao <rongtao@cestc.cn>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/tencent_17DC57B9D16BC443837021BEACE84B7C1507@qq.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 6b4877e85a68c9d92260dfc8405a867dc9498f29..b9b0c5fe33f61ad280648a25af4faeb7c91a978d 100644 (file)
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -3664,10 +3664,17 @@ __bpf_kfunc int bpf_strnstr(const char *s1__ign, const char *s2__ign, size_t len
 
        guard(pagefault)();
        for (i = 0; i < XATTR_SIZE_MAX; i++) {
-               for (j = 0; i + j < len && j < XATTR_SIZE_MAX; j++) {
+               for (j = 0; i + j <= len && j < XATTR_SIZE_MAX; j++) {
                        __get_kernel_nofault(&c2, s2__ign + j, char, err_out);
                        if (c2 == '\0')
                                return i;
+                       /*
+                        * We allow reading an extra byte from s2 (note the
+                        * `i + j <= len` above) to cover the case when s2 is
+                        * a suffix of the first len chars of s1.
+                        */
+                       if (i + j == len)
+                               break;
                        __get_kernel_nofault(&c1, s1__ign + j, char, err_out);
                        if (c1 == '\0')
                                return -ENOENT;