git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Daniel Xu <dxu@dxuuu.xyz>
	Tue, 17 Nov 2020 20:05:45 +0000 (12:05 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 24 Nov 2020 12:39:05 +0000 (13:39 +0100)
commit	6a5a10103647f4b0a8fcc07f7c04b80b5a426e8e
tree	a426e50610341c346860a2dba2c86735bbfd1b51	tree
parent	94ef29cf39fc891c4d9f43e4372f003c4496c772	commit \| diff

lib/strncpy_from_user.c: Mask out bytes after NUL terminator.

[ Upstream commit 6fa6d28051e9fcaa1570e69648ea13a353a5d218 ]

do_strncpy_from_user() may copy some extra bytes after the NUL
terminator into the destination buffer. This usually does not matter for
normal string operations. However, when BPF programs key BPF maps with
strings, this matters a lot.

A BPF program may read strings from user memory by calling the
bpf_probe_read_user_str() helper which eventually calls
do_strncpy_from_user(). The program can then key a map with the
destination buffer. BPF map keys are fixed-width and string-agnostic,
meaning that map keys are treated as a set of bytes.

The issue is when do_strncpy_from_user() overcopies bytes after the NUL
terminator, it can result in seemingly identical strings occupying
multiple slots in a BPF map. This behavior is subtle and totally
unexpected by the user.

This commit masks out the bytes following the NUL while preserving
long-sized stride in the fast path.

Fixes: 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers")
Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/21efc982b3e9f2f7b0379eed642294caaa0c27a7.1605642949.git.dxu@dxuuu.xyz
Signed-off-by: Sasha Levin <sashal@kernel.org>

kernel/trace/bpf_trace.c		diff \| blob \| blame \| history
lib/strncpy_from_user.c		diff \| blob \| blame \| history