From nobody Tue Dec 16 16:35:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1D3BC4167D for ; Tue, 12 Dec 2023 21:17:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377562AbjLLVRp (ORCPT ); Tue, 12 Dec 2023 16:17:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59240 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377486AbjLLVRj (ORCPT ); Tue, 12 Dec 2023 16:17:39 -0500 Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F939D5 for ; Tue, 12 Dec 2023 13:17:44 -0800 (PST) Received: by mail-pf1-x436.google.com with SMTP id d2e1a72fcca58-6ce939ecfc2so5567731b3a.2 for ; Tue, 12 Dec 2023 13:17:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1702415864; x=1703020664; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=f0qCHVo7XzgiM/gOkeUKMtC009iJZbF6DLauLv10AR0=; b=WOZlfRw9wQcJVZU/DcREddJjA4kuDbVQF2DFHbCFVR9mI7ZlShplJ0MQo8eOvD8B/p hD+hgaEgYfIlJXfDf0IJUF+OWGiCFz3h/TKZ8EV61Pz/sg3alLeUsJV6UdZGWx2PP1rI 63gDiQTni9P+W5M4ftrKbVUksn0xHUKES0A+A= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702415864; x=1703020664; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=f0qCHVo7XzgiM/gOkeUKMtC009iJZbF6DLauLv10AR0=; b=EICfugJZLb3OXBPbbSbqYCPfRJhuLw31CzK9Jzw+iDxQxqvJSCLiOddDm53LWL7oL0 7fNk7hGpW47tHSpHJjHsd3KaJ1FCmHlarTDLHUtjU6N74cwzBU1rtAfMIBMKSiqbCkvb 5mZsXm/cwOkY9KMf+/AuCyh1/MbG/4FQU1PGUWiea3RVwW8qNCqMzRVy+vwiB8HR2UuP vgf80AVGp2RSxYiOh5UaEHL1jhISUpUO5/a+rDdMiwRjpnk/629+4g2gdfQDXZ9XFO0b 2Fe7r8Kg7u783Rhz10lhiT/k7I7802vzxmThLeVrIp6QncVoJh6NhhIP3Pbl/f4ujeOe UKgg== X-Gm-Message-State: AOJu0Yx+nNemJEWq1fc9zf5wz2Ew1FATRr39C97nq4D0ucPwyEklGjVm bvsoTz1ufEuoluKSG5NNlkxfaXlSi/RrC4glN0w= X-Google-Smtp-Source: AGHT+IH0jtWZUf2hGPaaxQrJqxuBCy5YRYRX5P8B4FrkUSNzU8QibCISdfs+bItVAVMNJIeIAj6vqQ== X-Received: by 2002:a05:6a20:1483:b0:18c:9855:e949 with SMTP id o3-20020a056a20148300b0018c9855e949mr5672480pzi.15.1702415864415; Tue, 12 Dec 2023 13:17:44 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id t14-20020a63eb0e000000b005ac384b71cbsm8583878pgh.60.2023.12.12.13.17.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 13:17:41 -0800 (PST) From: Kees Cook To: Greg Kroah-Hartman Cc: Kees Cook , Tejun Heo , Azeem Shaikh , Zefan Li , Johannes Weiner , Waiman Long , Christophe JAILLET , linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, bpf@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v3 1/3] kernfs: Convert kernfs_walk_ns() from strlcpy() to strscpy() Date: Tue, 12 Dec 2023 13:17:38 -0800 Message-Id: <20231212211741.164376-1-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231212211606.make.155-kees@kernel.org> References: <20231212211606.make.155-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1627; i=keescook@chromium.org; h=from:subject; bh=KaMikVVf9IlMYxhWSymwvYJ80Grx9jhkkXD92Gcwols=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBleM3zg8fq+Kgz91M5MgN0iGKTEy9c1pTW6k2g3 Om7gwyq3vSJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZXjN8wAKCRCJcvTf3G3A JiEbD/9sPG6e4XUmGL/t2yQxqs/Tot72LHnqAm/mN/d6Ly5AAAqHsoFvek/mQG8wTg0lCNknNj1 YF1q7adAapgFepvZU8OXC+tWuPzPLcG3o8K6Sgkeir5yl9fwIzvjt/J0dJZoYYENLHghz4BAKXi rzcIQJGt+KoQ1kgGjloXVMlL9LG0DZtXjSoBCd9a5u77yL2JMD/XxJt/ttDsxn52o+ts7JLolAo YKyCkIpgJbBrALTTmUjiOCIh1UJzxnQFkN2EtES96fjl+CVDIg/8tmBk5AZZDTh66MQ75dbLi6I +1n+T71e3pcJDw97P1Hfd7QmLBAQSSNgTD8DemX7IVA52zA01seskFB9mwF/8GYRzvm1TJisAqM PeNcVIyvLDfy1ahMBfJszaBkCqnOmmwjVGfSLGhtq93fVgtjaD4zfyP0UtsNFTVVbjQ9tU84hev 7dd6XddCX4RE6UvGt8qoPYZRUlkfb84C+zWvymEA2Gn/eaq8y5odSWRlXl3WFPW3XDvilS4fER6 qrMi85l+bsuNtfTSIwl/x6YCRX3j3zmPwmaI6n8VA3xjMNARhArAAAdpCpG2TjocSWY1ZOID5OX xUkJTCaX7P1h/qoC1gVn2OIdWrbRnbsAXSNrAplbX1sBjWSnBCAUqNNmxw93lDSSn/pSyBZGigO UaMJYSmjnQJhdiw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcp= y [1] Link: https://github.com/KSPP/linux/issues/89 [2] Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Azeem Shaikh Link: https://lore.kernel.org/r/20231116192127.1558276-1-keescook@chromium.= org Signed-off-by: Kees Cook Acked-by: Tejun Heo --- fs/kernfs/dir.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index 8b2bd65d70e7..37353901ede1 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -850,16 +850,16 @@ static struct kernfs_node *kernfs_walk_ns(struct kern= fs_node *parent, const unsigned char *path, const void *ns) { - size_t len; + ssize_t len; char *p, *name; =20 lockdep_assert_held_read(&kernfs_root(parent)->kernfs_rwsem); =20 spin_lock_irq(&kernfs_pr_cont_lock); =20 - len =3D strlcpy(kernfs_pr_cont_buf, path, sizeof(kernfs_pr_cont_buf)); + len =3D strscpy(kernfs_pr_cont_buf, path, sizeof(kernfs_pr_cont_buf)); =20 - if (len >=3D sizeof(kernfs_pr_cont_buf)) { + if (len < 0) { spin_unlock_irq(&kernfs_pr_cont_lock); return NULL; } --=20 2.34.1 From nobody Tue Dec 16 16:35:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CAC4C4167B for ; Tue, 12 Dec 2023 21:17:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377545AbjLLVRm (ORCPT ); Tue, 12 Dec 2023 16:17:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59228 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231239AbjLLVRi (ORCPT ); Tue, 12 Dec 2023 16:17:38 -0500 Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1EAB1BD for ; Tue, 12 Dec 2023 13:17:43 -0800 (PST) Received: by mail-pf1-x429.google.com with SMTP id d2e1a72fcca58-6ce6d926f76so4424159b3a.1 for ; Tue, 12 Dec 2023 13:17:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1702415862; x=1703020662; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OxiCx504yHLmFes8dR2H4gaz2egSElvJRBaPgOOtpHk=; b=IdqF6PJiZgqoOF91vWkL9uv6tUIpcXv1DXnHvXWpQB8m5+BNDhZ6YJV13mIh/F4muk gpm+FM+y6gpy8b6eC6AxF8ckl4O+zv0SbDTwYolCQMp6dP0jC3UNVqWAFaTo4wYHoStB qhUIcaKRPNERf6kVb02TsoFI3QXDHgS0YuJjs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702415862; x=1703020662; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OxiCx504yHLmFes8dR2H4gaz2egSElvJRBaPgOOtpHk=; b=auljuO789yzHaK8WjwT+s7HAdro7MMGabPC7tG+U5Xzf4vrjWNih2mFMg4lbt31bH3 D8ZSTYJqD0B6/Zuoq2noH+c8C4zJW7yZXz8gEKmNI4la+STaX1jz5oro7Q8HXiy6qwF3 tHhcuxozvU/3O2SYvDrT15ivHz57eJ4qIdlsZzbUQeTMq7M650sp0ndXlXEQMsydO3uS zDcAI3YeTQps85O2DoEK119giSxSJB2DmKZpHNPy57DgACuPP4k24bVCFPB3fGQfS6Mk eBV9W3+iifBnuazVmpTNnl/TwvidcdAGZiiEcTMyXHa/aPimnax+qeu5FAJzkl00EYtZ WTdA== X-Gm-Message-State: AOJu0YyypOj2ieA2W9jMNTpYpypUW1jI54jBEjRgnAtfs4x51sVeEivm FYAi7OtwJqQ1vBZcGM7BURlRgQ== X-Google-Smtp-Source: AGHT+IFZhYAnfJATAp5f8kNXN8iWkuiSMleFokPSoTjfG2AtdN5pQcDE9+7YEKuV8bBVd3VgTPcxlg== X-Received: by 2002:a05:6a20:54a5:b0:187:4118:140 with SMTP id i37-20020a056a2054a500b0018741180140mr11548864pzk.24.1702415862593; Tue, 12 Dec 2023 13:17:42 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id t18-20020aa79392000000b006ce2e163776sm8602974pfe.106.2023.12.12.13.17.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 13:17:41 -0800 (PST) From: Kees Cook To: Greg Kroah-Hartman Cc: Kees Cook , Tejun Heo , Azeem Shaikh , Zefan Li , Johannes Weiner , Waiman Long , Christophe JAILLET , linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, bpf@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v3 2/3] kernfs: Convert kernfs_name_locked() from strlcpy() to strscpy() Date: Tue, 12 Dec 2023 13:17:39 -0800 Message-Id: <20231212211741.164376-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231212211606.make.155-kees@kernel.org> References: <20231212211606.make.155-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2637; i=keescook@chromium.org; h=from:subject; bh=JAJdaxInWUYVNuwIwA8b/GPyHonLetqQSJoS2H+M0wM=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBleM3zBNLwq83oMtldatGW+UhXwbgyaP8FTFySX SrtWyh/9ueJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZXjN8wAKCRCJcvTf3G3A JibgD/4ufESExpzCqMOVFpDS9aGRGAsdrjazCpf2iQUYdg+lI0jphQkKsm1h7avlTW9hQbHum6L XIDQ9PZDb5lLDOIrjLmhf+1t7dFf2HgZDEIL9C1UB40I4ze6I2zfTCPr2rv8KLL0jQEAk/HF/kD KBPvKK8EjofpwVMA4R4UkK3MSVft3BwsaFymv8tPSnP28RqgaQuGyk8s0zXZQhgnhPyCwkDppqf d95VD7b1tomfnFI6BYSAVEQHrqgDQnsPn3M6mCHHHexOvtBkfDk4zqvVq6BsLavJz8cBTGpl5h6 vxv838RYpK/CzhAc+7h/dvNtSXfZ4DADXAYimQlIwpLns6ovAhAtiGPrfqQ7i86/H40wiFiPnaG +rH5o5weDvcjdYHfuJlPCkyF5Y+dzImoFy2JZRb1JppWutCqQbNlDaL7lsICz7Qlx+q85h+3qJd 2lCyNhZz4U+/Wd94y0/qO/r45w3UZU7w268hZ2/cHdHl8TUENeOm6mtDtw6IGfMrIMlgvWv0mY7 w/YnvghTBDpffCRAyaI3Hd26Wo1a8mN2xSSugompKNDzZFvwfsz01buF6HmE2hHT77Zn+Qzg5Uf MFVhfxh2inSL/3Epv/vGCB8mXxgG2gV5JfEib/uhKFmdmTC84lECXJlavTsoFplQXRWLyHkCIvc LPtZ/+CnQncuMaQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). Nothing actually checks the return value coming from kernfs_name_locked(), so this has no impact on error paths. The caller hierarchy is: kernfs_name_locked() kernfs_name() pr_cont_kernfs_name() return value ignored cgroup_name() current_css_set_cg_links_read() return value ignored print_page_owner_memcg() return value ignored Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcp= y [1] Link: https://github.com/KSPP/linux/issues/89 [2] Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Azeem Shaikh Link: https://lore.kernel.org/r/20231116192127.1558276-2-keescook@chromium.= org Signed-off-by: Kees Cook Acked-by: Tejun Heo --- fs/kernfs/dir.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index 37353901ede1..8c0e5442597e 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -54,9 +54,9 @@ static bool kernfs_lockdep(struct kernfs_node *kn) static int kernfs_name_locked(struct kernfs_node *kn, char *buf, size_t bu= flen) { if (!kn) - return strlcpy(buf, "(null)", buflen); + return strscpy(buf, "(null)", buflen); =20 - return strlcpy(buf, kn->parent ? kn->name : "/", buflen); + return strscpy(buf, kn->parent ? kn->name : "/", buflen); } =20 /* kernfs_node_depth - compute depth from @from to @to */ @@ -182,12 +182,12 @@ static int kernfs_path_from_node_locked(struct kernfs= _node *kn_to, * @buflen: size of @buf * * Copies the name of @kn into @buf of @buflen bytes. The behavior is - * similar to strlcpy(). + * similar to strscpy(). * * Fills buffer with "(null)" if @kn is %NULL. * - * Return: the length of @kn's name and if @buf isn't long enough, - * it's filled up to @buflen-1 and nul terminated. + * Return: the resulting length of @buf. If @buf isn't long enough, + * it's filled up to @buflen-1 and nul terminated, and returns -E2BIG. * * This function can be called from any context. */ --=20 2.34.1 From nobody Tue Dec 16 16:35:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E552C41535 for ; Tue, 12 Dec 2023 21:17:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377531AbjLLVRk (ORCPT ); Tue, 12 Dec 2023 16:17:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229541AbjLLVRh (ORCPT ); Tue, 12 Dec 2023 16:17:37 -0500 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C784ABC for ; Tue, 12 Dec 2023 13:17:42 -0800 (PST) Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1d0b2752dc6so54812055ad.3 for ; Tue, 12 Dec 2023 13:17:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1702415862; x=1703020662; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=YgP6QDGYW90+EPtUKh6hhExTw/nr/8L1WXYuh71GNlI=; b=EBII8CWqTewHCYUKQvaukG1zWeJjB2pl/RbMg+j8fFcvUq11md9ygurXaQ0F8RZJRd QN9d/19YNp3UbZ8oh9br9LCWCn2S3HP6xRQ592cXogzBEjuqKMlAo7D2tjJgS0BmhQwY x3edF44sbx8FhzObBflU+lF0Lssb3eOq3JnHc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702415862; x=1703020662; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YgP6QDGYW90+EPtUKh6hhExTw/nr/8L1WXYuh71GNlI=; b=iuhE7Nkn8Reo7m6bFH0pWTKdAC6Ae3+H5cnNOjBqs3/dbY6tFHDJT7hBwnPxRt3FUm fJfk7Fo+zxsA8v2rJLZrLIQVFHDkshB9Ni3P4o62jOLSnMetgm3s/e6vDdJNS8JB8U9V upTdCJkyZDRwKA8B8OvBY1/V/qZ96Byucqz96GHtsH9YvQgkb2sh9soyXpmTUuTfYN05 wM3DCA1TM58cLdtNyrLp7+SzHWu6oa1MdOQSPs+S200sUCLj76QSXz0nKIY3GYNN9fZR 8+KT0z4chNyH9d1+uxbo4UIcTF8fKvtLCdiYSylgzA7jH04hOT6/Typ384iCujEayVhG U43Q== X-Gm-Message-State: AOJu0YyR/cbIYnwwSr5UoDdYPmjaGi7l8kxdDHEixt6sntj1YdvOWikR pyvqFOc9bqQyMQbIqqm17gCAhg== X-Google-Smtp-Source: AGHT+IFjDgIDgEDyV0NYMtC7wrznCUmiU5/lWSweOP8HyZzQAO0+By9K4rXrnLgAr+Ii7qKKdIvgKg== X-Received: by 2002:a17:902:e74e:b0:1cc:5e1b:98b5 with SMTP id p14-20020a170902e74e00b001cc5e1b98b5mr7270093plf.66.1702415862230; Tue, 12 Dec 2023 13:17:42 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id g14-20020a1709029f8e00b001cf7c07be50sm9052322plq.58.2023.12.12.13.17.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 13:17:41 -0800 (PST) From: Kees Cook To: Greg Kroah-Hartman Cc: Kees Cook , Tejun Heo , Zefan Li , Johannes Weiner , Waiman Long , cgroups@vger.kernel.org, Azeem Shaikh , Christophe JAILLET , linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v3 3/3] kernfs: Convert kernfs_path_from_node_locked() from strlcpy() to strscpy() Date: Tue, 12 Dec 2023 13:17:40 -0800 Message-Id: <20231212211741.164376-3-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231212211606.make.155-kees@kernel.org> References: <20231212211606.make.155-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=8042; i=keescook@chromium.org; h=from:subject; bh=shZXUYfHvcn83JB9rTJeaRzUZqZ1UgzjWRrQTVCVtxU=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBleM30G+t8NV/vyHSFzjkC+K+Zj47yXA4kAs33K S4H3DoxNmuJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZXjN9AAKCRCJcvTf3G3A JkyTEAConGhiBLHsocQ8sbSwq6RTnjeVAFv2A72J5kJK8MHW3sFiydk6ragXK0H4NjhddAT6k9R Iwpc+sAMeXtC5LSHlbkxzwxmAmTpvdZ0+HkpGNofYnO1GRBS2tNZQBx2xovmaBZGLhI3uL1S2Mf uFy1jEp7IRjwOUbM1zHWV4bM+TLIxRHQDtwtec7aUCS9kz92muBO+LZI8wOqu3//0chhPA/oJYK OmIQjfULUR5a/IzcHJAYVXdcRoDKXwclSWSFPM/lbR+ZX7XOdatfwteancUB7mA3VqMASoK6jzD /WWodvOyGvMywKDybb9iVwPwLdcDqi6f6YRwUsKHrO1PU0X/vaRreWv0AW+McpdjcGDDak159n5 dLG/EkNlTRggxw61NNRmjuUIplvXSnvWAMjv1qumw8iiEzajnLTxs+d3rF7yWOneFFWz8cuucBs T6q984RP+2VM4dWIU9dRcdMhF4+sfRiXBnCq95xZcrcakrbEqaZ1G6JMiaKn+pTpTGFBrSw9CAT 91oa2XERahlLlqpV8VMm0QS8tptziqLPqdU3+jQq45xdbDLw4g26B01O8G9PkgXEBkYxNXi2CfE mc85dyxzgFB/wBjBPh0kEN9HaDc4FwRSQ25SkObRCYaStboeynzw51FRZV/pJz/aF6MJJlMUqNu aYQ0Cy79yRW6wZg== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" One of the last remaining users of strlcpy() in the kernel is kernfs_path_from_node_locked(), which passes back the problematic "length we _would_ have copied" return value to indicate truncation. Convert the chain of all callers to use the negative return value (some of which already doing this explicitly). All callers were already also checking for negative return values, so the risk to missed checks looks very low. In this analysis, it was found that cgroup1_release_agent() actually didn't handle the "too large" condition, so this is technically also a bug fix. :) Here's the chain of callers, and resolution identifying each one as now handling the correct return value: kernfs_path_from_node_locked() kernfs_path_from_node() pr_cont_kernfs_path() returns void kernfs_path() sysfs_warn_dup() return value ignored cgroup_path() blkg_path() bfq_bic_update_cgroup() return value ignored TRACE_IOCG_PATH() return value ignored TRACE_CGROUP_PATH() return value ignored perf_event_cgroup() return value ignored task_group_path() return value ignored damon_sysfs_memcg_path_eq() return value ignored get_mm_memcg_path() return value ignored lru_gen_seq_show() return value ignored cgroup_path_from_kernfs_id() return value ignored cgroup_show_path() already converted "too large" error to negative val= ue cgroup_path_ns_locked() cgroup_path_ns() bpf_iter_cgroup_show_fdinfo() return value ignored cgroup1_release_agent() wasn't checking "too large" error proc_cgroup_show() already converted "too large" to negative v= alue Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Zefan Li Cc: Johannes Weiner Cc: Waiman Long Cc: cgroups@vger.kernel.org Co-developed-by: Azeem Shaikh Signed-off-by: Azeem Shaikh Link: https://lore.kernel.org/r/20231116192127.1558276-3-keescook@chromium.= org Signed-off-by: Kees Cook --- fs/kernfs/dir.c | 34 +++++++++++++++++----------------- kernel/cgroup/cgroup-v1.c | 2 +- kernel/cgroup/cgroup.c | 4 ++-- kernel/cgroup/cpuset.c | 2 +- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index 8c0e5442597e..8ec73f6cf6ec 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -127,7 +127,7 @@ static struct kernfs_node *kernfs_common_ancestor(struc= t kernfs_node *a, * * [3] when @kn_to is %NULL result will be "(null)" * - * Return: the length of the full path. If the full length is equal to or + * Return: the length of the constructed path. If the path would have been * greater than @buflen, @buf contains the truncated path with the trailing * '\0'. On error, -errno is returned. */ @@ -138,16 +138,17 @@ static int kernfs_path_from_node_locked(struct kernfs= _node *kn_to, struct kernfs_node *kn, *common; const char parent_str[] =3D "/.."; size_t depth_from, depth_to, len =3D 0; + ssize_t copied; int i, j; =20 if (!kn_to) - return strlcpy(buf, "(null)", buflen); + return strscpy(buf, "(null)", buflen); =20 if (!kn_from) kn_from =3D kernfs_root(kn_to)->kn; =20 if (kn_from =3D=3D kn_to) - return strlcpy(buf, "/", buflen); + return strscpy(buf, "/", buflen); =20 common =3D kernfs_common_ancestor(kn_from, kn_to); if (WARN_ON(!common)) @@ -158,18 +159,19 @@ static int kernfs_path_from_node_locked(struct kernfs= _node *kn_to, =20 buf[0] =3D '\0'; =20 - for (i =3D 0; i < depth_from; i++) - len +=3D strlcpy(buf + len, parent_str, - len < buflen ? buflen - len : 0); + for (i =3D 0; i < depth_from; i++) { + copied =3D strscpy(buf + len, parent_str, buflen - len); + if (copied < 0) + return copied; + len +=3D copied; + } =20 /* Calculate how many bytes we need for the rest */ for (i =3D depth_to - 1; i >=3D 0; i--) { for (kn =3D kn_to, j =3D 0; j < i; j++) kn =3D kn->parent; - len +=3D strlcpy(buf + len, "/", - len < buflen ? buflen - len : 0); - len +=3D strlcpy(buf + len, kn->name, - len < buflen ? buflen - len : 0); + + len +=3D scnprintf(buf + len, buflen - len, "/%s", kn->name); } =20 return len; @@ -214,7 +216,7 @@ int kernfs_name(struct kernfs_node *kn, char *buf, size= _t buflen) * path (which includes '..'s) as needed to reach from @from to @to is * returned. * - * Return: the length of the full path. If the full length is equal to or + * Return: the length of the constructed path. If the path would have been * greater than @buflen, @buf contains the truncated path with the trailing * '\0'. On error, -errno is returned. */ @@ -265,12 +267,10 @@ void pr_cont_kernfs_path(struct kernfs_node *kn) sz =3D kernfs_path_from_node(kn, NULL, kernfs_pr_cont_buf, sizeof(kernfs_pr_cont_buf)); if (sz < 0) { - pr_cont("(error)"); - goto out; - } - - if (sz >=3D sizeof(kernfs_pr_cont_buf)) { - pr_cont("(name too long)"); + if (sz =3D=3D -E2BIG) + pr_cont("(name too long)"); + else + pr_cont("(error)"); goto out; } =20 diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index 76db6c67e39a..9cb00ebe9ac6 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -802,7 +802,7 @@ void cgroup1_release_agent(struct work_struct *work) goto out_free; =20 ret =3D cgroup_path_ns(cgrp, pathbuf, PATH_MAX, &init_cgroup_ns); - if (ret < 0 || ret >=3D PATH_MAX) + if (ret < 0) goto out_free; =20 argv[0] =3D agentbuf; diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index 4b9ff41ca603..8d2674c6aaef 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -1893,7 +1893,7 @@ int cgroup_show_path(struct seq_file *sf, struct kern= fs_node *kf_node, len =3D kernfs_path_from_node(kf_node, ns_cgroup->kn, buf, PATH_MAX); spin_unlock_irq(&css_set_lock); =20 - if (len >=3D PATH_MAX) + if (len =3D=3D -E2BIG) len =3D -ERANGE; else if (len > 0) { seq_escape(sf, buf, " \t\n\\"); @@ -6301,7 +6301,7 @@ int proc_cgroup_show(struct seq_file *m, struct pid_n= amespace *ns, if (cgroup_on_dfl(cgrp) || !(tsk->flags & PF_EXITING)) { retval =3D cgroup_path_ns_locked(cgrp, buf, PATH_MAX, current->nsproxy->cgroup_ns); - if (retval >=3D PATH_MAX) + if (retval =3D=3D -E2BIG) retval =3D -ENAMETOOLONG; if (retval < 0) goto out_unlock; diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index 615daaf87f1f..fb29158ae825 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -4941,7 +4941,7 @@ int proc_cpuset_show(struct seq_file *m, struct pid_n= amespace *ns, retval =3D cgroup_path_ns(css->cgroup, buf, PATH_MAX, current->nsproxy->cgroup_ns); css_put(css); - if (retval >=3D PATH_MAX) + if (retval =3D=3D -E2BIG) retval =3D -ENAMETOOLONG; if (retval < 0) goto out_free; --=20 2.34.1