Re: [PATCH bpf v5 0/2] Fix bpf_probe_read_user_str() overcopying
From: Andrii Nakryiko
Date: Wed Nov 11 2020 - 20:35:30 EST
On Wed, Nov 11, 2020 at 2:46 PM Daniel Xu <dxu@xxxxxxxxx> wrote:
>
> 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user,
> kernel}_str helpers") introduced a subtle bug where
> bpf_probe_read_user_str() would potentially copy a few extra bytes after
> the NUL terminator.
>
> This issue is particularly nefarious when strings are used as map keys,
> as seemingly identical strings can occupy multiple entries in a map.
>
> This patchset fixes the issue and introduces a selftest to prevent
> future regressions.
>
> v4 -> v5:
> * don't read potentially uninitialized memory
I think the bigger problem was that it could overwrite unintended
memory. E.g., in BPF program, if you had something like:
char my_buf[8 + 3];
char my_precious_data[5] = {1, 2, 3, 4, 5};
With previous version you'd overwrite my_precious data. BTW, do you
test such scenario in the selftests you added? If not, we should have
something like this as well and validate 1, 2, 3, 4, 5 stay intact.
>
> v3 -> v4:
> * directly pass userspace pointer to prog
> * test more strings of different length
>
> v2 -> v3:
> * set pid filter before attaching prog in selftest
> * use long instead of int as bpf_probe_read_user_str() retval
> * style changes
>
> v1 -> v2:
> * add Fixes: tag
> * add selftest
>
> Daniel Xu (2):
> lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator
> selftest/bpf: Test bpf_probe_read_user_str() strips trailing bytes
> after NUL
>
> lib/strncpy_from_user.c | 9 ++-
> .../bpf/prog_tests/probe_read_user_str.c | 71 +++++++++++++++++++
> .../bpf/progs/test_probe_read_user_str.c | 25 +++++++
> 3 files changed, 100 insertions(+), 5 deletions(-)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/probe_read_user_str.c
> create mode 100644 tools/testing/selftests/bpf/progs/test_probe_read_user_str.c
>
> --
> 2.29.2
>