diff mbox series

[v2] exec: avoid gcc-8 warning for get_task_comm

Message ID 20171205151724.1764896-1-arnd@arndb.de
State New
Headers show
Series [v2] exec: avoid gcc-8 warning for get_task_comm | expand

Commit Message

Arnd Bergmann Dec. 5, 2017, 3:17 p.m. UTC
gcc-8 warns about using strncpy() with the source size as the limit:

fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess]

This is indeed slightly suspicious, as it protects us from source
arguments without NUL-termination, but does not guarantee that the
destination is terminated.

This keeps the strncpy() to ensure we have properly padded target buffer,
but ensures that we use the correct length, by passing the actual length
of the destination buffer as well as adding a build-time check to ensure
it is exactly TASK_COMM_LEN.  There are only 23 callsights which I all
reviewed to ensure this is currently the case. We could get away with
doing only the check or passing the right length, but it doesn't hurt
to do both.

Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
 fs/exec.c             | 7 +++----
 include/linux/sched.h | 6 +++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

-- 
2.9.0

Comments

Kees Cook Dec. 5, 2017, 7:09 p.m. UTC | #1
On Tue, Dec 5, 2017 at 7:17 AM, Arnd Bergmann <arnd@arndb.de> wrote:
> gcc-8 warns about using strncpy() with the source size as the limit:

>

> fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess]

>

> This is indeed slightly suspicious, as it protects us from source

> arguments without NUL-termination, but does not guarantee that the

> destination is terminated.

>

> This keeps the strncpy() to ensure we have properly padded target buffer,

> but ensures that we use the correct length, by passing the actual length

> of the destination buffer as well as adding a build-time check to ensure

> it is exactly TASK_COMM_LEN.  There are only 23 callsights which I all

> reviewed to ensure this is currently the case. We could get away with

> doing only the check or passing the right length, but it doesn't hurt

> to do both.

>

> Suggested-by: Kees Cook <keescook@chromium.org>

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>


Awesome. Thanks for checking them all!

Acked-by: Kees Cook <keescook@chromium.org>


-Kees

> ---

>  fs/exec.c             | 7 +++----

>  include/linux/sched.h | 6 +++++-

>  2 files changed, 8 insertions(+), 5 deletions(-)

>

> diff --git a/fs/exec.c b/fs/exec.c

> index 6be2aa0ab26f..156f56acfe8e 100644

> --- a/fs/exec.c

> +++ b/fs/exec.c

> @@ -1216,15 +1216,14 @@ static int de_thread(struct task_struct *tsk)

>         return -EAGAIN;

>  }

>

> -char *get_task_comm(char *buf, struct task_struct *tsk)

> +char *__get_task_comm(char *buf, size_t buf_size, struct task_struct *tsk)

>  {

> -       /* buf must be at least sizeof(tsk->comm) in size */

>         task_lock(tsk);

> -       strncpy(buf, tsk->comm, sizeof(tsk->comm));

> +       strncpy(buf, tsk->comm, buf_size);

>         task_unlock(tsk);

>         return buf;

>  }

> -EXPORT_SYMBOL_GPL(get_task_comm);

> +EXPORT_SYMBOL_GPL(__get_task_comm);

>

>  /*

>   * These functions flushes out all traces of the currently running executable

> diff --git a/include/linux/sched.h b/include/linux/sched.h

> index 21991d668d35..5124ba709830 100644

> --- a/include/linux/sched.h

> +++ b/include/linux/sched.h

> @@ -1503,7 +1503,11 @@ static inline void set_task_comm(struct task_struct *tsk, const char *from)

>         __set_task_comm(tsk, from, false);

>  }

>

> -extern char *get_task_comm(char *to, struct task_struct *tsk);

> +extern char *__get_task_comm(char *to, size_t len, struct task_struct *tsk);

> +#define get_task_comm(buf, tsk) ({                     \

> +       BUILD_BUG_ON(sizeof(buf) != TASK_COMM_LEN);     \

> +       __get_task_comm(buf, sizeof(buf), tsk);         \

> +})

>

>  #ifdef CONFIG_SMP

>  void scheduler_ipi(void);

> --

> 2.9.0

>




-- 
Kees Cook
Pixel Security
David Laight Dec. 6, 2017, 10:11 a.m. UTC | #2
From: Arnd Bergmann

> Sent: 05 December 2017 15:17

> gcc-8 warns about using strncpy() with the source size as the limit:


Hmmm... Someone 'fixed' some of those in the NetBSD tree a few years back.
There was one place where the code was correct.
A potentially unterminated string was being copied into a buffer that was
one byte longer.

	David
Ingo Molnar Dec. 6, 2017, 5:49 p.m. UTC | #3
* Arnd Bergmann <arnd@arndb.de> wrote:

> gcc-8 warns about using strncpy() with the source size as the limit:

> 

> fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess]

> 

> This is indeed slightly suspicious, as it protects us from source

> arguments without NUL-termination, but does not guarantee that the

> destination is terminated.

> 

> This keeps the strncpy() to ensure we have properly padded target buffer,

> but ensures that we use the correct length, by passing the actual length

> of the destination buffer as well as adding a build-time check to ensure

> it is exactly TASK_COMM_LEN.  There are only 23 callsights which I all

> reviewed to ensure this is currently the case. We could get away with

> doing only the check or passing the right length, but it doesn't hurt

> to do both.

> 

> Suggested-by: Kees Cook <keescook@chromium.org>

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>


Looks useful.

Acked-by: Ingo Molnar <mingo@kernel.org>


Thanks,

	Ingo
Kees Cook Dec. 6, 2017, 11:09 p.m. UTC | #4
On Wed, Dec 6, 2017 at 9:49 AM, Ingo Molnar <mingo@kernel.org> wrote:
>

> * Arnd Bergmann <arnd@arndb.de> wrote:

>

>> gcc-8 warns about using strncpy() with the source size as the limit:

>>

>> fs/exec.c:1223:32: error: argument to 'sizeof' in 'strncpy' call is the same expression as the source; did you mean to use the size of the destination? [-Werror=sizeof-pointer-memaccess]

>>

>> This is indeed slightly suspicious, as it protects us from source

>> arguments without NUL-termination, but does not guarantee that the

>> destination is terminated.

>>

>> This keeps the strncpy() to ensure we have properly padded target buffer,

>> but ensures that we use the correct length, by passing the actual length

>> of the destination buffer as well as adding a build-time check to ensure

>> it is exactly TASK_COMM_LEN.  There are only 23 callsights which I all

>> reviewed to ensure this is currently the case. We could get away with

>> doing only the check or passing the right length, but it doesn't hurt

>> to do both.

>>

>> Suggested-by: Kees Cook <keescook@chromium.org>

>> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

>

> Looks useful.

>

> Acked-by: Ingo Molnar <mingo@kernel.org>


Ingo, can you take this into -tip, or should this go via -mm or some other tree?

-Kees

-- 
Kees Cook
Pixel Security
Andrew Morton Dec. 6, 2017, 11:29 p.m. UTC | #5
On Wed, 6 Dec 2017 15:09:20 -0800 Kees Cook <keescook@chromium.org> wrote:

> >> to do both.

> >>

> >> Suggested-by: Kees Cook <keescook@chromium.org>

> >> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

> >

> > Looks useful.

> >

> > Acked-by: Ingo Molnar <mingo@kernel.org>

> 

> Ingo, can you take this into -tip, or should this go via -mm or some other tree?


I have it queued for 4.15.
diff mbox series

Patch

diff --git a/fs/exec.c b/fs/exec.c
index 6be2aa0ab26f..156f56acfe8e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1216,15 +1216,14 @@  static int de_thread(struct task_struct *tsk)
 	return -EAGAIN;
 }
 
-char *get_task_comm(char *buf, struct task_struct *tsk)
+char *__get_task_comm(char *buf, size_t buf_size, struct task_struct *tsk)
 {
-	/* buf must be at least sizeof(tsk->comm) in size */
 	task_lock(tsk);
-	strncpy(buf, tsk->comm, sizeof(tsk->comm));
+	strncpy(buf, tsk->comm, buf_size);
 	task_unlock(tsk);
 	return buf;
 }
-EXPORT_SYMBOL_GPL(get_task_comm);
+EXPORT_SYMBOL_GPL(__get_task_comm);
 
 /*
  * These functions flushes out all traces of the currently running executable
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 21991d668d35..5124ba709830 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1503,7 +1503,11 @@  static inline void set_task_comm(struct task_struct *tsk, const char *from)
 	__set_task_comm(tsk, from, false);
 }
 
-extern char *get_task_comm(char *to, struct task_struct *tsk);
+extern char *__get_task_comm(char *to, size_t len, struct task_struct *tsk);
+#define get_task_comm(buf, tsk) ({			\
+	BUILD_BUG_ON(sizeof(buf) != TASK_COMM_LEN);	\
+	__get_task_comm(buf, sizeof(buf), tsk);		\
+})
 
 #ifdef CONFIG_SMP
 void scheduler_ipi(void);