Re: [PATCH v4 2/5] connector: use __get_task_comm in proc_comm_connector
From: Yafang Shao
Date: Thu Oct 14 2021 - 05:26:57 EST
On Thu, Oct 14, 2021 at 12:50 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Wed, Oct 13, 2021 at 10:24:18PM -0400, Steven Rostedt wrote:
> > On Thu, 14 Oct 2021 09:48:09 +0800
> > Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> >
> > > > __get_task_comm() uses strncpy() which my understanding is, does not add
> > > > the nul terminating byte when truncating. Which changes the functionality
> > > > here. As all task comms have a terminating byte, the old method would copy
> > > > that and include it. This won't add the terminating byte if the buffer is
> > > > smaller than the comm, and that might cause issues.
> > > >
> > >
> > > Right, that is a problem.
> > > It seems that we should add a new helper get_task_comm_may_truncated().
> >
> > Or simply change __get_task_comm() to:
> >
> > char *__get_task_comm(char *buf, size_t buf_size, struct task_struct *tsk)
> > {
> > task_lock(tsk);
> > strncpy(buf, tsk->comm, buf_size);
> > /* The copied value is always nul terminated */
> > buf[buf_size - 1] = '\0';
> > task_unlock(tsk);
> > return buf;
> > }
> >
> > But that should probably be a separate patch.
>
> strscpy_pad() is the right thing here -- it'll retain the NUL-fill
> properties of strncpy and terminate correctly.
>
strscpy_pad() can also work, and seems more simple.
> The use of non-terminating issue with strncpy() wasn't a problem here
> because get_task_comm() would always make sure task->comm was
> terminated. (It uses strlcpy(), which I think needs to be changed to
> strscpy_pad() too...)
>
> --
> Kees Cook
--
Thanks
Yafang