So if I'm setting the PR_SET_PROCTITLE_AREA initially to e.g. 1 kB memory
area, without the above code ps will show it entirely regardless of any \0
characters (because parameters are separated by \0).
That makes sense - but note that it's not completely atomic still -
with a syscall you could insert some kind of barrier (rwsem?) to
ensure other processes don't see a halfway updated process name. With
infrequent updates this isn't a problem, but if you're really
intending to update it at a rate where syscall overhead becomes a
problem, then you're also going to see these kinds of issues as well.
Might want to fix the bug later on in that function while you're in
here - the second access_process_vm call is never checked for errors,
but (from my reading) it's possible that the page that the environment
is on could be unmapped between those two calls. The result could
either be a short read (not the end of the world) or a negative value
(error code + small original argument length) passed to strnlen.
Hmm. Originally I thought it would have returned only -1, but if it's -errno
then I'm beginning to wonder if this is a security hole. If the original res
is small enough, and it looks like it can be, that code could get res to
negative, i.e. unlimited. But I can't follow the code right now if it also
means that userspace can read tons of data or if it gets caught by some "<
0" check.
By the time we get to the second read, len is definitely between 0 and
PAGE_SIZE, so that's not a problem. What I'm worried about mostly is
whether strnlen would interpret its argument (negative error + small
positive value = negative value) as a large positive value,
go running
off into the woods and cause an OOPS. Which I suppose is a denial of
service issue.
That said, I'm not really sure why it's written the way it is anyway.
Why not just unconditionally try to load all the way from arg_start to
env_end (or to arg_start + PAGE_SIZE), then just figure out where the
\0 is and you're done? It would seem to have the same effect...