Re: [PATCH v2 2/2] mm/memfd: Use strncpy_from_user() to read memfd name

[Isaac Manjarres]

On Thu, Jan 09, 2025 at 11:31:59AM +0000, Lorenzo Stoakes wrote:
> On Wed, Jan 08, 2025 at 06:15:36PM -0800, Isaac Manjarres wrote:
> > On Wed, Jan 08, 2025 at 06:58:00PM +0000, Lorenzo Stoakes wrote:
> > > On Tue, Jan 07, 2025 at 10:48:02AM -0800, Isaac J. Manjarres wrote:
> > > >  		goto err_name;
> > > > -	}
> > > > -
> > > > -	/* terminating-zero may have changed after strnlen_user() returned */
> > > > -	if (name[len + MFD_NAME_PREFIX_LEN - 1]) {
> > > > -		error = -EFAULT;
> > > > +	} else if (len > MFD_NAME_MAX_LEN) {
> > > > +		error = -EINVAL;
> > >
> > > I don't think this can ever happen? It just truncates, looking at the code
> > > for strncpy_from_user().
> > >
> >
> > I double checked, and this case is possible. The maximum we allow to
> > strncpy_from_user() to read is MFD_NAME_MAX_LEN + 1 via the count
> > argument, so that includes the NULL terminator in the userspace buffer.
> >
> 
> > strncpy_from_user() then returns the length of the string without the
> > NULL terminator. The check is for just MFD_NAME_MAX_LEN, so this is
> > meant to catch the case where the string, not including the NULL
> > terminator, is greater than MFD_NAME_MAX_LEN, which is invalid, as
> > well as the case where the string becomes malformed/corrupted mid-copy.
> 
> Actually you're right :) apologies, I misread the strncpy_from_user()
> implementation.
> 
> So I think you should be good here - have you tested this scenario in
> practice just to confirm?
> 
> Cheers!

No worries! Yes, I tested this out and confirmed that we do return
-EINVAL in this case before and after this change, so it should be
fine.

Thanks for the review :)! I'll be sending out v3 of this series
shortly.

--Isaac