• Daniel Xu's avatar
    lib/strncpy_from_user.c: Mask out bytes after NUL terminator. · 6fa6d280
    Daniel Xu authored
    do_strncpy_from_user() may copy some extra bytes after the NUL
    terminator into the destination buffer. This usually does not matter for
    normal string operations. However, when BPF programs key BPF maps with
    strings, this matters a lot.
    
    A BPF program may read strings from user memory by calling the
    bpf_probe_read_user_str() helper which eventually calls
    do_strncpy_from_user(). The program can then key a map with the
    destination buffer. BPF map keys are fixed-width and string-agnostic,
    meaning that map keys are treated as a set of bytes.
    
    The issue is when do_strncpy_from_user() overcopies bytes after the NUL
    terminator, it can result in seemingly identical strings occupying
    multiple slots in a BPF map. This behavior is subtle and totally
    unexpected by the user.
    
    This commit masks out the bytes following the NUL while preserving
    long-sized stride in the fast path.
    
    Fixes: 6ae08ae3 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers")
    Signed-off-by: default avatarDaniel Xu <dxu@dxuuu.xyz>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Link: https://lore.kernel.org/bpf/21efc982b3e9f2f7b0379eed642294caaa0c27a7.1605642949.git.dxu@dxuuu.xyz
    6fa6d280
bpf_trace.c 58.1 KB