On Mon, Aug 12, 2024 at 10:10 PM Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Mon, Aug 12, 2024 at 6:26 PM Jordan Rome <linux@xxxxxxxxxxxxxx> wrote:
> >
> > This adds a kfunc wrapper around strncpy_from_user,
> > which can be called from sleepable BPF programs.
> >
> > This matches the non-sleepable 'bpf_probe_read_user_str'
> > helper.
> >
> > Signed-off-by: Jordan Rome <linux@xxxxxxxxxxxxxx>
> > ---
> > kernel/bpf/helpers.c | 36 ++++++++++++++++++++++++++++++++++++
> > 1 file changed, 36 insertions(+)
> >
> > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> > index d02ae323996b..e87d5df658cb 100644
> > --- a/kernel/bpf/helpers.c
> > +++ b/kernel/bpf/helpers.c
> > @@ -2939,6 +2939,41 @@ __bpf_kfunc void bpf_iter_bits_destroy(struct bpf_iter_bits *it)
> > bpf_mem_free(&bpf_global_ma, kit->bits);
> > }
> >
> > +/**
> > + * bpf_copy_from_user_str() - Copy a string from an unsafe user address
> > + * @dst: Destination address, in kernel space. This buffer must be at
> > + * least @dst__szk bytes long.
> > + * @dst__szk: Maximum number of bytes to copy, including the trailing NUL.
> > + * @unsafe_ptr__ign: Source address, in user space.
> > + *
> > + * Copies a NUL-terminated string from userspace to BPF space. If user string is
> > + * too long this will still ensure zero termination in the dst buffer unless
> > + * buffer size is 0.
> > + */
> > +__bpf_kfunc int bpf_copy_from_user_str(void *dst, u32 dst__szk, const void __user *unsafe_ptr__ign)
> > +{
> > + int ret;
> > + int count;
> > +
> > + if (unlikely(!dst__szk))
> > + return 0;
> > +
> > + count = dst__szk - 1;
> > + if (unlikely(!count)) {
> > + ((char *)dst)[0] = '\0';
> > + return 1;
> > + }
> > +
> > + ret = strncpy_from_user(dst, unsafe_ptr__ign, count);
> > + if (ret >= 0) {
> > + if (ret == count)
> > + ((char *)dst)[ret] = '\0';
> > + ret++;
> > + }
> > +
> > + return ret;
> > +}
>
> The above will not pad the buffer and it will create instability
> when the target buffer is a part of the map key. Consider:
>
> struct map_key {
> char str[100];
> };
> struct {
> __uint(type, BPF_MAP_TYPE_HASH);
> __type(key, struct map_key);
> } hash SEC(".maps");
>
> struct map_key key;
> bpf_copy_from_user_str(key.str, sizeof(key.str), user_string);
>
> The verifier will think that all of the 'key' is initialized,
> but for short strings the key will have garbage.
>
> bpf_probe_read_kernel_str() has the same issue as above, but
> let's fix it here first and update read_kernel_str() later.
>
> pw-bot: cr
You're saying we should always do a memset using `dst__szk` on success
of copying the string?
