> On May 28, 2020, at 5:48 PM, Yonghong Song <yhs@xxxxxx> wrote:
>
> In bpf_seq_printf() helper, when user specified a "%s" in the
> format string, strncpy_from_unsafe() is used to read the actual string
> to a buffer. The string could be a format string or a string in
> the kernel data structure. It is really unlikely that the string
> will reside in the user memory.
>
> This is different from Commit b2a5212fb634 ("bpf: Restrict bpf_trace_printk()'s %s
> usage and add %pks, %pus specifier") which still used
> strncpy_from_unsafe() for "%s" to preserve the old behavior.
>
> If in the future, bpf_seq_printf() indeed needs to read user
> memory, we can implement "%pus" format string.
>
> Based on discussion in [1], if the intent is to read kernel memory,
> strncpy_from_unsafe_strict() should be used. So this patch
> changed to use strncpy_from_unsafe_strict().
>
> [1]: https://lore.kernel.org/bpf/20200521152301.2587579-1-hch@xxxxxx/T/
>
> Cc: Christoph Hellwig <hch@xxxxxx>
> Signed-off-by: Yonghong Song <yhs@xxxxxx>
Acked-by: Song Liu <songliubraving@xxxxxx>
I guess we should add:
Fixes: 492e639f0c22 ("bpf: Add bpf_seq_printf and bpf_seq_write helpers")
