The patch titled Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better has been added to the -mm tree. Its filename is bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> Subject: bpf:bpf_seq_printf(): handle potentially unsafe format string better User the proper helper for kernel or userspace addresses based on TASK_SIZE instead of the dangerous strncpy_from_unsafe function. Cc: Christoph Hellwig <hch@xxxxxx> Cc: Alexei Starovoitov <ast@xxxxxxxxxx> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> Cc: Ingo Molnar <mingo@xxxxxxx> Cc: Masami Hiramatsu <mhiramat@xxxxxxxxxx> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- kernel/trace/bpf_trace.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/kernel/trace/bpf_trace.c~bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better +++ a/kernel/trace/bpf_trace.c @@ -588,15 +588,17 @@ BPF_CALL_5(bpf_seq_printf, struct seq_fi } if (fmt[i] == 's') { + void *unsafe_ptr; + /* try our best to copy */ if (memcpy_cnt >= MAX_SEQ_PRINTF_MAX_MEMCPY) { err = -E2BIG; goto out; } - err = strncpy_from_unsafe_strict(bufs->buf[memcpy_cnt], - (void *) (long) args[fmt_cnt], - MAX_SEQ_PRINTF_STR_LEN); + unsafe_ptr = (void *)(long)args[fmt_cnt]; + err = strncpy_from_kernel_nofault(bufs->buf[memcpy_cnt], + unsafe_ptr, MAX_SEQ_PRINTF_STR_LEN); if (err < 0) bufs->buf[memcpy_cnt][0] = '\0'; params[fmt_cnt] = (u64)(long)bufs->buf[memcpy_cnt]; _ Patches currently in -mm which might be from akpm@xxxxxxxxxxxxxxxxxxxx are arch-parisc-include-asm-pgtableh-remove-unused-old_pte.patch mm-slub-add-panic_on_error-to-the-debug-facilities-fix.patch drivers-tty-serial-sh-scic-suppress-uninitialized-var-warning.patch mm.patch mm-free_area_init-allow-defining-max_zone_pfn-in-descending-order-fix-2-fix.patch mm-page_alloc-skip-waternark_boost-for-atomic-order-0-allocations-fix.patch arch-kunmap-remove-duplicate-kunmap-implementations-fix.patch arch-kmap_atomic-consolidate-duplicate-code-checkpatch-fixes.patch arch-kunmap_atomic-consolidate-duplicate-code-checkpatch-fixes.patch kmap-consolidate-kmap_prot-definitions-checkpatch-fixes.patch mm-add-debug_wx-support-fix.patch riscv-support-debug_wx-fix.patch mm-replace-zero-length-array-with-flexible-array-member-fix.patch mm-hugetlb-fix-a-typo-in-comment-manitained-maintained-v2-checkpatch-fixes.patch lib-make-a-test-module-with-get_count_order-long-fix.patch seq_file-introduce-define_seq_attribute-helper-macro-checkpatch-fixes.patch ipc-convert-ipcs_idr-to-xarray-update-fix.patch linux-next-pre.patch linux-next-rejects.patch linux-next-git-rejects.patch linux-next-post.patch kernel-add-panic_on_taint-fix.patch mm-consolidate-pgd_index-and-pgd_offset_k-definitions-fix.patch mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix.patch mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix-fix.patch mmap-locking-api-convert-mmap_sem-call-sites-missed-by-coccinelle-fix-fix-fix.patch mmap-locking-api-rename-mmap_sem-to-mmap_lock-fix.patch mmap-locking-api-convert-mmap_sem-comments-fix.patch mmap-locking-api-convert-mmap_sem-comments-fix-fix.patch mmap-locking-api-convert-mmap_sem-comments-fix-fix-fix.patch mm-pass-task-and-mm-to-do_madvise.patch mm-introduce-external-memory-hinting-api-fix-2-fix.patch mm-support-vector-address-ranges-for-process_madvise-fix-fix-fix-fix-fix.patch maccess-unify-the-probe-kernel-arch-hooks-fix.patch bpf-bpf_seq_printf-handle-potentially-unsafe-format-string-better.patch maccess-always-use-strict-semantics-for-probe_kernel_read-fix.patch x86-use-non-set_fs-based-maccess-routines-checkpatch-fixes.patch doc-cgroup-update-note-about-conditions-when-oom-killer-is-invoked-fix.patch sh-convert-ins-outs-macros-to-inline-functions-checkpatch-fixes.patch kernel-forkc-export-kernel_thread-to-modules.patch