The patch titled
Subject: mm/memfd: Use strncpy_from_user() to read memfd name
has been added to the -mm mm-unstable branch. Its filename is
mm-memfd-use-strncpy_from_user-to-read-memfd-name.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/mm-memfd-use-strncpy_from_user-to-read-memfd-name.patch
This patch will later appear in the mm-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days
------------------------------------------------------
From: "Isaac J. Manjarres" <isaacmanjarres@xxxxxxxxxx>
Subject: mm/memfd: Use strncpy_from_user() to read memfd name
Date: Fri, 10 Jan 2025 08:59:00 -0800
The existing logic uses strnlen_user() to calculate the length of the
memfd name from userspace and then copies the string into a buffer using
copy_from_user(). This is error-prone, as the string length could have
changed between the time when it was calculated and when the string was
copied. The existing logic handles this by ensuring that the last byte in
the buffer is the terminating zero.
This handling is contrived and can better be handled by using
strncpy_from_user(), which gets the length of the string and copies it in
one shot. Therefore, simplify the logic for copying the memfd name by
using strncpy_from_user().
No functional change.
Link: https://lkml.kernel.org/r/20250110165904.3437374-3-isaacmanjarres@xxxxxxxxxx
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@xxxxxxxxxx>
Reviewed-by: Alice Ryhl <aliceryhl@xxxxxxxxxx>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx>
Cc: John Stultz <jstultz@xxxxxxxxxx>
Cc: Kalesh Singh <kaleshsingh@xxxxxxxxxx>
Cc: Suren Baghdasaryan <surenb@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
mm/memfd.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
--- a/mm/memfd.c~mm-memfd-use-strncpy_from_user-to-read-memfd-name
+++ a/mm/memfd.c
@@ -396,26 +396,18 @@ static char *alloc_name(const char __use
char *name;
long len;
- /* length includes terminating zero */
- len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1);
- if (len <= 0)
- return ERR_PTR(-EFAULT);
- if (len > MFD_NAME_MAX_LEN + 1)
- return ERR_PTR(-EINVAL);
-
- name = kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL);
+ name = kmalloc(NAME_MAX + 1, GFP_KERNEL);
if (!name)
return ERR_PTR(-ENOMEM);
strcpy(name, MFD_NAME_PREFIX);
- if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) {
+ /* returned length does not include terminating zero */
+ len = strncpy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, MFD_NAME_MAX_LEN + 1);
+ if (len < 0) {
error = -EFAULT;
goto err_name;
- }
-
- /* terminating-zero may have changed after strnlen_user() returned */
- if (name[len + MFD_NAME_PREFIX_LEN - 1]) {
- error = -EFAULT;
+ } else if (len > MFD_NAME_MAX_LEN) {
+ error = -EINVAL;
goto err_name;
}
_
Patches currently in -mm which might be from isaacmanjarres@xxxxxxxxxx are
mm-memfd-refactor-and-cleanup-the-logic-in-memfd_create.patch
mm-memfd-use-strncpy_from_user-to-read-memfd-name.patch
