diff options
| author | Kees Cook <kees@kernel.org> | 2024-11-30 07:06:55 +0300 |
|---|---|---|
| committer | Kees Cook <kees@kernel.org> | 2024-12-17 03:53:00 +0300 |
| commit | 3a3f61ce5e0b4bcf730acc09c1af91012d241f85 (patch) | |
| tree | fb789240fafc051aeb40f066152bcae0adf2cc14 /include/linux | |
| parent | fa1bdca98d74472dcdb79cb948b54f63b5886c04 (diff) | |
| download | linux-3a3f61ce5e0b4bcf730acc09c1af91012d241f85.tar.xz | |
exec: Make sure task->comm is always NUL-terminated
Using strscpy() meant that the final character in task->comm may be
non-NUL for a moment before the "string too long" truncation happens.
Instead of adding a new use of the ambiguous strncpy(), we'd want to
use memtostr_pad() which enforces being able to check at compile time
that sizes are sensible, but this requires being able to see string
buffer lengths. Instead of trying to inline __set_task_comm() (which
needs to call trace and perf functions), just open-code it. But to
make sure we're always safe, add compile-time checking like we already
do for get_task_comm().
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Kees Cook <kees@kernel.org>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/sched.h | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/include/linux/sched.h b/include/linux/sched.h index e6ee4258169a..ac9f429ddc17 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1932,11 +1932,10 @@ static inline void kick_process(struct task_struct *tsk) { } #endif extern void __set_task_comm(struct task_struct *tsk, const char *from, bool exec); - -static inline void set_task_comm(struct task_struct *tsk, const char *from) -{ - __set_task_comm(tsk, from, false); -} +#define set_task_comm(tsk, from) ({ \ + BUILD_BUG_ON(sizeof(from) != TASK_COMM_LEN); \ + __set_task_comm(tsk, from, false); \ +}) extern char *__get_task_comm(char *to, size_t len, struct task_struct *tsk); #define get_task_comm(buf, tsk) ({ \ |