kernel: fix TOCTTOU issue in k_thread_name_set

Previously, a racing write to the provided string could result in up to CONFIG_THREAD_MAX_NAME_LEN-2 bytes after the end of user-accessible memory being leaked into the thread name. For now, make a temporary copy. In an ideal world this could copy directly from userspace into the thread name, but that violates the current vrfy / impl split. Signed-off-by: James Harris <james.harris@intel.com>
2021-03-08 09:23:49 -08:00 · 2021-03-08 09:23:49 -08:00 · 33c9be90cc
parent 6f82ebe2e8
commit 33c9be90cc
1 changed files with 7 additions and 8 deletions
--- a/kernel/thread.c
+++ b/kernel/thread.c
@ -237,8 +237,7 @@ int z_impl_k_thread_name_set(struct k_thread *thread, const char *value)
 static inline int z_vrfy_k_thread_name_set(struct k_thread *t, const char *str)
 {
 #ifdef CONFIG_THREAD_NAME
-	size_t len;
-	int err;
+	char name[CONFIG_THREAD_MAX_NAME_LEN];

 	if (t != NULL) {
 		if (Z_SYSCALL_OBJ(t, K_OBJ_THREAD) != 0) {
@ -246,15 +245,15 @@ static inline int z_vrfy_k_thread_name_set(struct k_thread *t, const char *str)
 		}
 	}

-	len = z_user_string_nlen(str, CONFIG_THREAD_MAX_NAME_LEN, &err);
-	if (err != 0) {
-		return -EFAULT;
-	}
-	if (Z_SYSCALL_MEMORY_READ(str, len) != 0) {
+	/* In theory we could copy directly into thread->name, but
+	 * the current z_vrfy / z_impl split does not provide a
+	 * means of doing so.
+	 */
+	if (z_user_string_copy(name, (char *)str, sizeof(name)) != 0) {
 		return -EFAULT;
 	}

-	return z_impl_k_thread_name_set(t, str);
+	return z_impl_k_thread_name_set(t, name);
 #else
 	return -ENOSYS;
 #endif /* CONFIG_THREAD_NAME */