kernel: fix TOCTTOU issue in k_thread_name_set
Previously, a racing write to the provided string could result in up to CONFIG_THREAD_MAX_NAME_LEN-2 bytes after the end of user-accessible memory being leaked into the thread name. For now, make a temporary copy. In an ideal world this could copy directly from userspace into the thread name, but that violates the current vrfy / impl split. Signed-off-by: James Harris <james.harris@intel.com>
This commit is contained in:
James Harris
Anas Nashif
parent
6f82ebe2e8
commit
33c9be90cc
|
|
@ -237,8 +237,7 @@ int z_impl_k_thread_name_set(struct k_thread *thread, const char *value)
|
|||
static inline int z_vrfy_k_thread_name_set(struct k_thread *t, const char *str)
|
||||
{
|
||||
#ifdef CONFIG_THREAD_NAME
|
||||
size_t len;
|
||||
int err;
|
||||
char name[CONFIG_THREAD_MAX_NAME_LEN];
|
||||
|
||||
if (t != NULL) {
|
||||
if (Z_SYSCALL_OBJ(t, K_OBJ_THREAD) != 0) {
|
||||
|
|
@ -246,15 +245,15 @@ static inline int z_vrfy_k_thread_name_set(struct k_thread *t, const char *str)
|
|||
}
|
||||
}
|
||||
|
||||
len = z_user_string_nlen(str, CONFIG_THREAD_MAX_NAME_LEN, &err);
|
||||
if (err != 0) {
|
||||
return -EFAULT;
|
||||
}
|
||||
if (Z_SYSCALL_MEMORY_READ(str, len) != 0) {
|
||||
/* In theory we could copy directly into thread->name, but
|
||||
* the current z_vrfy / z_impl split does not provide a
|
||||
* means of doing so.
|
||||
*/
|
||||
if (z_user_string_copy(name, (char *)str, sizeof(name)) != 0) {
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
return z_impl_k_thread_name_set(t, str);
|
||||
return z_impl_k_thread_name_set(t, name);
|
||||
#else
|
||||
return -ENOSYS;
|
||||
#endif /* CONFIG_THREAD_NAME */
|
||||
|
|
|
|||
Loading…
Reference in a new issue