| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jan 2017 06:49:43 +0100 (CET)
From: Julia Lawall <julia.lawall@...6.fr>
To: Kees Cook <keescook@...omium.org>
cc: cocci@...teme.lip6.fr, Pengfei Wang <wpengfeinudt@...il.com>,
Vaishali Thakkar <vthakkar1994@...il.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [RFC] coccicheck: add a test for repeat memory fetches
On Tue, 10 Jan 2017, Kees Cook wrote:
> On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawall <julia.lawall@...6.fr> wrote:
> > OK, I have the impression that what you are looking for is the following,
> > that currently does not seem to work well. Still maybe it gives an idea.
> >
> > The basic pattern is the following sequence:
> >
> > 1. copy_from_user
> > 2. test on a field of the copied value
> > 3. another copy_from_user
> > 4. a use of the same field as tested in step 2 from the structure obtained
> > by the second copy_from_user or a function call with the structure as an
> > argument
>
> This looks pretty good!
>
> > In the case where the second copy_from_user stores the result in a
> > pointer, then a return with no reference of the tested field is also a
> > concern, unless, the pointer was already kfreed.
>
> I think sequence "2" above missing just looking at a direct value,
> like if instead of a field it was a u32. Also, should binop include
> "=="?
I wasn't sure what to do with a direct value, because one wouldn't know
what field it would correspond to. A solution could be to pull the first
field out of the structure declaration.
I'll add == and !=.
> And we need to add back in get_user() too... hmmm
OK.
julia
Powered by blists - more mailing lists