lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAO3upoYdSkDqyLtD8cQh4kws5gdOcAEPSUHnsru23Uo=3c-uMQ@mail.gmail.com>
Date:   Thu, 19 Jul 2018 19:44:53 -0700
From:   Todd Poynor <toddpoynor@...il.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Rob Springer <rspringer@...gle.com>,
        John Joseph <jnjoseph@...gle.com>,
        Ben Chan <benchan@...omium.org>, devel@...verdev.osuosl.org,
        Zhongze Hu <frankhu@...omium.org>,
        lkml <linux-kernel@...r.kernel.org>,
        Simon Que <sque@...omium.org>,
        Guenter Roeck <groeck@...omium.org>,
        Todd Poynor <toddpoynor@...gle.com>,
        Dmitry Torokhov <dtor@...omium.org>
Subject: Re: [PATCH 17/32] staging: gasket: annotate ioctl arg with __user

On Thu, Jul 19, 2018 at 2:37 AM, Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
> On Tue, Jul 17, 2018 at 01:56:57PM -0700, Todd Poynor wrote:
>> From: Todd Poynor <toddpoynor@...gle.com>
>>
>> For sparse checking.
>
> Close, but you can do better :)
>
>>
>> Reported-by: Dmitry Torokhov <dtor@...omium.org>
>> Signed-off-by: Zhongze Hu <frankhu@...omium.org>
>> Signed-off-by: Todd Poynor <toddpoynor@...gle.com>
>> Reviewed-by: Dmitry Torokhov <dtor@...omium.org>
>> ---
>>  drivers/staging/gasket/apex_driver.c  | 11 ++--
>>  drivers/staging/gasket/gasket_core.c  |  6 ++-
>>  drivers/staging/gasket/gasket_core.h  |  4 +-
>>  drivers/staging/gasket/gasket_ioctl.c | 72 ++++++++++++++-------------
>>  drivers/staging/gasket/gasket_ioctl.h |  4 +-
>>  5 files changed, 52 insertions(+), 45 deletions(-)
>>
>> diff --git a/drivers/staging/gasket/apex_driver.c b/drivers/staging/gasket/apex_driver.c
>> index 612b3ab803196..c91c5aff5ab9c 100644
>> --- a/drivers/staging/gasket/apex_driver.c
>> +++ b/drivers/staging/gasket/apex_driver.c
>> @@ -5,6 +5,7 @@
>>   * Copyright (C) 2018 Google, Inc.
>>   */
>>
>> +#include <linux/compiler.h>
>>  #include <linux/delay.h>
>>  #include <linux/fs.h>
>>  #include <linux/init.h>
>> @@ -142,9 +143,9 @@ static int apex_get_status(struct gasket_dev *gasket_dev);
>>
>>  static uint apex_ioctl_check_permissions(struct file *file, uint cmd);
>>
>> -static long apex_ioctl(struct file *file, uint cmd, ulong arg);
>> +static long apex_ioctl(struct file *file, uint cmd, void __user *arg);
>>
>> -static long apex_clock_gating(struct gasket_dev *gasket_dev, ulong arg);
>> +static long apex_clock_gating(struct gasket_dev *gasket_dev, void __user *arg);
>
> Make this a __user pointer to the correct struct type you are handling
> here.  You know what the type is, use it.

Got it.

>
>>  static int apex_enter_reset(struct gasket_dev *gasket_dev, uint type);
>>
>> @@ -635,7 +636,7 @@ static uint apex_ioctl_check_permissions(struct file *filp, uint cmd)
>>  /*
>>   * Apex-specific ioctl handler.
>>   */
>> -static long apex_ioctl(struct file *filp, uint cmd, ulong arg)
>> +static long apex_ioctl(struct file *filp, uint cmd, void __user *arg)
>>  {
>>       struct gasket_dev *gasket_dev = filp->private_data;
>>
>> @@ -655,7 +656,7 @@ static long apex_ioctl(struct file *filp, uint cmd, ulong arg)
>>   * @gasket_dev: Gasket device pointer.
>>   * @arg: User ioctl arg, in this case to a apex_gate_clock_ioctl struct.
>>   */
>> -static long apex_clock_gating(struct gasket_dev *gasket_dev, ulong arg)
>> +static long apex_clock_gating(struct gasket_dev *gasket_dev, void __user *arg)
>
> As above, this should be a different type.
>
>>  {
>>       struct apex_gate_clock_ioctl ibuf;
>>
>> @@ -663,7 +664,7 @@ static long apex_clock_gating(struct gasket_dev *gasket_dev, ulong arg)
>>               return 0;
>>
>>       if (allow_sw_clock_gating) {
>> -             if (copy_from_user(&ibuf, (void __user *)arg, sizeof(ibuf)))
>> +             if (copy_from_user(&ibuf, arg, sizeof(ibuf)))
>>                       return -EFAULT;
>>
>>               gasket_log_error(
>> diff --git a/drivers/staging/gasket/gasket_core.c b/drivers/staging/gasket/gasket_core.c
>> index 947b4fcc76970..ff34af42bbe7c 100644
>> --- a/drivers/staging/gasket/gasket_core.c
>> +++ b/drivers/staging/gasket/gasket_core.c
>> @@ -14,6 +14,7 @@
>>  #include "gasket_page_table.h"
>>  #include "gasket_sysfs.h"
>>
>> +#include <linux/compiler.h>
>>  #include <linux/delay.h>
>>  #include <linux/fs.h>
>>  #include <linux/init.h>
>> @@ -1823,14 +1824,15 @@ static long gasket_ioctl(struct file *filp, uint cmd, ulong arg)
>>                * check_and_invoke_callback.
>>                */
>>               if (driver_desc->ioctl_handler_cb)
>> -                     return driver_desc->ioctl_handler_cb(filp, cmd, arg);
>> +                     return driver_desc->ioctl_handler_cb(
>> +                         filp, cmd, (void __user *)arg);
>
> You can use a temp variable and then only have to cast things once then,
> instead of twice, if you care.  Not a big deal.

But then I have to name it, and I suck at that. :P  I'm trying
switching to "arg" for ulong/int arguments and "argp" for pointer
arguments.

>
>>
>>               gasket_log_error(
>>                       gasket_dev, "Received unknown ioctl 0x%x", cmd);
>
> This is a fun way to cause a DoS on your system, you should fix this up
> in later changes.

Yeah there's another patch coming soon that converts a bunch of errors
and infos to debugs.

>
>>               return -EINVAL;
>>       }
>>
>> -     return gasket_handle_ioctl(filp, cmd, arg);
>> +     return gasket_handle_ioctl(filp, cmd, (void __user *)arg);
>>  }
>>
>>  int gasket_reset(struct gasket_dev *gasket_dev, uint reset_type)
>> diff --git a/drivers/staging/gasket/gasket_core.h b/drivers/staging/gasket/gasket_core.h
>> index 50ad0c8853183..68b4d2ac9fd6c 100644
>> --- a/drivers/staging/gasket/gasket_core.h
>> +++ b/drivers/staging/gasket/gasket_core.h
>> @@ -315,7 +315,7 @@ struct gasket_dev {
>>
>>  /* Type of the ioctl permissions check callback. See below. */
>>  typedef int (*gasket_ioctl_permissions_cb_t)(
>> -     struct file *filp, uint cmd, ulong arg);
>> +     struct file *filp, uint cmd, void __user *arg);
>>
>>  /*
>>   * Device type descriptor.
>> @@ -549,7 +549,7 @@ struct gasket_driver_desc {
>>        * return -EINVAL. Should return an error status (either -EINVAL or
>>        * the error result of the ioctl being handled).
>>        */
>> -     long (*ioctl_handler_cb)(struct file *filp, uint cmd, ulong arg);
>> +     long (*ioctl_handler_cb)(struct file *filp, uint cmd, void __user *arg);
>
> Why are you not using the typedef above?

There's a typedef for the permissions check callback, but not for the
handler callback.  It's a bit confusing, so I tried adding a typedef
for the handler, but now checkpatch is spanking me for adding new
typedefs -- maybe I should drop the existing typedef?

>
>>
>>       /*
>>        * device_status_cb: Callback to determine device health.
>> diff --git a/drivers/staging/gasket/gasket_ioctl.c b/drivers/staging/gasket/gasket_ioctl.c
>> index d0fa05b8bf1d3..ab2376c32c00b 100644
>> --- a/drivers/staging/gasket/gasket_ioctl.c
>> +++ b/drivers/staging/gasket/gasket_ioctl.c
>> @@ -7,6 +7,7 @@
>>  #include "gasket_interrupt.h"
>>  #include "gasket_logging.h"
>>  #include "gasket_page_table.h"
>> +#include <linux/compiler.h>
>>  #include <linux/fs.h>
>>  #include <linux/uaccess.h>
>>
>> @@ -23,17 +24,18 @@
>>  #endif
>>
>>  static uint gasket_ioctl_check_permissions(struct file *filp, uint cmd);
>> -static int gasket_set_event_fd(struct gasket_dev *dev, ulong arg);
>> +static int gasket_set_event_fd(struct gasket_dev *dev, void __user *arg);
>>  static int gasket_read_page_table_size(
>> -     struct gasket_dev *gasket_dev, ulong arg);
>> +     struct gasket_dev *gasket_dev, void __user *arg);
>>  static int gasket_read_simple_page_table_size(
>> -     struct gasket_dev *gasket_dev, ulong arg);
>> +     struct gasket_dev *gasket_dev, void __user *arg);
>>  static int gasket_partition_page_table(
>> -     struct gasket_dev *gasket_dev, ulong arg);
>> -static int gasket_map_buffers(struct gasket_dev *gasket_dev, ulong arg);
>> -static int gasket_unmap_buffers(struct gasket_dev *gasket_dev, ulong arg);
>> +     struct gasket_dev *gasket_dev, void __user *arg);
>> +static int gasket_map_buffers(struct gasket_dev *gasket_dev, void __user *arg);
>> +static int gasket_unmap_buffers(struct gasket_dev *gasket_dev,
>> +                             void __user *arg);
>>  static int gasket_config_coherent_allocator(
>> -     struct gasket_dev *gasket_dev, ulong arg);
>> +     struct gasket_dev *gasket_dev, void __user *arg);
>
>
> For most of these you know the real type, please just use it.

Roger.

>
>>  /*
>>   * standard ioctl dispatch function.
>> @@ -43,9 +45,10 @@ static int gasket_config_coherent_allocator(
>>   *
>>   * Standard ioctl dispatcher; forwards operations to individual handlers.
>>   */
>> -long gasket_handle_ioctl(struct file *filp, uint cmd, ulong arg)
>> +long gasket_handle_ioctl(struct file *filp, uint cmd, void __user *arg)
>>  {
>>       struct gasket_dev *gasket_dev;
>> +     ulong intarg = (ulong)arg;
>
> Ick, really?  That's a horrible name for a variable, especially as it
> doesn't describe what it is...
>
> and "unsigned long" please, ulong is not a "real" kernel type.
>
>>       int retval;
>>
>>       gasket_dev = (struct gasket_dev *)filp->private_data;
>> @@ -74,16 +77,16 @@ long gasket_handle_ioctl(struct file *filp, uint cmd, ulong arg)
>>        */
>>       switch (cmd) {
>>       case GASKET_IOCTL_RESET:
>> -             trace_gasket_ioctl_integer_data(arg);
>> -             retval = gasket_reset(gasket_dev, arg);
>> +             trace_gasket_ioctl_integer_data(intarg);
>> +             retval = gasket_reset(gasket_dev, intarg);
>>               break;
>>       case GASKET_IOCTL_SET_EVENTFD:
>>               retval = gasket_set_event_fd(gasket_dev, arg);
>>               break;
>>       case GASKET_IOCTL_CLEAR_EVENTFD:
>> -             trace_gasket_ioctl_integer_data(arg);
>> +             trace_gasket_ioctl_integer_data(intarg);
>>               retval = gasket_interrupt_clear_eventfd(
>> -                     gasket_dev->interrupt_data, (int)arg);
>> +                     gasket_dev->interrupt_data, (int)intarg);
>
> See, look at that cast, why would you ever think to cast a variabled
> with "int" in the name of it, to an int?  Naming is hard :(

Yeah now that I look at it that was a pretty horrible name.  I hate
naming things.

>
>
>>               break;
>>       case GASKET_IOCTL_PARTITION_PAGE_TABLE:
>>               trace_gasket_ioctl_integer_data(arg);
>> @@ -91,7 +94,7 @@ long gasket_handle_ioctl(struct file *filp, uint cmd, ulong arg)
>>               break;
>>       case GASKET_IOCTL_NUMBER_PAGE_TABLES:
>>               trace_gasket_ioctl_integer_data(gasket_dev->num_page_tables);
>> -             if (copy_to_user((void __user *)arg,
>> +             if (copy_to_user(arg,
>>                                &gasket_dev->num_page_tables,
>
> Nit, you can move this line up one now.

OK.

>
> I'll stop now, you get the idea.  This should be broken up a lot.

I'll split up in some fashion.

Thanks -- Todd

>
> thanks,
>
> greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ