| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3ee24295-6d63-6da9-774f-f1a599418685@linux.com>
Date: Fri, 9 Aug 2019 18:05:17 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Julia Lawall <julia.lawall@...6.fr>, Jann Horn <jannh@...gle.com>
Cc: Jens Axboe <axboe@...nel.dk>, Jiri Kosina <jikos@...nel.org>,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
Al Viro <viro@...iv.linux.org.uk>,
Mukesh Ojha <mojha@...eaurora.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
Denis Efremov <efremov@...ux.com>,
Gilles Muller <Gilles.Muller@...6.fr>,
Nicolas Palix <nicolas.palix@...g.fr>,
Michal Marek <michal.lkml@...kovi.net>, cocci@...teme.lip6.fr
Subject: Re: [PATCH] floppy: fix usercopy direction
On 09.08.2019 16:56, Julia Lawall wrote:
> On Fri, 9 Aug 2019, Alexander Popov wrote:
>> On 27.03.2019 1:03, Jann Horn wrote:
>>> As sparse points out, these two copy_from_user() should actually be
>>> copy_to_user().
>>
>> I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle
>> experts to CC).
>>
>>
>> virtual report
>>
>> @cfu@
>
> You can replace the above line with @cfu exists@. You want to find the
> existence of such a call, not ensure that the call occurs on every
> control-flow path, which is the default.
Thanks Julia, I see `exists` allows to drop `<+ +>`, right?
> Do you want this rule to go into the kernel?
It turned out that sparse already can find these bugs.
Is this rule useful anyway? If so, I can prepare a patch.
>> identifier f;
>> type t;
>> identifier v;
>> position decl_p;
>> position copy_p;
>> @@
>>
>> f(..., t v@...l_p, ...)
>> {
>> <+...
>> copy_from_user@...y_p(v, ...)
>> ...+>
>> }
>>
>> @script:python@
>> f << cfu.f;
>> t << cfu.t;
>> v << cfu.v;
>> decl_p << cfu.decl_p;
>> copy_p << cfu.copy_p;
>> @@
>>
>> if '__user' in t:
>> msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\""
>> coccilib.report.print_report(decl_p[0], msg0)
>> msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n"
>> coccilib.report.print_report(copy_p[0], msg1)
>>
>>
>> The rule output:
>>
>> ./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg"
>> of type "struct compat_floppy_drive_params __user *"
>> ./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the
>> destination. What a shame!
>>
>> ./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg"
>> of type "struct compat_floppy_drive_struct __user *"
>> ./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the
>> destination. What a shame!
Powered by blists - more mailing lists