| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.21.1908121210570.3718@hadrien>
Date: Mon, 12 Aug 2019 12:25:45 +0200 (CEST)
From: Julia Lawall <julia.lawall@...6.fr>
To: Alexander Popov <alex.popov@...ux.com>
cc: Julia Lawall <julia.lawall@...6.fr>, Jann Horn <jannh@...gle.com>,
Jens Axboe <axboe@...nel.dk>, Jiri Kosina <jikos@...nel.org>,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
Al Viro <viro@...iv.linux.org.uk>,
Mukesh Ojha <mojha@...eaurora.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
Denis Efremov <efremov@...ux.com>,
Gilles Muller <Gilles.Muller@...6.fr>,
Nicolas Palix <nicolas.palix@...g.fr>,
Michal Marek <michal.lkml@...kovi.net>, cocci@...teme.lip6.fr
Subject: Re: [PATCH] floppy: fix usercopy direction
On Fri, 9 Aug 2019, Alexander Popov wrote:
> On 09.08.2019 16:56, Julia Lawall wrote:
> > On Fri, 9 Aug 2019, Alexander Popov wrote:
> >> On 27.03.2019 1:03, Jann Horn wrote:
> >>> As sparse points out, these two copy_from_user() should actually be
> >>> copy_to_user().
> >>
> >> I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle
> >> experts to CC).
> >>
> >>
> >> virtual report
> >>
> >> @cfu@
> >
> > You can replace the above line with @cfu exists@. You want to find the
> > existence of such a call, not ensure that the call occurs on every
> > control-flow path, which is the default.
>
> Thanks Julia, I see `exists` allows to drop `<+ +>`, right?
Exists is more efficient when it is possible. It just finds the existence
of a path that has the property rather than collecting information about
all paths. It is related to <+... ...+> because for that there has to
exist at least one match. You could probably do something like
... when any
copy_from_user
... when any
Then with exists you will consider each call one at a time.
>
> > Do you want this rule to go into the kernel?
>
> It turned out that sparse already can find these bugs.
If sparse is already doing this, then perhaps that's sufficient. Someone
just has to be running it :)
julia
> Is this rule useful anyway? If so, I can prepare a patch.
>
> >> identifier f;
> >> type t;
> >> identifier v;
> >> position decl_p;
> >> position copy_p;
> >> @@
> >>
> >> f(..., t v@...l_p, ...)
> >> {
> >> <+...
> >> copy_from_user@...y_p(v, ...)
> >> ...+>
> >> }
> >>
> >> @script:python@
> >> f << cfu.f;
> >> t << cfu.t;
> >> v << cfu.v;
> >> decl_p << cfu.decl_p;
> >> copy_p << cfu.copy_p;
> >> @@
> >>
> >> if '__user' in t:
> >> msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\""
> >> coccilib.report.print_report(decl_p[0], msg0)
> >> msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n"
> >> coccilib.report.print_report(copy_p[0], msg1)
> >>
> >>
> >> The rule output:
> >>
> >> ./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg"
> >> of type "struct compat_floppy_drive_params __user *"
> >> ./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the
> >> destination. What a shame!
> >>
> >> ./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg"
> >> of type "struct compat_floppy_drive_struct __user *"
> >> ./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the
> >> destination. What a shame!
>
Powered by blists - more mailing lists