| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Jun 2020 11:27:59 +0200 (CEST)
From: Julia Lawall <julia.lawall@...ia.fr>
To: Denis Efremov <efremov@...ux.com>
cc: Joe Perches <joe@...ches.com>, cocci@...teme.lip6.fr,
linux-kernel@...r.kernel.org
Subject: Re: [Cocci] [PATCH 2/2] Coccinelle: extend memdup_user rule with
vmemdup_user()
On Sat, 30 May 2020, Denis Efremov wrote:
> Add vmemdup_user() transformations to the memdup_user.cocci rule.
> Commit 50fd2f298bef ("new primitive: vmemdup_user()") introduced
> vmemdup_user(). The function uses kvmalloc with GPF_USER flag.
>
> Signed-off-by: Denis Efremov <efremov@...ux.com>
> ---
> scripts/coccinelle/api/memdup_user.cocci | 49 +++++++++++++++++++++++-
> 1 file changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/coccinelle/api/memdup_user.cocci b/scripts/coccinelle/api/memdup_user.cocci
> index 49f487e6a5c8..a50def35136e 100644
> --- a/scripts/coccinelle/api/memdup_user.cocci
> +++ b/scripts/coccinelle/api/memdup_user.cocci
> @@ -37,6 +37,28 @@ identifier l1,l2;
> - ...+>
> - }
>
> +@...ends on patch@
> +expression from,to,size;
> +identifier l1,l2;
> +@@
> +
> +- to = \(kvmalloc\|kvzalloc\)(size,\(GFP_KERNEL\|GFP_USER\));
> ++ to = vmemdup_user(from,size);
> + if (
> +- to==NULL
> ++ IS_ERR(to)
> + || ...) {
> + <+... when != goto l1;
> +- -ENOMEM
> ++ PTR_ERR(to)
> + ...+>
> + }
> +- if (copy_from_user(to, from, size) != 0) {
> +- <+... when != goto l2;
> +- -EFAULT
> +- ...+>
> +- }
> +
This could protect against modifying vmemdup_user. Probably the original
rule should protect against modifying memdup_user as well.
julia
> @r depends on !patch@
> expression from,to,size;
> position p;
> @@ -48,14 +70,37 @@ statement S1,S2;
> if (copy_from_user(to, from, size) != 0)
> S2
>
> -@...ipt:python depends on org@
> +@rv depends on !patch@
> +expression from,to,size;
> +position p;
> +statement S1,S2;
> +@@
> +
> +* to = \(kvmalloc@p\|kvzalloc@p\)(size,\(GFP_KERNEL\|GFP_USER\));
> + if (to==NULL || ...) S1
> + if (copy_from_user(to, from, size) != 0)
> + S2
> +
> +@...ipt:python depends on org && r@
> p << r.p;
> @@
>
> coccilib.org.print_todo(p[0], "WARNING opportunity for memdup_user")
>
> -@...ipt:python depends on report@
> +@...ipt:python depends on report && r@
> p << r.p;
> @@
>
> coccilib.report.print_report(p[0], "WARNING opportunity for memdup_user")
> +
> +@...ipt:python depends on org && rv@
> +p << rv.p;
> +@@
> +
> +coccilib.org.print_todo(p[0], "WARNING opportunity for vmemdup_user")
> +
> +@...ipt:python depends on report && rv@
> +p << rv.p;
> +@@
> +
> +coccilib.report.print_report(p[0], "WARNING opportunity for vmemdup_user")
> --
> 2.26.2
>
> _______________________________________________
> Cocci mailing list
> Cocci@...teme.lip6.fr
> https://systeme.lip6.fr/mailman/listinfo/cocci
>
Powered by blists - more mailing lists