Open Source and information security mailing list archives
Message-ID: <CAG48ez0Yso71nssZtojpPUNoLUtq=k8yisYEp=v5KKsSOdqcUA@mail.gmail.com>
Date:   Tue, 25 Jan 2022 12:43:18 +0100
From:   Jann Horn <jannh@...gle.com>
To:     Jeff Vander Stoep <jeffv@...gle.com>, Todd Kjos <tkjos@...gle.com>
Cc:     kbuild-all@...ts.01.org,
        "GNU/Weeb Mailing List" <gwml@...weeb.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        Tyler Hicks <code@...icks.com>,
        Kees Cook <keescook@...omium.org>,
        kernel test robot <lkp@...el.com>
Subject: seccomp __user annotation fix backported too far in Android [was: Re:
 [ammarfaizi2-block:google/android/kernel/common/android12-5.4 3638/9999]
 kernel/seccomp.c:2041:41: sparse: sparse: incorrect type in argument 3
 (different address spaces)]

On Tue, Jan 25, 2022 at 12:25 PM kernel test robot <lkp@...el.com> wrote:
> tree:   https://github.com/ammarfaizi2/linux-block google/android/kernel/common/android12-5.4
> head:   3307e1a058380163f1a11c8f7632706168f9fcb1
> commit: 5444477e8a4d31f6e6ff720c2d018d06e405bcc1 [3638/9999] UPSTREAM: seccomp: Remove bogus __user annotations
> config: x86_64-randconfig-s022 (https://download.01.org/0day-ci/archive/20220125/202201251943.TPk8Y7Ob-lkp@intel.com/config)
> compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> reproduce:
>         # apt-get install sparse
>         # sparse version: v0.6.4-dirty
>         # https://github.com/ammarfaizi2/linux-block/commit/5444477e8a4d31f6e6ff720c2d018d06e405bcc1
>         git remote add ammarfaizi2-block https://github.com/ammarfaizi2/linux-block
>         git fetch --no-tags ammarfaizi2-block google/android/kernel/common/android12-5.4
>         git checkout 5444477e8a4d31f6e6ff720c2d018d06e405bcc1
>         # save the config file to linux build tree
>         mkdir build_dir
>         make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=x86_64 SHELL=/bin/bash
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@...el.com>

It looks like this was a bogus backport -
fab686eb0307121e7a2890b6d6c57edd2457863d is marked as 'Fixes:
32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")', but
Android incorrectly backported the patch further
(https://android-review.googlesource.com/c/kernel/common/+/1535131/).

> sparse warnings: (new ones prefixed by >>)
> >> kernel/seccomp.c:2041:41: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void [noderef] <asn:1> * @@     got void *buffer @@
>    kernel/seccomp.c:2041:41: sparse:     expected void [noderef] <asn:1> *
>    kernel/seccomp.c:2041:41: sparse:     got void *buffer
>    kernel/seccomp.c:2059:40: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void [noderef] <asn:1> * @@     got void *buffer @@
>    kernel/seccomp.c:2059:40: sparse:     expected void [noderef] <asn:1> *
>    kernel/seccomp.c:2059:40: sparse:     got void *buffer
> >> kernel/seccomp.c:2115:54: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void *buffer @@     got void [noderef] <asn:1> *buffer @@
>    kernel/seccomp.c:2115:54: sparse:     expected void *buffer
>    kernel/seccomp.c:2115:54: sparse:     got void [noderef] <asn:1> *buffer
>    kernel/seccomp.c:2119:53: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void *buffer @@     got void [noderef] <asn:1> *buffer @@
>    kernel/seccomp.c:2119:53: sparse:     expected void *buffer
>    kernel/seccomp.c:2119:53: sparse:     got void [noderef] <asn:1> *buffer
>
> vim +2041 kernel/seccomp.c
>
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2025
> 5444477e8a4d31 Jann Horn   2020-11-20  2026  static int read_actions_logged(struct ctl_table *ro_table, void *buffer,
> d013db029491b4 Tyler Hicks 2018-05-04  2027                            size_t *lenp, loff_t *ppos)
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2028  {
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2029     char names[sizeof(seccomp_actions_avail)];
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2030     struct ctl_table table;
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2031
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2032     memset(names, 0, sizeof(names));
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2033
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2034     if (!seccomp_names_from_actions_logged(names, sizeof(names),
> beb44acaf000c9 Tyler Hicks 2018-05-04  2035                                            seccomp_actions_logged, " "))
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2036             return -EINVAL;
> d013db029491b4 Tyler Hicks 2018-05-04  2037
> d013db029491b4 Tyler Hicks 2018-05-04  2038     table = *ro_table;
> d013db029491b4 Tyler Hicks 2018-05-04  2039     table.data = names;
> d013db029491b4 Tyler Hicks 2018-05-04  2040     table.maxlen = sizeof(names);
> d013db029491b4 Tyler Hicks 2018-05-04 @2041     return proc_dostring(&table, 0, buffer, lenp, ppos);
> 0ddec0fc890020 Tyler Hicks 2017-08-11  2042  }
[...]
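
The check implied by the reply above, as an added example that is not part of the original message or of any kernel tooling: before backporting a fix, confirm that every commit named in its `Fixes:` trailer is present in the target branch, either directly or as a marked backport. The function names and the sample branch logs are hypothetical, and the zero-padded full hash is constructed because the message gives only the abbreviated id.

```python
import re

# "Fixes:" trailer naming the commit that introduced the problem.
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{8,40})\b", re.M | re.I)
# Backport markers: stable-tree "commit <sha> upstream" and `git cherry-pick -x`.
ORIGIN_RE = re.compile(
    r"^commit ([0-9a-f]{40}) upstream"
    r"|\(cherry picked from commit ([0-9a-f]{40})\)", re.M)

def fixes_targets(message):
    """Abbreviated hashes named in Fixes: trailers of a commit message."""
    return [h.lower() for h in FIXES_RE.findall(message)]

def upstream_ids(tree_log):
    """Upstream hashes a branch carries, directly or as marked backports."""
    ids = set()
    for sha, message in tree_log:
        ids.add(sha)
        for m in ORIGIN_RE.finditer(message):
            ids.add(m.group(1) or m.group(2))
    return ids

def missing_fixes_targets(message, tree_log):
    """Fixes: targets absent from the branch; non-empty means do not backport."""
    ids = upstream_ids(tree_log)
    return [t for t in fixes_targets(message)
            if not any(i.startswith(t) for i in ids)]

# Constructed sample data. The subject and Fixes: line are quoted from the page;
# the zero padding stands in for the full hash, which the page does not give.
FIX_MSG = ('seccomp: Remove bogus __user annotations\n\n'
           'Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")\n')
SYSCTL_FULL = "32927393dc1c" + "0" * 28
OLD_TREE = [("1" * 40, "seccomp: unrelated change (constructed)")]
NEW_TREE = [(SYSCTL_FULL, "sysctl: pass kernel pointers to ->proc_handler")]
PICKED_TREE = [("2" * 40, "UPSTREAM: sysctl: pass kernel pointers to ->proc_handler\n\n"
                          "(cherry picked from commit %s)\n" % SYSCTL_FULL)]

if __name__ == "__main__":
    for name, tree in [("old", OLD_TREE), ("new", NEW_TREE), ("picked", PICKED_TREE)]:
        print(name, missing_fixes_targets(FIX_MSG, tree) or "ok to backport")
```

In practice the `(hash, message)` pairs would come from `git log` on the target branch; a non-empty result means the change being fixed never landed there.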
