| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <46ea566b-6c42-a73-31da-ba15ed82aaf@inria.fr>
Date: Fri, 17 Oct 2025 18:51:31 +0800 (+08)
From: Julia Lawall <julia.lawall@...ia.fr>
To: Thomas Gleixner <tglx@...utronix.de>
cc: LKML <linux-kernel@...r.kernel.org>, Julia Lawall <Julia.Lawall@...ia.fr>,
Nicolas Palix <nicolas.palix@...g.fr>, kernel test robot <lkp@...el.com>,
Russell King <linux@...linux.org.uk>, linux-arm-kernel@...ts.infradead.org,
Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org,
Madhavan Srinivasan <maddy@...ux.ibm.com>,
Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
linuxppc-dev@...ts.ozlabs.org, Paul Walmsley <pjw@...nel.org>,
Palmer Dabbelt <palmer@...belt.com>, linux-riscv@...ts.infradead.org,
Heiko Carstens <hca@...ux.ibm.com>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
Sven Schnelle <svens@...ux.ibm.com>, linux-s390@...r.kernel.org,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
Peter Zijlstra <peterz@...radead.org>, Darren Hart <dvhart@...radead.org>,
Davidlohr Bueso <dave@...olabs.net>,
André Almeida <andrealmeid@...lia.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
linux-fsdevel@...r.kernel.org
Subject: Re: [patch V3 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access()
checker script
On Fri, 17 Oct 2025, Thomas Gleixner wrote:
> A common mistake in user access code is that the wrong access mode is
> selected for starting the user access section. As most architectures map
> Read and Write modes to ReadWrite this goes often unnoticed for quite some
> time.
>
> Aside of that the scoped user access mechanism requires that the same
> pointer is used for the actual accessor macros that was handed in to start
> the scope because the pointer can be modified by the scope begin mechanism
> if the architecture supports masking.
>
> Add a basic (and incomplete) coccinelle script to check for the common
> issues. The error output is:
>
> kernel/futex/futex.h:303:2-17: ERROR: Invalid pointer for unsafe_put_user(p) in scoped_masked_user_write_access(to)
> kernel/futex/futex.h:292:2-17: ERROR: Invalid access mode unsafe_get_user() in scoped_masked_user_write_access()
>
> Not-Yet-Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
> Cc: Julia Lawall <Julia.Lawall@...ia.fr>
> Cc: Nicolas Palix <nicolas.palix@...g.fr>
> ---
> scripts/coccinelle/misc/scoped_uaccess.cocci | 108 +++++++++++++++++++++++++++
> 1 file changed, 108 insertions(+)
>
> --- /dev/null
> +++ b/scripts/coccinelle/misc/scoped_uaccess.cocci
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/// Validate scoped_masked_user*access() scopes
> +///
> +// Confidence: Zero
> +// Options: --no-includes --include-headers
> +
> +virtual context
> +virtual report
> +virtual org
> +
> +@...tialize:python@
> +@@
> +
> +scopemap = {
> + 'scoped_masked_user_read_access_size' : 'scoped_masked_user_read_access',
> + 'scoped_masked_user_write_access_size' : 'scoped_masked_user_write_access',
> + 'scoped_masked_user_rw_access_size' : 'scoped_masked_user_rw_access',
> +}
> +
> +# Most common accessors. Incomplete list
> +noaccessmap = {
> + 'scoped_masked_user_read_access' : ('unsafe_put_user', 'unsafe_copy_to_user'),
> + 'scoped_masked_user_write_access' : ('unsafe_get_user', 'unsafe_copy_from_user'),
> +}
> +
> +# Most common accessors. Incomplete list
> +ptrmap = {
> + 'unsafe_put_user' : 1,
> + 'unsafe_get_user' : 1,
> + 'unsafe_copy_to_user' : 0,
> + 'unsafe_copy_from_user' : 0,
> +}
> +
> +print_mode = None
> +
> +def pr_err(pos, msg):
> + if print_mode == 'R':
> + coccilib.report.print_report(pos[0], msg)
> + elif print_mode == 'O':
> + cocci.print_main(msg, pos)
> +
> +@r0 depends on report || org@
> +iterator name scoped_masked_user_read_access,
> + scoped_masked_user_read_access_size,
> + scoped_masked_user_write_access,
> + scoped_masked_user_write_access_size,
> + scoped_masked_user_rw_access,
> + scoped_masked_user_rw_access_size;
> +iterator scope;
> +statement S;
> +@@
> +
> +(
> +(
> +scoped_masked_user_read_access(...) S
> +|
> +scoped_masked_user_read_access_size(...) S
> +|
> +scoped_masked_user_write_access(...) S
> +|
> +scoped_masked_user_write_access_size(...) S
> +|
> +scoped_masked_user_rw_access(...) S
> +|
> +scoped_masked_user_rw_access_size(...) S
> +)
> +&
> +scope(...) S
> +)
> +
> +@...ipt:python depends on r0 && report@
> +@@
> +print_mode = 'R'
> +
> +@...ipt:python depends on r0 && org@
> +@@
> +print_mode = 'O'
> +
> +@r1@
> +expression sp, a0, a1;
> +iterator r0.scope;
> +identifier ac;
> +position p;
> +@@
> +
> + scope(sp,...) {
> + <+...
> + ac@p(a0, a1, ...);
> + ...+>
> + }
This will be more efficient and equally useful with <... ...>
Using + requires that there is at least one match, which has a cost.
julia
> +
> +@...ipt:python@
> +pos << r1.p;
> +scope << r0.scope;
> +ac << r1.ac;
> +sp << r1.sp;
> +a0 << r1.a0;
> +a1 << r1.a1;
> +@@
> +
> +scope = scopemap.get(scope, scope)
> +if ac in noaccessmap.get(scope, []):
> + pr_err(pos, 'ERROR: Invalid access mode %s() in %s()' %(ac, scope))
> +
> +if ac in ptrmap:
> + ap = (a0, a1)[ptrmap[ac]]
> + if sp != ap.lstrip('&').split('->')[0].strip():
> + pr_err(pos, 'ERROR: Invalid pointer for %s(%s) in %s(%s)' %(ac, ap, scope, sp))
>
>
Powered by blists - more mailing lists