Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Aug 2017 03:36:23 +0530
From: Vaishali Thakkar <vaishali.thakkar@...cle.com>
To: Rasmus Villemoes <linux@...musvillemoes.dk>,
        Kees Cook <keescook@...omium.org>
Cc: Laura Abbott <labbott@...hat.com>,
        "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: Re: Format string gcc-plugin?

On Friday 24 February 2017 04:45 AM, Rasmus Villemoes wrote:
> On Tue, Feb 14 2017, Kees Cook <keescook@...omium.org> wrote:
> 
>> On Tue, Feb 14, 2017 at 10:01 AM, Laura Abbott <labbott@...hat.com> wrote:
>>> Hi,
>>>
>>> The recent discussions about %pk led me to start playing around
>>> with writing a gcc plugin (notes about writing a gcc plugin are
>>> forthcoming). My idea was to expand checking of the kernel's additional
>>> formats (%pK, %pR etc.) or possibly even change the format
>>> strings. The big issue is that most of vsprintf.c would end up
>>> in the plugin which would be ugly to maintain. This concept could
>>> be used for some of the problems with kernel pointer leaks
>>> https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
>>> but I'm interested if anyone else has thoughts or ideas about
>>> how better to do this (or even not to do this).
>>
>> If we can leverage common code between the plugin and vsprintf.c, it
>> should be doable. I haven't looked at processing format strings at
>> all, though I assume the plugin would need to check the
>> __printf-generated attributes.
>>
> 
> smatch already does type checking of the kernel's %p extensions, plus
> some additional sanity checks (e.g. passing a signed char to %02x,
> duplicate KERN_* or KERN_* prefixes not at the beginning, 0x%d,
> etc.). Maybe Dan Carpenter is the only one actually running it
> periodically. I never managed to get sparse to grok the printf
> attribute, so it uses a hardcoded list of printf-like functions. It
> would be nice to do these checks in a gcc plugin to get wider coverage
> and piggyback on the actual printf attributes, and it would probably be
> easier to keep up with the endless stream of new %pX stuff that way.

Hi all,

I was recently looking at gcc's -Wformat-security and realized that 
there is a TODO point on KSPP's wiki page regarding fixing it for const
strings.

I was wondering that may be we can also try Coccinelle for the type 
checking of %pX extensions? Is there any work done or is someone working 
on this after this discussion?

I'm not sure what is a preferable way over here [GCC plugin or 
Coccinelle scripts] but if noone is working on this then I would like to 
give it a try. Any comments on the same are welcome.

Thanks!

> Rasmus
> 

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.