Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 10 Jun 2019 11:20:43 -0700
From: Kees Cook <>
To: "Khajapasha, Mohammed" <>
Cc: "" <>
Subject: Re: Regarding add detection for double-reads

On Mon, Jun 10, 2019 at 05:19:17PM +0000, Khajapasha, Mohammed wrote:
> As discussed over IRC, could you please provide some point on "add detection for double-reads".


This was about following up on building a good Coccinelle script that
would warn about cases where the kernel reads from userspace twice at
the same location which may result in bugs like reading the size of a
structure at the start of a structure, allocating a size, then filling
the structure with a second read (at which point the size may have
changed). For example:

struct example {
	unsigned int bytes;
	unsigned int flags;
	u8 data[];

int do_user_interface(struct example __user *user_instance)
	struct example *instance;
	unsigned int size;

	copy_from_user(&size, user_instance, sizeof(size));
	instance = kmalloc(size, GFP_KERNEL);
	if (!instance)
		return -EINVAL;
	copy_from_user(instance, user_instance, size);

The "bytes" field of the instance passed to perform_actions() may not
contain the right value, leading to possible heap overflows when
accessing instance->data[]...

What's needed after the second copy_from_user() is:

	if (instance.bytes != size) {
		return -EINVAL;

But _finding_ the cases is what I'd like to nail down and get into the
kernel scripts. The thread that needs following up is here:

Kees Cook

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.