Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Aug 2019 18:05:17 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Julia Lawall <julia.lawall@...6.fr>, Jann Horn <jannh@...gle.com>
Cc: Jens Axboe <axboe@...nel.dk>, Jiri Kosina <jikos@...nel.org>,
 linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
 Al Viro <viro@...iv.linux.org.uk>, Mukesh Ojha <mojha@...eaurora.org>,
 "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
 Denis Efremov <efremov@...ux.com>, Gilles Muller <Gilles.Muller@...6.fr>,
 Nicolas Palix <nicolas.palix@...g.fr>, Michal Marek
 <michal.lkml@...kovi.net>, cocci@...teme.lip6.fr
Subject: Re: [PATCH] floppy: fix usercopy direction

On 09.08.2019 16:56, Julia Lawall wrote:
> On Fri, 9 Aug 2019, Alexander Popov wrote:
>> On 27.03.2019 1:03, Jann Horn wrote:
>>> As sparse points out, these two copy_from_user() should actually be
>>> copy_to_user().
>>
>> I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle
>> experts to CC).
>>
>>
>> virtual report
>>
>> @cfu@
> 
> You can replace the above line with @cfu exists@.  You want to find the
> existence of such a call, not ensure that the call occurs on every
> control-flow path, which is the default.

Thanks Julia, I see `exists` allows to drop `<+ +>`, right?

> Do you want this rule to go into the kernel?

It turned out that sparse already can find these bugs.
Is this rule useful anyway? If so, I can prepare a patch.

>> identifier f;
>> type t;
>> identifier v;
>> position decl_p;
>> position copy_p;
>> @@
>>
>> f(..., t v@...l_p, ...)
>> {
>> <+...
>> copy_from_user@...y_p(v, ...)
>> ...+>
>> }
>>
>> @script:python@
>> f << cfu.f;
>> t << cfu.t;
>> v << cfu.v;
>> decl_p << cfu.decl_p;
>> copy_p << cfu.copy_p;
>> @@
>>
>> if '__user' in t:
>>   msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\""
>>   coccilib.report.print_report(decl_p[0], msg0)
>>   msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n"
>>   coccilib.report.print_report(copy_p[0], msg1)
>>
>>
>> The rule output:
>>
>> ./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg"
>> of type "struct compat_floppy_drive_params __user *"
>> ./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the
>> destination. What a shame!
>>
>> ./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg"
>> of type "struct compat_floppy_drive_struct __user *"
>> ./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the
>> destination. What a shame!

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.