[PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: glider@google.com
To: tkjos@google.com, keescook@chromium.org,
	gregkh@linuxfoundation.org, arve@android.com, mingo@redhat.com
Cc: dvyukov@google.com, jannh@google.com, devel@driverdev.osuosl.org,
	peterz@infradead.org, linux-kernel@vger.kernel.org,
	Alexander Potapenko <glider@google.com>
Subject: [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user()
Date: Mon,  2 Mar 2020 14:04:29 +0100	[thread overview]
Message-ID: <20200302130430.201037-2-glider@google.com> (raw)
In-Reply-To: <20200302130430.201037-1-glider@google.com>

Certain copy_from_user() invocations in binder.c are known to
unconditionally initialize locals before their first use, like e.g. in
the following case:

	struct binder_transaction_data tr;
	if (copy_from_user(&tr, ptr, sizeof(tr)))
		return -EFAULT;

In such cases enabling CONFIG_INIT_STACK_ALL leads to insertion of
redundant locals initialization that the compiler fails to remove.
To work around this problem till Clang can deal with it, we apply
__no_initialize to local Binder structures.

This patch was generated using the following Coccinelle script:

  @match@
  type T;
  identifier var;
  position p0, p1;
  @@
  T var@p0;
  ...
  copy_from_user(&var,..., sizeof(var))@p1

  @escapes depends on match@
  type match.T;
  identifier match.var;
  position match.p0,match.p1;
  @@
  T var@p0;
  ... var ...
  copy_from_user(&var,..., sizeof(var))@p1

  @local_inited_by_cfu depends on !escapes@
  type T;
  identifier var;
  position match.p0,match.p1;
  fresh identifier var_noinit = var##" __no_initialize";
  @@
  -T var@p0;
  +T var_noinit;
  ...
  copy_from_user(&var,..., sizeof(var))@p1

Cc: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Alexander Potapenko <glider@google.com>

---
 v2:
  - changed __do_not_initialize to __no_initialize as requested by Kees
    Cook
  - wrote a Coccinelle script to generate the patch
---
 drivers/android/binder.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index a6b2082c24f8f..a59871532ff6b 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3788,7 +3788,7 @@ static int binder_thread_write(struct binder_proc *proc,
 
 		case BC_TRANSACTION_SG:
 		case BC_REPLY_SG: {
-			struct binder_transaction_data_sg tr;
+			struct binder_transaction_data_sg tr __no_initialize;
 
 			if (copy_from_user(&tr, ptr, sizeof(tr)))
 				return -EFAULT;
@@ -3799,7 +3799,7 @@ static int binder_thread_write(struct binder_proc *proc,
 		}
 		case BC_TRANSACTION:
 		case BC_REPLY: {
-			struct binder_transaction_data tr;
+			struct binder_transaction_data tr __no_initialize;
 
 			if (copy_from_user(&tr, ptr, sizeof(tr)))
 				return -EFAULT;
@@ -4827,7 +4827,7 @@ static int binder_ioctl_write_read(struct file *filp,
 	struct binder_proc *proc = filp->private_data;
 	unsigned int size = _IOC_SIZE(cmd);
 	void __user *ubuf = (void __user *)arg;
-	struct binder_write_read bwr;
+	struct binder_write_read bwr __no_initialize;
 
 	if (size != sizeof(struct binder_write_read)) {
 		ret = -EINVAL;
@@ -5039,7 +5039,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		break;
 	}
 	case BINDER_SET_CONTEXT_MGR_EXT: {
-		struct flat_binder_object fbo;
+		struct flat_binder_object fbo __no_initialize;
 
 		if (copy_from_user(&fbo, ubuf, sizeof(fbo))) {
 			ret = -EINVAL;
@@ -5076,7 +5076,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		break;
 	}
 	case BINDER_GET_NODE_INFO_FOR_REF: {
-		struct binder_node_info_for_ref info;
+		struct binder_node_info_for_ref info __no_initialize;
 
 		if (copy_from_user(&info, ubuf, sizeof(info))) {
 			ret = -EFAULT;
@@ -5095,7 +5095,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		break;
 	}
 	case BINDER_GET_NODE_DEBUG_INFO: {
-		struct binder_node_debug_info info;
+		struct binder_node_debug_info info __no_initialize;
 
 		if (copy_from_user(&info, ubuf, sizeof(info))) {
 			ret = -EFAULT;
-- 
2.25.0.265.gbab2e86ba0-goog

next prev parent reply	other threads:[~2020-03-02 13:04 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-02 13:04 [PATCH v2 1/3] compiler.h: define __no_initialize glider
2020-03-02 13:04 ` glider [this message]
2020-03-02 13:09   ` [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user() Joe Perches
2020-03-02 13:25     ` Alexander Potapenko
2020-03-02 13:52       ` Dan Carpenter
2020-03-02 13:58       ` Joe Perches
2020-03-02 18:17         ` Alexander Potapenko
2020-03-02 18:31           ` Jann Horn
2020-03-05  9:03             ` Rasmus Villemoes
2020-03-05 12:45               ` Jann Horn
2020-03-06  2:29               ` Al Viro
2020-03-02 18:50           ` Joe Perches
2020-03-03  9:14             ` Alexander Potapenko
2020-03-03  9:38               ` Dan Carpenter
2020-03-03 13:56                 ` Joe Perches
2020-03-03 14:15                   ` Dan Carpenter
2020-03-04 18:13                 ` Kees Cook
2020-03-05  8:07                   ` Dan Carpenter
2020-03-05  8:26                     ` Kees Cook
2020-03-05  8:33                       ` Alexander Potapenko
2020-03-02 17:38   ` Greg KH
2020-03-02 18:28     ` Alexander Potapenko
2020-03-02 13:04 ` [PATCH v2 3/3] sched/wait: avoid double initialization in ___wait_event() glider
2020-03-02 16:56   ` Todd Kjos
2020-03-02 18:03     ` Alexander Potapenko
2020-03-02 18:39       ` Greg Kroah-Hartman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a6b2082c24f8 dfblob:a59871532ff6 )
 OR (
bs:"[PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200302130430.201037-2-glider@google.com \
    --to=glider@google.com \
    --cc=arve@android.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=dvyukov@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tkjos@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.