From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: ksummit@lists.linux.dev, Julia Lawall <julia.lawall@inria.fr>
Subject: Re: Potential static analysis ideas
Date: Tue, 27 Jul 2021 12:38:08 +0300 [thread overview]
Message-ID: <20210727093808.GO25548@kadam> (raw)
In-Reply-To: <20210726155039.GR4397@paulmck-ThinkPad-P17-Gen-1>
On Mon, Jul 26, 2021 at 08:50:39AM -0700, Paul E. McKenney wrote:
> On Fri, Jul 23, 2021 at 10:10:23PM +0300, Dan Carpenter wrote:
> > Rust has many good static analysis features but if we wanted we could
> > implement a number of stricter rules in C. With Smatch I have tried to
> > focus on exclusively on finding bugs because everyone can agree that
> > bugs are bad. But if some subsystems wanted to implement stricter rules
> > just as a hardenning measure then that's a doable thing.
> >
> > For example, I've tried a bunch of approaches to warning about when the
> > user can trigger an integer overflow. The challenge is that most
> > integer overflows are harmless and do not cause a real life bug.
>
> I would not want overflow checks for unsigned integers, but it might
> be helpful for signed integers. But yes, most of us rely on fwrapv,
> so that kernelwide checks for signed integer overflow will be quite noisy.
Since we use -fwrapv then even signed integer overflows are defined and
I haven't seen a way that checking for signed integer overflows can be
useful.
With integer overflows I'm more talking about integer overflows from the
user. And I imagine a subsystem specific thing as a kind of "We want
extra security but aren't ready to port everything to Rust" type option.
I have almost 2 thousand of these warnings. This first example is from
the ioctl and probably root only. Plus commit 6d13de1489b6 ("uaccess:
disallow > INT_MAX copy sizes") really improved security.
drivers/fpga/dfl-fme-pr.c
83 if (copy_from_user(&port_pr, argp, minsz))
84 return -EFAULT;
85
86 if (port_pr.argsz < minsz || port_pr.flags)
87 return -EINVAL;
88
89 /* get fme header region */
90 fme_hdr = dfl_get_feature_ioaddr_by_id(&pdev->dev,
91 FME_FEATURE_ID_HEADER);
92
93 /* check port id */
94 v = readq(fme_hdr + FME_HDR_CAP);
95 if (port_pr.port_id >= FIELD_GET(FME_CAP_NUM_PORTS, v)) {
96 dev_dbg(&pdev->dev, "port number more than maximum\n");
97 return -EINVAL;
98 }
99
100 /*
101 * align PR buffer per PR bandwidth, as HW ignores the extra padding
102 * data automatically.
103 */
104 length = ALIGN(port_pr.buffer_size, 4);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This ALIGN() operation can overflow but only to zero.
105
106 buf = vmalloc(length);
kmalloc(() allows zero size allocations but vmalloc() will return NULL.
And actually, in April, Nicholas Piggin made it trigger a WARN_ONCE().
107 if (!buf)
108 return -ENOMEM;
109
110 if (copy_from_user(buf,
111 (void __user *)(unsigned long)port_pr.buffer_address,
112 port_pr.buffer_size)) {
^^^^^^^^^^^^^^^^^^^
So this can't corrupt memory for the reasons given above.
(It's still buggy because it doesn't zero out the last three bytes
between port_pr.buffer_size and length, but that's a different issue).
regards,
dan carpenter
next prev parent reply other threads:[~2021-07-27 9:38 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-23 19:10 Potential static analysis ideas Dan Carpenter
2021-07-24 13:33 ` Geert Uytterhoeven
2021-07-24 13:40 ` Julia Lawall
2021-07-24 14:08 ` Arnd Bergmann
2021-07-24 23:18 ` Laurent Pinchart
2021-07-24 23:45 ` NeilBrown
2021-07-26 7:25 ` Arnd Bergmann
2021-07-26 7:53 ` Geert Uytterhoeven
2021-07-26 8:20 ` Arnd Bergmann
2021-07-26 8:39 ` Geert Uytterhoeven
2021-07-26 8:52 ` Arnd Bergmann
2021-07-26 9:11 ` Geert Uytterhoeven
2021-07-26 8:55 ` Julia Lawall
2021-07-26 9:08 ` Hannes Reinecke
2021-07-26 9:16 ` Geert Uytterhoeven
2021-07-26 9:28 ` Julia Lawall
2021-07-26 9:35 ` Hannes Reinecke
2021-07-26 10:03 ` Julia Lawall
2021-07-26 17:54 ` James Bottomley
2021-07-26 18:16 ` Linus Torvalds
2021-07-26 21:53 ` NeilBrown
2021-07-26 18:31 ` Laurent Pinchart
2021-07-26 9:17 ` Dan Carpenter
2021-07-26 9:13 ` Dan Carpenter
2021-07-26 21:43 ` NeilBrown
2021-07-26 7:05 ` Dan Carpenter
2021-07-26 15:50 ` Paul E. McKenney
2021-07-27 9:38 ` Dan Carpenter [this message]
2021-07-27 9:50 ` Geert Uytterhoeven
2021-07-27 16:06 ` Paul E. McKenney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210727093808.GO25548@kadam \
--to=dan.carpenter@oracle.com \
--cc=julia.lawall@inria.fr \
--cc=ksummit@lists.linux.dev \
--cc=paulmck@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.