[PATCH] parisc: add strict copy size checks

Linux PARISC architecture development
 help / color / mirror / Atom feed

* [PATCH] parisc: add strict copy size checks
@ 2009-12-22 22:56 Helge Deller
  2009-12-22 23:21 ` Helge Deller
  2010-02-01 19:56 ` [PATCH] parisc: add strict copy size checks (v2) Helge Deller
  0 siblings, 2 replies; 4+ messages in thread
From: Helge Deller @ 2009-12-22 22:56 UTC (permalink / raw)
  To: linux-parisc, Kyle McMartin

Add CONFIG_DEBUG_STRICT_USER_COPY_CHECKS, copied from the x86
implementation.

Signed-off-by: Helge Deller <deller@gmx.de>


diff --git a/arch/parisc/Kconfig.debug b/arch/parisc/Kconfig.debug
--- a/arch/parisc/Kconfig.debug
+++ b/arch/parisc/Kconfig.debug
@@ -12,4 +12,18 @@ config DEBUG_RODATA
          portion of the kernel code won't be covered by a TLB anymore.
          If in doubt, say "N".
 
+config DEBUG_STRICT_USER_COPY_CHECKS
+	bool "Strict copy size checks"
+	depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
+	---help---
+	  Enabling this option turns a certain set of sanity checks for user
+	  copy operations into compile time failures.
+
+	  The copy_from_user() etc checks are there to help test if there
+	  are sufficient security checks on the length argument of
+	  the copy operation, by having gcc prove that the argument is
+	  within bounds.
+
+	  If unsure, or if you run an older (pre 4.4) gcc, say N.
+
 endmenu
diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -7,6 +7,7 @@
 #include <asm/page.h>
 #include <asm/system.h>
 #include <asm/cache.h>
+#include <asm/errno.h>
 #include <asm-generic/uaccess-unaligned.h>
 
 #define VERIFY_READ 0
@@ -234,13 +235,35 @@ extern long lstrnlen_user(const char __user *,long);
 
 unsigned long copy_to_user(void __user *dst, const void *src, unsigned long len);
 #define __copy_to_user copy_to_user
-unsigned long copy_from_user(void *dst, const void __user *src, unsigned long len);
-#define __copy_from_user copy_from_user
+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long len);
 unsigned long copy_in_user(void __user *dst, const void __user *src, unsigned long len);
 #define __copy_in_user copy_in_user
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
+extern void copy_from_user_overflow(void)
+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
+        __compiletime_error("copy_from_user() buffer size is not provably correct")
+#else
+        __compiletime_warning("copy_from_user() buffer size is not provably correct")
+#endif
+;
+
+static inline unsigned long __must_check copy_from_user(void *to,
+                                          const void __user *from,
+                                          unsigned long n)
+{
+        int sz = __compiletime_object_size(to);
+        int ret = -EFAULT;
+
+        if (likely(sz == -1 || sz >= n))
+                ret = __copy_from_user(to, from, n);
+        else
+                copy_from_user_overflow();
+
+        return ret;
+}
+
 struct pt_regs;
 int fixup_exception(struct pt_regs *regs);
 
diff --git a/arch/parisc/lib/memcpy.c b/arch/parisc/lib/memcpy.c
--- a/arch/parisc/lib/memcpy.c
+++ b/arch/parisc/lib/memcpy.c
@@ -475,7 +475,8 @@ unsigned long copy_to_user(void __user *dst, const void *src, unsigned long len)
 	return pa_memcpy((void __force *)dst, src, len);
 }
 
-unsigned long copy_from_user(void *dst, const void __user *src, unsigned long len)
+EXPORT_SYMBOL(__copy_from_user);
+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long len)
 {
 	mtsp(get_user_space(), 1);
 	mtsp(get_kernel_space(), 2);


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] parisc: add strict copy size checks
  2009-12-22 22:56 [PATCH] parisc: add strict copy size checks Helge Deller
@ 2009-12-22 23:21 ` Helge Deller
  2009-12-26 17:32   ` Kyle McMartin
  2010-02-01 19:56 ` [PATCH] parisc: add strict copy size checks (v2) Helge Deller
  1 sibling, 1 reply; 4+ messages in thread
From: Helge Deller @ 2009-12-22 23:21 UTC (permalink / raw)
  To: linux-parisc, Kyle McMartin

On 12/22/2009 11:56 PM, Helge Deller wrote:
> Add CONFIG_DEBUG_STRICT_USER_COPY_CHECKS, copied from the x86
> implementation.
> [...PATCH...]

Kyle,

please don't apply yet.
It will break the 64bit build.
Nevertheless, it brings up some code areas which would need
investigation...

Helge

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] parisc: add strict copy size checks
  2009-12-22 23:21 ` Helge Deller
@ 2009-12-26 17:32   ` Kyle McMartin
  0 siblings, 0 replies; 4+ messages in thread
From: Kyle McMartin @ 2009-12-26 17:32 UTC (permalink / raw)
  To: Helge Deller; +Cc: linux-parisc, Kyle McMartin

On Wed, Dec 23, 2009 at 12:21:04AM +0100, Helge Deller wrote:
> On 12/22/2009 11:56 PM, Helge Deller wrote:
>> Add CONFIG_DEBUG_STRICT_USER_COPY_CHECKS, copied from the x86
>> implementation.
>> [...PATCH...]
>
> Kyle,
>
> please don't apply yet.
> It will break the 64bit build.
> Nevertheless, it brings up some code areas which would need
> investigation...
>

Ok, cool.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] parisc: add strict copy size checks (v2)
  2009-12-22 22:56 [PATCH] parisc: add strict copy size checks Helge Deller
  2009-12-22 23:21 ` Helge Deller
@ 2010-02-01 19:56 ` Helge Deller
  1 sibling, 0 replies; 4+ messages in thread
From: Helge Deller @ 2010-02-01 19:56 UTC (permalink / raw)
  To: Helge Deller, linux-parisc, Kyle McMartin

Add CONFIG_DEBUG_STRICT_USER_COPY_CHECKS, copied from the x86
implementation. Tested with 32 and 64bit kernel.

Signed-off-by: Helge Deller <deller@gmx.de>

diff --git a/arch/parisc/Kconfig.debug b/arch/parisc/Kconfig.debug
index bc989e5..7305ac8 100644
--- a/arch/parisc/Kconfig.debug
+++ b/arch/parisc/Kconfig.debug
@@ -12,4 +12,18 @@ config DEBUG_RODATA
          portion of the kernel code won't be covered by a TLB anymore.
          If in doubt, say "N".
 
+config DEBUG_STRICT_USER_COPY_CHECKS
+	bool "Strict copy size checks"
+	depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
+	---help---
+	  Enabling this option turns a certain set of sanity checks for user
+	  copy operations into compile time failures.
+
+	  The copy_from_user() etc checks are there to help test if there
+	  are sufficient security checks on the length argument of
+	  the copy operation, by having gcc prove that the argument is
+	  within bounds.
+
+	  If unsure, or if you run an older (pre 4.4) gcc, say N.
+
 endmenu
diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
index 7cf799d..ff4cf9d 100644
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -7,6 +7,7 @@
 #include <asm/page.h>
 #include <asm/system.h>
 #include <asm/cache.h>
+#include <asm/errno.h>
 #include <asm-generic/uaccess-unaligned.h>
 
 #define VERIFY_READ 0
@@ -234,13 +235,35 @@ extern long lstrnlen_user(const char __user *,long);
 
 unsigned long copy_to_user(void __user *dst, const void *src, unsigned long len);
 #define __copy_to_user copy_to_user
-unsigned long copy_from_user(void *dst, const void __user *src, unsigned long len);
-#define __copy_from_user copy_from_user
+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long len);
 unsigned long copy_in_user(void __user *dst, const void __user *src, unsigned long len);
 #define __copy_in_user copy_in_user
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
+extern void copy_from_user_overflow(void)
+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
+        __compiletime_error("copy_from_user() buffer size is not provably correct")
+#else
+        __compiletime_warning("copy_from_user() buffer size is not provably correct")
+#endif
+;
+
+static inline unsigned long __must_check copy_from_user(void *to,
+                                          const void __user *from,
+                                          unsigned long n)
+{
+        int sz = __compiletime_object_size(to);
+        int ret = -EFAULT;
+
+        if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
+                ret = __copy_from_user(to, from, n);
+        else
+                copy_from_user_overflow();
+
+        return ret;
+}
+
 struct pt_regs;
 int fixup_exception(struct pt_regs *regs);
 
diff --git a/arch/parisc/lib/memcpy.c b/arch/parisc/lib/memcpy.c
index abf41f4..1dbca5c 100644
--- a/arch/parisc/lib/memcpy.c
+++ b/arch/parisc/lib/memcpy.c
@@ -475,7 +475,8 @@ unsigned long copy_to_user(void __user *dst, const void *src, unsigned long len)
 	return pa_memcpy((void __force *)dst, src, len);
 }
 
-unsigned long copy_from_user(void *dst, const void __user *src, unsigned long len)
+EXPORT_SYMBOL(__copy_from_user);
+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long len)
 {
 	mtsp(get_user_space(), 1);
 	mtsp(get_kernel_space(), 2);

^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-02-01 19:56 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-12-22 22:56 [PATCH] parisc: add strict copy size checks Helge Deller
2009-12-22 23:21 ` Helge Deller
2009-12-26 17:32   ` Kyle McMartin
2010-02-01 19:56 ` [PATCH] parisc: add strict copy size checks (v2) Helge Deller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox