From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f41.google.com (mail-ej1-f41.google.com [209.85.218.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 875D82F21 for ; Mon, 4 Apr 2022 14:29:52 +0000 (UTC) Received: by mail-ej1-f41.google.com with SMTP id bq8so20299446ejb.10 for ; Mon, 04 Apr 2022 07:29:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=77kGfP4Ekffc+7FFnax+xXuZmbqgY9SJOFJ7fk7iBNw=; b=R9+3Kmy71VGEeFaQozw9sFkyt7mh1KE6j/VenMTAWOCwG4y79Bmo0CUMvbZKIVOxc8 qBLFvawexcjQmHB5ySGecSLnR0DxPIhGmCb9721y6ABB4I6o+gyyf2RuNZduUgqIT8kw HCxxubAi6CmQ91kTTWyOZBP5+m1sqCTQ21gzaJ0utuPWjwiUVdUfPAYGwOCRp6aR/Utp ziS5QeoySUI6inf5z4jKupCNM9pEGP33wTMmu+RkNFsoe8crFXib4OkbXadzY8jqbA5X BbCaqn/GgkptZI0kl7l6XxBiOOGwDjITDLuSVwm9swRnQHwin5jvaeJOZpS6lsk3t69Y ZNdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=77kGfP4Ekffc+7FFnax+xXuZmbqgY9SJOFJ7fk7iBNw=; b=dQuQ9DigXw7e5TlSysodHoTGVp/wkHAxKwETa5rPDZD9+wCtju3STz66EcWKjqg9du 7zp1GTciPOpmv0mzzTCo8aHtLnNZiuFDVQNdPAc3kSxlzqoGOv19NjT5meRmU1s5sBUQ QYRf7l09QL0t78qGBCCHByEP9CbIAwbpob1RH3ygBNcTCWU6QGjDBb0lZr0a701IYmVu 5amxvwAaHmzr3Wj1HkCg9TtYR5/u9d3qT974VXhYu7XTOamMHdmwazoLy/x1LeoF7+xU e3EVSRUID1dyLoIwe6NkXy2/v8l4TWxkDX3846rF10FRp8Fef9RqyUvCNeRJ4jb/qTGU EpYA== X-Gm-Message-State: AOAM533zsSL+cHyf++FdAmZ/aKaMgFu82msctRrjUKW5AnKPX7MS/VdW kKQSYZBbiPtPRLwxV9flGnI= X-Google-Smtp-Source: ABdhPJwa9ZiC1to5cnPURySwUxxNWevW/upManv7R5NdXF0hNZCzTc9waoQbftAOfnZIin1rsXJsEA== X-Received: by 2002:a17:906:c147:b0:6df:f047:1677 with SMTP id dp7-20020a170906c14700b006dff0471677mr351120ejc.4.1649082590837; Mon, 04 Apr 2022 07:29:50 -0700 (PDT) Received: from leap.localnet (host-95-249-145-232.retail.telecomitalia.it. [95.249.145.232]) by smtp.gmail.com with ESMTPSA id da23-20020a056402177700b0041394d8173csm5293015edb.31.2022.04.04.07.29.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Apr 2022 07:29:49 -0700 (PDT) From: "Fabio M. De Francesco" To: Dan Carpenter Cc: Charlie Sands , gregkh@linuxfoundation.org, Larry.Finger@lwfinger.net, phil@philpotter.co.uk, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, paskripkin@gmail.com Subject: Re: [PATCH V2] Fix unsafe memory access by memcmp Date: Mon, 04 Apr 2022 16:29:48 +0200 Message-ID: <1890716.PYKUYFuaPT@leap> In-Reply-To: <20220404120332.GY3293@kadam> References: <4729027.31r3eYUQgx@leap> <20220404120332.GY3293@kadam> Precedence: bulk X-Mailing-List: linux-staging@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" On luned? 4 aprile 2022 14:03:32 CEST Dan Carpenter wrote: > On Mon, Apr 04, 2022 at 01:25:37PM +0200, Fabio M. De Francesco wrote: > > On luned? 4 aprile 2022 12:50:41 CEST Dan Carpenter wrote: > > > On Sun, Apr 03, 2022 at 10:52:07PM -0400, Charlie Sands wrote: > > > > This patch fixes sparse warnings about the memcmp function unsafely > > > > accessing userspace memory without first copying it to kernel space. > > > > > > > > Signed-off-by: Charlie Sands > > > > --- > > > > > > > > V2: Fixed checkpatch.pl warning and changed variable name as suggested > > > > by Greg K. H. and improved error checking on the "copy_from_user" function as > > > > suggested by Pavel Skripkin. > > > > > > > > drivers/staging/r8188eu/os_dep/ioctl_linux.c | 21 ++++++++++++-------- > > > > 1 file changed, 13 insertions(+), 8 deletions(-) > > > > > > > > diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c > > > > index 7df213856d66..4b4eec2bde96 100644 > > > > --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c > > > > +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c > > > > @@ -3233,23 +3233,28 @@ static int rtw_p2p_get(struct net_device *dev, > > > > struct iw_request_info *info, > > > > union iwreq_data *wrqu, char *extra) > > > > { > > > > - if (!memcmp(wrqu->data.pointer, "status", 6)) { > > > > + char wrqu_data[9]; > > > > + > > > > + if (copy_from_user(wrqu_data, wrqu->data.pointer, 9) != 0) > > > > + return 0; > > > > > > return -EFAULT; We can't assume that that user wants to copy 9 bytes > > > especially when they're passing a 4 character + NUL string. > > > > > > This is a custom ioctl. Called from ioctl_private_iw_point(). > > > > > > I think if you try to dereference a user pointer like this then it will > > > cause a crash, right? So that means no one has ever tested or used this > > > code and we hopefully we can just delete it? > > > > After a quick look, I'm pretty confident that we can also delete > > rtw_p2p_get2() and rtw_p2p_set() unless I'm overlooking something. > > What are the problems with rtw_p2p_get2() and rtw_p2p_set()? > > regards, > dan carpenter > Is it safe to access user space pointers without using proper helpers? In those cases I mean: is it safe without using copy_from_user()? As I said, perhaps I'm overlooking something. However my conclusions follow by your own argument. If I understand what you wrote, you asked to delete rtw_p2p_get() because it looks like nobody "has ever tested or used this code". rtw_p2p_get2() and rtw_p2p_set() use the same pattern of rtw_p2p_get() when they access user space without using the proper helpers. Therefore, I thought that, if you suggest to delete rtw_p2p_get(), why not also rtw_p2p_set() and rtw_p2p_get2() that use the same unsafe accesses? What am I still missing? Thanks, Fabio M. De Francesco