Re: [RFC] coccicheck: add a test for repeat memory fetches

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Julia Lawall <julia.lawall@lip6.fr>
To: Kees Cook <keescook@chromium.org>
Cc: cocci@systeme.lip6.fr, Pengfei Wang <wpengfeinudt@gmail.com>,
	Vaishali Thakkar <vthakkar1994@gmail.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] coccicheck: add a test for repeat memory fetches
Date: Tue, 10 Jan 2017 20:30:29 +0100 (CET)	[thread overview]
Message-ID: <alpine.DEB.2.20.1701102028300.1981@hadrien> (raw)
In-Reply-To: <CAGXu5j+Nk9r7K=FJe4v5b8mX_Fn411JMGks2sueyOFS2aTo1Ow@mail.gmail.com>



On Tue, 10 Jan 2017, Kees Cook wrote:

> On Tue, Jan 10, 2017 at 10:28 AM, Julia Lawall <julia.lawall@lip6.fr> wrote:
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2159
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2257
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2302
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2342
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2365
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2406
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2439
> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2491
> >
> > Do you want the above results?  They have the form:
> >
> > if (copy_from_user(&t, useraddr, sizeof(t)))
> >
> > My reasoning was that there could be no problem here, because the size is
> > the size of the destination structure.  It doesn't depend on user level data.
>
> They're likely false positives, but it does follow the pattern of
> reading the same userspace location twice:
>
>         if (copy_from_user(&cmd, useraddr, sizeof(cmd)))
>                 return -EFAULT;
>
>         switch (cmd) {
>         case CHELSIO_SET_QSET_PARAMS:{
>                 int i;
>                 struct qset_params *q;
>                 struct ch_qset_params t;
>                 int q1 = pi->first_qset;
>                 int nqsets = pi->nqsets;
>
>                 if (!capable(CAP_NET_ADMIN))
>                         return -EPERM;
>                 if (copy_from_user(&t, useraddr, sizeof(t)))
>                         return -EFAULT;
>
> If there is any logic that examines cmd (u32) and operates on t
> (struct ch_qset_params), there could be a flaw. It doesn't look like
> it here, but a "correct" version of this would be:
>
>                 if (copy_from_user(&t, useraddr, sizeof(t)))
>                         return -EFAULT;
>                 t.cmd = cmd;

OK, I'm fine with putting them all back.

For another issue, what about code like the following:

        if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
                return -EFAULT;

        if ((u_cmd.outsize > EC_MAX_MSG_BYTES) ||
	    (u_cmd.insize > EC_MAX_MSG_BYTES))
		return -EINVAL;

        s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
                        GFP_KERNEL);
        if (!s_cmd)
                return -ENOMEM;

        if (copy_from_user(s_cmd, arg, sizeof(*s_cmd) + u_cmd.outsize)) {
		ret = -EFAULT;
                goto exit;
        }

It doesn't actually test sizeof(*s_cmd) + u_cmd.outsize, but it does test
u_cmd.outsize > EC_MAX_MSG_BYTES, and presumably that test accounts for
the extra sizeof(*s_cmd) value.

julia

next prev parent reply	other threads:[~2017-01-10 19:31 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-09 23:13 [RFC] coccicheck: add a test for repeat memory fetches Kees Cook
2017-01-10  6:06 ` Julia Lawall
2017-01-10  7:57   ` Pengfei Wang
2017-01-10  8:01     ` Julia Lawall
2017-01-10  8:18       ` Vaishali Thakkar
2017-01-10 18:28 ` Julia Lawall
2017-01-10 19:23   ` Kees Cook
2017-01-10 19:27     ` Kees Cook
2017-01-10 19:30     ` Julia Lawall [this message]
2017-01-10 20:04       ` Kees Cook
2017-01-10 21:14         ` Julia Lawall
2017-01-11  0:04           ` Kees Cook
2017-01-11  5:23             ` [Cocci] " Vaishali Thakkar
2017-01-11  5:49             ` Julia Lawall

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.20.1701102028300.1981@hadrien \
    --to=julia.lawall@lip6.fr \
    --cc=cocci@systeme.lip6.fr \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=vthakkar1994@gmail.com \
    --cc=wpengfeinudt@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox