From: Julia Lawall <julia.lawall@lip6.fr>
To: Kees Cook <keescook@chromium.org>
Cc: cocci@systeme.lip6.fr, Pengfei Wang <wpengfeinudt@gmail.com>,
Vaishali Thakkar <vthakkar1994@gmail.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] coccicheck: add a test for repeat memory fetches
Date: Wed, 11 Jan 2017 06:49:43 +0100 (CET) [thread overview]
Message-ID: <alpine.DEB.2.20.1701110646550.2396@hadrien> (raw)
In-Reply-To: <CAGXu5jJ55j1r3H2NP8P4Tv4kqu+DZbj+Q6eor6mUcX8eRj4NTQ@mail.gmail.com>
On Tue, 10 Jan 2017, Kees Cook wrote:
> On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawall <julia.lawall@lip6.fr> wrote:
> > OK, I have the impression that what you are looking for is the following,
> > that currently does not seem to work well. Still maybe it gives an idea.
> >
> > The basic pattern is the following sequence:
> >
> > 1. copy_from_user
> > 2. test on a field of the copied value
> > 3. another copy_from_user
> > 4. a use of the same field as tested in step 2 from the structure obtained
> > by the second copy_from_user or a function call with the structure as an
> > argument
>
> This looks pretty good!
>
> > In the case where the second copy_from_user stores the result in a
> > pointer, then a return with no reference of the tested field is also a
> > concern, unless, the pointer was already kfreed.
>
> I think sequence "2" above missing just looking at a direct value,
> like if instead of a field it was a u32. Also, should binop include
> "=="?
I wasn't sure what to do with a direct value, because one wouldn't know
what field it would correspond to. A solution could be to pull the first
field out of the structure declaration.
I'll add == and !=.
> And we need to add back in get_user() too... hmmm
OK.
julia
prev parent reply other threads:[~2017-01-11 5:49 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-09 23:13 [RFC] coccicheck: add a test for repeat memory fetches Kees Cook
2017-01-10 6:06 ` Julia Lawall
2017-01-10 7:57 ` Pengfei Wang
2017-01-10 8:01 ` Julia Lawall
2017-01-10 8:18 ` Vaishali Thakkar
2017-01-10 18:28 ` Julia Lawall
2017-01-10 19:23 ` Kees Cook
2017-01-10 19:27 ` Kees Cook
2017-01-10 19:30 ` Julia Lawall
2017-01-10 20:04 ` Kees Cook
2017-01-10 21:14 ` Julia Lawall
2017-01-11 0:04 ` Kees Cook
2017-01-11 5:23 ` [Cocci] " Vaishali Thakkar
2017-01-11 5:49 ` Julia Lawall [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1701110646550.2396@hadrien \
--to=julia.lawall@lip6.fr \
--cc=cocci@systeme.lip6.fr \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vthakkar1994@gmail.com \
--cc=wpengfeinudt@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox