From: Pavel Skripkin <paskripkin@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: smatch@vger.kernel.org
Subject: Re: [PATCH] check_netdev_priv: warn about using netdev priv data after free_netdev
Date: Tue, 3 Aug 2021 19:03:59 +0300 [thread overview]
Message-ID: <41b1499c-3715-30df-b083-159c7d71efcb@gmail.com> (raw)
In-Reply-To: <20210803150826.GC1931@kadam>
Hi, Dan!
On 8/3/21 6:08 PM, Dan Carpenter wrote:
> Thanks Pavel!
>
> It looks really nice. I've applied it. I'll test it tonight and push
> tomorrow.
>
> I don't see any major issues with the check at all, but I have a few
> comments below.
>
> On Tue, Aug 03, 2021 at 12:00:22AM +0300, Pavel Skripkin wrote:
>> +static void match_free_netdev(const char *fn, struct expression *expr, void *_arg_no)
>> +{
>> + struct expression *arg;
>> + const char *name;
>> +
>> + arg = get_argument_from_call_expr(expr->args, PTR_INT(_arg_no));
>> + if (!arg)
>> + return;
>> +
>> + name = expr_to_var(arg);
>> + if (!name)
>> + return;
>> +
>> + set_state(my_id, name, NULL, &freed);
>> +}
>
> There is a new param_key API which would make this function shorter.
>
> static void free_netdev(struct expression *expr, const char *name, struct symbol *sym, void *data)
> {
> set_state(my_id, name, NULL, &freed);
> }
>
> Then in the register function you'd add a hooks like this:
>
> add_function_param_key_hook("free_netdev", &free_netdev, 0, "$", NULL);
> add_function_param_key_hook("free_candev", &free_netdev, 0, "$", NULL);
>
I guess, I missed that API, sorry :( Next time I will use it instead.
> Of course, you've already written your own code which works so it's
> fine. But that param_key API is really the most awesome thing.
>
>> +
>> +static void match_symbol(struct expression *expr)
>> +{
>> + const char *parent_netdev, *name;
>> + struct smatch_state *state;
>> +
>
> This hook is run for every variable so it's tempting to add a shortcut
> here:
>
> if (!has_states(my_id))
> return;
>
>> + name = expr_to_var(expr);
>> + if (!name)
>> + return;
>> +
>> + parent_netdev = get_parent_netdev_name(expr);
>> + if (!parent_netdev)
>> + return;
>> +
>> + state = get_state(my_id, parent_netdev, NULL);
>> + if (state == &freed)
>> + sm_error("Using %s after free_{netdev,candev}(%s);\n", name, parent_netdev);
>> +}
>> +
>> +void check_uaf_netdev_priv(int id)
>> +{
>> + if (option_project != PROJ_KERNEL)
>> + return;
>> +
>> + my_id = id;
>> +
>> + add_function_hook("free_netdev", &match_free_netdev, NULL);
>
> NULL works but INT_PTR(0) is nicer. ;)
>
>> + add_function_hook("free_candev", &match_free_netdev, NULL);
>> + add_modification_hook(my_id, &ok_to_use);
>> + add_hook(&match_symbol, SYM_HOOK);
>> +}
>
> Anyway, I think I will probably add the has_states() check but the
> rest isn't important.
Thank you for applying and your guidelines, I appreciate it :)
With regards,
Pavel Skripkin
next prev parent reply other threads:[~2021-08-03 16:04 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-02 21:00 [PATCH] check_netdev_priv: warn about using netdev priv data after free_netdev Pavel Skripkin
2021-08-03 15:08 ` Dan Carpenter
2021-08-03 16:03 ` Pavel Skripkin [this message]
2021-08-04 7:05 ` Dan Carpenter
2021-08-04 14:35 ` Dan Carpenter
2021-08-04 14:40 ` Pavel Skripkin
2021-08-04 14:44 ` Pavel Skripkin
2021-08-04 14:55 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41b1499c-3715-30df-b083-159c7d71efcb@gmail.com \
--to=paskripkin@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=smatch@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox