Subject: Re: [Cocci] [RFC] coccicheck: add a test for repeat memory fetches
From: Vaishali Thakkar <vaishali.thakkar@oracle.com>
To: Kees Cook, Julia Lawall
Cc: Vaishali Thakkar, Pengfei Wang, cocci@systeme.lip6.fr, LKML
Date: Wed, 11 Jan 2017 10:53:53 +0530
Message-ID: <0ee2451b-79d1-7bc3-208e-d089002a5b76@oracle.com>
References: <20170109231323.GA89642@beast>
List: linux-kernel@vger.kernel.org

On Wednesday 11 January 2017 05:34 AM, Kees Cook wrote:
> On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawall wrote:
>> OK, I have the impression that what you are looking for is the following,
>> that currently does not seem to work well. Still maybe it gives an idea.
>>
>> The basic pattern is the following sequence:
>>
>> 1. copy_from_user
>> 2. test on a field of the copied value
>> 3. another copy_from_user
>> 4. a use of the same field as tested in step 2 from the structure obtained
>> by the second copy_from_user or a function call with the structure as an
>> argument
>
> This looks pretty good!
>
>> In the case where the second copy_from_user stores the result in a
>> pointer, then a return with no reference of the tested field is also a
>> concern, unless the pointer was already kfreed.
>
> I think sequence "2" above is missing just looking at a direct value,
> like if instead of a field it was a u32. Also, should binop include
> "=="?
>
> And we need to add back in get_user() too... hmmm

Maybe having a separate script for get_user would be a good idea. get_user
needs a few more tests than copy_from_user.

Also, for both cases we can later add multi-function handling rules. And for
get_user, maybe a combinational usage rule as well.

> -Kees
>
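The four-step sequence Julia describes above (fetch, check a field, fetch again, use the field from the second copy) is what the proposed coccicheck rule is meant to flag. The following is an added example, not code from the thread or from the kernel: a user-space model in which copy_from_user() is replaced by a constructed mock (mock_copy_from_user) that reads from a fake user buffer and, when asked to, rewrites the length field between the first and second fetch to stand in for a concurrent user-space writer. The struct names, field names and the 0x1000 value are all constructed for the illustration. The vulnerable handler trusts the length from the second fetch, which the check in step 2 never saw; the single-fetch handler checks and uses the same copy.

```c
/* Added example, not from the thread: a user-space model of the
 * "repeat memory fetch" (double-fetch) sequence the proposed coccicheck
 * rule looks for. copy_from_user() is replaced by a constructed mock that
 * reads from a fake user buffer; the mock optionally changes the length
 * field on the second fetch to model a concurrent user-space writer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_LEN 64U

struct req_hdr {          /* constructed request header */
    uint32_t len;
    uint32_t opcode;
};

struct user_mem {         /* constructed stand-in for a user-space page */
    struct req_hdr hdr;
    int fetches;          /* fetches performed so far */
    int racy;             /* 1: rewrite len between first and second fetch */
};

/* Mock of copy_from_user(): returns 0 on success like the real one. */
static int mock_copy_from_user(void *to, struct user_mem *from, size_t n)
{
    from->fetches++;
    if (from->racy && from->fetches == 2)
        from->hdr.len = 0x1000;   /* the second fetch sees a different value */
    memcpy(to, &from->hdr, n);
    return 0;
}

/* Vulnerable shape: the four steps of the pattern. The value checked in
 * step 2 comes from the first copy; the value used in step 4 comes from the
 * second copy, so the check does not cover it. Returns the length the code
 * would go on to trust, or -1 if the request is rejected. */
int length_after_double_fetch(struct user_mem *u)
{
    struct req_hdr first, second;

    if (mock_copy_from_user(&first, u, sizeof(first)))    /* 1 */
        return -1;
    if (first.len > MAX_LEN)                              /* 2 */
        return -1;
    if (mock_copy_from_user(&second, u, sizeof(second)))  /* 3 */
        return -1;
    return (int)second.len;                               /* 4: unchecked */
}

/* Hardened shape: fetch once, check, and use the same copy. */
int length_after_single_fetch(struct user_mem *u)
{
    struct req_hdr hdr;

    if (mock_copy_from_user(&hdr, u, sizeof(hdr)))
        return -1;
    if (hdr.len > MAX_LEN)
        return -1;
    return (int)hdr.len;
}

/* Run each handler against a fresh constructed buffer whose len starts
 * at 16; racy selects whether the fake user writer races the second fetch. */
int run_double(int racy)
{
    struct user_mem u = { { 16, 1 }, 0, racy };
    return length_after_double_fetch(&u);
}

int run_single(int racy)
{
    struct user_mem u = { { 16, 1 }, 0, racy };
    return length_after_single_fetch(&u);
}

int main(void)
{
    printf("double fetch, no race: %d\n", run_double(0));  /* 16 */
    printf("double fetch, raced:   %d\n", run_double(1));  /* 4096 > MAX_LEN */
    printf("single fetch, raced:   %d\n", run_single(1));  /* 16 */
    return 0;
}
```

Without the race both handlers return 16. With it, the double-fetch handler returns 4096, larger than MAX_LEN, even though step 2 rejected anything over 64; the single-fetch handler still returns 16 because the checked copy is the one used. Kees's point about direct values applies the same way when the fetched object is a plain u32 via get_user() rather than a struct field.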