From: Julia Lawall <julia.lawall@inria.fr>
To: Denis Efremov <efremov@linux.com>
Cc: Joe Perches <joe@perches.com>,
	cocci@systeme.lip6.fr, linux-kernel@vger.kernel.org
Subject: Re: [Cocci] [PATCH 2/2] Coccinelle: extend memdup_user rule with vmemdup_user()
Date: Sat, 6 Jun 2020 11:27:59 +0200 (CEST)
Message-ID: <alpine.DEB.2.21.2006061122400.2578@hadrien>
In-Reply-To: <20200530205348.5812-3-efremov@linux.com>



On Sat, 30 May 2020, Denis Efremov wrote:

> Add vmemdup_user() transformations to the memdup_user.cocci rule.
> Commit 50fd2f298bef ("new primitive: vmemdup_user()") introduced
> vmemdup_user(). The function uses kvmalloc with the GFP_USER flag.
>
> Signed-off-by: Denis Efremov <efremov@linux.com>
> ---
>  scripts/coccinelle/api/memdup_user.cocci | 49 +++++++++++++++++++++++-
>  1 file changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/coccinelle/api/memdup_user.cocci b/scripts/coccinelle/api/memdup_user.cocci
> index 49f487e6a5c8..a50def35136e 100644
> --- a/scripts/coccinelle/api/memdup_user.cocci
> +++ b/scripts/coccinelle/api/memdup_user.cocci
> @@ -37,6 +37,28 @@ identifier l1,l2;
>  -    ...+>
>  -  }
>
> +@depends on patch@
> +expression from,to,size;
> +identifier l1,l2;
> +@@
> +
> +-  to = \(kvmalloc\|kvzalloc\)(size,\(GFP_KERNEL\|GFP_USER\));
> ++  to = vmemdup_user(from,size);
> +   if (
> +-      to==NULL
> ++      IS_ERR(to)
> +                 || ...) {
> +   <+... when != goto l1;
> +-  -ENOMEM
> ++  PTR_ERR(to)
> +   ...+>
> +   }
> +-  if (copy_from_user(to, from, size) != 0) {
> +-    <+... when != goto l2;
> +-    -EFAULT
> +-    ...+>
> +-  }
> +

This could protect against modifying vmemdup_user.  Probably the original
rule should protect against modifying memdup_user as well.

julia




>  @r depends on !patch@
>  expression from,to,size;
>  position p;
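
Review bot: in the removed line `to = \(kvmalloc\|kvzalloc\)(size,\(GFP_KERNEL\|GFP_USER\));` the GFP_KERNEL alternative means patch mode rewrites GFP_KERNEL allocations to vmemdup_user(), which the changelog says allocates with GFP_USER, so the allocation flag changes silently at those call sites. Either match only GFP_USER in this rule or state in the changelog that the GFP_KERNEL to GFP_USER change is intended and safe for the callers being converted.
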
> @@ -48,14 +70,37 @@ statement S1,S2;
>     if (copy_from_user(to, from, size) != 0)
>     S2
>
> -@script:python depends on org@
> +@rv depends on !patch@
> +expression from,to,size;
> +position p;
> +statement S1,S2;
> +@@
> +
> +*  to = \(kvmalloc@p\|kvzalloc@p\)(size,\(GFP_KERNEL\|GFP_USER\));
> +   if (to==NULL || ...) S1
> +   if (copy_from_user(to, from, size) != 0)
> +   S2
> +
> +@script:python depends on org && r@
>  p << r.p;
>  @@
>
>  coccilib.org.print_todo(p[0], "WARNING opportunity for memdup_user")
>
> -@script:python depends on report@
> +@script:python depends on report && r@
>  p << r.p;
>  @@
>
>  coccilib.report.print_report(p[0], "WARNING opportunity for memdup_user")
> +
> +@script:python depends on org && rv@
> +p << rv.p;
> +@@
> +
> +coccilib.org.print_todo(p[0], "WARNING opportunity for vmemdup_user")
> +
> +@script:python depends on report && rv@
> +p << rv.p;
> +@@
> +
> +coccilib.report.print_report(p[0], "WARNING opportunity for vmemdup_user")
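
Review bot: the `&& r` and `&& rv` added to the four `@script:python depends on ...@` headers look redundant, because each script already inherits `p` from `r.p` or `rv.p` and so only runs when that rule has produced a binding. Leaving the two existing headers as `depends on org` and `depends on report` would reduce this hunk to the new `rv` rule and its two scripts; if the extra dependency is needed, the changelog should say why.
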
> --
> 2.26.2
