* [PATCH 0/4] strict user copy checks on x86_64 @ 2011-05-31 18:14 Stephen Boyd 2011-05-31 18:14 ` [PATCH 1/4] [SCSI] lpfc: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning Stephen Boyd ` (3 more replies) 0 siblings, 4 replies; 11+ messages in thread From: Stephen Boyd @ 2011-05-31 18:14 UTC (permalink / raw) To: Andrew Morton; +Cc: linux-kernel Andrew, I'm sending this to you because these weren't picked up last round and the final patch is cross architecture. Backstory --------- It turns out that strict user copy checks (also known as CONFIG_DEBUG_STRICT_USER_COPY_CHECKS) isn't actually implemented on x86_64 and thus we aren't catching potential security holes at compile time. This series adds support for strict user copy checks on x86_64 and silences all the benign warnings in the x86_64 allyesconfig for linux-next 20110531. The final patch consolidates the config option as its duplicated across mutliple arches. Stephen Boyd (4): lpfc: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning kprobes: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning x86: Implement strict user copy checks for x86_64 Consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS arch/parisc/Kconfig | 1 + arch/parisc/Kconfig.debug | 14 -------------- arch/s390/Kconfig | 1 + arch/s390/Kconfig.debug | 14 -------------- arch/s390/lib/Makefile | 1 - arch/s390/lib/usercopy.c | 8 -------- arch/sparc/lib/Makefile | 1 - arch/sparc/lib/usercopy.c | 8 -------- arch/tile/Kconfig | 8 +------- arch/tile/include/asm/uaccess.h | 7 ++++++- arch/tile/lib/uaccess.c | 8 -------- arch/x86/Kconfig | 1 + arch/x86/Kconfig.debug | 14 -------------- arch/x86/include/asm/uaccess_64.h | 12 +++++++++--- arch/x86/lib/usercopy_32.c | 6 ------ drivers/scsi/lpfc/lpfc_debugfs.c | 3 ++- kernel/kprobes.c | 2 +- lib/Kconfig.debug | 18 ++++++++++++++++++ lib/Makefile | 1 + lib/usercopy.c | 8 ++++++++ 20 files changed, 49 insertions(+), 87 deletions(-) delete mode 100644 arch/s390/lib/usercopy.c delete mode 100644 arch/sparc/lib/usercopy.c create mode 100644 lib/usercopy.c -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 1/4] [SCSI] lpfc: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning 2011-05-31 18:14 [PATCH 0/4] strict user copy checks on x86_64 Stephen Boyd @ 2011-05-31 18:14 ` Stephen Boyd 2011-05-31 18:14 ` [PATCH 2/4] kprobes: " Stephen Boyd ` (2 subsequent siblings) 3 siblings, 0 replies; 11+ messages in thread From: Stephen Boyd @ 2011-05-31 18:14 UTC (permalink / raw) To: Andrew Morton; +Cc: linux-kernel, linux-scsi, James E.J. Bottomley Enabling DEBUG_STRICT_USER_COPY_CHECKS causes the following warning: In file included from arch/x86/include/asm/uaccess.h:573, from include/linux/uaccess.h:5, from include/linux/highmem.h:7, from include/linux/pagemap.h:10, from include/linux/blkdev.h:12, from drivers/scsi/lpfc/lpfc_debugfs.c:21: In function 'copy_from_user': arch/x86/include/asm/uaccess_64.h:65: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct presumably due to buf_size being signed causing GCC to fail to see that buf_size can't become negative. Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> Acked-by: James Smart <james.smart@emulex.com> --- drivers/scsi/lpfc/lpfc_debugfs.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c index ffe82d1..30b25c5 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -1147,7 +1147,8 @@ static int lpfc_idiag_cmd_get(const char __user *buf, size_t nbytes, { char mybuf[64]; char *pbuf, *step_str; - int bsize, i; + int i; + size_t bsize; /* Protect copy from user */ if (!access_ok(VERIFY_READ, buf, nbytes)) -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 2/4] kprobes: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning 2011-05-31 18:14 [PATCH 0/4] strict user copy checks on x86_64 Stephen Boyd 2011-05-31 18:14 ` [PATCH 1/4] [SCSI] lpfc: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning Stephen Boyd @ 2011-05-31 18:14 ` Stephen Boyd 2011-05-31 18:14 ` [PATCH 3/4] x86: Implement strict user copy checks for x86_64 Stephen Boyd 2011-05-31 18:14 ` [PATCH 4/4] Consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS Stephen Boyd 3 siblings, 0 replies; 11+ messages in thread From: Stephen Boyd @ 2011-05-31 18:14 UTC (permalink / raw) To: Andrew Morton Cc: linux-kernel, Ananth N Mavinakayanahalli, Anil S Keshavamurthy, David S. Miller Enabling DEBUG_STRICT_USER_COPY_CHECKS causes the following warning: In file included from arch/x86/include/asm/uaccess.h:573, from kernel/kprobes.c:55: In function 'copy_from_user', inlined from 'write_enabled_file_bool' at kernel/kprobes.c:2191: arch/x86/include/asm/uaccess_64.h:65: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct presumably due to buf_size being signed causing GCC to fail to see that buf_size can't become negative. Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com> Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com> Cc: David S. Miller <davem@davemloft.net> Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> --- kernel/kprobes.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index 7798181..1938187 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -2185,7 +2185,7 @@ static ssize_t write_enabled_file_bool(struct file *file, const char __user *user_buf, size_t count, loff_t *ppos) { char buf[32]; - int buf_size; + size_t buf_size; buf_size = min(count, (sizeof(buf)-1)); if (copy_from_user(buf, user_buf, buf_size)) -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-05-31 18:14 [PATCH 0/4] strict user copy checks on x86_64 Stephen Boyd 2011-05-31 18:14 ` [PATCH 1/4] [SCSI] lpfc: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning Stephen Boyd 2011-05-31 18:14 ` [PATCH 2/4] kprobes: " Stephen Boyd @ 2011-05-31 18:14 ` Stephen Boyd 2011-06-30 19:19 ` Andrew Morton 2011-07-07 21:54 ` Andrew Morton 2011-05-31 18:14 ` [PATCH 4/4] Consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS Stephen Boyd 3 siblings, 2 replies; 11+ messages in thread From: Stephen Boyd @ 2011-05-31 18:14 UTC (permalink / raw) To: Andrew Morton; +Cc: linux-kernel Strict user copy checks are only really supported on x86_32 even though the config option is selectable on x86_64. Add the necessary support to the 64 bit code to trigger copy_from_user() warnings at compile time. Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> Acked-by: Ingo Molnar <mingo@elte.hu> Acked-by: H. Peter Anvin <hpa@zytor.com> --- arch/x86/include/asm/uaccess_64.h | 12 +++++++++--- arch/x86/lib/usercopy_64.c | 6 ++++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h index 1c66d30..6ca53e5 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -43,6 +43,14 @@ _copy_from_user(void *to, const void __user *from, unsigned len); __must_check unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len); +extern void copy_from_user_overflow(void) +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS + __compiletime_error("copy_from_user() buffer size is not provably correct") +#else + __compiletime_warning("copy_from_user() buffer size is not provably correct") +#endif +; + static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) @@ -52,10 +60,8 @@ static inline unsigned long __must_check copy_from_user(void *to, might_fault(); if (likely(sz == -1 || sz >= n)) n = _copy_from_user(to, from, n); -#ifdef CONFIG_DEBUG_VM else - WARN(1, "Buffer overflow detected!\n"); -#endif + copy_from_user_overflow(); return n; } diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c index b7c2849..d7a5d9a 100644 --- a/arch/x86/lib/usercopy_64.c +++ b/arch/x86/lib/usercopy_64.c @@ -181,3 +181,9 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) break; return len; } + +void copy_from_user_overflow(void) +{ + WARN(1, "Buffer overflow detected!\n"); +} +EXPORT_SYMBOL(copy_from_user_overflow); -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-05-31 18:14 ` [PATCH 3/4] x86: Implement strict user copy checks for x86_64 Stephen Boyd @ 2011-06-30 19:19 ` Andrew Morton 2011-06-30 19:23 ` Stephen Boyd 2011-07-07 21:54 ` Andrew Morton 1 sibling, 1 reply; 11+ messages in thread From: Andrew Morton @ 2011-06-30 19:19 UTC (permalink / raw) To: Stephen Boyd; +Cc: linux-kernel On Tue, 31 May 2011 11:14:32 -0700 Stephen Boyd <sboyd@codeaurora.org> wrote: > Strict user copy checks are only really supported on x86_32 even > though the config option is selectable on x86_64. Add the > necessary support to the 64 bit code to trigger copy_from_user() > warnings at compile time. So I'm getting 20-30 warnings from an x86_64 allmodconfig build. I don't think we want a million other people to have to put up with those warnings too. Can you please take a look at fixing these up? ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-06-30 19:19 ` Andrew Morton @ 2011-06-30 19:23 ` Stephen Boyd 2011-06-30 19:36 ` Andrew Morton 0 siblings, 1 reply; 11+ messages in thread From: Stephen Boyd @ 2011-06-30 19:23 UTC (permalink / raw) To: Andrew Morton; +Cc: linux-kernel On 06/30/2011 12:19 PM, Andrew Morton wrote: > On Tue, 31 May 2011 11:14:32 -0700 > Stephen Boyd <sboyd@codeaurora.org> wrote: > >> Strict user copy checks are only really supported on x86_32 even >> though the config option is selectable on x86_64. Add the >> necessary support to the 64 bit code to trigger copy_from_user() >> warnings at compile time. > > So I'm getting 20-30 warnings from an x86_64 allmodconfig build. > > I don't think we want a million other people to have to put up with > those warnings too. Can you please take a look at fixing these up? > Care to share the warnings? I'll run a build again and fix any new warnings I find. -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-06-30 19:23 ` Stephen Boyd @ 2011-06-30 19:36 ` Andrew Morton 2011-07-06 4:33 ` Stephen Boyd 0 siblings, 1 reply; 11+ messages in thread From: Andrew Morton @ 2011-06-30 19:36 UTC (permalink / raw) To: Stephen Boyd; +Cc: linux-kernel On Thu, 30 Jun 2011 12:23:56 -0700 Stephen Boyd <sboyd@codeaurora.org> wrote: > On 06/30/2011 12:19 PM, Andrew Morton wrote: > > On Tue, 31 May 2011 11:14:32 -0700 > > Stephen Boyd <sboyd@codeaurora.org> wrote: > > > >> Strict user copy checks are only really supported on x86_32 even > >> though the config option is selectable on x86_64. Add the > >> necessary support to the 64 bit code to trigger copy_from_user() > >> warnings at compile time. > > > > So I'm getting 20-30 warnings from an x86_64 allmodconfig build. > > > > I don't think we want a million other people to have to put up with > > those warnings too. Can you please take a look at fixing these up? > > > > Care to share the warnings? I'll run a build again and fix any new > warnings I find. init/calibrate.c: In function 'calibrate_delay': init/calibrate.c:251: warning: 'lpj' may be used uninitialized in this function In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from include/linux/uaccess.h:5, from include/linux/highmem.h:7, from include/linux/pagemap.h:10, from include/linux/mempolicy.h:70, from mm/mempolicy.c:68: In function 'copy_from_user', inlined from 'compat_sys_get_mempolicy' at mm/mempolicy.c:1415: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct crypto/anubis.c: In function 'anubis_crypt': crypto/anubis.c:581: warning: 'inter' is used uninitialized in this function In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from include/drm/drmP.h:65, from drivers/gpu/drm/radeon/radeon_state.c:30: In function 'copy_from_user', inlined from 'radeon_cp_clear' at drivers/gpu/drm/radeon/radeon_state.c:2171: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In file included from drivers/message/i2o/config-osm.c:39: drivers/message/i2o/i2o_config.c: In function 'i2o_cfg_passthru': drivers/message/i2o/i2o_config.c:881: warning: cast to pointer from integer of different size drivers/message/i2o/i2o_config.c:936: warning: cast to pointer from integer of different size In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from drivers/message/i2o/config-osm.c:22: In function 'copy_from_user', inlined from 'i2o_cfg_passthru32' at drivers/message/i2o/i2o_config.c:684: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'i2o_cfg_passthru' at drivers/message/i2o/i2o_config.c:919: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from /usr/src/devel/arch/x86/include/asm/sections.h:5, from /usr/src/devel/arch/x86/include/asm/hw_irq.h:26, from include/linux/irq.h:351, from /usr/src/devel/arch/x86/include/asm/hardirq.h:5, from include/linux/hardirq.h:7, from include/linux/interrupt.h:12, from net/core/pktgen.c:135: In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:877: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1145: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1252: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1274: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1298: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1321: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1344: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1365: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1386: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1407: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1429: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1446: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_thread_write' at net/core/pktgen.c:1769: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_thread_write' at net/core/pktgen.c:1800: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from include/net/checksum.h:25, from include/linux/skbuff.h:28, from include/linux/icmpv6.h:82, from net/compat.c:19: In function 'copy_from_user', inlined from 'compat_sys_socketcall' at net/compat.c:792: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct drivers/net/pcmcia/nmclan_cs.c: In function 'nmclan_config': drivers/net/pcmcia/nmclan_cs.c:628: warning: 'pcmcia_request_exclusive_irq' is deprecated (declared at include/pcmcia/ds.h:201) In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from include/linux/poll.h:14, from drivers/scsi/sg.c:44: In function 'copy_from_user', inlined from 'sg_proc_write_dressz' at drivers/scsi/sg.c:2399: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'sg_proc_write_adio' at drivers/scsi/sg.c:2376: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, from include/linux/poll.h:14, from drivers/net/tun.c:49: In function 'copy_from_user', inlined from '__tun_chr_ioctl' at drivers/net/tun.c:1246: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-06-30 19:36 ` Andrew Morton @ 2011-07-06 4:33 ` Stephen Boyd 0 siblings, 0 replies; 11+ messages in thread From: Stephen Boyd @ 2011-07-06 4:33 UTC (permalink / raw) To: Andrew Morton; +Cc: linux-kernel On 6/30/2011 12:36 PM, Andrew Morton wrote: > On Thu, 30 Jun 2011 12:23:56 -0700 > Stephen Boyd <sboyd@codeaurora.org> wrote: > >> Care to share the warnings? I'll run a build again and fix any new >> warnings I find. I only get one warning In file included from /local/mnt2/workspace2/android/kernel/arch/x86/include/asm/uaccess.h:572, from /local/mnt2/workspace2/android/kernel/include/linux/uaccess.h:5, from /local/mnt2/workspace2/android/kernel/drivers/staging/speakup/devsynth.c:4: In function 'copy_from_user', inlined from 'speakup_file_write' at /local/mnt2/workspace2/android/kernel/drivers/staging/speakup/devsynth.c:28: /local/mnt2/workspace2/android/kernel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct But that's probably due to my compiler's age more than anything else (and it seems you fixed it last Friday). I did notice that I need to do an obj-y instead of a lib-y in the Makefile. Can you please squash this into the patch titled "consolidate-config_debug_strict_user_copy_checks.patch"? ----8<----->8------ diff --git a/lib/Makefile b/lib/Makefile index 785f9b0..9ca779a 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -14,7 +14,7 @@ lib-y := ctype.o string.o vsprintf.o cmdline.o \ proportions.o prio_heap.o ratelimit.o show_mem.o \ is_single_threaded.o plist.o decompress.o find_next_bit.o -lib-$(CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS) += usercopy.o +obj-$(CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS) += usercopy.o lib-$(CONFIG_MMU) += ioremap.o lib-$(CONFIG_SMP) += cpumask.o > In file included from /usr/src/devel/arch/x86/include/asm/uaccess.h:572, > from include/linux/uaccess.h:5, > from include/linux/highmem.h:7, > from include/linux/pagemap.h:10, > from include/linux/mempolicy.h:70, > from mm/mempolicy.c:68: > [snip] > In function 'copy_from_user', > inlined from '__tun_chr_ioctl' at drivers/net/tun.c:1246: > /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct > Does this help at all? -----8<------->8------- diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c index 92e7ea7..5c8f53c 100644 --- a/drivers/gpu/drm/radeon/radeon_state.c +++ b/drivers/gpu/drm/radeon/radeon_state.c @@ -2169,7 +2169,7 @@ static int radeon_cp_clear(struct drm_device *dev, void *data, struct drm_file * sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS; if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, - sarea_priv->nbox * sizeof(depth_boxes[0]))) + (size_t)sarea_priv->nbox * sizeof(depth_boxes[0]))) return -EFAULT; radeon_cp_dispatch_clear(dev, file_priv->master, clear, depth_boxes); diff --git a/drivers/message/i2o/i2o_config.c b/drivers/message/i2o/i2o_config.c index 098de2b..4dcdc3d 100644 --- a/drivers/message/i2o/i2o_config.c +++ b/drivers/message/i2o/i2o_config.c @@ -680,6 +680,10 @@ static int i2o_cfg_passthru32(struct file *file, unsigned cmnd, } size = size >> 16; size *= 4; + if (size > sizeof(rmsg)) { + rcode = -EINVAL; + goto sg_list_cleanup; + } /* Copy in the user's I2O command */ if (copy_from_user(rmsg, user_msg, size)) { rcode = -EFAULT; diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 909ed9e..ce76d0c 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2367,16 +2367,15 @@ static ssize_t sg_proc_write_adio(struct file *filp, const char __user *buffer, size_t count, loff_t *off) { - int num; - char buff[11]; + int err; + unsigned long num; if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES; - num = (count < 10) ? count : 10; - if (copy_from_user(buff, buffer, num)) - return -EFAULT; - buff[num] = '\0'; - sg_allow_dio = simple_strtoul(buff, NULL, 10) ? 1 : 0; + err = kstrtoul_from_user(buffer, count, 0, &num); + if (err) + return err; + sg_allow_dio = num ? 1 : 0; return count; } @@ -2389,17 +2388,15 @@ static ssize_t sg_proc_write_dressz(struct file *filp, const char __user *buffer, size_t count, loff_t *off) { - int num; + int err; unsigned long k = ULONG_MAX; - char buff[11]; if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES; - num = (count < 10) ? count : 10; - if (copy_from_user(buff, buffer, num)) - return -EFAULT; - buff[num] = '\0'; - k = simple_strtoul(buff, NULL, 10); + + err = kstrtoul_from_user(buffer, count, 0, &k); + if (err) + return err; if (k <= 1048576) { /* limit "big buff" to 1 MB */ sg_big_buff = k; return count; diff --git a/lib/Makefile b/lib/Makefile index 785f9b0..9ca779a 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -14,7 +14,7 @@ lib-y := ctype.o string.o vsprintf.o cmdline.o \ proportions.o prio_heap.o ratelimit.o show_mem.o \ is_single_threaded.o plist.o decompress.o find_next_bit.o -lib-$(CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS) += usercopy.o +obj-$(CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS) += usercopy.o lib-$(CONFIG_MMU) += ioremap.o lib-$(CONFIG_SMP) += cpumask.o diff --git a/mm/mempolicy.c b/mm/mempolicy.c index e7fb9d2..e9d4987 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -1405,8 +1405,14 @@ asmlinkage long compat_sys_get_mempolicy(int __user *policy, nr_bits = min_t(unsigned long, maxnode-1, MAX_NUMNODES); alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8; - if (nmask) + if (alloc_size > sizeof(bm)) + return -EINVAL; + + if (nmask) { nm = compat_alloc_user_space(alloc_size); + if (!nm) + return -ENOMEM; + } err = sys_get_mempolicy(policy, nm, nr_bits+1, addr, flags); diff --git a/net/compat.c b/net/compat.c index c578d93..b769233 100644 --- a/net/compat.c +++ b/net/compat.c @@ -789,6 +789,8 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; + if (nas[call] > sizeof(a)) + return -EINVAL; if (copy_from_user(a, args, nas[call])) return -EFAULT; a0 = a[0]; diff --git a/net/core/pktgen.c b/net/core/pktgen.c index f76079c..2f4ea06 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -1382,6 +1382,8 @@ static ssize_t pktgen_if_write(struct file *file, len = strn_len(&user_buffer[i], sizeof(pkt_dev->src_min) - 1); if (len < 0) return len; + if (len > sizeof(buf)) + return -EINVAL; if (copy_from_user(buf, &user_buffer[i], len)) return -EFAULT; -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-05-31 18:14 ` [PATCH 3/4] x86: Implement strict user copy checks for x86_64 Stephen Boyd 2011-06-30 19:19 ` Andrew Morton @ 2011-07-07 21:54 ` Andrew Morton 2011-07-08 1:15 ` Stephen Boyd 1 sibling, 1 reply; 11+ messages in thread From: Andrew Morton @ 2011-07-07 21:54 UTC (permalink / raw) To: Stephen Boyd; +Cc: linux-kernel, netdev On Tue, 31 May 2011 11:14:32 -0700 Stephen Boyd <sboyd@codeaurora.org> wrote: > Strict user copy checks are only really supported on x86_32 even > though the config option is selectable on x86_64. Add the > necessary support to the 64 bit code to trigger copy_from_user() > warnings at compile time. I'm still reluctant to go and throw a pile of warnings into many people's faces without having made an attempt to fix them. We get a screen full of these: inlined from 'pktgen_if_write' at net/core/pktgen.c:877: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', inlined from 'pktgen_if_write' at net/core/pktgen.c:1145: /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct In function 'copy_from_user', ... and I don't immediately see a way of suppressing them without adding additional code. Ideas? ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 3/4] x86: Implement strict user copy checks for x86_64 2011-07-07 21:54 ` Andrew Morton @ 2011-07-08 1:15 ` Stephen Boyd 0 siblings, 0 replies; 11+ messages in thread From: Stephen Boyd @ 2011-07-08 1:15 UTC (permalink / raw) To: Andrew Morton; +Cc: linux-kernel, netdev On 07/07/2011 02:54 PM, Andrew Morton wrote: > On Tue, 31 May 2011 11:14:32 -0700 > Stephen Boyd <sboyd@codeaurora.org> wrote: > >> Strict user copy checks are only really supported on x86_32 even >> though the config option is selectable on x86_64. Add the >> necessary support to the 64 bit code to trigger copy_from_user() >> warnings at compile time. > > I'm still reluctant to go and throw a pile of warnings into many > people's faces without having made an attempt to fix them. > > I agree. > We get a screen full of these: > > inlined from 'pktgen_if_write' at net/core/pktgen.c:877: > /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct > In function 'copy_from_user', > inlined from 'pktgen_if_write' at net/core/pktgen.c:1145: > /usr/src/devel/arch/x86/include/asm/uaccess_64.h:64: warning: call to 'copy_from_user_overflow' declared with attribute warning: copy_from_user() buffer size is not provably correct > In function 'copy_from_user', > ... > > and I don't immediately see a way of suppressing them without adding > additional code. > > Ideas? I think your compiler is newer than mine. I tried the 4.6.0 compilers from kernel.org and only got the mempolicy warning. Ugh. When I sent the series I was using a 4.4.1 gcc. What happens if you inline strn_len()? I believe gcc can't prove to itself that the function returns an int that is always less than the size of f (or buf). This in turn requires it to generate the code for a buffer overflow possibility (even though we can tell its never possible). That's the thing with these strict user copy checks. First off we're relying on aggressive dead code optimization. Second, the compiler can easily get confused about constraints when function calls aren't inlined. I'm tempted to say we should rewrite it from char f[32]; memset(f, 0, 32); len = strn_len(&user_buffer[i], sizeof(f) - 1); if (len < 0) return len; if (copy_from_user(f, &user_buffer[i], len)) to int len = strn_len(&user_buffer[i], 31); char f[len + 1]; memset(f, 0, sizeof(f)); if (len < 0) return len; if (copy_from_user(f, &user_buffer[i], len)) so that gcc can easily see that f is always 1 more than len. But I can't convince myself that is better (and it's actually broken with regards to negative return values but you get the idea). -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 4/4] Consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS 2011-05-31 18:14 [PATCH 0/4] strict user copy checks on x86_64 Stephen Boyd ` (2 preceding siblings ...) 2011-05-31 18:14 ` [PATCH 3/4] x86: Implement strict user copy checks for x86_64 Stephen Boyd @ 2011-05-31 18:14 ` Stephen Boyd 3 siblings, 0 replies; 11+ messages in thread From: Stephen Boyd @ 2011-05-31 18:14 UTC (permalink / raw) To: Andrew Morton Cc: linux-kernel, linux-parisc, linux-s390, Arjan van de Ven, Helge Deller, Heiko Carstens, Stephen Rothwell The help text for this config is duplicated across the x86, parisc, and s390 Kconfig.debug files. Arnd Bergman noted that the help text was slightly misleading and should be fixed to state that enabling this option isn't a problem when using pre 4.4 gcc. To simplify the rewording, consolidate the text into lib/Kconfig.debug and modify it there to be more explicit about when you should say N to this config. Also, make the text a bit more generic by stating that this option enables compile time checks so we can cover architectures which emit warnings vs. ones which emit errors. The details of how an architecture decided to implement the checks isn't as important as the concept of compile time checking of copy_from_user() calls. While we're doing this, remove all the copy_from_user_overflow() code that's duplicated many times and place it into lib/ so that any architecture supporting this option can get the function for free. Signed-off-by: Stephen Boyd <sboyd@codeaurora.org> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Ingo Molnar <mingo@elte.hu> Acked-by: H. Peter Anvin <hpa@zytor.com> Cc: linux-parisc@vger.kernel.org Cc: linux-s390@vger.kernel.org Cc: Arjan van de Ven <arjan@linux.intel.com> Cc: Helge Deller <deller@gmx.de> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Acked-by: Chris Metcalf <cmetcalf@tilera.com> --- arch/parisc/Kconfig | 1 + arch/parisc/Kconfig.debug | 14 -------------- arch/s390/Kconfig | 1 + arch/s390/Kconfig.debug | 14 -------------- arch/s390/lib/Makefile | 1 - arch/s390/lib/usercopy.c | 8 -------- arch/sparc/lib/Makefile | 1 - arch/sparc/lib/usercopy.c | 8 -------- arch/tile/Kconfig | 8 +------- arch/tile/include/asm/uaccess.h | 7 ++++++- arch/tile/lib/uaccess.c | 8 -------- arch/x86/Kconfig | 1 + arch/x86/Kconfig.debug | 14 -------------- arch/x86/lib/usercopy_32.c | 6 ------ arch/x86/lib/usercopy_64.c | 6 ------ lib/Kconfig.debug | 18 ++++++++++++++++++ lib/Makefile | 1 + lib/usercopy.c | 8 ++++++++ 18 files changed, 37 insertions(+), 88 deletions(-) delete mode 100644 arch/s390/lib/usercopy.c delete mode 100644 arch/sparc/lib/usercopy.c create mode 100644 lib/usercopy.c diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index 65adc86..3385982 100644 --- a/arch/parisc/Kconfig +++ b/arch/parisc/Kconfig @@ -15,6 +15,7 @@ config PARISC select HAVE_GENERIC_HARDIRQS select GENERIC_IRQ_PROBE select IRQ_PER_CPU + select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS help The PA-RISC microprocessor is designed by Hewlett-Packard and used diff --git a/arch/parisc/Kconfig.debug b/arch/parisc/Kconfig.debug index 7305ac8..bc989e5 100644 --- a/arch/parisc/Kconfig.debug +++ b/arch/parisc/Kconfig.debug @@ -12,18 +12,4 @@ config DEBUG_RODATA portion of the kernel code won't be covered by a TLB anymore. If in doubt, say "N". -config DEBUG_STRICT_USER_COPY_CHECKS - bool "Strict copy size checks" - depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING - ---help--- - Enabling this option turns a certain set of sanity checks for user - copy operations into compile time failures. - - The copy_from_user() etc checks are there to help test if there - are sufficient security checks on the length argument of - the copy operation, by having gcc prove that the argument is - within bounds. - - If unsure, or if you run an older (pre 4.4) gcc, say N. - endmenu diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 9fab2aa..9726a23 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -117,6 +117,7 @@ config S390 select ARCH_INLINE_WRITE_UNLOCK_BH select ARCH_INLINE_WRITE_UNLOCK_IRQ select ARCH_INLINE_WRITE_UNLOCK_IRQRESTORE + select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS config SCHED_OMIT_FRAME_POINTER def_bool y diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug index d76cef3..aa1796c 100644 --- a/arch/s390/Kconfig.debug +++ b/arch/s390/Kconfig.debug @@ -17,20 +17,6 @@ config STRICT_DEVMEM If you are unsure, say Y. -config DEBUG_STRICT_USER_COPY_CHECKS - def_bool n - prompt "Strict user copy size checks" - ---help--- - Enabling this option turns a certain set of sanity checks for user - copy operations into compile time warnings. - - The copy_from_user() etc checks are there to help test if there - are sufficient security checks on the length argument of - the copy operation, by having gcc prove that the argument is - within bounds. - - If unsure, or if you run an older (pre 4.4) gcc, say N. - config DEBUG_SET_MODULE_RONX def_bool y depends on MODULES diff --git a/arch/s390/lib/Makefile b/arch/s390/lib/Makefile index 761ab8b..97975ec 100644 --- a/arch/s390/lib/Makefile +++ b/arch/s390/lib/Makefile @@ -3,7 +3,6 @@ # lib-y += delay.o string.o uaccess_std.o uaccess_pt.o -obj-y += usercopy.o obj-$(CONFIG_32BIT) += div64.o qrnnd.o ucmpdi2.o lib-$(CONFIG_64BIT) += uaccess_mvcos.o lib-$(CONFIG_SMP) += spinlock.o diff --git a/arch/s390/lib/usercopy.c b/arch/s390/lib/usercopy.c deleted file mode 100644 index 14b363f..0000000 --- a/arch/s390/lib/usercopy.c +++ /dev/null @@ -1,8 +0,0 @@ -#include <linux/module.h> -#include <linux/bug.h> - -void copy_from_user_overflow(void) -{ - WARN(1, "Buffer overflow detected!\n"); -} -EXPORT_SYMBOL(copy_from_user_overflow); diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile index 7f01b8fc..7747e40 100644 --- a/arch/sparc/lib/Makefile +++ b/arch/sparc/lib/Makefile @@ -43,4 +43,3 @@ obj-y += iomap.o obj-$(CONFIG_SPARC32) += atomic32.o obj-y += ksyms.o obj-$(CONFIG_SPARC64) += PeeCeeI.o -obj-y += usercopy.o diff --git a/arch/sparc/lib/usercopy.c b/arch/sparc/lib/usercopy.c deleted file mode 100644 index 14b363f..0000000 --- a/arch/sparc/lib/usercopy.c +++ /dev/null @@ -1,8 +0,0 @@ -#include <linux/module.h> -#include <linux/bug.h> - -void copy_from_user_overflow(void) -{ - WARN(1, "Buffer overflow detected!\n"); -} -EXPORT_SYMBOL(copy_from_user_overflow); diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig index 0249b8b..801fba1 100644 --- a/arch/tile/Kconfig +++ b/arch/tile/Kconfig @@ -12,6 +12,7 @@ config TILE select GENERIC_PENDING_IRQ if SMP select GENERIC_IRQ_SHOW select SYS_HYPERVISOR + select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS # FIXME: investigate whether we need/want these options. # select HAVE_IOREMAP_PROT @@ -96,13 +97,6 @@ config STRICT_DEVMEM config SMP def_bool y -# Allow checking for compile-time determined overflow errors in -# copy_from_user(). There are still unprovable places in the -# generic code as of 2.6.34, so this option is not really compatible -# with -Werror, which is more useful in general. -config DEBUG_COPY_FROM_USER - def_bool n - config HVC_TILE select HVC_DRIVER def_bool y diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h index ef34d2c..9a540be 100644 --- a/arch/tile/include/asm/uaccess.h +++ b/arch/tile/include/asm/uaccess.h @@ -353,7 +353,12 @@ _copy_from_user(void *to, const void __user *from, unsigned long n) return n; } -#ifdef CONFIG_DEBUG_COPY_FROM_USER +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS +/* + * There are still unprovable places in the generic code as of 2.6.34, so this + * option is not really compatible with -Werror, which is more useful in + * general. + */ extern void copy_from_user_overflow(void) __compiletime_warning("copy_from_user() size is not provably correct"); diff --git a/arch/tile/lib/uaccess.c b/arch/tile/lib/uaccess.c index f8d398c..030abe3 100644 --- a/arch/tile/lib/uaccess.c +++ b/arch/tile/lib/uaccess.c @@ -22,11 +22,3 @@ int __range_ok(unsigned long addr, unsigned long size) is_arch_mappable_range(addr, size)); } EXPORT_SYMBOL(__range_ok); - -#ifdef CONFIG_DEBUG_COPY_FROM_USER -void copy_from_user_overflow(void) -{ - WARN(1, "Buffer overflow detected!\n"); -} -EXPORT_SYMBOL(copy_from_user_overflow); -#endif diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index da34972..7714ff6 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -70,6 +70,7 @@ config X86 select IRQ_FORCED_THREADING select USE_GENERIC_SMP_HELPERS if SMP select HAVE_BPF_JIT if (X86_64 && NET) + select ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS config INSTRUCTION_DECODER def_bool (KPROBES || PERF_EVENTS) diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug index c0f8a5c..2b00959 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -270,18 +270,4 @@ config OPTIMIZE_INLINING If unsure, say N. -config DEBUG_STRICT_USER_COPY_CHECKS - bool "Strict copy size checks" - depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING - ---help--- - Enabling this option turns a certain set of sanity checks for user - copy operations into compile time failures. - - The copy_from_user() etc checks are there to help test if there - are sufficient security checks on the length argument of - the copy operation, by having gcc prove that the argument is - within bounds. - - If unsure, or if you run an older (pre 4.4) gcc, say N. - endmenu diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c index e218d5d..8498684 100644 --- a/arch/x86/lib/usercopy_32.c +++ b/arch/x86/lib/usercopy_32.c @@ -883,9 +883,3 @@ _copy_from_user(void *to, const void __user *from, unsigned long n) return n; } EXPORT_SYMBOL(_copy_from_user); - -void copy_from_user_overflow(void) -{ - WARN(1, "Buffer overflow detected!\n"); -} -EXPORT_SYMBOL(copy_from_user_overflow); diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c index d7a5d9a..b7c2849 100644 --- a/arch/x86/lib/usercopy_64.c +++ b/arch/x86/lib/usercopy_64.c @@ -181,9 +181,3 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest) break; return len; } - -void copy_from_user_overflow(void) -{ - WARN(1, "Buffer overflow detected!\n"); -} -EXPORT_SYMBOL(copy_from_user_overflow); diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 28afa4c..3298385 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -1106,6 +1106,24 @@ config SYSCTL_SYSCALL_CHECK to properly maintain and use. This enables checks that help you to keep things correct. +config ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS + bool + +config DEBUG_STRICT_USER_COPY_CHECKS + bool "Strict user copy size checks" + depends on ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS + depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING + help + Enabling this option turns a certain set of sanity checks for user + copy operations into compile time failures. + + The copy_from_user() etc checks are there to help test if there + are sufficient security checks on the length argument of + the copy operation, by having gcc prove that the argument is + within bounds. + + If unsure, say N. + source mm/Kconfig.debug source kernel/trace/Kconfig diff --git a/lib/Makefile b/lib/Makefile index 6b597fd..8195c5e 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -14,6 +14,7 @@ lib-y := ctype.o string.o vsprintf.o cmdline.o \ proportions.o prio_heap.o ratelimit.o show_mem.o \ is_single_threaded.o plist.o decompress.o find_next_bit.o +lib-$(CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS) += usercopy.o lib-$(CONFIG_MMU) += ioremap.o lib-$(CONFIG_SMP) += cpumask.o diff --git a/lib/usercopy.c b/lib/usercopy.c new file mode 100644 index 0000000..14b363f --- /dev/null +++ b/lib/usercopy.c @@ -0,0 +1,8 @@ +#include <linux/module.h> +#include <linux/bug.h> + +void copy_from_user_overflow(void) +{ + WARN(1, "Buffer overflow detected!\n"); +} +EXPORT_SYMBOL(copy_from_user_overflow); -- Sent by an employee of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum. ^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2011-07-08 1:15 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2011-05-31 18:14 [PATCH 0/4] strict user copy checks on x86_64 Stephen Boyd 2011-05-31 18:14 ` [PATCH 1/4] [SCSI] lpfc: Silence DEBUG_STRICT_USER_COPY_CHECKS=y warning Stephen Boyd 2011-05-31 18:14 ` [PATCH 2/4] kprobes: " Stephen Boyd 2011-05-31 18:14 ` [PATCH 3/4] x86: Implement strict user copy checks for x86_64 Stephen Boyd 2011-06-30 19:19 ` Andrew Morton 2011-06-30 19:23 ` Stephen Boyd 2011-06-30 19:36 ` Andrew Morton 2011-07-06 4:33 ` Stephen Boyd 2011-07-07 21:54 ` Andrew Morton 2011-07-08 1:15 ` Stephen Boyd 2011-05-31 18:14 ` [PATCH 4/4] Consolidate CONFIG_DEBUG_STRICT_USER_COPY_CHECKS Stephen Boyd
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).