Re: [kernel-hardening] [PATCH] checkpatch: Add ability to find bad uses of vsprintf %p<foo> extensions

From: Kees Cook
Date: Mon Feb 27 2017 - 16:37:04 EST

Next message: David Ahern: "Re: net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire"
Previous message: Weiny, Ira: "RE: [PATCH] IB/qib: fix false-postive maybe-uninitialized warning"
In reply to: Joe Perches: "[PATCH] checkpatch: Add ability to find bad uses of vsprintf %p<foo> extensions"
Next in thread: Roberts, William C: "RE: [PATCH] checkpatch: Add ability to find bad uses of vsprintf %p<foo> extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 27, 2017 at 12:54 PM, Joe Perches <joe@xxxxxxxxxxx> wrote:
> %pK was at least once misused at %pk in an out-of-tree module.
> This lead to some security concerns. Add the ability to track
> single and multiple line statements for misuses of %p<foo>.
>
> Signed-off-by: Joe Perches <joe@xxxxxxxxxxx>

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

-Kees

> ---
>
> Andrew, this has gone back and forth a few times.
>
> It's imperfect as a patch context with just a single
> function addition can be missed, but that's not new
> with $stat tests and just this patch. Perhaps one day
> the $stat identification mechanism can be improved.
>
> Until then, can you please apply this? Thanks.
>
> scripts/checkpatch.pl | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
>
> diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
> index ad5ea5c545b2..9293b8a1c121 100755
> --- a/scripts/checkpatch.pl
> +++ b/scripts/checkpatch.pl
> @@ -5676,6 +5676,32 @@ sub process {
> }
> }
>
> + # check for vsprintf extension %p<foo> misuses
> + if ($^V && $^V ge 5.10.0 &&
> + defined $stat &&
> + $stat =~ /^\+(?![^\{]*\{\s*).*\b(\w+)\s*\(.*$String\s*,/s &&
> + $1 !~ /^_*volatile_*$/) {
> + my $bad_extension = "";
> + my $lc = $stat =~ tr@\n@@;
> + $lc = $lc + $linenr;
> + for (my $count = $linenr; $count <= $lc; $count++) {
> + my $fmt = get_quoted_string($lines[$count - 1], raw_line($count, 0));
> + $fmt =~ s/%%//g;
> + if ($fmt =~ /(\%[\*\d\.]*p(?![\WFfSsBKRraEhMmIiUDdgVCbGN]).)/) {
> + $bad_extension = $1;
> + last;
> + }
> + }
> + if ($bad_extension ne "") {
> + my $stat_real = raw_line($linenr, 0);
> + for (my $count = $linenr + 1; $count <= $lc; $count++) {
> + $stat_real = $stat_real . "\n" . raw_line($count, 0);
> + }
> + WARN("VSPRINTF_POINTER_EXTENSION",
> + "Invalid vsprintf pointer extension '$bad_extension'\n" . "$here\n$stat_real\n");
> + }
> + }
> +
> # Check for misused memsets
> if ($^V && $^V ge 5.10.0 &&
> defined $stat &&
> --
> 2.10.0.rc2.1.g053435c
>

--
Kees Cook
Pixel Security

Next message: David Ahern: "Re: net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire"
Previous message: Weiny, Ira: "RE: [PATCH] IB/qib: fix false-postive maybe-uninitialized warning"
In reply to: Joe Perches: "[PATCH] checkpatch: Add ability to find bad uses of vsprintf %p<foo> extensions"
Next in thread: Roberts, William C: "RE: [PATCH] checkpatch: Add ability to find bad uses of vsprintf %p<foo> extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]