Re: [Cocci] [RFC] coccicheck: add a test for repeat memory fetches

[Vaishali Thakkar]

On Wednesday 11 January 2017 05:34 AM, Kees Cook wrote:
> On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawall <julia.lawall@xxxxxxx> wrote:
> > OK, I have the impression that what you are looking for is the following,
> > that currently does not seem to work well. Still maybe it gives an idea.
> >
> > The basic pattern is the following sequence:
> >
> > 1. copy_from_user
> > 2. test on a field of the copied value
> > 3. another copy_from_user
> > 4. a use of the same field as tested in step 2 from the structure obtained
> > by the second copy_from_user or a function call with the structure as an
> > argument
>
> This looks pretty good!
>
> > In the case where the second copy_from_user stores the result in a
> > pointer, then a return with no reference of the tested field is also a
> > concern, unless, the pointer was already kfreed.
>
> I think sequence "2" above missing just looking at a direct value,
> like if instead of a field it was a u32. Also, should binop include
> "=="?
>
> And we need to add back in get_user() too... hmmm

May be having a separate script for get_user would be a good idea. 
get_user needs few more tests than copy_from_user. Also, for the both 
cases we can later add multi-function handling rules. And for the 
get_user, may be combinational usage rule as well.

> -Kees