Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user

From: Pengfei Wang
Date: Wed Jan 11 2017 - 08:44:13 EST

Next message: Arnd Bergmann: "[PATCH] afs: correctly use 64-bit time for UUID"
Previous message: Linus Walleij: "Re: pca953x: lockdep warning since 4.10"
In reply to: Julia Lawall: "Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user"
Next in thread: Kees Cook: "Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> 在 2017年1月11日，下午2:12，Julia Lawall <julia.lawall@xxxxxxx> 写道：
>
> I looked at the get_user part of the original script. It looks like most
> of the complexity is to deal with the possibility of the src location
> being expressed in two different ways between the two calls.

Yes, in addition to pointer alias and the “field-whole” double-fetch type
as we mentioned previously, we also need to take into consideration of
the explicit data type conversion of the src pointer, such as:
get_user(dst, src)
…
get_user(dst, (int*)src)

Also the embedded computation at the argument position, such as
get_user(dst, ++src) , get_user(dst, align(src)), or get_user(dst, src[i]),
which could cause false positives. Loops also cause false positives.

> Even if this
> happens in practice only for get_user, it would seem that it could happen
> for copy_from_user as well. So I think we could just throw both get_user
> and copy_from_user into the same rule?
>
Agreed.

> I'm also not sure to understand why there are cases for things like
>
> get_user(exp1, src->f1)
> ...
> get_user(exp2,src)
>
> Can this happen? The types seem wrong.
I think it is unreasonable. It doesn’t work in practice. It exists in my script
because I combined different situations with disjunction but forgot to remove
the infeasible ones. Please remove it. A practical one should be:
get_user(exp1, src->f1)
…
copy_from_user(exp2, src ,size)

> Likewise, I see the need to take into account a second argument of src++,
> but not the need to take into account a second argument of src+4. Either
> there is src+4 in both calls or the addresses involved are just different.

src++ or src+4 are used when handling long messages byte by byte or word
by word by means of a loop. I paid attention to these because they cause
false positives as src pointers have changed for the double fetches. I remember
both of these two situations when examining the source code but I cannot
guarantee the src+4 situation exists as I don’t have an example in hand now. I suggest
we focus on the src++ for now. If src+4 cause any false positives, we’ll add it, too.

Regards
Pengfei

>
> Perhaps I'm missing something, though.
>
> julia
>

Next message: Arnd Bergmann: "[PATCH] afs: correctly use 64-bit time for UUID"
Previous message: Linus Walleij: "Re: pca953x: lockdep warning since 4.10"
In reply to: Julia Lawall: "Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user"
Next in thread: Kees Cook: "Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]