From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: ksummit@lists.linux.dev, Julia Lawall <julia.lawall@inria.fr>
Subject: Re: Potential static analysis ideas
Date: Tue, 27 Jul 2021 12:38:08 +0300 [thread overview]
Message-ID: <20210727093808.GO25548@kadam> (raw)
In-Reply-To: <20210726155039.GR4397@paulmck-ThinkPad-P17-Gen-1>
On Mon, Jul 26, 2021 at 08:50:39AM -0700, Paul E. McKenney wrote:
> On Fri, Jul 23, 2021 at 10:10:23PM +0300, Dan Carpenter wrote:
> > Rust has many good static analysis features but if we wanted we could
> > implement a number of stricter rules in C. With Smatch I have tried to
> > focus on exclusively on finding bugs because everyone can agree that
> > bugs are bad. But if some subsystems wanted to implement stricter rules
> > just as a hardenning measure then that's a doable thing.
> >
> > For example, I've tried a bunch of approaches to warning about when the
> > user can trigger an integer overflow. The challenge is that most
> > integer overflows are harmless and do not cause a real life bug.
>
> I would not want overflow checks for unsigned integers, but it might
> be helpful for signed integers. But yes, most of us rely on fwrapv,
> so that kernelwide checks for signed integer overflow will be quite noisy.
Since we use -fwrapv then even signed integer overflows are defined and
I haven't seen a way that checking for signed integer overflows can be
useful.
With integer overflows I'm more talking about integer overflows from the
user. And I imagine a subsystem specific thing as a kind of "We want
extra security but aren't ready to port everything to Rust" type option.
I have almost 2 thousand of these warnings. This first example is from
the ioctl and probably root only. Plus commit 6d13de1489b6 ("uaccess:
disallow > INT_MAX copy sizes") really improved security.
drivers/fpga/dfl-fme-pr.c
83 if (copy_from_user(&port_pr, argp, minsz))
84 return -EFAULT;
85
86 if (port_pr.argsz < minsz || port_pr.flags)
87 return -EINVAL;
88
89 /* get fme header region */
90 fme_hdr = dfl_get_feature_ioaddr_by_id(&pdev->dev,
91 FME_FEATURE_ID_HEADER);
92
93 /* check port id */
94 v = readq(fme_hdr + FME_HDR_CAP);
95 if (port_pr.port_id >= FIELD_GET(FME_CAP_NUM_PORTS, v)) {
96 dev_dbg(&pdev->dev, "port number more than maximum\n");
97 return -EINVAL;
98 }
99
100 /*
101 * align PR buffer per PR bandwidth, as HW ignores the extra padding
102 * data automatically.
103 */
104 length = ALIGN(port_pr.buffer_size, 4);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This ALIGN() operation can overflow but only to zero.
105
106 buf = vmalloc(length);
kmalloc(() allows zero size allocations but vmalloc() will return NULL.
And actually, in April, Nicholas Piggin made it trigger a WARN_ONCE().
107 if (!buf)
108 return -ENOMEM;
109
110 if (copy_from_user(buf,
111 (void __user *)(unsigned long)port_pr.buffer_address,
112 port_pr.buffer_size)) {
^^^^^^^^^^^^^^^^^^^
So this can't corrupt memory for the reasons given above.
(It's still buggy because it doesn't zero out the last three bytes
between port_pr.buffer_size and length, but that's a different issue).
regards,
dan carpenter
next prev parent reply other threads:[~2021-07-27 9:38 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-23 19:10 Dan Carpenter
2021-07-24 13:33 ` Geert Uytterhoeven
2021-07-24 13:40 ` Julia Lawall
2021-07-24 14:08 ` Arnd Bergmann
2021-07-24 23:18 ` Laurent Pinchart
2021-07-24 23:45 ` NeilBrown
2021-07-26 7:25 ` Arnd Bergmann
2021-07-26 7:53 ` Geert Uytterhoeven
2021-07-26 8:20 ` Arnd Bergmann
2021-07-26 8:39 ` Geert Uytterhoeven
2021-07-26 8:52 ` Arnd Bergmann
2021-07-26 9:11 ` Geert Uytterhoeven
2021-07-26 8:55 ` Julia Lawall
2021-07-26 9:08 ` Hannes Reinecke
2021-07-26 9:16 ` Geert Uytterhoeven
2021-07-26 9:28 ` Julia Lawall
2021-07-26 9:35 ` Hannes Reinecke
2021-07-26 10:03 ` Julia Lawall
2021-07-26 17:54 ` James Bottomley
2021-07-26 18:16 ` Linus Torvalds
2021-07-26 21:53 ` NeilBrown
2021-07-26 18:31 ` Laurent Pinchart
2021-07-26 9:17 ` Dan Carpenter
2021-07-26 9:13 ` Dan Carpenter
2021-07-26 21:43 ` NeilBrown
2021-07-26 7:05 ` Dan Carpenter
2021-07-26 15:50 ` Paul E. McKenney
2021-07-27 9:38 ` Dan Carpenter [this message]
2021-07-27 9:50 ` Geert Uytterhoeven
2021-07-27 16:06 ` Paul E. McKenney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210727093808.GO25548@kadam \
--to=dan.carpenter@oracle.com \
--cc=julia.lawall@inria.fr \
--cc=ksummit@lists.linux.dev \
--cc=paulmck@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox