From: "Paul E. McKenney" <paulmck@kernel.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: ksummit@lists.linux.dev, Julia Lawall <julia.lawall@inria.fr>
Subject: Re: Potential static analysis ideas
Date: Tue, 27 Jul 2021 09:06:37 -0700 [thread overview]
Message-ID: <20210727160637.GW4397@paulmck-ThinkPad-P17-Gen-1> (raw)
In-Reply-To: <20210727093808.GO25548@kadam>
On Tue, Jul 27, 2021 at 12:38:08PM +0300, Dan Carpenter wrote:
> On Mon, Jul 26, 2021 at 08:50:39AM -0700, Paul E. McKenney wrote:
> > On Fri, Jul 23, 2021 at 10:10:23PM +0300, Dan Carpenter wrote:
> > > Rust has many good static analysis features but if we wanted we could
> > > implement a number of stricter rules in C. With Smatch I have tried to
> > > focus on exclusively on finding bugs because everyone can agree that
> > > bugs are bad. But if some subsystems wanted to implement stricter rules
> > > just as a hardenning measure then that's a doable thing.
> > >
> > > For example, I've tried a bunch of approaches to warning about when the
> > > user can trigger an integer overflow. The challenge is that most
> > > integer overflows are harmless and do not cause a real life bug.
> >
> > I would not want overflow checks for unsigned integers, but it might
> > be helpful for signed integers. But yes, most of us rely on fwrapv,
> > so that kernelwide checks for signed integer overflow will be quite noisy.
>
> Since we use -fwrapv then even signed integer overflows are defined and
> I haven't seen a way that checking for signed integer overflows can be
> useful.
Just because the compiler defines something does not mean that it cannot
be involved in a bug. ;-)
> With integer overflows I'm more talking about integer overflows from the
> user. And I imagine a subsystem specific thing as a kind of "We want
> extra security but aren't ready to port everything to Rust" type option.
Which was what I was also imagining, but along different lines.
But I agree that what you are proposing might be useful.
Thanx, Paul
> I have almost 2 thousand of these warnings. This first example is from
> the ioctl and probably root only. Plus commit 6d13de1489b6 ("uaccess:
> disallow > INT_MAX copy sizes") really improved security.
>
> drivers/fpga/dfl-fme-pr.c
> 83 if (copy_from_user(&port_pr, argp, minsz))
> 84 return -EFAULT;
> 85
> 86 if (port_pr.argsz < minsz || port_pr.flags)
> 87 return -EINVAL;
> 88
> 89 /* get fme header region */
> 90 fme_hdr = dfl_get_feature_ioaddr_by_id(&pdev->dev,
> 91 FME_FEATURE_ID_HEADER);
> 92
> 93 /* check port id */
> 94 v = readq(fme_hdr + FME_HDR_CAP);
> 95 if (port_pr.port_id >= FIELD_GET(FME_CAP_NUM_PORTS, v)) {
> 96 dev_dbg(&pdev->dev, "port number more than maximum\n");
> 97 return -EINVAL;
> 98 }
> 99
> 100 /*
> 101 * align PR buffer per PR bandwidth, as HW ignores the extra padding
> 102 * data automatically.
> 103 */
> 104 length = ALIGN(port_pr.buffer_size, 4);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This ALIGN() operation can overflow but only to zero.
>
> 105
> 106 buf = vmalloc(length);
>
> kmalloc(() allows zero size allocations but vmalloc() will return NULL.
> And actually, in April, Nicholas Piggin made it trigger a WARN_ONCE().
>
> 107 if (!buf)
> 108 return -ENOMEM;
> 109
> 110 if (copy_from_user(buf,
> 111 (void __user *)(unsigned long)port_pr.buffer_address,
> 112 port_pr.buffer_size)) {
> ^^^^^^^^^^^^^^^^^^^
> So this can't corrupt memory for the reasons given above.
>
> (It's still buggy because it doesn't zero out the last three bytes
> between port_pr.buffer_size and length, but that's a different issue).
>
> regards,
> dan carpenter
prev parent reply other threads:[~2021-07-27 16:06 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-23 19:10 Potential static analysis ideas Dan Carpenter
2021-07-24 13:33 ` Geert Uytterhoeven
2021-07-24 13:40 ` Julia Lawall
2021-07-24 14:08 ` Arnd Bergmann
2021-07-24 23:18 ` Laurent Pinchart
2021-07-24 23:45 ` NeilBrown
2021-07-26 7:25 ` Arnd Bergmann
2021-07-26 7:53 ` Geert Uytterhoeven
2021-07-26 8:20 ` Arnd Bergmann
2021-07-26 8:39 ` Geert Uytterhoeven
2021-07-26 8:52 ` Arnd Bergmann
2021-07-26 9:11 ` Geert Uytterhoeven
2021-07-26 8:55 ` Julia Lawall
2021-07-26 9:08 ` Hannes Reinecke
2021-07-26 9:16 ` Geert Uytterhoeven
2021-07-26 9:28 ` Julia Lawall
2021-07-26 9:35 ` Hannes Reinecke
2021-07-26 10:03 ` Julia Lawall
2021-07-26 17:54 ` James Bottomley
2021-07-26 18:16 ` Linus Torvalds
2021-07-26 21:53 ` NeilBrown
2021-07-26 18:31 ` Laurent Pinchart
2021-07-26 9:17 ` Dan Carpenter
2021-07-26 9:13 ` Dan Carpenter
2021-07-26 21:43 ` NeilBrown
2021-07-26 7:05 ` Dan Carpenter
2021-07-26 15:50 ` Paul E. McKenney
2021-07-27 9:38 ` Dan Carpenter
2021-07-27 9:50 ` Geert Uytterhoeven
2021-07-27 16:06 ` Paul E. McKenney [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210727160637.GW4397@paulmck-ThinkPad-P17-Gen-1 \
--to=paulmck@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=julia.lawall@inria.fr \
--cc=ksummit@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).