Re: Regarding add detection for double-reads

On Mon, Jun 10, 2019 at 05:19:17PM +0000, Khajapasha, Mohammed wrote:
> As discussed over IRC, could you please provide some pointers on "add detection for double-reads".

Hi!

This was about following up on building a good Coccinelle script that
would warn about cases where the kernel reads from userspace twice at
the same location, which may result in bugs like reading the size of a
structure at the start of a structure, allocating that size, then filling
the structure with a second read (at which point the size may have
changed). For example:

struct example {
	unsigned int bytes;	/* size of the whole object, data[] included */
	unsigned int flags;
	u8 data[];
};

int do_user_interface(struct example __user *user_instance)
{
	struct example *instance;
	unsigned int size;

	/* First read: only the leading "bytes" field, to learn the size. */
	if (copy_from_user(&size, user_instance, sizeof(size)))
		return -EFAULT;
	instance = kmalloc(size, GFP_KERNEL);
	if (!instance)
		return -ENOMEM;
	/* Second read of the same user memory: userspace may have changed
	 * "bytes" in between, so instance->bytes need not equal size. */
	if (copy_from_user(instance, user_instance, size)) {
		kfree(instance);
		return -EFAULT;
	}
	perform_actions(instance);
	return 0;
}

The "bytes" field of the instance passed to perform_actions() may not
contain the right value, leading to possible heap overflows when
accessing instance->data[]...

What's needed after the second copy_from_user() is:

	if (instance->bytes != size) {
		kfree(instance);
		return -EINVAL;
	}

But _finding_ the cases is what I'd like to nail down and get into the
kernel scripts. The thread that needs following up is here:

https://lore.kernel.org/lkml/20160426222442.GA8104@xxxxxxxxxxxxxxx


-- 
Kees Cook
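The double-fetch pattern from the mail above, modelled in user-space C as an added example (this is not Kees Cook's code and not kernel code). copy_from_user() is replaced by a stand-in, sim_copy_from_user(), whose "user" buffer is rewritten between the two fetches to play the part of a racing thread; the sim_user struct, the check_bytes switch, the minimum-size check and the 16/4096 sizes are assumptions made for illustration. The same handler is run once without and once with the post-copy consistency check the mail asks for.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as in the mail; u8 is spelled uint8_t outside the kernel. */
struct example {
	unsigned int bytes;	/* size of the whole object, data[] included */
	unsigned int flags;
	uint8_t data[];
};

/* Model of a __user buffer (assumed). A real racing thread could rewrite the
 * header at any instant; here it happens right after the first copy is served. */
struct sim_user {
	unsigned char mem[64];
	int reads;		/* copies served so far */
	int race;		/* 1: rewrite "bytes" after the first copy */
	unsigned int race_bytes;
};

static void sim_user_init(struct sim_user *u, unsigned int bytes, int race,
			  unsigned int race_bytes)
{
	struct example hdr = { .bytes = bytes, .flags = 0 };
	memset(u, 0, sizeof(*u));
	memcpy(u->mem, &hdr, sizeof(hdr));
	u->race = race;
	u->race_bytes = race_bytes;
}

/* Stand-in for copy_from_user(): 0 on success, bytes not copied on failure. */
static unsigned long sim_copy_from_user(void *dst, struct sim_user *u, size_t n)
{
	if (n > sizeof(u->mem))
		return n;
	memcpy(dst, u->mem, n);
	if (++u->reads == 1 && u->race)
		memcpy(u->mem, &u->race_bytes, sizeof(u->race_bytes));
	return 0;
}

/* Consumer that trusts instance->bytes. Rather than touching data[], it reports
 * how far past the allocation the object claims to extend (non-zero: overflow). */
static size_t perform_actions(const struct example *instance, size_t allocated)
{
	return instance->bytes > allocated ? instance->bytes - allocated : 0;
}

/* The handler from the mail. check_bytes == 0 is the vulnerable form,
 * check_bytes == 1 adds the post-copy consistency check. */
static int do_user_interface(struct sim_user *user_instance, int check_bytes,
			     size_t *overrun)
{
	struct example *instance;
	unsigned int size;

	/* First fetch: only the leading "bytes" field. */
	if (sim_copy_from_user(&size, user_instance, sizeof(size)))
		return -EFAULT;
	if (size < sizeof(*instance))	/* minimum-size check, not in the mail */
		return -EINVAL;
	instance = malloc(size);
	if (!instance)
		return -ENOMEM;
	/* Second fetch of the same user memory: the header may have changed. */
	if (sim_copy_from_user(instance, user_instance, size)) {
		free(instance);
		return -EFAULT;
	}
	if (check_bytes && instance->bytes != size) {
		free(instance);
		return -EINVAL;
	}
	*overrun = perform_actions(instance, size);
	free(instance);
	return 0;
}

/* One run: honest 16-byte object; the racer (if enabled) rewrites bytes to 4096.
 * Returns a negative errno if rejected, else bytes claimed past the allocation. */
static long scenario(int check_bytes, int race)
{
	struct sim_user u;
	size_t overrun = 0;
	int rc;
	sim_user_init(&u, 16, race, 4096);
	rc = do_user_interface(&u, check_bytes, &overrun);
	return rc ? rc : (long)overrun;
}

int main(void)
{
	printf("no check, racing writer: %ld bytes past allocation\n", scenario(0, 1));
	printf("check, racing writer:    rc=%ld (EINVAL=%d)\n", scenario(1, 1), -EINVAL);
	printf("check, honest caller:    %ld bytes past allocation\n", scenario(1, 0));
	return 0;
}
```

Build with `cc -std=c99 -Wall double_fetch.c`. Without the check the handler happily hands perform_actions() an object whose bytes field says 4096 while only 16 bytes were allocated; with the check the racing caller gets -EINVAL and the honest caller is unaffected, which is exactly the property a Coccinelle rule flagging two copy_from_user() calls from the same __user pointer would help enforce.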


