On Fri, 9 Aug 2019, Alexander Popov wrote: > On 09.08.2019 16:56, Julia Lawall wrote: > > On Fri, 9 Aug 2019, Alexander Popov wrote: > >> On 27.03.2019 1:03, Jann Horn wrote: > >>> As sparse points out, these two copy_from_user() should actually be > >>> copy_to_user(). > >> > >> I also wrote a coccinelle rule for detecting similar bugs (adding coccinelle > >> experts to CC). > >> > >> > >> virtual report > >> > >> @cfu@ > > > > You can replace the above line with @cfu exists@. You want to find the > > existence of such a call, not ensure that the call occurs on every > > control-flow path, which is the default. > > Thanks Julia, I see `exists` allows to drop `<+ +>`, right? Exists is more efficient when it is possible. It just finds the existence of a path that has the property rather than collecting information about all paths. It is related to <+... ...+> because for that there has to exist at least one match. You could probably do something like ... when any copy_from_user ... when any Then with exists you will consider each call one at a time. > > > Do you want this rule to go into the kernel? > > It turned out that sparse already can find these bugs. If sparse is already doing this, then perhaps that's sufficient. Someone just has to be running it :) julia > Is this rule useful anyway? If so, I can prepare a patch. > > >> identifier f; > >> type t; > >> identifier v; > >> position decl_p; > >> position copy_p; > >> @@ > >> > >> f(..., t v@decl_p, ...) > >> { > >> <+... > >> copy_from_user@copy_p(v, ...) > >> ...+> > >> } > >> > >> @script:python@ > >> f << cfu.f; > >> t << cfu.t; > >> v << cfu.v; > >> decl_p << cfu.decl_p; > >> copy_p << cfu.copy_p; > >> @@ > >> > >> if '__user' in t: > >> msg0 = "function \"" + f + "\" has arg \"" + v + "\" of type \"" + t + "\"" > >> coccilib.report.print_report(decl_p[0], msg0) > >> msg1 = "copy_from_user uses \"" + v + "\" as the destination. What a shame!\n" > >> coccilib.report.print_report(copy_p[0], msg1) > >> > >> > >> The rule output: > >> > >> ./drivers/block/floppy.c:3756:49-52: function "compat_getdrvprm" has arg "arg" > >> of type "struct compat_floppy_drive_params __user *" > >> ./drivers/block/floppy.c:3783:5-19: copy_from_user uses "arg" as the > >> destination. What a shame! > >> > >> ./drivers/block/floppy.c:3789:49-52: function "compat_getdrvstat" has arg "arg" > >> of type "struct compat_floppy_drive_struct __user *" > >> ./drivers/block/floppy.c:3819:5-19: copy_from_user uses "arg" as the > >> destination. What a shame! >