On Wed, Jun 05, 2019 at 09:29:26AM +0100, Andrew Murray wrote:
> Through this discussion I'm able to detect when annotated function parameters contain
> user provided values. The challenge for me is to detect where that data originated
> from (i.e. following the parameter up the call tree) to ease debugging.
>
> My first attempt didn't trace the parameters and just looked at the call tree for any
> functions which provided user data, however this resulted in false positives (e.g.
> just because a function higher up in the call stack passed user data, it doesn't mean
> it was this data that made it to the target function).

One of the main causes of this is function pointers that take a void pointer argument.

For example, iblock_execute_sync_cache() takes a user controlled "cmd" struct and says "bio->bi_private = cmd;"

Then in floppy_rb0_cb() we do:

struct rb0_cbdata *cbdata = (struct rb0_cbdata *)bio->bi_private;

And smatch says that *cbdata is entirely user controlled...

The nice fix for this would be if the mtag code were implemented and we could tie function pointers to their data pointers very accurately. Unfortunately, that's a pretty huge project and it's going to take a while to complete.

A quicker fix is to add a line to smatch_data/db/fixup_kernel.sh

delete from caller_info where function = '(struct bio)->bi_end_io' and type = 8017;

which just deletes the user data from caller_info.

regards,
dan carpenter
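Added illustration (not part of Dan's message, and not smatch's own code): a small C model of why a callee reached only through a function pointer with a void * argument gets its parameter marked user controlled, and what the fixup line changes. The row layout, the `caller` and `param` columns, the caller names, the `OTHER_INFO` type value and the sample rows are constructed for this example; the function name '(struct bio)->bi_end_io' and the type value 8017 are the ones quoted in the email.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a few caller_info rows. USER_DATA = 8017 is the
 * type value from the email; OTHER_INFO is a constructed placeholder for
 * any row that does not carry user data. */
#define USER_DATA  8017
#define OTHER_INFO 0
#define MAX_ROWS   8

struct caller_row {
    const char *function;  /* callee; here the function-pointer member */
    const char *caller;    /* constructed: which call site set the pointer */
    int type;              /* info type; 8017 = user data */
    const char *param;     /* constructed: which argument/member the row describes */
    int deleted;           /* set by apply_fixup() */
};

struct caller_db {
    struct caller_row rows[MAX_ROWS];
    int n;
};

static void add_row(struct caller_db *db, const char *function,
                    const char *caller, int type, const char *param)
{
    if (db->n >= MAX_ROWS)
        return;
    db->rows[db->n].function = function;
    db->rows[db->n].caller = caller;
    db->rows[db->n].type = type;
    db->rows[db->n].param = param;
    db->rows[db->n].deleted = 0;
    db->n++;
}

/* Constructed sample: two call sites install a bi_end_io callback.
 * The iblock path hangs a user-controlled cmd off bi_private; the floppy
 * path hangs kernel-built cbdata off it. Both rows land under the same
 * callee name because the callback is only known as "(struct bio)->bi_end_io". */
static void build_sample_db(struct caller_db *db)
{
    db->n = 0;
    add_row(db, "(struct bio)->bi_end_io", "iblock_execute_sync_cache",
            USER_DATA, "$->bi_private");
    add_row(db, "(struct bio)->bi_end_io", "floppy_read_block_0 (constructed)",
            OTHER_INFO, "$->bi_private");
}

/* Flow-insensitive merge: the callee cannot tell which caller reached it,
 * so the parameter is treated as user controlled if ANY live row says so.
 * This is the over-approximation that makes *cbdata look user controlled
 * inside floppy_rb0_cb(). */
static int param_is_user_controlled(const struct caller_db *db,
                                    const char *function, const char *param)
{
    for (int i = 0; i < db->n; i++) {
        const struct caller_row *r = &db->rows[i];
        if (r->deleted)
            continue;
        if (strcmp(r->function, function) == 0 &&
            strcmp(r->param, param) == 0 && r->type == USER_DATA)
            return 1;
    }
    return 0;
}

/* Model of "delete from caller_info where function = ... and type = 8017;".
 * Returns the number of rows removed. */
static int apply_fixup(struct caller_db *db, const char *function, int type)
{
    int removed = 0;
    for (int i = 0; i < db->n; i++) {
        struct caller_row *r = &db->rows[i];
        if (!r->deleted && strcmp(r->function, function) == 0 && r->type == type) {
            r->deleted = 1;
            removed++;
        }
    }
    return removed;
}

/* Runs the whole scenario; returns 1 when the model behaves as described. */
static int demo(void)
{
    struct caller_db db;
    build_sample_db(&db);

    int before = param_is_user_controlled(&db, "(struct bio)->bi_end_io", "$->bi_private");
    int removed = apply_fixup(&db, "(struct bio)->bi_end_io", USER_DATA);
    int after = param_is_user_controlled(&db, "(struct bio)->bi_end_io", "$->bi_private");

    printf("before fixup: user controlled = %d\n", before);
    printf("fixup removed %d row(s)\n", removed);
    printf("after fixup:  user controlled = %d\n", after);
    return before == 1 && removed == 1 && after == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The caveat the model makes visible: the deletion removes the user-data marking for every callback reached through bi_end_io, including the iblock path where the data really is user controlled, so it trades a class of false positives for possible false negatives until something like mtag can pair each function pointer with its own data pointer.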