rpms/kernel/F-12 linux-2.6.31-copy_from_user-bounds.patch, NONE, 1.1 kernel.spec, 1.1837, 1.1838

Dave Jones davej at fedoraproject.org
Mon Sep 28 21:01:13 UTC 2009


Author: davej

Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18582

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6.31-copy_from_user-bounds.patch 
Log Message:
Use __builtin_object_size to validate the buffer size for copy_from_user
  + associated fixes to various copy_from_user invocations.

linux-2.6.31-copy_from_user-bounds.patch:
 b/arch/x86/include/asm/uaccess_32.h               |   19 ++++++++
 b/arch/x86/include/asm/uaccess_64.h               |   19 ++++++++
 b/arch/x86/kernel/x8664_ksyms_64.c                |    2 
 b/arch/x86/lib/copy_user_64.S                     |    4 -
 b/arch/x86/lib/usercopy_32.c                      |    4 -
 b/drivers/acpi/proc.c                             |    4 -
 b/drivers/acpi/video.c                            |   20 ++++++---
 b/drivers/char/nvram.c                            |   12 ++++-
 b/fs/cifs/cifs_debug.c                            |   10 ++--
 b/include/linux/compiler-gcc4.h                   |    2 
 b/include/linux/compiler.h                        |    8 +--
 b/kernel/capability.c                             |   11 ++---
 b/mm/migrate.c                                    |   47 ++++++++++++++++++++--
 b/net/socket.c                                    |    9 ++--
 b/net/wireless/wext.c                             |   11 ++---
 linux-2.6.31.noarch/arch/x86/kernel/cpu/mtrr/if.c |   21 ++++++---
 16 files changed, 152 insertions(+), 51 deletions(-)

--- NEW FILE linux-2.6.31-copy_from_user-bounds.patch ---
>From davej  Sat Sep 26 11:56:25 2009
Date: Sat, 26 Sep 2009 14:33:01 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: linux-kernel at vger.kernel.org
Cc: mingo at elte.hu, tglx at tglx.de, hpa at zytor.com
Subject: [PATCH] x86: Use __builtin_object_size to validate the buffer size
 for copy_from_user
Message-ID: <20090926143301.2c396b94 at infradead.org>
Organization: Intel

From 524a1da3c45683cec77480acc6cab1d33ae8d5cb Mon Sep 17 00:00:00 2001
From: Arjan van de Ven <arjan at linux.intel.com>
Date: Sat, 26 Sep 2009 12:36:21 +0200
Subject: [PATCH] x86: Use __builtin_object_size to validate the buffer size for copy_from_user

gcc (4.x) supports the __builtin_object_size() builtin, which reports the
size of an object that a pointer points to, when known at compile time.
If the buffer size is not known at compile time, a constant -1 is returned.

This patch uses this feature to add a sanity check to copy_from_user();
if the target buffer is known to be smaller than the copy size, the copy
is aborted and a WARNing is emitted in memory debug mode.

These extra checks compile away when the object size is not known,
or if both the buffer size and the copy length are constants.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>
Reviewed-by: Ingo Molnar <mingo at elte.hu>
---
 arch/x86/include/asm/uaccess_32.h |   19 ++++++++++++++++++-
 arch/x86/include/asm/uaccess_64.h |   19 ++++++++++++++++++-
 arch/x86/kernel/x8664_ksyms_64.c  |    2 +-
 arch/x86/lib/copy_user_64.S       |    4 ++--
 arch/x86/lib/usercopy_32.c        |    4 ++--
 include/linux/compiler-gcc4.h     |    2 ++
 include/linux/compiler.h          |    4 ++++
 7 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
index 632fb44..582d6ae 100644
--- a/arch/x86/include/asm/uaccess_32.h
+++ b/arch/x86/include/asm/uaccess_32.h
@@ -187,9 +187,26 @@ __copy_from_user_inatomic_nocache(void *to, const void __user *from,
 
 unsigned long __must_check copy_to_user(void __user *to,
 					const void *from, unsigned long n);
-unsigned long __must_check copy_from_user(void *to,
+unsigned long __must_check _copy_from_user(void *to,
 					  const void __user *from,
 					  unsigned long n);
+
+static inline unsigned long __must_check copy_from_user(void *to,
+					  const void __user *from,
+					  unsigned long n)
+{
+	int sz = __compiletime_object_size(to);
+	int ret = -EFAULT;
+
+	if (likely(sz == -1 || sz >= n))
+		ret = _copy_from_user(to, from, n);
+#ifdef CONFIG_DEBUG_VM
+	else
+		WARN(1, "Buffer overflow detected!\n");
+#endif
+	return ret;
+}
+
 long __must_check strncpy_from_user(char *dst, const char __user *src,
 				    long count);
 long __must_check __strncpy_from_user(char *dst,
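Review bot: in the new inline copy_from_user(), `int ret = -EFAULT` is returned through an `unsigned long` return type, and `ret = _copy_from_user(to, from, n)` narrows an unsigned long byte count into an int. The out-of-line function returns the number of bytes left uncopied, so `ret` should be `unsigned long` and the rejected case should return `n` rather than a negative errno. `sz >= n` also compares an int against an unsigned long; declaring `sz` with the builtin's own type and testing against an explicit unknown value would avoid relying on the conversion. Finally, the WARN exists only under CONFIG_DEBUG_VM, so on other builds the refusal is silent and `to` is left unwritten; a comment stating that callers must check the result would help.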
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index db24b21..ce6fec7 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -21,10 +21,27 @@ copy_user_generic(void *to, const void *from, unsigned len);
 __must_check unsigned long
 copy_to_user(void __user *to, const void *from, unsigned len);
 __must_check unsigned long
-copy_from_user(void *to, const void __user *from, unsigned len);
+_copy_from_user(void *to, const void __user *from, unsigned len);
 __must_check unsigned long
 copy_in_user(void __user *to, const void __user *from, unsigned len);
 
+static inline unsigned long __must_check copy_from_user(void *to,
+					  const void __user *from,
+					  unsigned long n)
+{
+	int sz = __compiletime_object_size(to);
+	int ret = -EFAULT;
+
+	if (likely(sz == -1 || sz >= n))
+		ret = _copy_from_user(to, from, n);
+#ifdef CONFIG_DEBUG_VM
+	else
+		WARN(1, "Buffer overflow detected!\n");
+#endif
+	return ret;
+}
+
+
 static __always_inline __must_check
 int __copy_from_user(void *dst, const void __user *src, unsigned size)
 {
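Review bot: the wrapper takes `unsigned long n` but forwards it to `_copy_from_user(void *to, const void __user *from, unsigned len)` as declared just above, so the length is narrowed at the call after `sz >= n` was evaluated on the full value. Keep the wrapper's parameter type identical to the out-of-line prototype, or widen the prototype. The body is a verbatim copy of the uaccess_32.h wrapper, so the `int ret = -EFAULT` return-type concern applies here as well, and the hunk adds two consecutive blank lines after the closing brace; one shared definition would remove the duplication.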
diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
index 3909e3b..a0cdd8c 100644
--- a/arch/x86/kernel/x8664_ksyms_64.c
+++ b/arch/x86/kernel/x8664_ksyms_64.c
@@ -30,7 +30,7 @@ EXPORT_SYMBOL(__put_user_8);
 
 EXPORT_SYMBOL(copy_user_generic);
 EXPORT_SYMBOL(__copy_user_nocache);
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(_copy_from_user);
 EXPORT_SYMBOL(copy_to_user);
 EXPORT_SYMBOL(__copy_from_user_inatomic);
 
diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index 6ba0f7b..4be3c41 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -78,7 +78,7 @@ ENTRY(copy_to_user)
 ENDPROC(copy_to_user)
 
 /* Standard copy_from_user with segment limit checking */
-ENTRY(copy_from_user)
+ENTRY(_copy_from_user)
 	CFI_STARTPROC
 	GET_THREAD_INFO(%rax)
 	movq %rsi,%rcx
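Review bot: the comment "Standard copy_from_user with segment limit checking" above `ENTRY(_copy_from_user)` is left unchanged and now names the inline wrapper rather than this symbol. Update it to say this is the out-of-line part called by the size-checking wrapper.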
@@ -88,7 +88,7 @@ ENTRY(copy_from_user)
 	jae bad_from_user
 	ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
 	CFI_ENDPROC
-ENDPROC(copy_from_user)
+ENDPROC(_copy_from_user)
 
 ENTRY(copy_user_generic)
 	CFI_STARTPROC
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
index 1f118d4..8498684 100644
--- a/arch/x86/lib/usercopy_32.c
+++ b/arch/x86/lib/usercopy_32.c
@@ -874,7 +874,7 @@ EXPORT_SYMBOL(copy_to_user);
  * data to the requested size using zero bytes.
  */
 unsigned long
-copy_from_user(void *to, const void __user *from, unsigned long n)
+_copy_from_user(void *to, const void __user *from, unsigned long n)
 {
 	if (access_ok(VERIFY_READ, from, n))
 		n = __copy_from_user(to, from, n);
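Review bot: the kernel-doc block above this function (ending "data to the requested size using zero bytes") now documents `_copy_from_user`, while callers use the inline `copy_from_user()` wrapper, whose rejection path never reaches the `memset(to, 0, n)` in this function. Move or repeat the comment at the wrapper and state there whether a refused copy zero-fills the destination.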
@@ -882,4 +882,4 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
 		memset(to, 0, n);
 	return n;
 }
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(_copy_from_user);
diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
index 450fa59..a3aef5d 100644
--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
@@ -37,3 +37,5 @@
 #define __cold			__attribute__((__cold__))
 
 #endif
+
+#define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
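Review bot: the define is appended after the final `#endif`, outside the conditional that line closes, and it passes type 0 to `__builtin_object_size` without a comment. Type 0 reports the bytes remaining in the whole enclosing object, so a copy aimed at an array member inside a struct is bounded only by the end of the struct; document that choice next to the macro, or use type 1 if member-level bounds are intended. A short note on why the define sits outside the guarded block would also help.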
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 9d4c4b0..9c42853 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -185,6 +185,10 @@ extern void __chk_io_ptr(const volatile void __iomem *);
 # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
 #endif
 
+/* Compile time object size, -1 for unknown */
+#ifndef __compiletime_object_size
+# define __compiletime_object_size(obj) -1
+#endif
 /*
  * Prevent the compiler from merging or refetching accesses.  The compiler
  * is also forbidden from reordering successive instances of ACCESS_ONCE(),
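Review bot: the fallback `# define __compiletime_object_size(obj) -1` expands to an unparenthesised negative literal; write `(-1)` so the macro is safe inside larger expressions. The new block also runs straight into the following comment, so add a blank line after the `#endif` to match the surrounding layout.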
-- 
1.6.0.6



-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org
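The check described in the commit message above, as an added userspace illustration (not code from the patch or from the kernel). All function and macro names below are hypothetical, `memcpy()` stands in for `_copy_from_user()`, and the example goes one step beyond the patch by comparing type 0 with type 1 of `__builtin_object_size` on a struct member.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value __builtin_object_size() yields for types 0 and 1 when it cannot tell. */
#define SIZE_UNKNOWN ((size_t)-1)

/* Same decision as the patch: allow when the size is unknown or large enough. */
int copy_allowed(size_t obj_size, size_t n)
{
	return obj_size == SIZE_UNKNOWN || obj_size >= n;
}

/* Hypothetical stand-in for the wrapper; memcpy() plays _copy_from_user().
 * Returns the number of bytes NOT copied: 0 on success, n when refused. */
size_t checked_copy_sz(void *to, const void *from, size_t n, size_t obj_size)
{
	if (!copy_allowed(obj_size, n))
		return n;
	memcpy(to, from, n);
	return 0;
}

/* A macro, so the builtin sees the caller's own expression for the target.
 * The kernel wrapper gets the same visibility by being inlined. */
#define checked_copy(to, from, n) \
	checked_copy_sz((to), (from), (n), __builtin_object_size((to), 0))

/* Hide a pointer's origin from the compiler via a volatile round trip. */
void *launder(void *p)
{
	void *volatile v = p;
	return v;
}

/* Constructed sample input, standing in for a user-supplied buffer. */
static const char input[32] = "constructed sample input";

struct request {
	char name[8];
	unsigned int flags;
};

/* Target size known (16) and sufficient: the copy is performed. */
size_t copy_fits(void)
{
	char buf[16];
	return checked_copy(buf, input, sizeof(buf));
}

/* Target size known (16), length 17: refused before any byte is written. */
size_t copy_too_long(void)
{
	char buf[16];
	return checked_copy(buf, input, sizeof(buf) + 1);
}

/* Size the compiler reports once the pointer's origin is hidden. */
size_t opaque_size(void)
{
	char buf[16];
	char *p = launder(buf);
	return __builtin_object_size(p, 0);
}

/* Unknown size: the check passes everything through, as in the patch. */
size_t copy_via_opaque(void)
{
	char buf[16];
	char *p = launder(buf);
	return checked_copy(p, input, sizeof(buf));
}

/* Size reported for the member r.name: type 0 counts to the end of the
 * enclosing struct, type 1 counts only the member itself. */
size_t member_size(int type)
{
	struct request r;
	memset(&r, 0, sizeof(r));
	return type ? __builtin_object_size(r.name, 1)
		    : __builtin_object_size(r.name, 0);
}

int main(void)
{
	printf("fits: %zu left uncopied\n", copy_fits());
	printf("too long: %zu left uncopied\n", copy_too_long());
	printf("opaque size unknown: %d\n", opaque_size() == SIZE_UNKNOWN);
	printf("via opaque pointer: %zu left uncopied\n", copy_via_opaque());
	printf("member size, type 0: %zu, type 1: %zu\n",
	       member_size(0), member_size(1));
	printf("struct-sized copy into name allowed: type 0 %d, type 1 %d\n",
	       copy_allowed(member_size(0), sizeof(struct request)),
	       copy_allowed(member_size(1), sizeof(struct request)));
	return 0;
}
```

With type 0, as the patch uses, a copy into `name` sized for the whole struct passes the check; only a copy running past the end of the enclosing object is refused.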

>From davej  Sat Sep 26 14:57:33 2009
Date: 	Sat, 26 Sep 2009 20:49:51 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: linux-kernel at vger.kernel.org
Cc: torvalds at linux-foundation.org, mingo at elte.hu
Subject: [PATCH 0/9] Series to make copy_from_user to a stack slot provable
 right
Message-ID: <20090926204951.424e567e at infradead.org>
Organization: Intel

[PATCH 0/9] Series to make copy_from_user to a stack slot provable right

This series contains a series of patches that, when applied, make every
copy_from_user() in a make allyesconfig to a (direct) stack slot
provable-by-gcc to have a correct size.

This is useful because if we fix all of these, we can make the non-provable
case an error, as an indication of a possible security hole.

Now the series has 4 types of patches
1) changes where the original code really was missing checks
2) changes where the checks were coded so complex and games were played with
   types, that I (and the compiler) couldn't be sure if it was correct or
   not
3) changes where we're hitting a small gcc missing optimization, but where
   a simplification of the code allows gcc to prove things anyway.
   (http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41477 is filed for this)
4) a case in sys_socketcall where Dave Miller and co were very smart in
   optimizing the code to the point where it's not reasonable for gcc
   to realize the result is ok.



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

>From davej  Sat Sep 26 14:57:34 2009
Date: 	Sat, 26 Sep 2009 20:50:25 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        lenb at kernel.org
Subject: [PATCH 1/9] Fix bound checks for copy_from_user in the acpi /proc
 code
Message-ID: <20090926205025.3befecf6 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel


From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 1/9] Fix bound checks for copy_from_user in the acpi /proc code
CC: Len Brown <lenb at kernel.org>

The ACPI /proc write() code takes an unsigned length argument like any write()
function, but then assigns it to a *signed* integer called "len".
Only after this is a sanity check for len done to make it not larger than 4.

Due to the type change a len < 0 is in principle also possible; this patch
adds a check for this.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>

diff --git a/drivers/acpi/proc.c b/drivers/acpi/proc.c
index d0d550d..f8b6f55 100644
--- a/drivers/acpi/proc.c
+++ b/drivers/acpi/proc.c
@@ -398,6 +398,8 @@ acpi_system_write_wakeup_device(struct file *file,
 
 	if (len > 4)
 		len = 4;
+	if (len < 0)
+		return -EFAULT;
 
 	if (copy_from_user(strbuf, buffer, len))
 		return -EFAULT;
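Review bot: the added `if (len < 0)` test returns -EFAULT, which callers read as a bad user pointer; -EINVAL describes an invalid length better. Since the commit message says the negative value arises only from assigning the unsigned count to a signed `len`, making `len` unsigned, or clamping the count before the assignment, would remove the case instead of testing for it after the `len > 4` clamp.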



>From davej  Sat Sep 26 14:57:19 2009
Date: 	Sat, 26 Sep 2009 20:50:49 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu
Subject: [PATCH 2/9] Simplify bound checks in nvram for copy_from_user
Message-ID: <20090926205049.33703eea at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel


From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 2/9] Simplify bound checks in nvram for copy_from_user

The nvram driver's write() function has an interesting bound check.
Not only does it use the always-hard-to-read ? C operator, it also
has a magic "i" in there, which comes from the file position of
the file.

At first sight the check looks sane, however the value of "i" is not
checked at all and I as a human don't know if the C type rules guarantee
that the result is always within bounds.. and neither does gcc seem to
know.

This patch simplifies the checks and guarantees that the copy will not
overflow the destination buffer.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>


diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
index 88cee40..b2a7eaf 100644
--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -267,7 +267,15 @@ static ssize_t nvram_write(struct file *file, const char __user *buf,
 	unsigned char *tmp;
 	int len;
 
-	len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
+	len = count;
+	if (count > NVRAM_BYTES - i)
+		len = NVRAM_BYTES - i;
+
+	if (len > NVRAM_BYTES)
+		len = NVRAM_BYTES;
+	if (len < 0)
+		return -EINVAL;
+
 	if (copy_from_user(contents, buf, len))
 		return -EFAULT;
 
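Review bot: `i` is still not range-checked in this hunk, so `NVRAM_BYTES - i` in `if (count > NVRAM_BYTES - i)` can itself be negative or wrap, depending on the type of `i`, which these lines do not show. The later clamps keep `len` within 0..NVRAM_BYTES for the copy into `contents`, but the unchecked offset is exactly what the commit message flags. An explicit test on `i` before computing the remaining space would make the bound obvious to a reader and to gcc, and would let the `len > NVRAM_BYTES` and `len < 0` tests collapse into one.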



>From davej  Sat Sep 26 14:57:18 2009
Date: 	Sat, 26 Sep 2009 20:51:14 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        linux-wireless at vger.kernel.org
Subject: [PATCH 3/9] Add bound checks in wext for copy_from_user
Message-ID: <20090926205114.4ec62382 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 3/9] Add bound checks in wext for copy_from_user
CC: linux-wireless at vger.kernel.org

The wireless extensions have a copy_from_user to a local stack
array "essid", but both gcc and I have failed to find where
the bounds for this copy are located in the code.

This patch adds some basic sanity checks for the copy length
to make sure that we don't overflow the stack buffer.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>


diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index 5b4a0ce..34beae6 100644
--- a/net/wireless/wext.c
+++ b/net/wireless/wext.c
@@ -773,10 +773,13 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
 			essid_compat = 1;
 		else if (IW_IS_SET(cmd) && (iwp->length != 0)) {
 			char essid[IW_ESSID_MAX_SIZE + 1];
+			unsigned int len;
+			len = iwp->length * descr->token_size;
 
-			err = copy_from_user(essid, iwp->pointer,
-					     iwp->length *
-					     descr->token_size);
+			if (len > IW_ESSID_MAX_SIZE)
+				return -EFAULT;
+
+			err = copy_from_user(essid, iwp->pointer, len);
 			if (err)
 				return -EFAULT;
 
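Review bot: `len = iwp->length * descr->token_size` is computed before the bound test, so if the product wraps in `unsigned int` the test `len > IW_ESSID_MAX_SIZE` sees the wrapped value. The copy into `essid` stays within the array either way, but any later use of `iwp->length` is not bounded by this check. Test `iwp->length` against the limit before multiplying. The early `return -EFAULT` also reports an oversized length as a bad pointer; -EINVAL or -E2BIG would be clearer to the caller.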




>From davej  Sat Sep 26 14:57:15 2009
Date: 	Sat, 26 Sep 2009 20:51:50 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        hpa at zytor.com, tglx at tglx.de
Subject: [PATCH 4/9] Simplify bound checks in the MTRR code
Message-ID: <20090926205150.30797709 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 4/9] Simplify bound checks in the MTRR code
CC: mingo at elte.hu
CC: hpa at zytor.com
CC: tglx at tglx.de

The current bound checks for copy_from_user in the MTRR driver
are not as obvious as they could be, and gcc agrees with that.

This patch simplifies the boundary checks to the point that gcc
can now prove to itself that the copy_from_user() is never going
past its bounds.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>

--- linux-2.6.31.noarch/arch/x86/kernel/cpu/mtrr/if.c~	2009-09-28 16:51:07.000000000 -0400
+++ linux-2.6.31.noarch/arch/x86/kernel/cpu/mtrr/if.c	2009-09-28 16:52:30.000000000 -0400
@@ -94,17 +94,26 @@ mtrr_write(struct file *file, const char
 	unsigned long long base, size;
 	char *ptr;
 	char line[LINE_SIZE];
+	int length;
 	size_t linelen;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
-	if (!len)
-		return -EINVAL;
+
 	memset(line, 0, LINE_SIZE);
-	if (len > LINE_SIZE)
-		len = LINE_SIZE;
-	if (copy_from_user(line, buf, len - 1))
+
+	length = len;
+	length--;
+
+	if (length > LINE_SIZE - 1)
+		length = LINE_SIZE - 1;
+
+	if (length < 0)
+		return -EINVAL;
+
+	if (copy_from_user(line, buf, length))
 		return -EFAULT;
+
 	linelen = strlen(line);
 	ptr = line + linelen - 1;
 	if (linelen && *ptr == '\n')
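
Review bot: Copying len into `int length` narrows the caller-supplied write length, so a len above INT_MAX (or one wider than int) turns into an unrelated small or negative value before the clamp runs, where the old code clamped it to LINE_SIZE. Keeping the arithmetic unsigned (reject len == 0 first, then `length = len - 1` and clamp to LINE_SIZE - 1) gives gcc the same provable bound without the conversion. If the int stays, test `length < 0` before the clamp so the order of the checks matches the reasoning.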

-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

>From davej  Sat Sep 26 14:57:28 2009
Date: 	Sat, 26 Sep 2009 20:52:23 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        lenb at kernel.org
Subject: [PATCH 5/9] Add bound checks in acpi/video for copy_from_user
Message-ID: <20090926205223.61dd0844 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 5/9] Add bound checks in acpi/video for copy_from_user
CC: Len Brown <lenb at kernel.org>

The ACPI video driver has a few boundary checks for copy_from_user
that unfortunately confuse the GCC optimizer.

This patch simplifies these boundary checks to the point that
gcc knows the copy_from_user() is always within bounds.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>


diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
index 94b1a4c..0dd2cc8 100644
--- a/drivers/acpi/video.c
+++ b/drivers/acpi/video.c
@@ -1218,7 +1218,9 @@ acpi_video_device_write_state(struct file *file,
 	u32 state = 0;
 
 
-	if (!dev || count + 1 > sizeof str)
+	if (!dev)
+		return -EINVAL;
+	if (count >= sizeof(str))
 		return -EINVAL;
 
 	if (copy_from_user(str, buffer, count))
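
Review bot: `count >= sizeof(str)` is not only a simplification of `count + 1 > sizeof str`: the old expression wraps to 0 when count is the largest value its type can hold and lets that value through, while the new one rejects it. The changelog presents the patch purely as help for the optimizer, so it should mention this change in behaviour. Splitting the `!dev` test into its own statement is fine.
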
@@ -1275,7 +1277,10 @@ acpi_video_device_write_brightness(struct file *file,
 	int i;
 
 
-	if (!dev || !dev->brightness || count + 1 > sizeof str)
+	if (!dev || !dev->brightness)
+		return -EINVAL;
+
+	if (count >= sizeof(str))
 		return -EINVAL;
 
 	if (copy_from_user(str, buffer, count))
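
Review bot: The blank line between the two -EINVAL checks here (and in acpi_video_bus_write_POST) is missing in acpi_video_device_write_state and acpi_video_bus_write_DOS. Pick one layout for all four functions so the identical checks read identically.
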
@@ -1557,7 +1562,10 @@ acpi_video_bus_write_POST(struct file *file,
 	unsigned long long opt, options;
 
 
-	if (!video || count + 1 > sizeof str)
+	if (!video)
+		return -EINVAL;
+
+	if (count >= sizeof(str))
 		return -EINVAL;
 
 	status = acpi_video_bus_POST_options(video, &options);
@@ -1597,7 +1605,9 @@ acpi_video_bus_write_DOS(struct file *file,
 	unsigned long opt;
 
 
-	if (!video || count + 1 > sizeof str)
+	if (!video)
+		return -EINVAL;
+	if (count >= sizeof(str))
 		return -EINVAL;
 
 	if (copy_from_user(str, buffer, count))



-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

>From davej  Sat Sep 26 14:57:21 2009
Date: 	Sat, 26 Sep 2009 20:52:55 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        sfrench at samba.org
Subject: [PATCH 6/9] Simplify bound checks in cifs for copy_from_user
Message-ID: <20090926205255.1d9de6c7 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 6/9] Simplify bound checks in cifs for copy_from_user
CC: Steve French <sfrench at samba.org>

The CIFS code unfortunately hits a missed optimization in gcc
(http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41477)
where gcc can't prove to itself that count will not be larger than 11.

This patch simplifies the expression so that GCC does realize this,
giving slightly better code soon when copy_from_user() grows some checks.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>

diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
index 42cec2a..94b86da 100644
--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -732,11 +732,13 @@ static ssize_t cifs_security_flags_proc_write(struct file *file,
 	char flags_string[12];
 	char c;
 
-	if ((count < 1) || (count > 11))
-		return -EINVAL;
-
 	memset(flags_string, 0, 12);
 
+	if (count < 1)
+		return -EINVAL;
+	if (count > 11)
+		return -EINVAL;
+
 	if (copy_from_user(flags_string, buffer, count))
 		return -EFAULT;
 
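
Review bot: The limits stay as the literals 11 and 12 next to `char flags_string[12]`; write them as `sizeof(flags_string)` in the memset and `count >= sizeof(flags_string)` in the check, so the bound gcc is asked to prove cannot drift from the declaration. The memset now also runs ahead of both -EINVAL returns, where the buffer is never used; keeping it after the checks avoids that.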



-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

>From davej  Sat Sep 26 14:57:16 2009
Date: 	Sat, 26 Sep 2009 20:53:36 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        jmorris at nami.org
Subject: [PATCH 7/9] Simplify bound checks in capabilities for
 copy_from_user
Message-ID: <20090926205336.77bc5b21 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 7/9] Simplify bound checks in capabilities for copy_from_user
CC: James Morris <jmorris at namei.org>

The capabilities syscall has a copy_from_user() call where gcc currently
cannot prove to itself that the copy is always within bounds.

This patch adds a very explicit bound check to prove to gcc that
this copy_from_user cannot overflow its destination buffer.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>

diff --git a/kernel/capability.c b/kernel/capability.c
index 4e17041..204f11f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -238,7 +241,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
 SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
 {
 	struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
-	unsigned i, tocopy;
+	unsigned i, tocopy, copybytes;
 	kernel_cap_t inheritable, permitted, effective;
 	struct cred *new;
 	int ret;
@@ -255,8 +258,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
 	if (pid != 0 && pid != task_pid_vnr(current))
 		return -EPERM;
 
-	if (copy_from_user(&kdata, data,
-			   tocopy * sizeof(struct __user_cap_data_struct)))
+	copybytes = tocopy * sizeof(struct __user_cap_data_struct);
+	if (copybytes > _KERNEL_CAPABILITY_U32S)
+		return -EFAULT;
+
+	if (copy_from_user(&kdata, data, copybytes))
 		return -EFAULT;
 
 	for (i = 0; i < tocopy; i++) {
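
Review bot: In the second hunk, `copybytes > _KERNEL_CAPABILITY_U32S` compares a byte count against the number of elements in kdata[], not against its size. copybytes is tocopy * sizeof(struct __user_cap_data_struct), so the test should read `copybytes > sizeof(kdata)`; as written it returns -EFAULT for valid requests as soon as the byte count exceeds the element count.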



-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

>From davej  Sat Sep 26 14:57:23 2009
Date: 	Sat, 26 Sep 2009 20:54:06 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Arjan van de Ven <arjan at infradead.org>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        akpm at linux-foundation.org
Subject: [PATCH 8/9] Add explicit bound checks in mm/migrate.c
Message-ID: <20090926205406.30d55b08 at infradead.org>
In-Reply-To: <20090926204951.424e567e at infradead.org>
References: <20090926204951.424e567e at infradead.org>
Organization: Intel

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 8/9] Add explicit bound checks in mm/migrate.c
CC: akpm at linux-foundation.org

The memory migration code has some curious copy_from_user bounds,
that are likely ok, but are not immediately obvious to me or to GCC.

This patch adds a simple explicit bound check; this allows GCC
and me to be more assured that the copy_from_user will never overwrite
its destination buffer.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>


diff --git a/mm/migrate.c b/mm/migrate.c
index 1a4bf48..5b9ebc5 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1044,11 +1044,15 @@ static int do_pages_stat(struct mm_struct *mm, unsigned long nr_pages,
 	int err;
 
 	for (i = 0; i < nr_pages; i += chunk_nr) {
+		unsigned int copy;
 		if (chunk_nr + i > nr_pages)
 			chunk_nr = nr_pages - i;
 
-		err = copy_from_user(chunk_pages, &pages[i],
-				     chunk_nr * sizeof(*chunk_pages));
+		copy = chunk_nr * sizeof(*chunk_pages);
+		if (copy > DO_PAGES_STAT_CHUNK_NR)
+			return -EFAULT;
+
+		err = copy_from_user(chunk_pages, &pages[i], copy);
 		if (err) {
 			err = -EFAULT;
 			goto out;
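
Review bot: `copy > DO_PAGES_STAT_CHUNK_NR` mixes units: copy is chunk_nr * sizeof(*chunk_pages) bytes, while DO_PAGES_STAT_CHUNK_NR is by its name a count of entries, so a full chunk would be refused. Compare against the byte size of the chunk_pages buffer, or bound chunk_nr itself. The new `return -EFAULT` also bypasses the `goto out` path that the copy_from_user() failure just below takes; set err and jump to out so both errors leave the function the same way.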


-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org

>From davej  Sat Sep 26 15:24:03 2009
Date: 	Sat, 26 Sep 2009 21:23:02 +0200
From: Arjan van de Ven <arjan at infradead.org>
To: Cyrill Gorcunov <gorcunov at gmail.com>
Cc: linux-kernel at vger.kernel.org, torvalds at linux-foundation.org, mingo at elte.hu,
        netdev at vger.kernel.org
Subject: Re: [PATCH 9/9] Add explicit bound checks in net/socket.c
Message-ID: <20090926212302.0ce64a5c at infradead.org>
In-Reply-To: <20090926190103.GB4356 at lenovo>
References: <20090926204951.424e567e at infradead.org>
	<20090926205432.24aa1023 at infradead.org>
	<20090926190103.GB4356 at lenovo>
Organization: Intel

On Sat, 26 Sep 2009 23:01:03 +0400
Cyrill Gorcunov <gorcunov at gmail.com> wrote:

> [Arjan van de Ven - Sat, Sep 26, 2009 at 08:54:32PM +0200]
> | From: Arjan van de Ven <arjan at linux.intel.com>
> | Subject: [PATCH 9/9] Add explicit bound checks in net/socket.c
> | CC: netdev at vger.kernel.org
> | 
> | The sys_socketcall() function has a very clever system for the copy
> | size of its arguments. Unfortunately, gcc cannot deal with this in
> | terms of proving that the copy_from_user() is then always in bounds.
> | This is the last (well 9th of this series, but last in the kernel) such
> | case around.
> | 
> | With this patch, we can turn on code to make having the boundary provably
> | right for the whole kernel, and detect introduction of new security
> | accidents of this type early on.
> | 
> | Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>
> | 
> | 
> | diff --git a/net/socket.c b/net/socket.c
> | index 49917a1..13a8d67 100644
> | --- a/net/socket.c
> | +++ b/net/socket.c
> | @@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call,
> unsigned long __user *, args) |  	unsigned long a[6];
> |  	unsigned long a0, a1;
> |  	int err;
> | +	unsigned int len;
> |  
> |  	if (call < 1 || call > SYS_ACCEPT4)
> |  		return -EINVAL;
> |  
> | +	len = nargs[call];
> | +	if (len > 6)
> 
> Hi Arjan, wouldn't ARRAY_SIZE suffice better there?
> Or I miss something?
> 

goof once goof twice, make it sizeof.. that's nicer.

From: Arjan van de Ven <arjan at linux.intel.com>
Subject: [PATCH 9/9] Add explicit bound checks in net/socket.c
CC: netdev at vger.kernel.org

The sys_socketcall() function has a very clever system for the copy
size of its arguments. Unfortunately, gcc cannot deal with this in
terms of proving that the copy_from_user() is then always in bounds.
This is the last (well 9th of this series, but last in the kernel) such
case around.

With this patch, we can turn on code to make having the boundary provably
right for the whole kernel, and detect introduction of new security
accidents of this type early on.

Signed-off-by: Arjan van de Ven <arjan at linux.intel.com>


diff --git a/net/socket.c b/net/socket.c
index 49917a1..13a8d67 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2098,12 +2098,17 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
 	unsigned long a[6];
 	unsigned long a0, a1;
 	int err;
+	unsigned int len;
 
 	if (call < 1 || call > SYS_ACCEPT4)
 		return -EINVAL;
 
+	len = nargs[call];
+	if (len > sizeof(a))
+		return -EINVAL;
+
 	/* copy_from_user should be SMP safe. */
-	if (copy_from_user(a, args, nargs[call]))
+	if (copy_from_user(a, args, len))
 		return -EFAULT;
 
 	audit_socketcall(nargs[call] / sizeof(unsigned long), a);
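
Review bot: After validating len, the hunk still passes `nargs[call] / sizeof(unsigned long)` to audit_socketcall(); use `len / sizeof(unsigned long)` there so the checked value is the only one the function consumes. The `len > sizeof(a)` test itself is in the right units, since len is the byte count handed to copy_from_user().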


-- 
Arjan van de Ven 	Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1837
retrieving revision 1.1838
diff -u -p -r1.1837 -r1.1838
--- kernel.spec	28 Sep 2009 19:22:04 -0000	1.1837
+++ kernel.spec	28 Sep 2009 21:01:12 -0000	1.1838
@@ -650,6 +650,8 @@ Patch460: linux-2.6-serial-460800.patch
 
 Patch470: die-floppy-die.patch
 
+Patch500: linux-2.6.31-copy_from_user-bounds.patch
+
 Patch510: linux-2.6-silence-noise.patch
 Patch520: linux-2.6.30-hush-rom-warning.patch
 Patch530: linux-2.6-silence-fbcon-logo.patch
@@ -1283,6 +1285,9 @@ ApplyPatch linux-2.6-input-kill-stupid-m
 # stop floppy.ko from autoloading during udev...
 ApplyPatch die-floppy-die.patch
 
+# make copy_from_user to a stack slot provable right
+ApplyPatch linux-2.6.31-copy_from_user-bounds.patch
+
 # Get away from having to poll Toshibas
 #ApplyPatch linux-2.6-input-fix-toshiba-hotkeys.patch
 
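
Review bot: The added comment above the ApplyPatch line reads "make copy_from_user to a stack slot provable right"; it should say "provably right", and "copies to a stack slot" would make it a sentence.
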
@@ -2069,6 +2074,10 @@ fi
 # and build.
 
 %changelog
+* Mon Sep 28 2009 Dave Jones <davej at redhat.com> 2.6.31.1-52
+- Use __builtin_object_size to validate the buffer size for copy_from_user
+  + associated fixes to various copy_from_user invocations.
+
 * Mon Sep 28 2009 Justin M. Forbes <jmforbes at redhat.com> 2.6.31.1-50
 - Increase timeout for xen frontend devices to connect.
 
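
Review bot: The new %changelog entry is versioned 2.6.31.1-52 but sits directly above the 2.6.31.1-50 entry; either a -51 entry is missing or the release number here is off. Check it against the spec's release value before tagging.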



