X-Patchwork-Submitter: Tycho Andersen
X-Patchwork-Id: 10739529
From: Tycho Andersen
To: linux-sparse@vger.kernel.org, kernel-hardening@lists.openwall.com
Cc: Tycho Andersen
Subject: [RFC v1 0/4] static analysis of copy_to_user()
Date: Thu, 20 Dec 2018 12:59:27 -0700
Message-Id: <20181220195931.20331-1-tycho@tycho.ws>

Hi all,

A while ago I talked with various people about whether some static
analysis of copy_to_user() could be productive in finding infoleaks.
Unfortunately, due to the various issues outlined in the patch notes, it
doesn't seem like it is. Perhaps these checks are useful to put in just
to future proof ourselves against these sorts of issues, though.

Anyway, here's the code. Thoughts welcome!

Tycho

Tycho Andersen (4):
  expression.h: update comment to include other cast types
  move name-based analysis before linearization
  add a check for copy_to_user() address spaces
  check copy_to_user() sizes

 expression.h                           |   2 +-
 sparse.c                               | 327 ++++++++++++++++++++++---
 validation/copy_to_user.c              |  31 +++
 validation/copy_to_user_sizes.c        |  53 ++++
 validation/copy_to_user_sizes_inline.c |  29 +++
 5 files changed, 405 insertions(+), 37 deletions(-)
 create mode 100644 validation/copy_to_user.c
 create mode 100644 validation/copy_to_user_sizes.c
 create mode 100644 validation/copy_to_user_sizes_inline.c