From patchwork Sat Feb 11 03:23:48 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Perches X-Patchwork-Id: 9567821 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E485160231 for ; Sat, 11 Feb 2017 03:24:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C5A65285C5 for ; Sat, 11 Feb 2017 03:24:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B7F30285E5; Sat, 11 Feb 2017 03:24:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 732BE285C5 for ; Sat, 11 Feb 2017 03:24:07 +0000 (UTC) Received: (qmail 10038 invoked by uid 550); 11 Feb 2017 03:24:06 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 10003 invoked from network); 11 Feb 2017 03:24:03 -0000 X-Session-Marker: 6A6F6540706572636865732E636F6D X-HE-Tag: drum96_3e7c473292c54 X-Filterd-Recvd-Size: 7380 Message-ID: <1486783428.2192.44.camel@perches.com> From: Joe Perches To: "Roberts, William C" , "linux-kernel@vger.kernel.org" , "apw@canonical.com" Cc: "kernel-hardening@lists.openwall.com" Date: Fri, 10 Feb 2017 19:23:48 -0800 In-Reply-To: <476DC76E7D1DF2438D32BFADF679FC562305DC7B@ORSMSX103.amr.corp.intel.com> References: <1486755469-21573-1-git-send-email-william.c.roberts@intel.com> <1486757549.2192.20.camel@perches.com> <476DC76E7D1DF2438D32BFADF679FC562305C559@ORSMSX103.amr.corp.intel.com> <476DC76E7D1DF2438D32BFADF679FC562305C5BA@ORSMSX103.amr.corp.intel.com> <1486766996.2192.30.camel@perches.com> <476DC76E7D1DF2438D32BFADF679FC562305DC7B@ORSMSX103.amr.corp.intel.com> X-Mailer: Evolution 3.22.3-0ubuntu0.1 Mime-Version: 1.0 Subject: [kernel-hardening] Re: [PATCH] checkpatch: add warning on %pk instead of %pK usage X-Virus-Scanned: ClamAV using ClamSMTP On Sat, 2017-02-11 at 01:32 +0000, Roberts, William C wrote: > > > > By "normal" I'm referring to things that call into pointer(), just > > > casually looking I see bstr_printf vsnprintf kvasprintf, which would > > > be easy enough to add > > > > > > > What do you think is missing? sn?printf ? That's easy to add. > > > > > > The problem starts to get hairy when we think of how often folks roll > > > their own logging macros (see some small sampling at the end). > > > > > > I think we would want to add DEBUG DBG and sn?printf and maybe > > > consider dropping the \b on the regex so it's a bit more matchy but > > > still shouldn't end up matching on any ASM as you pointed out in the V2 nack. > > > > > > Ill break this down into: > > > 1. the patch as I know you'll take it, as you wrote it :-P 2. Adding > > > to the logging macros 3. exploring making it less matchy > > -Kees and Andrew they likely don't care about the rest of this... > > I have been working up a regex (I suck at these) to match C functions that have an invalid > %p format string and take arguments: > http://www.regexr.com/3f92k > > This could be a way to get better coverage in a more generic approach, thoughts? Maybe this: (attached too because Evolution is a bad email client) It's still kind of hacky, but it does find multiple line statements like: + printf(KERN_INFO + "a %pX", + foo); --- Subject: [PATCH] checkpatch: Add ability to find bad uses of vsprintf %p extensions %pK was at least once misused at %pk in an out-of-tree module. This lead to some security concerns. Add the ability to track single and multiple line statements for misuses of %p. Signed-off-by: Joe Perches --- scripts/checkpatch.pl | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) -- From 3bd6868711efeb587c5c48e060c415a150fccaca Mon Sep 17 00:00:00 2001 Message-Id: <3bd6868711efeb587c5c48e060c415a150fccaca.1486783224.git.joe@perches.com> From: Joe Perches Date: Fri, 10 Feb 2017 19:17:42 -0800 Subject: [PATCH] checkpatch: Add ability to find bad uses of vsprintf %p extensions %pK was at least once misused at %pk in an out-of-tree module. This lead to some security concerns. Add the ability to track single and multiple line statements for misuses of %p. Signed-off-by: Joe Perches --- scripts/checkpatch.pl | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index ad5ea5c545b2..0eaf6b8580d6 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -5676,7 +5676,32 @@ sub process { } } + # check for vsprintf extension %p misuses + if ($^V && $^V ge 5.10.0 && + defined $stat && + $stat =~ /^\+(?![^\{]*\{\s*).*\b(\w+)\s*\(.*$String\s*,/s && + $1 !~ /^_*volatile_*$/) { + my $bad_extension = ""; + my $lc = $stat =~ tr@\n@@; + $lc = $lc + $linenr; + for (my $count = $linenr; $count <= $lc; $count++) { + my $fmt = get_quoted_string($lines[$count - 1], raw_line($count, 0)); + $fmt =~ s/%%//g; + if ($fmt =~ /(\%[\*\d\.]*p(?![\WFfSsBKRraEhMmIiUDdgVCbGN]).)/) { + $bad_extension = $1; + last; + } + } + if ($bad_extension ne "") { + my $stat_real = raw_line($linenr, 0); + for (my $count = $linenr + 1; $count <= $lc; $count++) { + $stat_real = $stat_real . "\n" . raw_line($count, 0); + } + WARN("VSPRINTF_POINTER_EXTENSION", + "Invalid vsprintf pointer extension '$bad_extension'\n" . "$here\n$stat_real\n"); + } + } + # Check for misused memsets if ($^V && $^V ge 5.10.0 && defined $stat && -- 2.10.0.rc2.1.g053435c