| Message ID | 20180515160033.156f119c@vento.lan (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, May 15, 2018 at 04:00:33PM -0300, Mauro Carvalho Chehab wrote: > Yeah, that's the same I'm getting from media upstream. > > > drivers/media/cec/cec-pin-error-inj.c:170 cec_pin_error_inj_parse_line() > > warn: potential spectre issue 'pin->error_inj_args' > > This one seems a false positive, as the index var is u8 and the > array has 256 elements, as the userspace input from 'op' is > initialized with: > > u8 v; > u32 op; > > if (!kstrtou8(token, 0, &v)) > op = v; > It's hard to silence this because Smatch stores the current user controlled range list, not what it was initially. I wrote all this code to detect bounds checking errors, so there wasn't any need to save the range list before the bounds check. Since "op" is a u32, I can't even go by the type of the index.... > > drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() > > warn: potential spectre issue 'ca->slot_info' (local cap) > > This one seems a real issue to me. Sent a patch for it. > > > drivers/media/dvb-core/dvb_net.c:252 handle_one_ule_extension() warn: > > potential spectre issue 'p->ule_next_hdr' > > I failed to see what's wrong here, or if this is exploited. Oh... Huh. This is a bug in smatch. That line looks like: p->ule_sndu_type = ntohs(*(__be16 *)(p->ule_next_hdr + ((p->ule_dbit ? 2 : 3) * ETH_ALEN))); Smatch see the ntohs() and marks everything inside it as untrusted network data. I'll fix this. regards, dan carpenter
Em Wed, 16 May 2018 16:11:08 +0300 Dan Carpenter <dan.carpenter@oracle.com> escreveu: > On Tue, May 15, 2018 at 04:00:33PM -0300, Mauro Carvalho Chehab wrote: > > Yeah, that's the same I'm getting from media upstream. > > > > > drivers/media/cec/cec-pin-error-inj.c:170 cec_pin_error_inj_parse_line() > > > warn: potential spectre issue 'pin->error_inj_args' > > > > This one seems a false positive, as the index var is u8 and the > > array has 256 elements, as the userspace input from 'op' is > > initialized with: > > > > u8 v; > > u32 op; > > > > if (!kstrtou8(token, 0, &v)) > > op = v; > > > > It's hard to silence this because Smatch stores the current user > controlled range list, not what it was initially. I wrote all this code > to detect bounds checking errors, so there wasn't any need to save the > range list before the bounds check. Since "op" is a u32, I can't even > go by the type of the index.... Yeah, I was thinking that is would be harder to clean this up on smatch. I proposed a patch to the ML that simplifies the logic, making easier for both humans and Smatch to better understand how the arrays are indexed. > > > > drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() > > > warn: potential spectre issue 'ca->slot_info' (local cap) > > > > This one seems a real issue to me. Sent a patch for it. > > > > > drivers/media/dvb-core/dvb_net.c:252 handle_one_ule_extension() warn: > > > potential spectre issue 'p->ule_next_hdr' > > > > I failed to see what's wrong here, or if this is exploited. > > Oh... Huh. This is a bug in smatch. That line looks like: > > p->ule_sndu_type = ntohs(*(__be16 *)(p->ule_next_hdr + ((p->ule_dbit ? 2 : 3) * ETH_ALEN))); > > Smatch see the ntohs() and marks everything inside it as untrusted > network data. I'll fix this. Thanks! Regards, Mauro
diff --git a/check_missing_break.c b/check_missing_break.c index 434b7283fc94..5bba6e919521 100644 --- a/check_missing_break.c +++ b/check_missing_break.c @@ -73,7 +73,7 @@ static void print_missing_break(struct expression *expr) last_print_expr = get_switch_expr(); name = expr_to_var(expr); - sm_msg("warn: missing break? reassigning '%s'", name); +// sm_msg("warn: missing break? reassigning '%s'", name); free_string(name); } diff --git a/smatch_flow.c b/smatch_flow.c index dc0e78824370..cd72a9ded375 100644 --- a/smatch_flow.c +++ b/smatch_flow.c @@ -1005,8 +1005,7 @@ void __split_stmt(struct statement *stmt) __bail_on_rest_of_function = 1; final_pass = 1; - sm_msg("Function too hairy. Giving up. %lu seconds", - stop.tv_sec - fn_start_time.tv_sec); + sm_msg("__split_smt: function too hairy. Giving up."); fake_a_return(); final_pass = 0; /* turn off sm_msg() from here */ return; diff --git a/smatch_implied.c b/smatch_implied.c index 3588816361fe..f3ccd4b6d79e 100644 --- a/smatch_implied.c +++ b/smatch_implied.c @@ -594,7 +594,7 @@ static void separate_and_filter(struct sm_state *sm, int comparison, struct rang gettimeofday(&time_after, NULL); sec = time_after.tv_sec - time_before.tv_sec; - if (sec > 20) { + if (sec > 60) { sm->nr_children = 4000; sm_msg("Function too hairy. Ignoring implications after %d seconds.", sec); } diff --git a/smatch_slist.c b/smatch_slist.c index e1eb1b999b2a..2f8ba34a4b9a 100644 --- a/smatch_slist.c +++ b/smatch_slist.c @@ -237,12 +237,14 @@ char *alloc_sname(const char *str) int out_of_memory(void) { /* - * I decided to use 50M here based on trial and error. + * I decided to use 6GB here based on trial and error. * It works out OK for the kernel and so it should work * for most other projects as well. */ - if (sm_state_counter * sizeof(struct sm_state) >= 100000000) + if (sm_state_counter * sizeof(struct sm_state) >= 6000000000) { + sm_msg("Out of memory"); return 1; + } return 0; }