Old 07-15-2010, 10:35 PM
Kees Cook
 
Default request: CONFIG_DEBUG_STRICT_USER_COPY_CHECKS

Hi!

Could we enable this test, just to be safer during compiles? It won't
affect run-time, it just forces the build to be safer, IIUC:

arch/x86/include/asm/uaccess_32.h:

extern void copy_from_user_overflow(void)
#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
	__compiletime_error("copy_from_user() buffer size is not provably correct")
#else
	__compiletime_warning("copy_from_user() buffer size is not provably correct")
#endif
;

static inline unsigned long __must_check copy_from_user(void *to,
					  const void __user *from,
					  unsigned long n)
{
	/* Size of the destination object if the compiler knows it, else -1. */
	int sz = __compiletime_object_size(to);

	if (likely(sz == -1 || sz >= n))
		n = _copy_from_user(to, from, n);
	else
		copy_from_user_overflow();	/* build-time warning or error */

	return n;
}


--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-16-2010, 10:40 PM
Leann Ogasawara
 
Default request: CONFIG_DEBUG_STRICT_USER_COPY_CHECKS

On Thu, 2010-07-15 at 15:35 -0700, Kees Cook wrote:
> Hi!

Hi Kees,

> Could we enable this test, just to be safer during compiles? It won't
> affect run-time, it just forces the build to be safer, IIUC:

I wouldn't be opposed to enabling this, but at the moment doing so
results in build failures. If you have time, care to send a patch to
fix up these build failures? Otherwise, can you file a bug for us to
track this request?

Thanks,
Leann

> arch/x86/include/asm/uaccess_32.h:
>
> extern void copy_from_user_overflow(void)
> #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
> 	__compiletime_error("copy_from_user() buffer size is not provably correct")
> #else
> 	__compiletime_warning("copy_from_user() buffer size is not provably correct")
> #endif
> ;
>
> static inline unsigned long __must_check copy_from_user(void *to,
> 					  const void __user *from,
> 					  unsigned long n)
> {
> 	int sz = __compiletime_object_size(to);
>
> 	if (likely(sz == -1 || sz >= n))
> 		n = _copy_from_user(to, from, n);
> 	else
> 		copy_from_user_overflow();
>
> 	return n;
> }
>
>
> --
> Kees Cook
> Ubuntu Security Team
>



 
Old 07-17-2010, 09:20 PM
Kees Cook
 
Default request: CONFIG_DEBUG_STRICT_USER_COPY_CHECKS

On Fri, Jul 16, 2010 at 03:40:12PM -0700, Leann Ogasawara wrote:
> On Thu, 2010-07-15 at 15:35 -0700, Kees Cook wrote:
> > Could we enable this test, just to be safer during compiles? It won't
> > affect run-time, it just forces the build to be safer, IIUC:
>
> I wouldn't be opposed to enabling this, but at the moment doing so
> results in build failures. If you have time, care to send a patch to
> fix up these build failures? Otherwise, can you file a bug for us to
> track this request?

Weird. I just did a test build and didn't see any failures (I also didn't
see these warnings in prior released builds -- which is why I asked to turn
it on actually). Can you point me to the failures you ran into?

Thanks!

-Kees

--
Kees Cook
Ubuntu Security Team

 
Old 07-18-2010, 08:14 AM
Kees Cook
 
Default request: CONFIG_DEBUG_STRICT_USER_COPY_CHECKS

On Sat, Jul 17, 2010 at 02:20:13PM -0700, Kees Cook wrote:
> Weird. I just did a test build and didn't see any failures (I also didn't
> see these warnings in prior released builds -- which is why I asked to turn
> it on actually). Can you point me to the failures you ran into?

Ah-ha, I found them in the i386 build. Not sure why these drivers aren't
enabled on amd64, but I'll go digging. Thanks!

In function 'copy_from_user',
inlined from 'lirc_write' at
ubuntu/lirc/lirc_it87/lirc_it87.c:228:
arch/x86/include/asm/uaccess_32.h:212: error: call
to 'copy_from_user_overflow' declared with attribute error:
copy_from_user() buffer size is not provably correct
In function 'copy_from_user',
inlined from 'icn_writecmd' at
drivers/isdn/icn/icn.c:1048:
arch/x86/include/asm/uaccess_32.h:212: error: call
to 'copy_from_user_overflow' declared with attribute error:
copy_from_user() buffer size is not provably correct

--
Kees Cook
Ubuntu Security Team
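
A userspace model of the check quoted in this thread, added here as an illustration; it is not part of the original messages or of the kernel source. `write_unbounded` and `write_bounded` are hypothetical handlers (not the code of `lirc_write` or `icn_writecmd`), and the kernel's build-time diagnostic is replaced by a run-time flag so the effect can be observed.

```c
#include <stddef.h>
#include <string.h>

/* The decision quoted in the thread: copy only if the destination size is
 * unknown ((size_t)-1) or at least n. The kernel makes the compiler prove
 * the other branch unreachable; this model flags it at run time instead.
 * Returns the number of bytes NOT copied, like copy_from_user(). */
static size_t checked_copy(void *to, size_t to_size, const void *from,
                           size_t n, int *flagged)
{
    *flagged = !(to_size == (size_t)-1 || to_size >= n);
    if (*flagged)
        return n;           /* kernel: copy_from_user_overflow() */
    memcpy(to, from, n);    /* kernel: _copy_from_user() */
    return 0;
}

/* Take the object size at the call site, where the buffer is visible.
 * With GCC, __compiletime_object_size(obj) is __builtin_object_size(obj, 0). */
#define COPY(to, from, n, flagged) \
    checked_copy((to), __builtin_object_size((to), 0), (from), (n), (flagged))

/* Hypothetical handler: n is caller-controlled and never compared with
 * sizeof(buf), so the overflow branch stays reachable. */
static size_t write_unbounded(const void *src, size_t n, int *flagged)
{
    char buf[16];
    return COPY(buf, src, n, flagged);
}

/* Same handler rejecting oversized requests first: every n that reaches
 * the copy is <= sizeof(buf), so the overflow branch is dead code. */
static size_t write_bounded(const void *src, size_t n, int *flagged)
{
    char buf[16];
    *flagged = 0;
    if (n > sizeof(buf))
        return n;
    return COPY(buf, src, n, flagged);
}

int main(void)
{
    char src[64] = "constructed sample input";
    int a, b;
    write_unbounded(src, sizeof(src), &a);
    write_bounded(src, sizeof(src), &b);
    return !(a == 1 && b == 0);   /* exit 0: only the unbounded path is flagged */
}
```

In the kernel the comparison is resolved during compilation, so a handler shaped like `write_unbounded` is reported for every build, whatever lengths are passed at run time.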

 

All times are GMT.