Junfeng Yang <yjf@stanford.edu> writes:
> We are the the Stanford Checker team that constantly send error
> reports to the linux kernel mailing list. Enclosed are 10
> dereference of user pointer warnings catched by our checker. We
> started by marking the second parameter of copy_from_user (to, from,
> len), the first parameter of copy_to_user (to, from, len), and all
> parameters of the sys_* functions as tainted, then propogated the
> tainted annotations along call chains. If two functions get assigned
> to the same structure field, we propogate the tainted annotations
> between them, too. An example of such propogation is the warning
> about drivers/media/video/cpia.c::cpia_write_proc and
> drivers/media/usb/media/vicam.c. The error message uses "thru
> struct_name:field_name" to represent such propogations.
Can't pointer-dereference errors be handled directly by any C
compiler. Is CHECKER necessary for this. Use an incomplete
struct pointer and the compiler will complain on all dereferences.
Something like
/* struct user_space should never be defined. */
typedef struct user_space user_space;
int copy_to_user (user_space *to, char *from, size_t len);
int copy_from_user (char *to, user_space *from, size_t len);
/* ... */
#define TREAT_AS_USER_SPACE_POINTER(p) \
({ \
BUG_ON(get_fs() != get_gs()); \
(user_space *)p; \
})
- Hari
-- Raja R Harinath ------------------------------ harinath@cs.umn.edu- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/