On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawall <julia.law...@lip6.fr> wrote:
> OK, I have the impression that what you are looking for is the following,
> that currently does not seem to work well. Still maybe it gives an idea.
>
> The basic pattern is the following sequence:
>
> 1. copy_from_user
> 2. test on a field of the copied value
> 3. another copy_from_user
> 4. a use of the same field as tested in step 2 from the structure obtained
> by the second copy_from_user or a function call with the structure as an
> argument
This looks pretty good!

> In the case where the second copy_from_user stores the result in a
> pointer, then a return with no reference of the tested field is also a
> concern, unless the pointer was already kfreed.

I think sequence "2" above is missing just looking at a direct value, like if
instead of a field it was a u32. Also, should binop include "=="? And we need
to add back in get_user() too... hmmm

-Kees

--
Kees Cook
Nexus Security
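The four-step sequence Julia describes is the classic double-fetch shape: a value is bounds-checked in one copy_from_user() result and then used from a second, independently fetched copy. The program below is an added illustration written for this thread, not code from the thread, the kernel, or Coccinelle. It models the pattern in plain user space: `fake_copy_from_user()` is a constructed stand-in for the kernel helper, `between_fetches` is a hook that stands in for a concurrent writer changing user memory between the two copies, `struct req` and `MAX_LEN` are made up for the example, and the "revalidated" handler shows the mitigation of re-applying the check to the copy that is actually used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout: a length the handler must bound-check. */
struct req {
    uint32_t len;
    uint32_t flags;
};

#define MAX_LEN 64u

/* Stand-in for the kernel's copy_from_user(): here just a memcpy from a
 * "user" buffer. Like the real helper it returns 0 on success (the real
 * one returns the number of bytes not copied). */
static unsigned long fake_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Hook modelling another thread that rewrites user memory between the two
 * fetches. NULL means no concurrent writer. */
static void (*between_fetches)(struct req *user) = NULL;

static void grow_len_after_first_fetch(struct req *user)
{
    user->len = 1000;  /* far beyond MAX_LEN */
}

/* Steps 1-4 from the thread: fetch, test a field of the copy, fetch again,
 * then use the same field from the SECOND copy. The check only covered the
 * first copy, so a change in between goes unnoticed. Returns the length the
 * handler would go on to process, or -1 on rejection. */
static int handler_double_fetch(struct req *user)
{
    struct req hdr, full;

    if (fake_copy_from_user(&hdr, user, sizeof(hdr)))        /* step 1 */
        return -1;
    if (hdr.len > MAX_LEN)                                   /* step 2 */
        return -1;
    if (between_fetches)
        between_fetches(user);
    if (fake_copy_from_user(&full, user, sizeof(full)))      /* step 3 */
        return -1;
    return (int)full.len;                                    /* step 4 */
}

/* Hardened form: the field that is used is the field that was checked.
 * Copy once where possible; when a second copy is unavoidable, re-apply
 * the test to the copy that is actually used, as done here. */
static int handler_revalidated(struct req *user)
{
    struct req hdr, full;

    if (fake_copy_from_user(&hdr, user, sizeof(hdr)))
        return -1;
    if (hdr.len > MAX_LEN)
        return -1;
    if (between_fetches)
        between_fetches(user);
    if (fake_copy_from_user(&full, user, sizeof(full)))
        return -1;
    if (full.len != hdr.len || full.len > MAX_LEN)   /* re-check the used copy */
        return -1;
    return (int)full.len;
}

/* Runs one handler against a constructed user request, optionally with the
 * modelled concurrent writer active. */
static int run_scenario(int (*handler)(struct req *), uint32_t len, int writer_active)
{
    struct req user = { .len = len, .flags = 0 };
    int rc;

    between_fetches = writer_active ? grow_len_after_first_fetch : NULL;
    rc = handler(&user);
    between_fetches = NULL;
    return rc;
}

int main(void)
{
    printf("double fetch, quiet : %d\n", run_scenario(handler_double_fetch, 16, 0));
    printf("double fetch, racy  : %d\n", run_scenario(handler_double_fetch, 16, 1));
    printf("revalidated, racy   : %d\n", run_scenario(handler_revalidated, 16, 1));
    return 0;
}
```

With the writer inactive both handlers accept a length of 16 and reject 100; with the writer active the double-fetch handler returns the unchecked 1000 while the revalidated handler returns -1. That difference between "field tested in copy one" and "field used from copy two" is exactly what a semantic patch for this pattern has to match on, and a direct u32 value rather than a struct field (Kees's point) is the same shape with no `.field` access.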