This is usually a sign of a resized request. This adds a check for
potential races or confusions. The check isn't 100% accurate, so it
needs some manual review.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
scripts/coccinelle/tests/reusercopy.cocci | 36
On Tue, Apr 26, 2016 at 3:24 PM, Kees Cook <keesc...@chromium.org> wrote:
> This is usually a sign of a resized request. This adds a check for
> potential races or confusions. The check isn't 100% accurate, so it
> needs some manual review.
>
> Signed-off-by: Kees Cook &
By default, "seq" counts from 1, but processes were starting counting
from 0, so when interrupted, coccicheck would leave the 0th process
running.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
scripts/coccicheck | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
On Tue, Jan 10, 2017 at 11:30 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>
>
> On Tue, 10 Jan 2017, Kees Cook wrote:
>
>> On Tue, Jan 10, 2017 at 10:28 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3
eld it was a u32. Also, should binop include
"=="?
And we need to add back in get_user() too... hmmm
-Kees
--
Kees Cook
Nexus Security
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci
On Mon, Jan 9, 2017 at 12:56 PM, Kees Cook <keesc...@chromium.org> wrote:
> On Mon, Jan 9, 2017 at 11:08 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>>
>> On Mon, 9 Jan 2017, Vaishali Thakkar wrote:
>>
>>> Here, may be we should add few more lines from
>> > resurrecting it.
>> >
>> > Some changes are suggested below.
>> >
>> > On Tue, 26 Apr 2016, Kees Cook wrote:
>> >
>> > > This is usually a sign of a resized request. This adds a check for
>> > > potential races or confusion
this. Many thanks to Vaishali for
> resurrecting it.
>
> Some changes are suggested below.
>
> On Tue, 26 Apr 2016, Kees Cook wrote:
>
> This is usually a sign of a resized request. This adds a check for
> potential races or confusions. The check isn't 100% accurate, so it
> need
Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote:
>>>>
>>>> I totally dropped the ball on this. Many thanks to Vaishali for
>>>> resurrecting it.
>>>>
>>>> Some changes are suggested below.
>>>>
>>>> On Tue, 26 Ap
return -EFAULT;
If there is any logic that examines cmd (u32) and operates on t
(struct ch_qset_params), there could be a flaw. It doesn't look like
it here, but a "correct" version of this would be:
if (copy_from_user(&t, useraddr, sizeof(t)))
On Tue, Jan 10, 2017 at 11:23 AM, Kees Cook <keesc...@chromium.org> wrote:
> On Tue, Jan 10, 2017 at 10:28 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>>> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2159
>>> +./drivers/net/ethernet/chelsio/cxgb3/cxg
k, this "?y=a" catches the seccomp case I pointed out?
while (orig && atomic_dec_and_test(&orig->usage)) {
	struct seccomp_filter *freeme = orig;
	orig = orig->prev;
	seccomp_filter_free(freeme);
}
Seems like it should match. Did this find anything else besides seccomp?
-Kees
--
Kees Cook
Pixel Security
ees
--
Kees Cook
Pixel Security
On Fri, Aug 18, 2017 at 10:08 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>
>
> On Fri, 18 Aug 2017, Kees Cook wrote:
>
>> I'd like to have a rule that would match both:
>>
>> function(ptr);
>> ptr->field = 7;
>>
>> and
>>
>&g
On Sat, Sep 16, 2017 at 10:25 PM, Julia Lawall <julia.law...@lip6.fr> wrote:
>
>
> On Sat, 16 Sep 2017, Kees Cook wrote:
>
>> Hi,
>>
>> If I have several structures inline, "identifier" doesn't match it. For
>> example:
>>
.@lip6.fr>
Cc: Gilles Muller <gilles.mul...@lip6.fr>
Cc: Nicolas Palix <nicolas.pa...@imag.fr>
Cc: Michal Marek <mma...@suse.com>
Cc: cocci@systeme.lip6.fr
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
scripts/coccinelle/api/setup_timer.cocci | 129 ++
to match
all of these with a single type of metavariable:
setup_timer(>timer, ...);
setup_timer(>struct1.timer, ...);
setup_timer(>struct1.struct2.timer, ...);
etc
Thanks!
-Kees
--
Kees Cook
Pixel Security
I think I'm getting closer. Here are some specific examples that don't
seem to work:
---match_callback.cocci---
virtual patch
@match_timer_function_usage
depends on patch@
expression _E;
struct timer_list _e;
identifier _timer;
identifier _callback;
type _cast_func, _cast_data;
@@
(
On Wed, Aug 23, 2017 at 2:19 PM, Julia Lawall <julia.law...@lip6.fr> wrote:
>
>
> On Wed, 23 Aug 2017, Kees Cook wrote:
>
>> I think I'm getting closer. Here are some specific examples that don't
>> seem to work:
>>
>> ---match_callback.cocci---
>>
name:
static void authenticate_timeout(u_long);
static void verify_dl_startup(u_long);
Is this a bug, or did I write my rule in some way that excludes these
forward declarations?
Thanks!
-Kees
--
Kees Cook
Pixel Security
On Mon, Aug 28, 2017 at 4:34 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>
>
> On Sun, 27 Aug 2017, Kees Cook wrote:
>
>> Hi,
>>
>> So, I noticed that if I replace argument types in a function,
>> coccinelle will normally replace them i
On Wed, Aug 23, 2017 at 6:13 AM, Julia Lawall <julia.law...@lip6.fr> wrote:
>
>
> On Tue, 22 Aug 2017, Kees Cook wrote:
>
>> This improves the patch mode of setup_timer.cocci. Several patterns were
>> missing:
>> - assignments-before-init_timer() cases
&
.@lip6.fr>
Cc: Gilles Muller <gilles.mul...@lip6.fr>
Cc: Nicolas Palix <nicolas.pa...@imag.fr>
Cc: Michal Marek <mma...@suse.com>
Cc: cocci@systeme.lip6.fr
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
scripts/coccinelle/api/setup_timer.cocci | 129 ++
xing it up...
-Kees
--
Kees Cook
Pixel Security
On Mon, Jun 11, 2018 at 4:17 PM, Kees Cook wrote:
> Hi,
>
> I've been doing some large treewide changes to the allocators, and I
> notice that Coccinelle does something odd for a specific case. I have
> two scripts, one operating on kmalloc() and one operating on
Hi,
I normally use "--dir ." when doing recursive runs in the kernel tree,
but I want to avoid changes in the tools/ subdirectory. I can't find
anything like --exclude, and --dir can't be specified multiple times.
Is there an existing solution I'm missing?
Thanks!
-Kees
--
Kees
On Fri, Sep 1, 2017 at 2:40 AM, Elena Reshetova
wrote:
> atomic_as_refcounter.cocci script allows detecting
> cases when refcount_t type and API should be used
> instead of atomic_t.
>
> Signed-off-by: Elena Reshetova
> Acked-by: Julia Lawall
Reviewed-by: Kees Cook
Oops
On Mon, Apr 30, 2018 at 1:16 PM, Matthew Wilcox <wi...@infradead.org> wrote:
> On Mon, Apr 30, 2018 at 12:02:14PM -0700, Kees Cook wrote:
>> For any longer multiplications, I've only found[1]:
>>
>> drivers/staging/rtl8188eu/os_dep/osdep_service.c: void **a =
On Mon, Apr 30, 2018 at 2:29 PM, Rasmus Villemoes
<li...@rasmusvillemoes.dk> wrote:
> On 2018-04-30 22:16, Matthew Wilcox wrote:
>> On Mon, Apr 30, 2018 at 12:02:14PM -0700, Kees Cook wrote:
>>>
>>> Getting the constant ordering right could be part of the
On Sun, Apr 29, 2018 at 1:30 PM, Matthew Wilcox <wi...@infradead.org> wrote:
> On Sun, Apr 29, 2018 at 09:59:27AM -0700, Kees Cook wrote:
>> Did this ever happen?
>
> Not yet. I brought it up at LSFMM, and I'll repost the patches soon.
>
>> I'd also like to see kmal
On Thu, May 3, 2018 at 4:00 PM, Rasmus Villemoes
<li...@rasmusvillemoes.dk> wrote:
> On 2018-05-01 19:00, Kees Cook wrote:
>> On Mon, Apr 30, 2018 at 2:29 PM, Rasmus Villemoes
>> <li...@rasmusvillemoes.dk> wrote:
>>>
>>> gcc 5.1+ (I think) have
On Thu, May 3, 2018 at 5:36 PM, Kees Cook <keesc...@chromium.org> wrote:
> On Thu, May 3, 2018 at 4:00 PM, Rasmus Villemoes
> <li...@rasmusvillemoes.dk> wrote:
>> On 2018-05-01 19:00, Kees Cook wrote:
>>> On Mon, Apr 30, 2018 at 2:29 PM, Rasmus Villemoes
>
), gfp)
> +
> extern void kvfree(const void *addr);
>
> static inline atomic_t *compound_mapcount_ptr(struct page *page)
It might be nice to include another patch that replaces some of the
existing/common uses of a*b+c with the new function...
Otherwise, yes, please. We could build a coccinelle rule for
additional replacements...
-Kees
--
Kees Cook
Pixel Security
On Thu, Aug 23, 2018 at 2:48 PM, Joe Perches wrote:
> Forwarding a question about coccinelle and isomorphisms from Kees Cook
>
> -- Forwarded message --
> From: Kees Cook
> To: "Gustavo A. R. Silva"
> Cc: Alessandro Zummo , Alexandre Belloni
> ,
On Thu, Aug 23, 2018 at 3:00 PM, Julia Lawall wrote:
>
>
> On Thu, 23 Aug 2018, Kees Cook wrote:
>
>> On Thu, Aug 23, 2018 at 2:48 PM, Joe Perches wrote:
>> > Forwarding a question about coccinelle and isomorphisms from Kees Cook
>> >
>> > --
On Thu, Aug 23, 2018 at 3:21 PM, Joe Perches wrote:
> On Thu, 2018-08-23 at 18:13 -0400, Julia Lawall wrote:
>>
>> On Thu, 23 Aug 2018, Kees Cook wrote:
>>
>> (a + b) * c
>>
>> It will consider a pattern with the parentheses removed, but that pattern
>
[0]) +
> __must_be_array(arr))
>
> +/**
> + * for_each_array_element - Iterate all items in an array
> + * @elem: pointer of array type for iteration cursor
> + * @array: array to be iterated
> + */
> +#define for_each_array_element(elem, array) \
> + for (elem = &
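Review bot: the kerneldoc for for_each_array_element is misleading as written: "@elem: pointer of array type for iteration cursor" reads as if the cursor itself has array type, while the body begins with "elem = &", i.e. elem is a pointer to an element of @array. Consider "@elem: pointer to the current element, used as the iteration cursor" so the parameter description matches the expansion.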
- PRODUCT = ((ICOUNT)) * ((ISIZE))
+ PRODUCT = array_size(ICOUNT, ISTRIDE, ISIZE)
|
- PRODUCT = ((ICOUNT)) * ((ESIZE))
+ PRODUCT = array_size(ICOUNT, ESIZE)
|
- PRODUCT = ((ECOUNT)) * ((ESIZE))
+ PRODUCT = array_size(ECOUNT, ESIZE)
)
... when != PRODUCT = OTHER
alloc(..., PRODUCT, ...)
Thanks!
-Kees
On Sun, Sep 30, 2018 at 8:40 AM, Julia Lawall wrote:
>
>
> On Sun, 30 Sep 2018, Lars-Peter Clausen wrote:
>
>> On 09/27/2018 08:51 PM, Kees Cook wrote:
>> > Hi,
>> >
>> > This .cocci takes a VERY long time to run against the kernel, and I'd
>&
will report only how much was
/// actually written, keeping any overflows from happening.
///
// Confidence: Moderate
// Copyright: (C) 2018 Kees Cook, Google. GPLv2.
// URL: http://coccinelle.lip6.fr/
// Options: --all-includes --include-headers
virtual patch
@sum_patch depends on patch exists
ng_task panic is set
> as of now and the goal of this patch is give users more flexibility,
> I vote to keep default as 0. I can respin a V3 in case more people
> want to see it enabled by default. Thanks in advance for the review!
Yeah, most things like this we've tried to be conservativ
redundant" boot
params you've noticed in the kernel? I bet there are a lot. :)
--
Kees Cook
lude a link in the checkpatch
warning to it? (Feel free to just reuse the text removed from
deprecated.rst)
--
Kees Cook
+ return 0;
This can be:
if (WARN(pos < buf, "pos < buf\n") ||
    WARN(pos - buf >= PAGE_SIZE, "pos >= PAGE_SIZE (%tu > %lu)\n",
         pos - buf, PAGE_SIZE))
	return 0;
--
Kees Cook
args ...);
remaining -= scnprintf(buf, remaining, "fmt", var args ...);
return PAGE_SIZE - remaining;
}
--
Kees Cook
mISDN/core.c-}
> > > drivers/isdn/mISDN/core.c-static DEVICE_ATTR_RO(name);
> >
> > That form ends up calculating the string length twice.
> > Better would be:
> > len = strlen(msg);
> > memcpy(buf, msg, len);
> > return len;
>
> or give
On Mon, Jun 15, 2020 at 01:20:45PM +0300, Denis Efremov wrote:
> Detect an opencoded expression that is used before or after
> array_size()/array3_size()/struct_size() to compute the same size.
>
> Cc: Kees Cook
> Signed-off-by: Denis Efremov
Oh, very cool! How much does this
ARG1;
expression ARG2;
@@
array_size(ARG1, ARG2);
How do I get something to match A and B but not C and D (i.e. I do not
want to match any operations, function calls, etc, only a variable,
which may be identified through dereference, array index, or struct
member acc
uot; part is to effectively
collect it into E (as in, both the left and right of the & must match).
So to do the matching from earlier:
@@
identifier i, fld;
expression e, ARG1, ARG2;
@@
array_size(\(\(i\|e.fld\|e->fld\) \& ARG1\), ARG2);
?
--
Kees Cook
On Wed, Jun 17, 2020 at 08:54:03PM +0200, Julia Lawall wrote:
>
>
> On Wed, 17 Jun 2020, Kees Cook wrote:
>
> > On Mon, Jun 15, 2020 at 01:20:45PM +0300, Denis Efremov wrote:
> > > +@as@
> > > +expression E1, E2;
> > > +@@
> > > +
>