Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2250267ybf; Mon, 2 Mar 2020 05:05:56 -0800 (PST) X-Google-Smtp-Source: APXvYqzhdtnZapo9EXlC5JRGoGmjEAPR6yHByNYurxTv3kdWGXzfpF/dg6PZf4rMufRyjfh559kP X-Received: by 2002:a9d:7a47:: with SMTP id z7mr13379758otm.179.1583154355993; Mon, 02 Mar 2020 05:05:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583154355; cv=none; d=google.com; s=arc-20160816; b=05vP0lsHTeKL5vwFQlVTzf6Fww50KVaV6aVOtwjBGD1WSV3K+X+XShNF0W8onxX7GL PyK12Rwyb66vpAqromk/eokYyIRWLsQf6w4517u6HL8KCbz5J49wtjxOZp12Ogq1Fb1g 4XHvKR0P7LVISyULbLwjsKQe5oqiITFMwLA24EUGvQd535E6d7ndlL0JDoxg3N1fg1P4 8XBZV6me7XbbXX7WdBp4jeHPlE8n5ab/8E3LNbPPT5SoS7Z94xbIi64vrwFpxjqqQedu 0QIpVc6hXZV96L0QZUvlEli+Rs6RjNTownBIG2fmgzrms9jU7lrUHxCNe8C0IZ61gpoz /B7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=JEYVQ/93cUIIc6BO5V/NQlPPY1ArQwYADsRJbFdijd8=; b=qoIKIySQKvgcFCWx7LGeS4F977UzRXtUch7qTl3h3N7oGyekDCELlovsyW9smflV1G tVuX/XfRSyV/N0vT8yZrOf7Fabchmkyxl/D3iBkNf1fU7pJ03Qv5Rct6CyCkKpk/hEzE fA4exKdzPxi3OkNScQ1+6/fbVXUNe+4ur3OgbfspzhGbFuhYwkYD/4iWUVnAxGPrz76O ieS25xhuzFeS7baM3UJg7sBrGibtJhoEEB/ZlQbtiDUivtEcYXKJqsqHU/S1B9luEpQU IS7gA9sOSiZgYRzZYQi5cX/EDktSk7BRrh6O+/P4DYFRga3h4P4G831MSKu7bKAYGuih Ra8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="ifY/Bd7g"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j10si748351otr.268.2020.03.02.05.05.42; Mon, 02 Mar 2020 05:05:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="ifY/Bd7g"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727935AbgCBNEq (ORCPT + 99 others); Mon, 2 Mar 2020 08:04:46 -0500 Received: from mail-wr1-f73.google.com ([209.85.221.73]:52712 "EHLO mail-wr1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725802AbgCBNEp (ORCPT ); Mon, 2 Mar 2020 08:04:45 -0500 Received: by mail-wr1-f73.google.com with SMTP id n12so5758472wrp.19 for ; Mon, 02 Mar 2020 05:04:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=JEYVQ/93cUIIc6BO5V/NQlPPY1ArQwYADsRJbFdijd8=; b=ifY/Bd7g+2OhtayWGvfN9k47hFCAyCdcGk5ycHkoHFt8uMYtYWW/iEampGrQfd00jA NhMrguaHSkQJVtHIyOtncYN4AdA6RkzmuDiqALK2XONIpaXftSzaORyPsma/X0e67210 2dp05VBpxYq6vTcF0b1otLbf7BCFz9tusGS262gHtr0F/jJohXRbyDV4UjhwEi8yQLym vy/+nvRVT/VDr3kOvQvqK7WXNln1+VG7JUtD4IYmrtd+F2GzFBp2099skMDQBOZBaCnR c7Z3ayvTiUb+Azio8W+ZoGneaD7wE3R3dm0UcEJD5Ab5vt3Cd9s+PflF5vkgxSCgRqk2 R2Zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=JEYVQ/93cUIIc6BO5V/NQlPPY1ArQwYADsRJbFdijd8=; b=X9F9glRE/6R7FxDWEPqHfwnTQA906EivAJwv4GX+aV3WvxGS5u3QM6NR36rx2Fg4nm kTwUflhvSmgra+IrwOPTbMsM9LuRshenlf5eiJ2DMK+4hWyYVNHJKElO5fOX0TYBUB7+ qnEyAdkERz85EF256o9qCGHJX66s6df98paTJIdxYxYlA7aRGt3uxyqlmPdIzBiaO5k9 u8eMC7SNGu6NXJss0wjeT4wa/8FTKVNQeN6X/pCRp5eoqu9OgbGA+C5sEoczcg/ll/Rv iA6RTFgN4cVsRYUnOWnsLH808CL+E2gN0LcI/WJ19SMxbMS3Fe6KLnKLbHDIML1MQajh buLw== X-Gm-Message-State: APjAAAUd6iSyTpYU/E9F1XYFxab8kXSdDh16mD0HBEFv0gQDAd0huh+V amGk3QII7wAZTD1N8giOkNq/Rh8mXjQ= X-Received: by 2002:a5d:5286:: with SMTP id c6mr15916314wrv.418.1583154283684; Mon, 02 Mar 2020 05:04:43 -0800 (PST) Date: Mon, 2 Mar 2020 14:04:29 +0100 In-Reply-To: <20200302130430.201037-1-glider@google.com> Message-Id: <20200302130430.201037-2-glider@google.com> Mime-Version: 1.0 References: <20200302130430.201037-1-glider@google.com> X-Mailer: git-send-email 2.25.0.265.gbab2e86ba0-goog Subject: [PATCH v2 2/3] binder: do not initialize locals passed to copy_from_user() From: glider@google.com To: tkjos@google.com, keescook@chromium.org, gregkh@linuxfoundation.org, arve@android.com, mingo@redhat.com Cc: dvyukov@google.com, jannh@google.com, devel@driverdev.osuosl.org, peterz@infradead.org, linux-kernel@vger.kernel.org, Alexander Potapenko Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Certain copy_from_user() invocations in binder.c are known to unconditionally initialize locals before their first use, like e.g. in the following case: struct binder_transaction_data tr; if (copy_from_user(&tr, ptr, sizeof(tr))) return -EFAULT; In such cases enabling CONFIG_INIT_STACK_ALL leads to insertion of redundant locals initialization that the compiler fails to remove. To work around this problem till Clang can deal with it, we apply __no_initialize to local Binder structures. This patch was generated using the following Coccinelle script: @match@ type T; identifier var; position p0, p1; @@ T var@p0; ... copy_from_user(&var,..., sizeof(var))@p1 @escapes depends on match@ type match.T; identifier match.var; position match.p0,match.p1; @@ T var@p0; ... var ... copy_from_user(&var,..., sizeof(var))@p1 @local_inited_by_cfu depends on !escapes@ type T; identifier var; position match.p0,match.p1; fresh identifier var_noinit = var##" __no_initialize"; @@ -T var@p0; +T var_noinit; ... copy_from_user(&var,..., sizeof(var))@p1 Cc: Kees Cook Cc: Greg Kroah-Hartman Signed-off-by: Alexander Potapenko --- v2: - changed __do_not_initialize to __no_initialize as requested by Kees Cook - wrote a Coccinelle script to generate the patch --- drivers/android/binder.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index a6b2082c24f8f..a59871532ff6b 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3788,7 +3788,7 @@ static int binder_thread_write(struct binder_proc *proc, case BC_TRANSACTION_SG: case BC_REPLY_SG: { - struct binder_transaction_data_sg tr; + struct binder_transaction_data_sg tr __no_initialize; if (copy_from_user(&tr, ptr, sizeof(tr))) return -EFAULT; @@ -3799,7 +3799,7 @@ static int binder_thread_write(struct binder_proc *proc, } case BC_TRANSACTION: case BC_REPLY: { - struct binder_transaction_data tr; + struct binder_transaction_data tr __no_initialize; if (copy_from_user(&tr, ptr, sizeof(tr))) return -EFAULT; @@ -4827,7 +4827,7 @@ static int binder_ioctl_write_read(struct file *filp, struct binder_proc *proc = filp->private_data; unsigned int size = _IOC_SIZE(cmd); void __user *ubuf = (void __user *)arg; - struct binder_write_read bwr; + struct binder_write_read bwr __no_initialize; if (size != sizeof(struct binder_write_read)) { ret = -EINVAL; @@ -5039,7 +5039,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) break; } case BINDER_SET_CONTEXT_MGR_EXT: { - struct flat_binder_object fbo; + struct flat_binder_object fbo __no_initialize; if (copy_from_user(&fbo, ubuf, sizeof(fbo))) { ret = -EINVAL; @@ -5076,7 +5076,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) break; } case BINDER_GET_NODE_INFO_FOR_REF: { - struct binder_node_info_for_ref info; + struct binder_node_info_for_ref info __no_initialize; if (copy_from_user(&info, ubuf, sizeof(info))) { ret = -EFAULT; @@ -5095,7 +5095,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) break; } case BINDER_GET_NODE_DEBUG_INFO: { - struct binder_node_debug_info info; + struct binder_node_debug_info info __no_initialize; if (copy_from_user(&info, ubuf, sizeof(info))) { ret = -EFAULT; -- 2.25.0.265.gbab2e86ba0-goog