Project

General

Profile

Actions
Copy link

Feature #7339

closed

Restrict values of parameter of write callback of file operations

Added by Evgeny Novikov about 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Ilja Zakharov
Category:
Environment models
Target version:
-
Start date:
06/23/2016
Due date:
% Done:

0%

Estimated time:
Published in build:
d382669

Description

In 0f6ff65ed8d3 ZERO_SIZE_PTR (returned by kmalloc called with the 0 size) was avoided by early rejecting the 0 value of the cnt parameter that is passed later as a first kmalloc parameter.

If theoretically that parameter can be huge, adding 1 to it can result in overflow and again to call of kmalloc with 0 (CPAchecker with bit precise analysis could detect that). Indeed its values are limited by the kernel in rw_verify_area called by vfs_write (that is called in system call) prior to the write operation of file operations.

That's why we need to restrict values of parameter of write callback of file operations.

Thanks to Pavel, Vadim, Anton and Ilja for understanding this issue.

Related issues 1 (1 open0 closed)

Related to Klever - Bug #7472: EMG may incorrectly match callbacks parameters with several provided labels parametersNewIlja Zakharov08/15/2016

Actions
Actions
Copy link
 #1

Updated by Evgeny Novikov almost 8 years ago

  • Priority changed from High to Urgent
Actions
Copy link
 #2

Updated by Vadim Mutilin almost 8 years ago

1. count should be not more than MAX_RW_COUNT, expanding to MAX_INT - PAGE_SIZE

557                 if (count > MAX_RW_COUNT)
558                         count =  MAX_RW_COUNT;

2. count should be >=0

Actions
Copy link
 #3

Updated by Evgeny Novikov almost 8 years ago

  • Assignee set to Ilja Zakharov

As far as I know Ilja took care about this feature now.

Actions
Copy link
 #4

Updated by Ilja Zakharov almost 8 years ago

  • Status changed from New to Resolved

Implemented in branch 'emg-fo-spec'.

This branch contains new specification for file operations (it was modelled by a pattern before) and a bug fix. Since the used functionality (parameter restrictions) has been used first time I have found a minor bug and a complicated bug. A minor bug I have fixed in the branch and for the complicated bug the issue has been opened (#7472). By the way it is not critical and can be avoided by a properly written specification.

After all fixes false positives are gone and we have proper transition unsafe->safe now before and after the mentioned commit.

Actions
Copy link
 #5

Updated by Evgeny Novikov almost 8 years ago

  • Status changed from Resolved to Closed
  • Published in build set to d382669

Great! We almost reached the milestone (we will really reach it when we will return back one missed target bug).

I merged the branch to master in d382669.

Actions
Copy link

Also available in: Atom PDF