author | Arjan van de Ven <arjan@infradead.org> | 2009-10-02 10:50:50 -0400 |
---|---|---|
committer | Ingo Molnar <mingo@elte.hu> | 2009-10-02 13:01:42 -0400 |
commit | 63312b6a6faae3f2e5577f2b001e3b504f10a2aa (patch) | |
tree | 5ef6f8449d844652c7046c2659409ef8297f3e0b | |
parent | 4a3127693001c61a21d1ce680db6340623f52e93 (diff) |
x86: Add a Kconfig option to turn the copy_from_user warnings into errors
For automated testing it is useful to have the option to turn
the warnings emitted by the copy_from_user() etc. size checks into errors:
In function ‘copy_from_user’,
inlined from ‘fd_copyin’ at drivers/block/floppy.c:3080,
inlined from ‘fd_ioctl’ at drivers/block/floppy.c:3503:
linux/arch/x86/include/asm/uaccess_32.h:213:
error: call to ‘copy_from_user_overflow’ declared with attribute error:
copy_from_user buffer size is not provably correct
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
LKML-Reference: <20091002075050.4e9f7641@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
-rw-r--r-- | arch/x86/Kconfig.debug | 14 | ||||
-rw-r--r-- | arch/x86/include/asm/uaccess_32.h | 4 | ||||
-rw-r--r-- | include/linux/compiler-gcc4.h | 1 | ||||
-rw-r--r-- | include/linux/compiler.h | 3 |
4 files changed, 21 insertions, 1 deletions
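--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -287,4 +287,18 @@ config OPTIMIZE_INLINING
 
 If unsure, say N.
 
+config DEBUG_STRICT_USER_COPY_CHECKS
+bool "Strict copy size checks"
+depends on DEBUG_KERNEL
+---help---
+Enabling this option turns a certain set of sanity checks for user
+copy operations into compile time failures.
+
+The copy_from_user() etc checks are there to help test if there
+are sufficient security checks on the length argument of
+the copy operation, by having gcc prove that the argument is
+within bounds.
+
+If unsure, or if you run an older (pre 4.4) gcc, say N.
+
 endmenu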
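Review bot: The help text never says what a build failure under this option means or how to resolve it, and that matters because the check fires whenever gcc cannot prove the copy size is in bounds (the error string itself says "not provably correct"), not only when the size is actually wrong — a length validated at runtime in a way gcc cannot see still breaks the build. Consider adding a paragraph such as `A failure means gcc could not prove the copy size is within the destination object; add an explicit bounds check before the copy rather than disabling this option.` The "pre 4.4 gcc" advice could also state that on such compilers __compiletime_error falls back to the empty macro in include/linux/compiler.h, so the option is silently inert rather than harmful, which is a different reason to say N than the text currently implies.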
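--- a/arch/x86/include/asm/uaccess_32.h
+++ b/arch/x86/include/asm/uaccess_32.h
@@ -193,7 +193,9 @@ unsigned long __must_check _copy_from_user(void *to,
 
 
 extern void copy_from_user_overflow(void)
-#ifdef CONFIG_DEBUG_STACKOVERFLOW
+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
+__compiletime_error("copy_from_user() buffer size is not provably correct")
+#else
 __compiletime_warning("copy_from_user() buffer size is not provably correct")
 #endif
 ;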
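Review bot: Only the 32-bit header is touched by this commit (the diffstat lists arch/x86/include/asm/uaccess_32.h alone), while the new option sits in arch/x86/Kconfig.debug and is selectable on x86-64 as well; unless uaccess_64.h already carries an equivalent copy_from_user_overflow() hook, enabling the option on a 64-bit build yields no additional checking and gives the tester a false sense of coverage. Either add `depends on X86_32` to the option until the 64-bit header gets the same treatment, or mirror this declaration there. Separately, if I read GCC's attribute semantics right, the error (like the warning) only fires when the call survives optimization, so the guarantee is weaker at -O0 or when callers are not inlined; a one-line comment above the declaration noting `/* fires only if the call is still reachable after optimization */` would spare readers the surprise. The declaration is complete within the hunk, but the call site that makes it reachable is outside it.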
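--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
@@ -41,4 +41,5 @@
 #define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
 #if __GNUC_MINOR__ >= 4
 #define __compiletime_warning(message) __attribute__((warning(message)))
+#define __compiletime_error(message) __attribute__((error(message)))
 #endif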
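Review bot: The new `__compiletime_error` shares the `#if __GNUC_MINOR__ >= 4` gate with `__compiletime_warning` without any comment on why that version is the cutoff, and the Kconfig help text repeats "pre 4.4" by hand, so the two can drift apart silently. A short comment on the gate would tie them together, e.g. `/* warning()/error() function attributes: gcc >= 4.4; older gcc gets the no-op fallbacks in compiler.h */`. If the error attribute is in fact available from the same release as the warning attribute this is purely documentation; if not, the gate should be split.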
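--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -273,6 +273,9 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
 #ifndef __compiletime_warning
 # define __compiletime_warning(message)
 #endif
+#ifndef __compiletime_error
+# define __compiletime_error(message)
+#endif
 
 /*
  * Prevent the compiler from merging or refetching accesses. The compiler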
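Review bot: The fallback defines `__compiletime_error(message)` to nothing, so a kernel built with CONFIG_DEBUG_STRICT_USER_COPY_CHECKS on a compiler lacking the attribute compiles cleanly with no check performed and no indication that the option had no effect. An empty expansion is the right choice for a declaration attribute, but it deserves a comment so nobody reads a green build as proof that the copy sizes were verified, e.g. `/* No error() attribute: CONFIG_DEBUG_STRICT_USER_COPY_CHECKS degrades to no check here. */`. The automated testing the commit message targets is exactly the consumer most likely to be misled by that silent degradation.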