lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200907262340.57339.bzolnier@gmail.com>
Date:	Sun, 26 Jul 2009 23:40:57 +0200
From:	Bartlomiej Zolnierkiewicz <bzolnier@...il.com>
To:	Dan Carpenter <error27@...il.com>
Cc:	linux-kernel@...r.kernel.org, corbet@....net, eteo@...hat.com
Subject: Re: smatch and tun.c

On Saturday 25 July 2009 14:21:54 Dan Carpenter wrote:
> Jonathan Corbet from lwn.net suggested that I write a smatch 
> (http://repo.or.cz/w/smatch.git) script to prevent the tun.c type bugs 
> from happening again.
> 
> I wrote two scripts.  One just looks for bugs where a variable is 
> dereferenced while initializing a local variable and checked for NULL like 
> this:
> 	int x = foo->bar;
> 	BUG_ON(!foo);  
> I have a theory that sometimes peoople are sloppy when they initialize 
> variables.  This script printed 96 warnings.  The other script prints 
> those messages along with every other time a variable is dereferenced and 
> then checked for NULL.  This script printed 685 messages.
> 
> Smatch scripts tends to have a lot of false positives.  The script that 
> only printed problems with variable initialization was maybe 40% actual 
> bugs but the one that checked everything was maybe 15% actual bugs.  I 
> guess my theory is correct.
> 
> One thing that causes false positives is that some macros need to 
> check for NULL pointers.  Also smatch doesn't handle loops correctly yet.  
> Sometimes variables get changed inside another function and that isn't 
> handled correctly yet.

Indeed there is still a lot of false positives but the functionality
is already very useful so big thanks for doing it!

> By bugs, I don't mean security bugs, I mean picky little things.  Quite 
> often places have useless checks for NULL.  But still it's worth fixing.

Yes, moreover they are a "noise" which makes discovery of real issues more
time consuming and difficult. 

> I feel bad for just sending this email instead of proper bug reports and 
> patches, but the truth is that I'm cycling through Africa on a bycicle.  I 
> sleep in a tent.  It took me days to scrape together enough electricity 
> and internet to send this one email...

You've just became my personal when it comes to the best use of available
resources! ;)

> I have attached a zip file with the warnings from 2.6.31-rc3 allmodconfig.
> Here are the instructions if you want to use a different config.
>     git clone git://repo.or.cz/smatch.git
>     cd smatch
>     make
>     cd /usr/src/linux
>     make C=1 CHECK=/path/to/smatch modules bzImage | tee warns.txt 
>     egrep '(warn|error):' warns.txt | egrep '(before|initializer)'

The last line needs to be:

	egrep '(warn|warning|error):' warns.txt | egrep '(before|initializer)'

to make it work, also if somebody wants to see the same list but against
current -next kernel it is here:

http://www.kernel.org/pub/linux/kernel/people/bart/null-pointer-err-list-next-0724.gz

[ some issues have been fixed already and some line numbers have changed ]

PS I'll also post a "filtered" list (without false positives) in a few days
(I've verified ~50% of entries till now).
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ