lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 28 Aug 2016 21:38:09 +0200 (CEST) From: Julia Lawall <julia.lawall@...6.fr> To: Nicolas Iooss <nicolas.iooss_linux@....org> cc: Joe Perches <joe@...ches.com>, alsa-devel@...a-project.org, Dan Capenter <error27@...il.com>, Liam Girdwood <lgirdwood@...il.com>, Mark Brown <broonie@...nel.org>, linux-kernel@...r.kernel.org Subject: Re: Misuses of ** ? (was Re: [PATCH 1/1] ASoC: Intel: Atom: add a missing star in a memcpy call) On Sun, 28 Aug 2016, Nicolas Iooss wrote: > On 28/08/16 19:50, Joe Perches wrote: > > On Sun, 2016-08-28 at 19:39 +0200, Nicolas Iooss wrote: > >> In sst_prepare_and_post_msg(), when a response is received in "block", > >> the following code gets executed: > >> > >> *data = kzalloc(block->size, GFP_KERNEL); > >> memcpy(data, (void *) block->data, block->size); > > > > Yuck, thanks. > > > > Julia, Dan, could cocci or smatch help find any other > > similar misuses here? > > In fact I have found this bug with a GCC plugin I have written after I > discovered an issue with a printf format string in brcmfmac driver > (https://lkml.org/lkml/2016/8/23/193 fixes this one). This GCC plugin > uses an approach which has many false positives but it helped me detect > real bugs such as the one you replied to, and > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3 > a few days ago. > > In case you are curious about what the plugin looks like (it is very > dirty but might be useful for future work I won't have time to do), I > published it on > https://gist.github.com/anonymous/36dd40dcbeeb83964e66b65be7a96136 . > This huge patch contains the plugin code in > scripts/gcc-plugins/deref_checker_plugin.c, many dirty work-arounds to > filter false positive matches, a really-dirty way of handling memcpy > optimisations done by gcc, and fixes to possible bugs (which can be > found by searching "/* BUG? */", I have not yet had time to find out > whether they are real bugs or false positives too). > > I hope this will help in the work of eliminating bugs in the kernel :) I tried the following semantic patch, that is quite general, and the fixed issue was the only report. @@ expression x,y,sz; identifier f,g; @@ * *x = f(sz,...); ... * g(x,y,sz); julia
Powered by blists - more mailing lists