lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 28 Aug 2016 21:38:09 +0200 (CEST)
From:   Julia Lawall <julia.lawall@...6.fr>
To:     Nicolas Iooss <nicolas.iooss_linux@....org>
cc:     Joe Perches <joe@...ches.com>, alsa-devel@...a-project.org,
        Dan Capenter <error27@...il.com>,
        Liam Girdwood <lgirdwood@...il.com>,
        Mark Brown <broonie@...nel.org>, linux-kernel@...r.kernel.org
Subject: Re: Misuses of ** ? (was Re: [PATCH 1/1] ASoC: Intel: Atom: add a
 missing star in a memcpy call)



On Sun, 28 Aug 2016, Nicolas Iooss wrote:

> On 28/08/16 19:50, Joe Perches wrote:
> > On Sun, 2016-08-28 at 19:39 +0200, Nicolas Iooss wrote:
> >> In sst_prepare_and_post_msg(), when a response is received in "block",
> >> the following code gets executed:
> >>
> >>     *data = kzalloc(block->size, GFP_KERNEL);
> >>     memcpy(data, (void *) block->data, block->size);
> >
> > Yuck, thanks.
> >
> > Julia, Dan, could cocci or smatch help find any other
> > similar misuses here?
>
> In fact I have found this bug with a GCC plugin I have written after I
> discovered an issue with a printf format string in brcmfmac driver
> (https://lkml.org/lkml/2016/8/23/193 fixes this one). This GCC plugin
> uses an approach which has many false positives but it helped me detect
> real bugs such as the one you replied to, and
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3
> a few days ago.
>
> In case you are curious about what the plugin looks like (it is very
> dirty but might be useful for future work I won't have time to do), I
> published it on
> https://gist.github.com/anonymous/36dd40dcbeeb83964e66b65be7a96136 .
> This huge patch contains the plugin code in
> scripts/gcc-plugins/deref_checker_plugin.c, many dirty work-arounds to
> filter false positive matches, a really-dirty way of handling memcpy
> optimisations done by gcc, and fixes to possible bugs (which can be
> found by searching "/* BUG? */", I have not yet had time to find out
> whether they are real bugs or false positives too).
>
> I hope this will help in the work of eliminating bugs in the kernel :)

I tried the following semantic patch, that is quite general, and the fixed
issue was the only report.

@@
expression x,y,sz;
identifier f,g;
@@

* *x = f(sz,...);
  ...
* g(x,y,sz);

julia

Powered by blists - more mailing lists