Message-ID: <202201150641.NvpCoUdU-lkp@intel.com>
Date: Tue, 18 Jan 2022 15:33:26 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: kbuild@...ts.01.org, Jiasheng Jiang <jiasheng@...as.ac.cn>,
keescook@...omium.org, arnd@...db.de, gregkh@...uxfoundation.org
Cc: lkp@...el.com, kbuild-all@...ts.01.org,
linux-kernel@...r.kernel.org, Jiasheng Jiang <jiasheng@...as.ac.cn>
Subject: Re: [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc

Hi Jiasheng,

url: https://github.com/0day-ci/linux/commits/Jiasheng-Jiang/lkdtm-bugs-Check-for-the-NULL-pointer-after-calling-kmalloc/20220114-162452
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git d47c7407b4c88cf66098eba8893bc38279f301fc
config: arm-randconfig-m031-20220113 (https://download.01.org/0day-ci/archive/20220115/202201150641.NvpCoUdU-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
New smatch warnings:
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'checked'
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'not_checked'
Old smatch warnings:
drivers/misc/lkdtm/bugs.c:346 lkdtm_ARRAY_BOUNDS() error: buffer overflow 'checked->data' 8 <= 8
vim +/checked +331 drivers/misc/lkdtm/bugs.c
ae2e1aad3e48e4 Kees Cook 2020-04-06 322 void lkdtm_ARRAY_BOUNDS(void)
ae2e1aad3e48e4 Kees Cook 2020-04-06 323 {
ae2e1aad3e48e4 Kees Cook 2020-04-06 324 struct array_bounds_flex_array *not_checked;
ae2e1aad3e48e4 Kees Cook 2020-04-06 325 struct array_bounds *checked;
ae2e1aad3e48e4 Kees Cook 2020-04-06 326 volatile int i;
ae2e1aad3e48e4 Kees Cook 2020-04-06 327
ae2e1aad3e48e4 Kees Cook 2020-04-06 328 not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
ae2e1aad3e48e4 Kees Cook 2020-04-06 329 checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 330 if (!not_checked || !checked)
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 @331 return;

We've just changed one static checker warning for another. Plus these
functions are *supposed* to be buggy.

ae2e1aad3e48e4 Kees Cook 2020-04-06 332
ae2e1aad3e48e4 Kees Cook 2020-04-06 333 pr_info("Array access within bounds ...\n");
ae2e1aad3e48e4 Kees Cook 2020-04-06 334 /* For both, touch all bytes in the actual member size. */
ae2e1aad3e48e4 Kees Cook 2020-04-06 335 for (i = 0; i < sizeof(checked->data); i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 336 checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook 2020-04-06 337 /*
ae2e1aad3e48e4 Kees Cook 2020-04-06 338 * For the uninstrumented flex array member, also touch 1 byte
ae2e1aad3e48e4 Kees Cook 2020-04-06 339 * beyond to verify it is correctly uninstrumented.
ae2e1aad3e48e4 Kees Cook 2020-04-06 340 */
ae2e1aad3e48e4 Kees Cook 2020-04-06 341 for (i = 0; i < sizeof(not_checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 342 not_checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook 2020-04-06 343
ae2e1aad3e48e4 Kees Cook 2020-04-06 344 pr_info("Array access beyond bounds ...\n");
ae2e1aad3e48e4 Kees Cook 2020-04-06 345 for (i = 0; i < sizeof(checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 346 checked->data[i] = 'B';
ae2e1aad3e48e4 Kees Cook 2020-04-06 347
ae2e1aad3e48e4 Kees Cook 2020-04-06 348 kfree(not_checked);
ae2e1aad3e48e4 Kees Cook 2020-04-06 349 kfree(checked);
464e86b4abadfc Kees Cook 2020-06-25 350 pr_err("FAIL: survived array bounds overflow!\n");
c75be56e35b2ee Kees Cook 2021-08-18 351 pr_expected_config(CONFIG_UBSAN_BOUNDS);
ae2e1aad3e48e4 Kees Cook 2020-04-06 352 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org