Re: [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc

From: Dan Carpenter
Date: Tue Jan 18 2022 - 07:34:30 EST


Hi Jiasheng,

url: https://github.com/0day-ci/linux/commits/Jiasheng-Jiang/lkdtm-bugs-Check-for-the-NULL-pointer-after-calling-kmalloc/20220114-162452
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git d47c7407b4c88cf66098eba8893bc38279f301fc
config: arm-randconfig-m031-20220113 (https://download.01.org/0day-ci/archive/20220115/202201150641.NvpCoUdU-lkp@xxxxxxxxx/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

New smatch warnings:
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'checked'
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'not_checked'

Old smatch warnings:
drivers/misc/lkdtm/bugs.c:346 lkdtm_ARRAY_BOUNDS() error: buffer overflow 'checked->data' 8 <= 8

vim +/checked +331 drivers/misc/lkdtm/bugs.c

ae2e1aad3e48e4 Kees Cook 2020-04-06 322 void lkdtm_ARRAY_BOUNDS(void)
ae2e1aad3e48e4 Kees Cook 2020-04-06 323 {
ae2e1aad3e48e4 Kees Cook 2020-04-06 324 struct array_bounds_flex_array *not_checked;
ae2e1aad3e48e4 Kees Cook 2020-04-06 325 struct array_bounds *checked;
ae2e1aad3e48e4 Kees Cook 2020-04-06 326 volatile int i;
ae2e1aad3e48e4 Kees Cook 2020-04-06 327
ae2e1aad3e48e4 Kees Cook 2020-04-06 328 not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
ae2e1aad3e48e4 Kees Cook 2020-04-06 329 checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 330 if (!not_checked || !checked)
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 @331 return;

We've just changed one static checker warning for another. Plus these
functions are *supposed* to be buggy.

ae2e1aad3e48e4 Kees Cook 2020-04-06 332
ae2e1aad3e48e4 Kees Cook 2020-04-06 333 pr_info("Array access within bounds ...\n");
ae2e1aad3e48e4 Kees Cook 2020-04-06 334 /* For both, touch all bytes in the actual member size. */
ae2e1aad3e48e4 Kees Cook 2020-04-06 335 for (i = 0; i < sizeof(checked->data); i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 336 checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook 2020-04-06 337 /*
ae2e1aad3e48e4 Kees Cook 2020-04-06 338 * For the uninstrumented flex array member, also touch 1 byte
ae2e1aad3e48e4 Kees Cook 2020-04-06 339 * beyond to verify it is correctly uninstrumented.
ae2e1aad3e48e4 Kees Cook 2020-04-06 340 */
ae2e1aad3e48e4 Kees Cook 2020-04-06 341 for (i = 0; i < sizeof(not_checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 342 not_checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook 2020-04-06 343
ae2e1aad3e48e4 Kees Cook 2020-04-06 344 pr_info("Array access beyond bounds ...\n");
ae2e1aad3e48e4 Kees Cook 2020-04-06 345 for (i = 0; i < sizeof(checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 346 checked->data[i] = 'B';
ae2e1aad3e48e4 Kees Cook 2020-04-06 347
ae2e1aad3e48e4 Kees Cook 2020-04-06 348 kfree(not_checked);
ae2e1aad3e48e4 Kees Cook 2020-04-06 349 kfree(checked);
464e86b4abadfc Kees Cook 2020-06-25 350 pr_err("FAIL: survived array bounds overflow!\n");
c75be56e35b2ee Kees Cook 2021-08-18 351 pr_expected_config(CONFIG_UBSAN_BOUNDS);
ae2e1aad3e48e4 Kees Cook 2020-04-06 352 }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
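As an added example (not the kernel's code and not part of the report above), a user-space model of the error path smatch flags at bugs.c:331: a fault-injecting stand-in for kmalloc() (an assumption of the example) shows that the patch's early return leaks whichever of the two allocations succeeded, and the usual kernel cleanup idiom that would avoid the leak where such a check is actually wanted. Whether lkdtm's deliberately buggy test functions should carry the check at all is the separate point Dan raises.

```c
#include <stdlib.h>

static int live_allocs;    /* blocks currently outstanding (leak counter) */
static int call_count;     /* allocations requested so far */
static int fail_on_call;   /* 1-based call that returns NULL; 0 = never fail */

/* Stand-in for kmalloc() with fault injection so the error path is reachable. */
static void *fake_kmalloc(size_t n)
{
	if (++call_count == fail_on_call)
		return NULL;
	live_allocs++;
	return malloc(n);
}

/* Stand-in for kfree(): NULL is accepted and ignored, as in the kernel. */
static void fake_kfree(void *p) { if (!p) return; live_allocs--; free(p); }

static void reset(int f) { live_allocs = 0; call_count = 0; fail_on_call = f; }

/* Prologue of the patched lkdtm_ARRAY_BOUNDS(): both allocations are made
 * before either is checked. With free_on_error == 0 it bails out exactly as
 * the patch does; with 1 it releases the survivor first (the usual kernel
 * idiom; kfree(NULL) is a no-op, so no extra branch is needed).
 * Returns the blocks still outstanding at exit, i.e. the number leaked. */
static int prologue(int fail_call, int free_on_error)
{
	char *not_checked, *checked;

	reset(fail_call);
	not_checked = fake_kmalloc(16);
	checked = fake_kmalloc(16);
	if (!not_checked || !checked) {
		if (free_on_error) {
			fake_kfree(not_checked);
			fake_kfree(checked);
		}
		return live_allocs;   /* free_on_error == 0: the line-331 leak */
	}
	fake_kfree(not_checked);
	fake_kfree(checked);
	return live_allocs;
}
```

With fault injection on either call, `prologue(n, 0)` reports one outstanding block while `prologue(n, 1)` reports none, which is what the "possible memory leak" warnings describe.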