linux-kernel.vger.kernel.org archive mirror
* [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc
@ 2022-01-14  8:21 Jiasheng Jiang
  2022-01-18 12:33 ` Dan Carpenter
  0 siblings, 1 reply; 2+ messages in thread
From: Jiasheng Jiang @ 2022-01-14  8:21 UTC (permalink / raw)
  To: keescook, arnd, gregkh; +Cc: linux-kernel, Jiasheng Jiang

Because kmalloc() can fail, not_checked and checked could be NULL
pointers.
Therefore, it would be better to check them in order to avoid
dereferencing a NULL pointer.
And since it is just a test, it may return directly without an error
number.

Fixes: ae2e1aad3e48 ("drivers/misc/lkdtm/bugs.c: add arithmetic overflow and array bounds checks")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
---
 drivers/misc/lkdtm/bugs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index f4cb94a9aa9c..12c474a38494 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -325,6 +325,8 @@ void lkdtm_ARRAY_BOUNDS(void)
 
 	not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
 	checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
+	if (!not_checked || !checked)
+		return;
 
 	pr_info("Array access within bounds ...\n");
 	/* For both, touch all bytes in the actual member size. */
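
Review bot: the early return under `if (!not_checked || !checked)` leaks whichever of the two kmalloc() allocations succeeded when only the other one failed, because both calls are made before either result is checked. Free both before returning (kfree() accepts NULL), for example `kfree(not_checked); kfree(checked); return;`. The return is also silent: nothing is logged before it, so a run that bailed out on allocation failure cannot be told apart in the log from one that never started. A pr_err() before the return would make the skipped test visible.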
-- 
2.25.1



* Re: [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc
  2022-01-14  8:21 [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc Jiasheng Jiang
@ 2022-01-18 12:33 ` Dan Carpenter
  0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2022-01-18 12:33 UTC (permalink / raw)
  To: kbuild, Jiasheng Jiang, keescook, arnd, gregkh
  Cc: lkp, kbuild-all, linux-kernel, Jiasheng Jiang

Hi Jiasheng,

url:    https://github.com/0day-ci/linux/commits/Jiasheng-Jiang/lkdtm-bugs-Check-for-the-NULL-pointer-after-calling-kmalloc/20220114-162452
base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git d47c7407b4c88cf66098eba8893bc38279f301fc
config: arm-randconfig-m031-20220113 (https://download.01.org/0day-ci/archive/20220115/202201150641.NvpCoUdU-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'checked'
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'not_checked'

Old smatch warnings:
drivers/misc/lkdtm/bugs.c:346 lkdtm_ARRAY_BOUNDS() error: buffer overflow 'checked->data' 8 <= 8

vim +/checked +331 drivers/misc/lkdtm/bugs.c

ae2e1aad3e48e4 Kees Cook      2020-04-06  322  void lkdtm_ARRAY_BOUNDS(void)
ae2e1aad3e48e4 Kees Cook      2020-04-06  323  {
ae2e1aad3e48e4 Kees Cook      2020-04-06  324  	struct array_bounds_flex_array *not_checked;
ae2e1aad3e48e4 Kees Cook      2020-04-06  325  	struct array_bounds *checked;
ae2e1aad3e48e4 Kees Cook      2020-04-06  326  	volatile int i;
ae2e1aad3e48e4 Kees Cook      2020-04-06  327  
ae2e1aad3e48e4 Kees Cook      2020-04-06  328  	not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
ae2e1aad3e48e4 Kees Cook      2020-04-06  329  	checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
6ac33daa73b3fe Jiasheng Jiang 2022-01-14  330  	if (!not_checked || !checked)
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 @331  		return;

We've just changed one static checker warning for another.  Plus these
functions are *supposed* to be buggy.

ae2e1aad3e48e4 Kees Cook      2020-04-06  332  
ae2e1aad3e48e4 Kees Cook      2020-04-06  333  	pr_info("Array access within bounds ...\n");
ae2e1aad3e48e4 Kees Cook      2020-04-06  334  	/* For both, touch all bytes in the actual member size. */
ae2e1aad3e48e4 Kees Cook      2020-04-06  335  	for (i = 0; i < sizeof(checked->data); i++)
ae2e1aad3e48e4 Kees Cook      2020-04-06  336  		checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook      2020-04-06  337  	/*
ae2e1aad3e48e4 Kees Cook      2020-04-06  338  	 * For the uninstrumented flex array member, also touch 1 byte
ae2e1aad3e48e4 Kees Cook      2020-04-06  339  	 * beyond to verify it is correctly uninstrumented.
ae2e1aad3e48e4 Kees Cook      2020-04-06  340  	 */
ae2e1aad3e48e4 Kees Cook      2020-04-06  341  	for (i = 0; i < sizeof(not_checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook      2020-04-06  342  		not_checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook      2020-04-06  343  
ae2e1aad3e48e4 Kees Cook      2020-04-06  344  	pr_info("Array access beyond bounds ...\n");
ae2e1aad3e48e4 Kees Cook      2020-04-06  345  	for (i = 0; i < sizeof(checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook      2020-04-06  346  		checked->data[i] = 'B';
ae2e1aad3e48e4 Kees Cook      2020-04-06  347  
ae2e1aad3e48e4 Kees Cook      2020-04-06  348  	kfree(not_checked);
ae2e1aad3e48e4 Kees Cook      2020-04-06  349  	kfree(checked);
464e86b4abadfc Kees Cook      2020-06-25  350  	pr_err("FAIL: survived array bounds overflow!\n");
c75be56e35b2ee Kees Cook      2021-08-18  351  	pr_expected_config(CONFIG_UBSAN_BOUNDS);
ae2e1aad3e48e4 Kees Cook      2020-04-06  352  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

