13-Aug-2018: Improve environment model for memory safety verification of the Linux kernel and find bugs related to the memory errors in Linux kernel

Anton Vasilyev has finished Google Summer of Code 2018 project "Improve environment model for memory safety verification of the Linux kernel and find bugs related to the memory errors in Linux kernel" for The Linux Foundation.

Programs written in C are prone to memory errors such as NULL pointer dereference, memory leak, double free, use after free, and buffer overflow/underflow on read or write. In an operating system kernel these classes of errors can become vulnerabilities that lead to denial of service or to unauthorized reading or modification of information.

The KLEVER static verification framework was created to analyze Linux kernel modules. It verifies the correctness of the source code with respect to a given class of errors and either proves the absence of such errors or issues a warning about the potential reachability of an error. Not all warnings are true errors, because of inaccuracies in the analysis and in the assumptions made about the module environment.

Anton was faced with the following tasks:

  • correct the inaccuracies of the environment model of the KLEVER framework;
  • run a static analysis of the modules of one of the latest Linux kernel versions;
  • analyze the warnings for the Linux kernel and report the errors to the kernel developers.

During the GSOC 2018, Anton did the following:

  • fixed memory allocation function specifications in the environment model of the KLEVER framework;
  • added environment specifications for the SCSI and Timer subsystems that correspond to changes in the interface of Linux kernel versions 4.16.10 and 4.18-rc3;
  • ran the KLEVER static verification on all modules of Linux kernel 4.16.10;
  • analyzed all 292 issued warnings for 3733 kernel modules;
  • detected about 30 real memory usage errors;
  • prepared patches for the errors and checked them with KLEVER static verification on Linux kernel version 4.18-rc3.

The full list of reported bugs is given below (references are to the Linux Kernel Mailing List archive):

  1. 2018/7/6/412 ("uwb: hwa-rc: fix memory leak at probe")
  2. 2018/7/18/551 ("media: dm1105: Limit number of cards to avoid buffer over read")
  3. 2018/7/23/964 ("media: dw2102: Fix memleak on sequence of probes")
  4. 2018/7/6/389 ("video: goldfishfb: fix memory leak on driver remove")
  5. 2018/7/23/944 ("firmware: vpd: Fix section enabled flag on vpd_section_destroy")
  6. 2018/7/27/764 ("misc: ti-st: Fix memory leak in the error path of probe()")
  7. 2018/7/27/503 ("media: vimc: Remove redundant free")
  8. 2018/7/23/949 ("gpio: ml-ioh: Fix buffer underwrite on probe error path")
  9. 2018/7/27/769 ("can: ems_usb: Fix memory leak on ems_usb_disconnect")
  10. 2018/7/27/661 ("regulator: tps65217: Fix NULL pointer dereference on probe")
  11. 2018/7/27/655 ("scsi: 3ware: fix return 0 on the error path of probe")
  12. 2018/7/27/772 ("net: mdio-mux: bcm-iproc: fix wrong getter and setter pair")
  13. 2018/7/23/1020 ("HID: intel_ish-hid: tx_buf memory leak on probe/remove")
  14. 2018/8/6/572 ("pinctrl: axp209: Fix NULL pointer dereference after allocation")
  15. 2018/7/27/508 ("media: davinci: vpif_display: Mix memory leak on probe error path")
  16. 2018/7/27/512 ("drm: qxl: Fix error handling at qxl_device_init")
  17. 2018/7/27/727 ("fmc: Fix memory leak and NULL pointer dereference")
  18. 2018/7/27/755 ("drm: qxl: Fix NULL pointer dereference at qxl_alloc_client_monitors_config")
  19. 2018/6/9/253 ("staging: rts5208: add error handling into rtsx_probe")
  20. 2018/7/27/644 ("tty: rocket: Fix possible buffer overwrite on register_PCI")
  21. 2018/8/6/615 ("serial: mxs-auart: Fix potential infinite loop")
  22. 2018/8/7/292 ("usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]")
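Several of the patches above (nos. 1, 4, 6, 9, 13, 15, 22) fix the same pattern: a driver's probe() allocates several resources, and an error on a later allocation returns without releasing the earlier ones. The following is an added illustration, not code from the kernel or from these patches: a user-space model of a probe() with the leak beside the kernel-style goto-unwind fix, with `kmalloc`/`kfree` as stand-ins for the kernel allocators and `live_allocs` counting outstanding blocks so the leak can be observed.

```c
#include <errno.h>
#include <stdlib.h>

/* Outstanding allocations; stand-in allocators for the kernel's kmalloc/kfree. */
static int live_allocs;
static void *kmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void kfree(void *p) { if (p) { live_allocs--; free(p); } }

struct dev_priv { char *rx_buf; char *tx_buf; };

/* Buggy form: when the tx_buf allocation fails, rx_buf is never freed. */
int probe_leaky(int fail_tx)
{
    struct dev_priv *priv = kmalloc(sizeof(*priv));
    if (!priv)
        return -ENOMEM;
    priv->rx_buf = kmalloc(64);
    if (!priv->rx_buf) { kfree(priv); return -ENOMEM; }
    priv->tx_buf = fail_tx ? NULL : kmalloc(64);   /* fail_tx simulates ENOMEM */
    if (!priv->tx_buf) {
        kfree(priv);                                /* rx_buf leaks here */
        return -ENOMEM;
    }
    kfree(priv->tx_buf); kfree(priv->rx_buf); kfree(priv); /* simulated remove() */
    return 0;
}

/* Fixed form: every error path unwinds earlier allocations in reverse order. */
int probe_fixed(int fail_tx)
{
    struct dev_priv *priv = kmalloc(sizeof(*priv));
    if (!priv)
        return -ENOMEM;
    priv->rx_buf = kmalloc(64);
    if (!priv->rx_buf)
        goto err_priv;
    priv->tx_buf = fail_tx ? NULL : kmalloc(64);
    if (!priv->tx_buf)
        goto err_rx;
    kfree(priv->tx_buf); kfree(priv->rx_buf); kfree(priv); /* simulated remove() */
    return 0;
err_rx:
    kfree(priv->rx_buf);
err_priv:
    kfree(priv);
    return -ENOMEM;
}

/* Number of blocks still allocated after one probe attempt (0 means no leak). */
int leaked_after(int (*probe)(int), int fail_tx)
{
    live_allocs = 0;
    probe(fail_tx);
    return live_allocs;
}
```

Running the leaky probe with a failing tx_buf allocation leaves one block outstanding, while the fixed probe leaves none on both the success and the failure path.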