27-Aug-2017: Finding bugs related to the memory errors in Linux kernel

Anton Vasilyev has finished the Google Summer of Code 2017 project "Finding bugs related to the memory errors in Linux kernel" for The Linux Foundation.
Memory errors in an operating system kernel are a class of bugs with grave consequences that are hard to detect. Debugging and disclosing kernel memory corruption often requires a specially compiled kernel with debugging instrumentation enabled.

The KLEVER static verification framework (a new version of LDV Tools) analyses Linux kernel modules and detects both incorrect use of the API between modules and the kernel core and memory errors: null pointer dereference, memory leak, double free, use after free, and buffer over-read or over-write.

As a result, KLEVER reports a number of warnings for each kernel module. Not every warning is a bug: the analysis of the module itself is imprecise, and so are the assumptions KLEVER makes about the module's environment (the kernel core and the callers of the module's callbacks). Anton's task was to analyse the warnings for the Linux kernel and report the confirmed bugs to kernel developers.

Anton ran the tool on all drivers from Linux kernel 4.11. It reported potential errors for about 640 kernel modules. During GSoC 2017 Anton analysed about 570 of them and found that many warnings are caused by inaccurate assumptions about the module environment, path conditions, and so on. He classified about 26 warnings as real memory issues, but not all of them were reported, because some were found in old, unsupported modules or had already been fixed.

The full list of reported bugs is presented below:

Reported cases (Linux Kernel Mailing List):

  1. 2017/8/1/615 ("Buffer overread in pv88090-regulator.ko")
  2. 2017/8/10/693 ("hwmon:(stts751) buffer overread on wrong chip")
  3. 2017/8/10/597 ("dmaengine: qcom_hidma: avoid freeing an uninitialized pointer")
  4. 2017/8/15/322 ("ASoC: samsung: i2s: Null pointer dereference on samsung_i2s_remove")
  5. 2017/8/10/535 ("i2c: use release_mem_region instead of release_resource")
  6. 2017/8/16/493 ("mtd: plat-ram: Replace manual resource management by devm")
  7. 2017/8/11/366 ("mISDN: Fix null pointer dereference at mISDN_FsmNew")
  8. 2017/8/10/522 ("parport: use release_mem_region instead of release_resource")
  9. 2017/8/11/368 ("video: fbdev: udlfb: Fix use after free on dlfb_usb_probe error path")
  10. 2017/8/10/550 ("dvb-usb: Add memory free on error path in dw2102_probe()")
  11. 2017/8/16/345 ("udc: Memory leak on error path and use after free")
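The following is an added example, not KLEVER output and not code from any of the patches listed above. It shows in plain userspace C the error-path shape behind several of the reports (items 10 and 11 in particular): a probe() that leaks earlier allocations when a later one fails, beside the fixed version that unwinds in reverse acquisition order through goto labels. model_alloc/model_free, probe_buggy, probe_fixed, remove_dev and the fault-injection counter fail_at are all constructed for this illustration; they stand in for kmalloc/kfree so that every failure point can be exercised, which is roughly what a static verifier does symbolically when it explores each path through a probe function.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model of a driver probe() error path (not kernel
 * code). model_alloc/model_free stand in for kmalloc/kfree and count live
 * allocations; fail_at makes the n-th allocation fail so every path runs. */

static int live_allocs;   /* allocations not yet freed */
static int alloc_seq;     /* allocations attempted so far */
static int fail_at;       /* 1-based allocation index to fail; 0 = never */

static void *model_alloc(size_t n)
{
    void *p = (++alloc_seq == fail_at) ? NULL : calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void model_free(void *p)
{
    if (!p)
        return;
    live_allocs--;
    free(p);
}

struct dev_priv { char *rx_buf; char *tx_buf; };

/* Buggy shape: each failure only cleans up part of what was acquired. */
static int probe_buggy(struct dev_priv **out)
{
    struct dev_priv *priv = model_alloc(sizeof(*priv));
    if (!priv)
        return -1;
    priv->rx_buf = model_alloc(256);
    if (!priv->rx_buf)
        return -1;            /* leaks priv */
    priv->tx_buf = model_alloc(256);
    if (!priv->tx_buf) {
        model_free(priv);     /* leaks rx_buf; touching priv now would be a UAF */
        return -1;
    }
    *out = priv;
    return 0;
}

/* Fixed shape: a single unwind ladder in reverse acquisition order, so
 * every failure point releases exactly what was acquired before it. */
static int probe_fixed(struct dev_priv **out)
{
    struct dev_priv *priv = model_alloc(sizeof(*priv));
    if (!priv)
        return -1;
    priv->rx_buf = model_alloc(256);
    if (!priv->rx_buf)
        goto err_free_priv;
    priv->tx_buf = model_alloc(256);
    if (!priv->tx_buf)
        goto err_free_rx;
    *out = priv;
    return 0;

err_free_rx:
    model_free(priv->rx_buf);
err_free_priv:
    model_free(priv);
    return -1;
}

/* remove() counterpart: releases in reverse order of probe(). */
static void remove_dev(struct dev_priv *priv)
{
    model_free(priv->tx_buf);
    model_free(priv->rx_buf);
    model_free(priv);
}

/* Run a probe with allocation number n forced to fail (0 = let it succeed,
 * then call remove) and return how many allocations are still live. */
static int leaked_after_failing(int (*probe)(struct dev_priv **), int n)
{
    struct dev_priv *priv = NULL;
    live_allocs = 0;
    alloc_seq = 0;
    fail_at = n;
    if (probe(&priv) == 0)
        remove_dev(priv);
    return live_allocs;
}

int main(void)
{
    for (int n = 0; n <= 3; n++)
        printf("fail alloc #%d: buggy leaks %d, fixed leaks %d\n", n,
               leaked_after_failing(probe_buggy, n),
               leaked_after_failing(probe_fixed, n));
    return 0;
}
```

Running it shows the buggy probe leaving one allocation live whenever the second or third allocation fails, while the fixed probe reports zero on every path. The same reverse-order ladder is what devm-managed resources (item 6 above) give a driver automatically, which is why converting manual resource management to devm removes whole classes of these error-path warnings.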