2022-01-14 08:23:18

by Jiasheng Jiang

Subject: [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc

Because kmalloc() may fail, not_checked and checked could be NULL
pointers.
Therefore, it would be better to check them in order to avoid
dereferencing a NULL pointer.
And since this is just a test, it may directly return without an error
number.

Fixes: ae2e1aad3e48 ("drivers/misc/lkdtm/bugs.c: add arithmetic overflow and array bounds checks")
Signed-off-by: Jiasheng Jiang <[email protected]>
---
drivers/misc/lkdtm/bugs.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index f4cb94a9aa9c..12c474a38494 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -325,6 +325,8 @@ void lkdtm_ARRAY_BOUNDS(void)

not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
+ if (!not_checked || !checked)
+ return;

pr_info("Array access within bounds ...\n");
/* For both, touch all bytes in the actual member size. */
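Review bot: The early return after `if (!not_checked || !checked)` leaks whichever of the two kmalloc() allocations succeeded when only the other one fails; the existing kfree(not_checked)/kfree(checked) at the end of the function are skipped on that path. If the check stays, free both before returning (kfree() accepts NULL), e.g. `kfree(not_checked); kfree(checked); return;`. Also worth stating in the changelog why a NULL check belongs in lkdtm at all, since this function exists to trigger a deliberate array-bounds bug and a NULL pointer dereference here would itself be reported by the test framework.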
--
2.25.1



2022-01-20 09:10:23

by Dan Carpenter

Subject: Re: [PATCH] lkdtm/bugs: Check for the NULL pointer after calling kmalloc

Hi Jiasheng,

url: https://github.com/0day-ci/linux/commits/Jiasheng-Jiang/lkdtm-bugs-Check-for-the-NULL-pointer-after-calling-kmalloc/20220114-162452
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git d47c7407b4c88cf66098eba8893bc38279f301fc
config: arm-randconfig-m031-20220113 (https://download.01.org/0day-ci/archive/20220115/[email protected]/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

New smatch warnings:
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'checked'
drivers/misc/lkdtm/bugs.c:331 lkdtm_ARRAY_BOUNDS() warn: possible memory leak of 'not_checked'

Old smatch warnings:
drivers/misc/lkdtm/bugs.c:346 lkdtm_ARRAY_BOUNDS() error: buffer overflow 'checked->data' 8 <= 8

vim +/checked +331 drivers/misc/lkdtm/bugs.c

ae2e1aad3e48e4 Kees Cook 2020-04-06 322 void lkdtm_ARRAY_BOUNDS(void)
ae2e1aad3e48e4 Kees Cook 2020-04-06 323 {
ae2e1aad3e48e4 Kees Cook 2020-04-06 324 struct array_bounds_flex_array *not_checked;
ae2e1aad3e48e4 Kees Cook 2020-04-06 325 struct array_bounds *checked;
ae2e1aad3e48e4 Kees Cook 2020-04-06 326 volatile int i;
ae2e1aad3e48e4 Kees Cook 2020-04-06 327
ae2e1aad3e48e4 Kees Cook 2020-04-06 328 not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
ae2e1aad3e48e4 Kees Cook 2020-04-06 329 checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 330 if (!not_checked || !checked)
6ac33daa73b3fe Jiasheng Jiang 2022-01-14 @331 return;

We've just changed one static checker warning for another. Plus these
functions are *supposed* to be buggy.

ae2e1aad3e48e4 Kees Cook 2020-04-06 332
ae2e1aad3e48e4 Kees Cook 2020-04-06 333 pr_info("Array access within bounds ...\n");
ae2e1aad3e48e4 Kees Cook 2020-04-06 334 /* For both, touch all bytes in the actual member size. */
ae2e1aad3e48e4 Kees Cook 2020-04-06 335 for (i = 0; i < sizeof(checked->data); i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 336 checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook 2020-04-06 337 /*
ae2e1aad3e48e4 Kees Cook 2020-04-06 338 * For the uninstrumented flex array member, also touch 1 byte
ae2e1aad3e48e4 Kees Cook 2020-04-06 339 * beyond to verify it is correctly uninstrumented.
ae2e1aad3e48e4 Kees Cook 2020-04-06 340 */
ae2e1aad3e48e4 Kees Cook 2020-04-06 341 for (i = 0; i < sizeof(not_checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 342 not_checked->data[i] = 'A';
ae2e1aad3e48e4 Kees Cook 2020-04-06 343
ae2e1aad3e48e4 Kees Cook 2020-04-06 344 pr_info("Array access beyond bounds ...\n");
ae2e1aad3e48e4 Kees Cook 2020-04-06 345 for (i = 0; i < sizeof(checked->data) + 1; i++)
ae2e1aad3e48e4 Kees Cook 2020-04-06 346 checked->data[i] = 'B';
ae2e1aad3e48e4 Kees Cook 2020-04-06 347
ae2e1aad3e48e4 Kees Cook 2020-04-06 348 kfree(not_checked);
ae2e1aad3e48e4 Kees Cook 2020-04-06 349 kfree(checked);
464e86b4abadfc Kees Cook 2020-06-25 350 pr_err("FAIL: survived array bounds overflow!\n");
c75be56e35b2ee Kees Cook 2021-08-18 351 pr_expected_config(CONFIG_UBSAN_BOUNDS);
ae2e1aad3e48e4 Kees Cook 2020-04-06 352 }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]