Re: Finding user/kernel pointer bugs

From: Robert T. Johnson
Date: Mon Jun 07 2004 - 20:04:40 EST


On Mon, 2004-06-07 at 17:03, viro@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> On Mon, Jun 07, 2004 at 04:48:44PM -0700, Robert T. Johnson wrote:
> > - cqual requires _zero_ annotations in device drivers.
> >
> > Once the generic driver interfaces have been annotated, all device
> > drivers can be checked against these annotations without any further
> > effort. This is critical, since annotating the thousands of device
> > drivers in linux will be extremely difficult and take months.
>
> Aha, so you have never actually bothered to read the damn things. Two words:
> ioctl code.

CQual has already found numerous bugs in driver ioctl code, all without
any explicit annotations in that code. This is possible because cqual
infers the required annotations from a few annotations I gave it.

While examining these bugs, I had to read _a lot_ of driver code, and I
agree that some of it is very colorful.

> And one more: counting drivers that do not have a single __user in them
> is meaningless for so many reasons it's not even funny.

Maybe sparse has features that I don't know about, but since lots of
device drivers have ioctl functions, doesn't that mean that lots of
device drivers need at least one __user annotation (on the ioctl "arg"
argument)? If that annotation is missing and the device driver
dereferences arg (after casting it to a pointer), won't this result in a
false negative? I agree that it's not a perfect metric, but it's a
start.

Best,
Rob
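As an added illustration of the ioctl "arg" pattern the thread is arguing about (example code written for this page, not from the thread or from any kernel driver): a userspace model in which `__user` is a no-op macro (under sparse it expands to an `address_space` attribute), and `copy_from_user_model()` and `access_ok_model()` are constructed stand-ins for the kernel's range-checked copy. It shows the cast that hides a user pointer from a checker next to the annotated form that routes the data through a checked copy.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* no-op here; sparse defines __user as an address_space attribute so that a
 * direct dereference of a __user pointer is reported */
#define __user

struct rate_req { uint32_t rate; uint32_t flags; };

/* constructed model of a user-space page that a driver may read from */
static unsigned char user_mem[4096];

/* stand-in for access_ok(): the whole [addr, addr+n) range must lie in user_mem */
static int access_ok_model(unsigned long addr, size_t n) {
    unsigned long base = (unsigned long)user_mem;
    return addr >= base && n <= sizeof(user_mem) &&
           addr - base <= sizeof(user_mem) - n;
}

/* stand-in for copy_from_user(): returns the number of bytes NOT copied */
static unsigned long copy_from_user_model(void *to, const void __user *from,
                                          unsigned long n) {
    if (!access_ok_model((unsigned long)from, n))
        return n;
    memcpy(to, from, n);
    return 0;
}

/* The pattern under discussion: arg is cast to a plain pointer and dereferenced.
 * Without __user on the cast, a checker has nothing to flag (a false negative),
 * and an arbitrary user-supplied address is read inside the "kernel". */
static int ioctl_deref_bug(unsigned long arg) {
    struct rate_req *req = (struct rate_req *)arg;
    return (int)req->rate;
}

/* Annotated form: the cast carries __user and the data is fetched through a
 * range-checked copy, so a bad address yields -EFAULT instead of a fault. */
static int ioctl_copy_ok(unsigned long arg) {
    struct rate_req __user *uptr = (struct rate_req __user *)arg;
    struct rate_req req;
    if (copy_from_user_model(&req, uptr, sizeof(req)))
        return -EFAULT;
    return (int)req.rate;
}

/* helper: place a request in the constructed user page, return its address */
static unsigned long put_user_req(uint32_t rate) {
    struct rate_req r = { rate, 0 };
    memcpy(user_mem, &r, sizeof(r));
    return (unsigned long)user_mem;
}
```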


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/