Defective error/pointer interactions in the Linux kernel

Linux run-time errors are represented by integer values referred to as error codes. These values propagate across long function-call chains before being handled. As these error codes propagate, they are often temporarily or permanently encoded into pointer values. Error-valued pointers are not valid memory addresses and therefore require special care from programmers. Misuse of pointer variables that store error codes can lead to serious problems such as system crashes, data corruption, and unexpected results. We use static program analysis to find three classes of bugs relating to error-valued pointers: bad dereferences, bad pointer arithmetic, and bad overwrites. Our tool finds 56 true bugs among 52 different Linux file system implementations, the virtual file system (VFS), the memory management module (mm), and 4 drivers.
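The following user-space C program is an added example, not the paper's analysis tool and not kernel source. It re-implements the kernel's ERR_PTR/IS_ERR/PTR_ERR convention from include/linux/err.h (errors live in the top MAX_ERRNO = 4095 addresses) and then shows, with a constructed lookup_inode() and inode table, what each of the three bug classes from the abstract looks like in code: a correct consumer that checks IS_ERR before dereferencing, an overwrite that silently discards the encoded error, and pointer arithmetic that moves an error value out of the reserved range so the check no longer recognises it.

```c
/*
 * User-space model of the Linux kernel's error-valued pointer convention
 * (the ERR_PTR / IS_ERR / PTR_ERR helpers from include/linux/err.h).
 * Added example: not the paper's tool and not kernel code; lookup_inode()
 * and the inode table below are constructed for illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The kernel reserves the top MAX_ERRNO addresses for encoded errors. */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error)
{
    return (void *)(uintptr_t)error;          /* -ENOENT becomes 0xffff...fffe */
}

static inline long PTR_ERR(const void *ptr)
{
    return (long)(uintptr_t)ptr;              /* recover the negative errno */
}

static inline bool IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct inode { unsigned long ino; const char *name; };

/* Constructed sample "file system" state. */
static struct inode inodes[] = { {1, "root"}, {2, "etc"} };

/* Hypothetical lookup: a valid pointer on success, an encoded error otherwise. */
static struct inode *lookup_inode(const char *name)
{
    for (size_t i = 0; i < sizeof inodes / sizeof inodes[0]; i++)
        if (strcmp(inodes[i].name, name) == 0)
            return &inodes[i];
    return ERR_PTR(-ENOENT);
}

/* Correct consumer: test with IS_ERR before touching the pointee and
 * propagate the decoded code to the caller. */
int open_by_name(const char *name, unsigned long *ino_out)
{
    struct inode *in = lookup_inode(name);
    if (IS_ERR(in))
        return (int)PTR_ERR(in);              /* e.g. -ENOENT */
    *ino_out = in->ino;                       /* safe: in is a real address */
    return 0;
}

/* Bad overwrite: the error held in `in` is discarded before it is handled,
 * so the caller sees success for a lookup that actually failed. */
int open_with_bad_overwrite(const char *name, unsigned long *ino_out)
{
    struct inode *in = lookup_inode(name);
    if (IS_ERR(in))
        in = &inodes[0];                      /* BUG: error silently replaced */
    *ino_out = in->ino;
    return 0;
}

/* Bad pointer arithmetic: adding an offset to an error-valued pointer wraps
 * it past zero, out of the reserved range, so IS_ERR no longer recognises
 * it. Returns the errno still recoverable afterwards, or 0 if it was lost. */
long error_after_offset(long error, unsigned long offset)
{
    uintptr_t raw = (uintptr_t)ERR_PTR(error) + offset;   /* integer math, no UB */
    void *p = (void *)raw;
    return IS_ERR(p) ? PTR_ERR(p) : 0;
}

/* Bad dereference guard: NULL and any value IS_ERR accepts are not
 * addressable, so a dereference would crash or read garbage. */
bool safe_to_dereference(const void *ptr)
{
    return ptr != NULL && !IS_ERR(ptr);
}

int main(void)
{
    unsigned long ino = 0;
    int rc = open_by_name("missing", &ino);
    printf("open_by_name(missing) -> %d (%s)\n", rc, strerror(-rc));
    rc = open_with_bad_overwrite("missing", &ino);
    printf("bad overwrite -> rc=%d ino=%lu (error lost)\n", rc, ino);
    printf("error after +8: %ld (0 means the code was lost)\n",
           error_after_offset(-ENOENT, 8));
    printf("safe_to_dereference(ERR_PTR(-EIO)) = %d\n",
           safe_to_dereference(ERR_PTR(-EIO)));
    return 0;
}
```

The arithmetic case is the subtle one: ERR_PTR(-ENOENT) plus a small positive offset wraps to a tiny address (6 on a 64-bit system), which passes IS_ERR, is non-NULL, and will only fail when dereferenced. This is why the paper tracks error-valued pointers through the whole call chain rather than checking at a single site.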
