Re: [PATCHv3] dvb: usb: fix use after free in dvb_usb_device_exit

kbuild test robot <lkp@xxxxxxxxx> · Fri, 3 May 2019 13:10:41 +0800

Hi Oliver,

I love your patch! Yet something to improve:

[auto build test ERROR on linuxtv-media/master]
[also build test ERROR on v5.1-rc7 next-20190502]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Oliver-Neukum/dvb-usb-fix-use-after-free-in-dvb_usb_device_exit/20190503-112248
base:   git://linuxtv.org/media_tree.git master
config: i386-randconfig-x003-201917 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@xxxxxxxxx>

All errors (new ones prefixed by >>):

   Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:fls
   Cyclomatic Complexity 1 include/linux/log2.h:__ilog2_u32
   Cyclomatic Complexity 4 include/linux/string.h:memcpy
   Cyclomatic Complexity 1 include/asm-generic/getorder.h:__get_order
   Cyclomatic Complexity 1 include/linux/device.h:dev_get_drvdata
   Cyclomatic Complexity 1 include/linux/device.h:dev_set_drvdata
   Cyclomatic Complexity 1 include/linux/usb.h:usb_get_intfdata
   Cyclomatic Complexity 1 include/linux/usb.h:usb_set_intfdata
   Cyclomatic Complexity 1 include/linux/usb.h:interface_to_usbdev
   Cyclomatic Complexity 1 include/linux/usb.h:__create_pipe
   Cyclomatic Complexity 3 include/linux/slab.h:kmalloc_type
   Cyclomatic Complexity 28 include/linux/slab.h:kmalloc_index
   Cyclomatic Complexity 67 include/linux/slab.h:kmalloc_large
   Cyclomatic Complexity 4 include/linux/slab.h:kmalloc
   Cyclomatic Complexity 1 include/linux/slab.h:kzalloc
   Cyclomatic Complexity 15 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_find_device
   Cyclomatic Complexity 20 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_adapter_init
   Cyclomatic Complexity 2 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_adapter_exit
   Cyclomatic Complexity 3 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_exit
   Cyclomatic Complexity 3 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_device_exit
   Cyclomatic Complexity 7 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_device_power_ctrl
   Cyclomatic Complexity 6 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_init
   Cyclomatic Complexity 10 drivers/media/usb/dvb-usb/dvb-usb-init.c:dvb_usb_device_init
   In file included from arch/x86/include/asm/page_32.h:35:0,
                    from arch/x86/include/asm/page.h:14,
                    from arch/x86/include/asm/thread_info.h:12,
                    from include/linux/thread_info.h:38,
                    from arch/x86/include/asm/preempt.h:7,
                    from include/linux/preempt.h:78,
                    from include/linux/spinlock.h:51,
                    from include/linux/seqlock.h:36,
                    from include/linux/time.h:6,
                    from include/linux/input.h:11,
                    from drivers/media/usb/dvb-usb/dvb-usb.h:14,
                    from drivers/media/usb/dvb-usb/dvb-usb-common.h:13,
                    from drivers/media/usb/dvb-usb/dvb-usb-init.c:14:
   In function 'memcpy',
       inlined from 'dvb_usb_device_exit' at drivers/media/usb/dvb-usb/dvb-usb-init.c:298:3:
>> include/linux/string.h:348:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
       __read_overflow2();
       ^~~~~~~~~~~~~~~~~~
--
   Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:fls
   Cyclomatic Complexity 1 include/linux/log2.h:__ilog2_u32
   Cyclomatic Complexity 4 include/linux/string.h:memcpy
   Cyclomatic Complexity 1 include/asm-generic/getorder.h:__get_order
   Cyclomatic Complexity 1 include/linux/device.h:dev_get_drvdata
   Cyclomatic Complexity 1 include/linux/device.h:dev_set_drvdata
   Cyclomatic Complexity 1 include/linux/usb.h:usb_get_intfdata
   Cyclomatic Complexity 1 include/linux/usb.h:usb_set_intfdata
   Cyclomatic Complexity 1 include/linux/usb.h:interface_to_usbdev
   Cyclomatic Complexity 1 include/linux/usb.h:__create_pipe
   Cyclomatic Complexity 3 include/linux/slab.h:kmalloc_type
   Cyclomatic Complexity 28 include/linux/slab.h:kmalloc_index
   Cyclomatic Complexity 67 include/linux/slab.h:kmalloc_large
   Cyclomatic Complexity 4 include/linux/slab.h:kmalloc
   Cyclomatic Complexity 1 include/linux/slab.h:kzalloc
   Cyclomatic Complexity 15 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_find_device
   Cyclomatic Complexity 20 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_adapter_init
   Cyclomatic Complexity 2 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_adapter_exit
   Cyclomatic Complexity 3 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_exit
   Cyclomatic Complexity 3 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_device_exit
   Cyclomatic Complexity 7 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_device_power_ctrl
   Cyclomatic Complexity 6 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_init
   Cyclomatic Complexity 10 drivers/media//usb/dvb-usb/dvb-usb-init.c:dvb_usb_device_init
   In file included from arch/x86/include/asm/page_32.h:35:0,
                    from arch/x86/include/asm/page.h:14,
                    from arch/x86/include/asm/thread_info.h:12,
                    from include/linux/thread_info.h:38,
                    from arch/x86/include/asm/preempt.h:7,
                    from include/linux/preempt.h:78,
                    from include/linux/spinlock.h:51,
                    from include/linux/seqlock.h:36,
                    from include/linux/time.h:6,
                    from include/linux/input.h:11,
                    from drivers/media//usb/dvb-usb/dvb-usb.h:14,
                    from drivers/media//usb/dvb-usb/dvb-usb-common.h:13,
                    from drivers/media//usb/dvb-usb/dvb-usb-init.c:14:
   In function 'memcpy',
       inlined from 'dvb_usb_device_exit' at drivers/media//usb/dvb-usb/dvb-usb-init.c:298:3:
>> include/linux/string.h:348:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
       __read_overflow2();
       ^~~~~~~~~~~~~~~~~~

vim +/__read_overflow2 +348 include/linux/string.h

6974f0c4 Daniel Micay 2017-07-12  339  
6974f0c4 Daniel Micay 2017-07-12  340  __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size)
6974f0c4 Daniel Micay 2017-07-12  341  {
6974f0c4 Daniel Micay 2017-07-12  342  	size_t p_size = __builtin_object_size(p, 0);
6974f0c4 Daniel Micay 2017-07-12  343  	size_t q_size = __builtin_object_size(q, 0);
6974f0c4 Daniel Micay 2017-07-12  344  	if (__builtin_constant_p(size)) {
6974f0c4 Daniel Micay 2017-07-12  345  		if (p_size < size)
6974f0c4 Daniel Micay 2017-07-12  346  			__write_overflow();
6974f0c4 Daniel Micay 2017-07-12  347  		if (q_size < size)
6974f0c4 Daniel Micay 2017-07-12 @348  			__read_overflow2();
6974f0c4 Daniel Micay 2017-07-12  349  	}
6974f0c4 Daniel Micay 2017-07-12  350  	if (p_size < size || q_size < size)
6974f0c4 Daniel Micay 2017-07-12  351  		fortify_panic(__func__);
6974f0c4 Daniel Micay 2017-07-12  352  	return __builtin_memcpy(p, q, size);
6974f0c4 Daniel Micay 2017-07-12  353  }
6974f0c4 Daniel Micay 2017-07-12  354  

:::::: The code at line 348 was first introduced by commit
:::::: 6974f0c4555e285ab217cee58b6e874f776ff409 include/linux/string.h: add the option of fortified string.h functions

:::::: TO: Daniel Micay <danielmicay@xxxxxxxxx>
:::::: CC: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Attachment:
.config.gz

Description: application/gzip