[PATCH] db: Avoid dereferencing null pointer — Semantic Matching Tool

If arg is null, we return immediately.

Signed-off-by: Silvan Jegen <s.jegen@xxxxxxxxx>
---
When running tip on the kernel on my machine I get a lot of SIGSEGVs
like the following.

Starting program: /home/silvan/build/smatch/bak.smatch -p=kernel
--file-output --call-tree --info --param-mapper --spammy
--data=../smatch/smatch_scripts/../smatch_data -D__linux__ -Dlinux
-D__STDC__ -Dunix -D__unix__ -Wbitwise -Wno-return-void -D__x86_64__ -m64
-nostdinc -isystem /usr/lib/gcc/x86_64-unknown-linux-gnu/4.9.2/include
-Wp,-MD,mm/.mm_init.o.d -nostdinc -isystem
/usr/lib/gcc/x86_64-unknown-linux-gnu/4.9.2/include -I./arch/x86/include
-Iarch/x86/include/generated/uapi -Iarch/x86/include/generated -Iinclude
-I./arch/x86/include/uapi -Iarch/x86/include/generated/uapi
-I./include/uapi -Iinclude/generated/uapi -include
./include/linux/kconfig.h -D__KERNEL__ -Wall -Wundef
-Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common
-Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -m64
-mno-80387 -mno-fp-ret-in-387 -mtune=generic -mno-red-zone -mcmodel=kernel
-funit-at-a-time -maccumulate-outgoing-args -DCONFIG_AS_CFI=1
-DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1
-DCONFIG_AS_FXSAVEQ=1 -DCONFIG_AS_SSSE3=1 -DCONFIG_AS_CRC32=1
-DCONFIG_AS_AVX=1 -DCONFIG_AS_AVX2=1 -pipe -Wno-sign-compare
-fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2
-mno-3dnow -mno-avx -fno-delete-null-pointer-checks -O2
--param=allow-store-data-races=0 -Wframe-larger-than=2048
-fstack-protector-strong -Wno-unused-but-set-variable
-fno-omit-frame-pointer -fno-optimize-sibling-calls
-fno-var-tracking-assignments -pg -mfentry -DCC_USING_FENTRY
-Wdeclaration-after-statement -Wno-pointer-sign
-fno-strict-overflow -fconserve-stack -Werror=implicit-int
-Werror=strict-prototypes -Werror=date-time -DCC_HAVE_ASM_GOTO
-D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(mm_init)"
-D"KBUILD_MODNAME=KBUILD_STR(mm_init)" mm/mm_init.c
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000433350 in get_variable_from_key (arg=0x0, key=0x71b548 "$->_zonerefs", sym=sym@entry=0x7fffffffcfe8) at smatch_db.c:1414
1414		if (arg->type == EXPR_PREOP && arg->op == '&') {
(gdb) bt
#0  0x0000000000433350 in get_variable_from_key (arg=0x0, key=0x71b548 "$->_zonerefs", sym=sym@entry=0x7fffffffcfe8) at smatch_db.c:1414
#1  0x0000000000443c5f in set_param_used (arg=<optimized out>, key=<optimized out>, unused=<optimized out>) at smatch_param_used.c:52
#2  0x000000000042eaf3 in call_implies_callbacks (unused=<optimized out>, argc=<optimized out>, argv=0x71c5f0, azColName=<optimized out>) at smatch_db.c:751
#3  0x00007ffff7884770 in sqlite3_exec () from /usr/lib/libsqlite3.so.0
#4  0x0000000000432754 in sql_exec (sql=<optimized out>, data=<optimized out>, callback=<optimized out>) at smatch_db.c:135
#5  sql_select_call_implies (cols=0x49b2f8 "function, type, parameter, key, value", call=<optimized out>, callback=0x42ea20 <call_implies_callbacks>) at smatch_db.c:345
#6  0x0000000000414026 in pass_sym_list_to_client (data=0x7ffff5c47c10, fn=<optimized out>) at smatch_hooks.c:211
#7  __pass_to_client (data=data@entry=0x7ffff5c47c10, type=type@entry=CALL_HOOK_AFTER_INLINE) at smatch_hooks.c:231
#8  0x0000000000404a40 in __split_expr (expr=0x7ffff5c47c10) at smatch_flow.c:379
#9  0x0000000000404b5e in __split_expr (expr=0x7ffff5c47b90) at smatch_flow.c:305
#10 0x0000000000403799 in __split_stmt (stmt=stmt@entry=0x7ffff5ca58a0) at smatch_flow.c:803
#11 0x0000000000403ed1 in split_compound (stmt=0x7ffff5ca5800) at smatch_flow.c:753
#12 __split_stmt (stmt=0x7ffff5ca5800) at smatch_flow.c:806
#13 0x0000000000405a11 in split_function (sym=0x7ffff5c2db20) at smatch_flow.c:1324
#14 0x0000000000407bec in process_inlines () at smatch_flow.c:1413
#15 split_functions (sym_list=0x7ffff6947810) at smatch_flow.c:1505
#16 smatch (argc=<optimized out>, argv=<optimized out>) at smatch_flow.c:1536
#17 0x0000000000402767 in main ()

Returning from the function when arg is null is an easy fix, but it could
very well be the wrong way to handle this case. Consider this to be a
bug report :)


Cheers,

Silvan

 smatch_db.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/smatch_db.c b/smatch_db.c
index b096728..2685bcd 100644
--- a/smatch_db.c
+++ b/smatch_db.c
@@ -1392,6 +1392,9 @@ char *get_variable_from_key(struct expression *arg, char *key, struct symbol **s
 	char buf[256];
 	char *tmp;
 
+	if (!arg)
+			return NULL;
+
 	arg = strip_expr(arg);
 
 	if (strcmp(key, "$") == 0)
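Review bot: the early `return NULL` stops the SIGSEGV at smatch_db.c:1414, but the backtrace shows arg is already NULL when set_param_used (smatch_param_used.c:52, reached through call_implies_callbacks and sql_select_call_implies) calls in, so the question the commit message itself raises is really about that caller: why does a call_implies row for key "$->_zonerefs" arrive with no argument expression, and should set_param_used skip such rows before calling get_variable_from_key? If the guard stays here, every caller of get_variable_from_key must also tolerate a NULL return, which this hunk does not let a reviewer confirm. Style point: `return NULL;` is indented one tab too deep; `if (!arg)` sits at one tab like `char buf[256];`, so its body belongs at two.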
-- 
2.3.4
