
Finding buffer overflows with Parfait

By Jake Edge
July 29, 2009

Recently, Roel Kluin has been proposing patches to fix a number of buffer overflows in the kernel, some of which he credited to "Parfait". It turns out that Parfait is a static source code checking tool that comes out of Sun Labs in Australia. The project reported 54 buffer overflows to the linux-security mailing list in early July, and Kluin has been going through them to get them fixed.

It is best to treat buffer overflows as potential security vulnerabilities, even though they may be hard—or impossible—to exploit. Various types of these bugs have been thought to be unexploitable along the way, but then were found to be exploitable, so caution is clearly indicated. The full list was sent to the private kernel security alias, and then passed along to Kluin by Andrew Morton. Kluin has then been posting patches to linux-kernel, as well as the netdev mailing list, to fix them. A number of the fixes have already been picked up by subsystem maintainers, and some have made their way into the mainline.

The tool itself is relatively new, first demonstrated as an alpha last October, and takes a multi-layered approach using an "ensemble" of static analysis techniques. Thus the name. One of the goals, from the outset, was to produce something that could analyze a huge codebase—the OpenSolaris or Linux kernel for example—in a matter of minutes rather than the days or weeks that other tools require.

As part of a paper [PDF] presented at the Kernel Conference Australia in mid-July, the Parfait developers reported checking 5.7 million lines of code in the 2.6.29 kernel for buffer overflows in 13 minutes. The times for OpenSolaris and OpenBSD were similar when scaled for the number of lines of code checked.

Unsurprisingly, for all three kernels, the majority of buffer overflows were found in the driver code. For 2.6.29, Parfait found 12 buffer overflows in the Linux core, and 85 in the drivers (which make up 71% of the codebase). Some of those were false positives, but the paper does not make it clear just how many. Given that 54 were reported to linux-security, though, it would seem that something approaching half were false positives.

Kluin provided an example of the Parfait output:

    Bug type: Buffer overflow
    File: /usr/src/linux-2.6.29/security/smack/smackfs.c
    Line: 777
    Function: smk_write_netlbladdr
    Code snippet:

    0772:   if (count < SMK_NETLBLADDRMIN || count > SMK_NETLBLADDRMAX)
    0773:           return -EINVAL;
    0774:   if (copy_from_user(data, buf, count) != 0)
    0775:           return -EFAULT;
    0776:
    0777:   data[count] = '\0';
    0778:
    0779:   rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
    0780:           &host[0], &host[1], &host[2], &host[3], &m, smack);
    0781:   if (rc != 6) {
    0782:           rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",

    Parfait report:
    Error: Buffer overflow at
    /usr/src/linux-2.6.29/security/smack/smackfs.c:777 in function
    'smk_write_netlbladdr' [Symbolic analysis]
      In array dereference of data[count] with index 'count'
      Array size is 42 bytes, count >= 9 and count <= 42

    Comments:
    Off-by-one when adding the trailing null on line 777 - data is
    declared with size SMK_NETLBLADDRMAX, and count is allowed to equal
    SMK_NETLBLADDRMAX

This shows a buffer overflow that he had already fixed in the kernel prior to the Parfait report. The paper also describes a GUI tool that collects the code and declarations that make Parfait believe there is a problem, which can help developers determine whether there truly is a problem or not.
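The off-by-one in the report above, rebuilt as an added userspace example that is not from the article, the kernel, or the Parfait project. It models the length check as written, the interval a symbolic analyser derives for `count` after that check, and the comparison of that interval against the array size that produces the "Buffer overflow" finding. The values of `SMK_NETLBLADDRMIN` and `SMK_NETLBLADDRMAX` (9 and 42) are assumptions chosen to match the range Parfait printed; the two hardened variants (rejecting `count == SMK_NETLBLADDRMAX`, or sizing the buffer for the terminator) are illustrative and not a claim about which fix was merged.

```c
/*
 * Added example (not from the article or the kernel): the off-by-one pattern
 * Parfait reported in smk_write_netlbladdr, modelled in userspace, plus the
 * interval check a symbolic analyser performs on the index expression.
 * The two constants are assumed values chosen to match the range in the
 * report (count >= 9 and count <= 42, array size 42).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMK_NETLBLADDRMIN 9
#define SMK_NETLBLADDRMAX 42

/* Closed interval a checker derives for an index variable at a program point. */
struct range { long lo, hi; };

/* data[idx] with idx in [lo, hi] overflows if any value leaves [0, size - 1]. */
bool index_may_overflow(struct range idx, size_t size)
{
    return idx.lo < 0 || idx.hi >= (long)size;
}

/* Length check as in the original code: count == SMK_NETLBLADDRMAX is accepted. */
bool count_accepted_original(size_t count)
{
    return !(count < SMK_NETLBLADDRMIN || count > SMK_NETLBLADDRMAX);
}

/* Hardened check: reject count == SMK_NETLBLADDRMAX so data[count] stays in bounds. */
bool count_accepted_fixed(size_t count)
{
    return !(count < SMK_NETLBLADDRMIN || count >= SMK_NETLBLADDRMAX);
}

/* Derive the interval of count that survives a check by enumerating its domain
 * (a real analyser reasons about the comparisons symbolically instead). */
struct range accepted_range(bool (*accept)(size_t))
{
    struct range r = { -1, -1 };
    for (size_t c = 0; c <= SMK_NETLBLADDRMAX + 1; c++) {
        if (!accept(c))
            continue;
        if (r.lo < 0)
            r.lo = (long)c;
        r.hi = (long)c;
    }
    return r;
}

/* Userspace stand-in for the write handler using the other fix: keep the
 * original check but size the buffer for the terminator. Returns the number of
 * bytes stored (terminator excluded), or -1 if the length is rejected or the
 * caller's output buffer is too small. */
long copy_and_terminate(const char *buf, size_t count, char *out, size_t outsize)
{
    char data[SMK_NETLBLADDRMAX + 1];   /* room for count bytes plus '\0' */
    if (!count_accepted_original(count))
        return -1;
    memcpy(data, buf, count);           /* stands in for copy_from_user() */
    data[count] = '\0';                 /* in bounds for every accepted count */
    if (outsize < count + 1)
        return -1;
    memcpy(out, data, count + 1);
    return (long)count;
}

/* Self-check on a constructed 42-byte input, the longest accepted length. */
long demo_longest_accepted(void)
{
    char in[SMK_NETLBLADDRMAX];
    char out[SMK_NETLBLADDRMAX + 1];
    memset(in, 'a', sizeof in);
    long n = copy_and_terminate(in, sizeof in, out, sizeof out);
    return (n == SMK_NETLBLADDRMAX && out[SMK_NETLBLADDRMAX] == '\0') ? n : -1;
}

int main(void)
{
    struct range r = accepted_range(count_accepted_original);
    printf("original check: count in [%ld, %ld], array size %d -> %s\n",
           r.lo, r.hi, SMK_NETLBLADDRMAX,
           index_may_overflow(r, SMK_NETLBLADDRMAX) ? "overflow possible" : "safe");
    r = accepted_range(count_accepted_fixed);
    printf("fixed check:    count in [%ld, %ld], array size %d -> %s\n",
           r.lo, r.hi, SMK_NETLBLADDRMAX,
           index_may_overflow(r, SMK_NETLBLADDRMAX) ? "overflow possible" : "safe");
    return 0;
}
```

The enumeration in `accepted_range` stands in for what Parfait's symbolic analysis does on the comparison operators directly; the interesting part is the last line of `index_may_overflow`, which is exactly the `count <= 42` versus `size 42` comparison the report prints.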

Currently, Parfait is not available to those outside of Sun, but a binary release is planned. According to lead developer Cristina Cifuentes, it should be available on the web site within the next month or two: "I estimate it will be end of August (to be optimistic) before the binary release is out, a more pessimistic estimate is end of September." That release will be available for "use on a non-commercial basis", she said. Sun is considering an open source release, but no decision on that has yet been made.

In an interview on the Sun Labs web site, Cifuentes gives a broader view of where Parfait is headed—more than just looking for buffer overflows:

At the moment the types of bugs we're finding include other memory-pointer related bugs. Things like null pointer dereference, double free, use after free, memory leaks, format string type mismatches — they can all be found with similar types of analysis. Those are some that we're putting our emphasis on now.

In many ways, Parfait is similar to the Coverity analysis tool that has been used on the kernel as well as other free software. In both cases, at least for now, the analysis can only be run by the company who owns the tool, or those who have licensed it in the case of Coverity. A free software analysis tool that did these kinds of checks—and didn't depend on the goodwill of various companies—would be a real boon. With luck, perhaps Parfait will some day fill that role.

These source analysis tools clearly find real bugs, though there is some evidence that the bug reports resulting from the scans are not being used to their fullest. The Coverity scanner found the tun.c NULL pointer dereference problem long before it was fixed in the kernel, but the report either went unnoticed or was (incorrectly as it turns out) not seen to be a serious problem. More source code analysis—at least any that isn't plagued by too many false positives—can only be a good thing, but the problems found need to be addressed or the value of the effort drops dramatically. It would be awfully nice to have free versions of these kinds of tools as well.



Coccinelle

Posted Jul 30, 2009 8:35 UTC (Thu) by w_sang (subscriber, #52415)

I think Coccinelle should be mentioned here. It probably works differently, but it has a good set of semantic patches covering different areas of programming mistakes. It has already helped fix quite a number of bugs in the kernel.

LLVM

Posted Jul 30, 2009 12:54 UTC (Thu) by lfelipe (subscriber, #50478)

It is also worth pointing out that, as part of the Clang project, LLVM also has a pretty good static analyzer, which is being actively developed in the open.
http://clang-analyzer.llvm.org/

I've been using it to analyze a bunch of projects, amongst them the Enlightenment Foundation Libraries. I've made a blog post about it here:
http://www.libertatia.org/blog/?p=67

Finding buffer overflows with Parfait

Posted Jul 31, 2009 14:48 UTC (Fri) by dwheeler (guest, #1216)

Here's a list of various static analyzers: http://www.dwheeler.com/flawfinder/index.html#othertools.

False positives...

Posted Aug 1, 2009 11:44 UTC (Sat) by error27 (subscriber, #8346)

False positives are not so bad. I can search through over 100 error messages in an hour. The next time an RC1 kernel is released I ignore all the messages I checked last time.

If a tool prints 1000 error messages with a 99% false positive rate it would take me 2 days to find 10 bugs. Of course, it is dreary work, but the bad guys are willing to do it.

Blatant Self Promotion: smatch takes about 4 hours to check a kernel on my eee. Smatch has an array overflow check but it sucks. I will improve it to find the bug described in the article.

Basically, once you understand the possible values of variables it is easy to check for things like this. Smatch tries to track all the possible values at any point. Once you have that, looking for bugs is much easier.

False positives...

Posted Aug 7, 2009 12:21 UTC (Fri) by error27 (subscriber, #8346)

I've pushed the changes to smatch. It now will find the error from the article. I found a few other array out of bounds errors in the 2.6.31-rc3 kernel but not 54.

It's nice, but Parfait is closed source.

Posted Dec 9, 2009 8:43 UTC (Wed) by ineya (guest, #62410)

Too bad it's closed source, it seems to have potential.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds