LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

False positives...

False positives...

Posted Aug 1, 2009 11:44 UTC (Sat) by error27 (subscriber, #8346)
Parent article: Finding buffer overflows with Parfait

False positives are not so bad. I can go through search through over 100 error messages in an hour. The next time an RC1 kernel is released I ignore all the messages I checked last time.

If a tool prints 1000 error messages with a 99% false positive rate it would take me 2 days to find 10 bugs. Of course, it is dreary work, but the bad guys are willing to do it.

Blatant Self Promotion: smatch takes about 4 hours to check a kernel on my eee. Smatch has an array overflow check but it sucks. I will improve it to find the bug described in the article.

Basically, once you understand the possible values of variables it is easy to check for things like this. Smatch tries to track all the possible values at any point. Once you have that, looking for bugs is much easier.

(Log in to post comments)

False positives...

Posted Aug 7, 2009 12:21 UTC (Fri) by error27 (subscriber, #8346) [Link]

I've pushed the changes to smatch. It now will find the error from the article. I found a few other array out of bounds errors in the 2.6.31-rc3 kernel but not 54.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds