LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Trusting the hardware too much

Trusting the hardware too much

Posted Feb 16, 2012 23:43 UTC (Thu) by marcH (subscriber, #57642)
In reply to: Trusting the hardware too much by dvrabel
Parent article: Trusting the hardware too much

Could you please post here a simplified version of the code falsely reported as an infinite loop + a link to the real code?

(Log in to post comments)

Trusting the hardware too much

Posted Feb 17, 2012 0:29 UTC (Fri) by corbet (editor, #1) [Link]

I'm not the poster you're responding to, but I did also check out a report in my code. It thinks this function in drivers/media/video/ov7670.c is an infinite loop: 

static int ov7670_write_array(struct v4l2_subdev *sd, struct regval_list *vals)
{
	while (vals->reg_num != 0xff || vals->value != 0xff) {
		int ret = ov7670_write(sd, vals->reg_num, vals->value);
		if (ret < 0)
			return ret;
		vals++;
	}
	return 0;
}

...but it's just reading through a static array, looking for the end marker.

Trusting the hardware too much

Posted Feb 17, 2012 1:47 UTC (Fri) by hummassa (subscriber, #307) [Link]

Why a market, and not the length or an end-pointer?

Trusting the hardware too much

Posted Feb 17, 2012 16:54 UTC (Fri) by hummassa (subscriber, #307) [Link]

obviously the question is "why a MARKER, and not the length or and and-pointer?" ... damn autocorrect.

Trusting the hardware too much

Posted Feb 17, 2012 2:09 UTC (Fri) by asimkadav (guest, #82931) [Link]

Thanks for pointing that out Jon! The one you reported was an issue with our new i2c support - I just fixed them across all results. Most commonly, false positive arise due to counters that we fail to detect though. There were about 8% false positives or so when we reported the results thoroughly for 2.6.18 kernel. There are still about 800+ bugs out there, and many of them occur in larger groups (although there are many one off bugs as well).

Trusting the hardware too much

Posted Feb 20, 2012 17:47 UTC (Mon) by proski (subscriber, #104) [Link]

Well, if the CPU fails to increment vals, then you have an infinite loop ;)

Trusting the hardware too much

Posted Feb 21, 2012 7:30 UTC (Tue) by geuder (subscriber, #62854) [Link]

> ... but it's just reading through a static array, looking for the end marker.

Looking for an end marker, which is not guaranteed to exist. At least not until you do inter function dependency analysis and have all potential callers' code and make sure there is no path your array data origins from some not to be trusted hardware or user input. Could be easy or impossible.

Of course it would not be an endless loop, but still a potentially dangerous construct overreading the allocated array.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds