[U-Boot] [PATCH v2 00/13] Import Undefined Behavior Sanitizer
Eugeniu Rosca
roscaeugeniu at gmail.com
Sun Aug 26 23:13:18 UTC 2018
While certain classes of bugs (e.g. locking related) are totally
irrelevant for U-Boot, undefined behavior is something U-Boot may
experience all over the place and this certainly can lead to hidden
and difficult to debug issues.
As of v4.18, Linux kernel contains roughly 119 UBSAN fixes [1], so it
has been quite a productive and useful tool to play with during
development.
Thanks to UBSAN, this series fixes 11 (+1 in [2]) UB issues, revealed
by simply cold-booting (sometimes by running an existing command on)
sandbox, qemu-system-{arm,ppc,i386} and arm64 R-Car Gen3 targets.
  | Undefined Behavior class               | Noticed | Fixed | Ref
--|----------------------------------------|---------|-------|-----
A | Signed shift overflow                  | 8       | 8     |
B | Zero-sized array declaration           | 2       | 2     |
C | Read-past-end-of-array                 | 1       | 1     |
D | Shift by negative value                | 1       | 0     | [3]
E | Load of address 'X' with insufficient  |         |       |
  | space for an object of type 'Y'        | ~20-30  | 0     | [4]
A certain class of UBs (see E above) is reported regularly at runtime
on all architectures and looks to be related to the implementation of
U-Boot linker-generated arrays [4]. I believe some feedback from the
authors/maintainers of those is required to assess if this is a UBSAN
false positive or a real bug.
The "signed shift overflow" (see A above) UB is very common in U-Boot.
Grepping the code for '(1 << 31)' (which is a consistent source of this
type of UB) gives 528 occurrences:
$ git grep -E '1[ ]*<<[ ]*31' | wc -l
528
This series collects the low-hanging fruit, as well as leaves others to
experiment with UBSAN themselves.
Best regards,
Eugeniu.
[1] git log --oneline --no-merges --grep UBSAN v4.18 | wc -l
119
[2] https://patchwork.ozlabs.org/patch/957323/
[3] Example of "shift by negative value" UB
==================================================================
UBSAN: Undefined behaviour in drivers/pci/fsl_pci_init.c:139:17
shift exponent -1 is negative
==================================================================
[4] Either a false-positive or a bug in "include/linker_lists.h":
=================================================================
UBSAN: Undefined behaviour in drivers/core/lists.c:28:26
load of address 000000000075f180 with insufficient space
for an object of type 'char *'
=================================================================
Eugeniu Rosca (13):
UBSAN: run-time undefined behavior sanity checker
mmc: Fix signed shift overflow
armv8: mmu: Fix signed shift overflow
pinctrl: renesas: Fix signed shift overflow
net: phy: Fix signed shift overflow
net: ravb: Fix signed shift overflow
x86: Fix signed shift overflow in MSR_IA32_APICBASE_BASE
disk: part_dos: Fix signed shift overflow
common.h: Fix signed shift overflow in cpumask_next()
mmc: Fix read-past-end-of-array
hashtable: Fix zero-sized array
input: Fix zero-sized array
configs: sandbox*: Enable UBSAN
Makefile | 3 +-
arch/Kconfig | 4 +
arch/arm/Kconfig | 1 +
arch/arm/include/asm/armv8/mmu.h | 42 +--
arch/x86/include/asm/msr-index.h | 2 +-
configs/sandbox64_defconfig | 1 +
configs/sandbox_defconfig | 1 +
configs/sandbox_flattree_defconfig | 1 +
configs/sandbox_noblk_defconfig | 1 +
configs/sandbox_spl_defconfig | 1 +
disk/part_dos.c | 9 +-
drivers/input/input.c | 4 +-
drivers/mmc/mmc.c | 4 +-
drivers/net/phy/phy.c | 4 +-
drivers/net/ravb.c | 16 +-
drivers/pinctrl/renesas/sh_pfc.h | 14 +-
examples/standalone/Makefile | 2 +
include/common.h | 2 +-
include/linux/compat.h | 3 +
include/search.h | 2 +-
lib/Kconfig | 1 +
lib/Kconfig.ubsan | 29 ++
lib/Makefile | 2 +
lib/hashtable.c | 4 +-
lib/linux_compat.c | 3 +
lib/ubsan.c | 461 +++++++++++++++++++++++++++++
lib/ubsan.h | 94 ++++++
scripts/Makefile.lib | 6 +
scripts/Makefile.ubsan | 20 ++
29 files changed, 684 insertions(+), 53 deletions(-)
create mode 100644 lib/Kconfig.ubsan
create mode 100644 lib/ubsan.c
create mode 100644 lib/ubsan.h
create mode 100644 scripts/Makefile.ubsan
--
2.18.0
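The "signed shift overflow" (A) and "shift by negative value" (D) classes from the table above, as an added example that is not part of the patch series or of U-Boot: a checked 32-bit left shift that rejects exactly the operand combinations UBSAN reports, beside the unsigned form that is well defined. Function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Return true if (val << shift) is defined behaviour for a 32-bit signed
 * int, mirroring the conditions the sanitizer checks at run time:
 *   - shift must lie in [0, 31]            (otherwise: class D)
 *   - val must be non-negative             (left shift of negative is UB)
 *   - the result must fit in int32_t        (otherwise: class A)
 * On success the result is stored in *out.
 */
bool shl_s32_checked(int32_t val, int shift, int32_t *out)
{
	if (shift < 0 || shift >= 32)
		return false;	/* e.g. "shift exponent -1 is negative" */
	if (val < 0)
		return false;
	/* val must fit in the 31 - shift value bits that remain */
	if (shift > 0 && val > (INT32_MAX >> shift))
		return false;	/* e.g. 1 << 31 does not fit in int32_t */
	*out = (int32_t)((uint32_t)val << shift);
	return true;
}

/* The well-defined alternative for bit masks: shift an unsigned 1. */
uint32_t bit_mask_u32(unsigned int n)
{
	return 1U << n;	/* caller guarantees n <= 31 */
}

int main(void)
{
	int32_t r;

	printf("1 << 30 ok: %d\n", shl_s32_checked(1, 30, &r));	/* 1 */
	printf("1 << 31 ok: %d\n", shl_s32_checked(1, 31, &r));	/* 0 */
	printf("1 << -1 ok: %d\n", shl_s32_checked(1, -1, &r));	/* 0 */
	printf("1U << 31 = 0x%08x\n", bit_mask_u32(31));
	return 0;
}
```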