BLASTing Linux Code

Jan Tobias Mühlberg and Gerald Lüttgen
Department of Computer Science, University of York, York YO10 5DD, U.K.


Checking Memory Safety: Example 4

Commit Overview

Commit Key: 6968ecfca8822055cfe121214c0786e4eecc038e
Subject: [PATCH] apci: fix NULL deref in video/lcd/brightness
Description: Fix Null pointer deref in video/lcd/brightness
Requires: Linux 2.6.14 kernel source as from git://

--- a/drivers/acpi/video.c
+++ b/drivers/acpi/video.c
@@ -813,7 +813,7 @@ acpi_video_device_write_brightness(struc
- if (!dev || count + 1 > sizeof str)
+ if (!dev || !dev->brightness || count + 1 > sizeof str)
if (copy_from_user(str, buffer, count))
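
Review bot: The added `!dev->brightness` test on the `+` line shares a single branch with `!dev` and `count + 1 > sizeof str`, so a device that has no brightness data is reported to the caller with whatever that branch returns for an oversized write. Consider giving it its own check and error code, with a one-line comment stating when `dev->brightness` can legitimately be NULL, so the guard is not later removed as redundant. This hunk only covers acpi_video_device_write_brightness(); any other function that dereferences `dev->brightness` would need the same test.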



Unmodified sources


This is a classic example of a function that does not properly check whether its parameters are valid. While line 816 of acpi_video_device_write_brightness() contains a test ensuring that file->private_data->private does not equal NULL, there is no such test for the component file->private_data->private->brightness, which is dereferenced in line 829 of the listing.

Finding this problem using BLAST is rather difficult, since BLAST does not provide a way to specify that "whenever a pointer is dereferenced, it must not equal NULL". In "Checking Memory Safety with Blast" by Beyer et al., the problem is addressed by automatically inserting runtime tests into the source code under consideration and then using BLAST to check whether the newly introduced code is reachable. However, our case is more difficult, since acpi_video_device_write_brightness() is not called directly but via a function pointer assigned in line 939 of the source file.
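
The idea described above (insert a runtime test before each dereference, then ask whether the error location is reachable) can be sketched in plain C. This is an added example, not code from this page or from the kernel: the structures, the `CHECK_DEREF` macro, the buffer size and the harness `reaches_error()` are simplified assumptions, and the handler is invoked through a function pointer to mirror how the driver reaches it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the driver's structures. */
struct brightness { int curr; };
struct video_device { struct brightness *brightness; };
typedef int (*write_fn)(struct video_device *, const char *, size_t);

static int error_reached; /* models the error location whose reachability is checked */

/* Runtime test inserted before a dereference of p (assumed instrumentation form). */
#define CHECK_DEREF(p) do { if (!(p)) { error_reached = 1; return -1; } } while (0)

/* Guard as before the patch: dev is tested, dev->brightness is not. */
static int write_unpatched(struct video_device *dev, const char *buf, size_t count)
{
    char str[12] = {0};                 /* size is an assumption */
    if (!dev || count + 1 > sizeof str)
        return -1;
    memcpy(str, buf, count);            /* stands in for copy_from_user() */
    CHECK_DEREF(dev->brightness);       /* inserted test */
    dev->brightness->curr = str[0] - '0';
    return (int)count;
}

/* Guard as after the patch. */
static int write_patched(struct video_device *dev, const char *buf, size_t count)
{
    char str[12] = {0};
    if (!dev || !dev->brightness || count + 1 > sizeof str)
        return -1;
    memcpy(str, buf, count);
    CHECK_DEREF(dev->brightness);       /* same inserted test, now unreachable */
    dev->brightness->curr = str[0] - '0';
    return (int)count;
}

/* Harness: call the handler through a function pointer with a device that
 * has no brightness data. Returns 1 if the error location was reached. */
static int reaches_error(write_fn handler)
{
    struct video_device dev = { .brightness = NULL };
    error_reached = 0;
    handler(&dev, "5", 1);
    return error_reached;
}

int main(void) { return !(reaches_error(write_unpatched) && !reaches_error(write_patched)); }
```

The harness gives a checker a direct entry point into the handler, which is the piece that is missing when the function is only ever reached through an assigned function pointer.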


Jan Tobias Mühlberg, $Date$