BLASTing Linux Code

Jan Tobias Mühlberg and Gerald Lüttgen
Department of Computer Science, University of York, York YO10 5DD, U.K.


Checking Memory Safety: Example 6

Commit Overview

Commit Key: 3fd1bb9baa394856b112e5edbfd3893d92dd1149
Subject: [PATCH] hwmon: Off-by-one error in fscpos driver
Description: Coverity uncovered an off-by-one error in the fscpos driver, in function set_temp_reset(). Writing to the temp3_reset sysfs file will lead to an array overrun, in turn causing an I2C write to a random register of the FSC Poseidon chip. Additionally, writing to temp1_reset and temp2_reset will not work as expected. The fix is straightforward.
Requires: Linux 2.6.13 kernel source as from git://

--- a/drivers/hwmon/fscpos.c
+++ b/drivers/hwmon/fscpos.c
@@ -167,7 +167,7 @@ static ssize_t set_temp_reset(struct i2c
"experience to the module author.\n");
/* Supported value: 2 (clears the status) */
- fscpos_write_value(client, FSCPOS_REG_TEMP_STATE[nr], 2);
+ fscpos_write_value(client, FSCPOS_REG_TEMP_STATE[nr - 1], 2);
return count;
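Review bot: the hunk changes the array index from `nr` to `nr - 1` but introduces no check that `nr` lies in the range that keeps `nr - 1` within the bounds of FSCPOS_REG_TEMP_STATE, so correctness still rests entirely on every caller passing a valid attribute number. Since the callers are not visible in this function (they are produced by macro expansion), consider documenting the expected range of `nr` in a comment next to the access, or guarding it with an explicit bounds check, so that a later caller with an out-of-range value cannot reintroduce the same out-of-bounds I2C write.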

(the @@ line gives line numbers and the function name; a line beginning with - was removed, a line beginning with + was added)


Despite the simplicity of the patch, this bug is not easily understood because of the structure of the source file. The function set_temp_reset() operates on the array FSCPOS_REG_TEMP_STATE, which contains three values. Therefore, every call of set_temp_reset() must pass a parameter nr that, used as an index into this array, lies in the range 0 to 2. Unfortunately, no such calls are visible in the source, since they are generated during macro expansion by the preprocessor. To fully understand the bug you may want to look at the preprocessed code.

This bug can easily be found using BLAST by introducing an additional check on the value of the nr argument passed to set_temp_reset() in the preprocessed source file. Fully automatic discovery of the bug, without such a check, seems to be impossible.
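The following C program is an added example, not code from the fscpos driver or from the BLAST project, modelling the situation described above: a three-entry register table, the indexing before and after the patch, and the range check on the index that one would hand to BLAST as an assertion. The register numbers, the attribute macro and all function names are constructed stand-ins; the real driver's register map and macros are not reproduced here. The macro-generated callers illustrate why the valid range of nr is invisible in set_temp_reset() itself.

```c
#include <stdio.h>

/* Constructed stand-in for the driver's three-entry register table.
 * The register numbers are placeholders, not the FSC Poseidon register map. */
#define FSCPOS_TEMP_COUNT 3
static const unsigned char FSCPOS_REG_TEMP_STATE[FSCPOS_TEMP_COUNT] = { 0x01, 0x02, 0x03 };

/* Outcome of resolving a sysfs attribute number nr (1..3, as in temp1_reset,
 * temp2_reset and temp3_reset) to an index into FSCPOS_REG_TEMP_STATE. */
enum index_status { INDEX_OK = 0, INDEX_OUT_OF_RANGE = 1 };

/* The property to be verified: the index used for the array access must lie
 * within the bounds of the array. In a BLAST run this is the additional check
 * (an assertion or an ERROR label) inserted into the preprocessed source. */
static enum index_status check_temp_state_index(int idx)
{
    if (idx < 0 || idx >= FSCPOS_TEMP_COUNT)
        return INDEX_OUT_OF_RANGE;
    return INDEX_OK;
}

/* Indexing as it was before the patch: nr is used directly. */
static int temp_state_index_before(int nr) { return nr; }

/* Indexing after the patch: nr - 1 is used. */
static int temp_state_index_after(int nr) { return nr - 1; }

/* Model of the sysfs store handler set_temp_reset(). Instead of performing an
 * I2C write it records the register that would be written and reports whether
 * the array access was within bounds. */
static enum index_status set_temp_reset_model(int nr, int fixed, unsigned char *reg_out)
{
    int idx = fixed ? temp_state_index_after(nr) : temp_state_index_before(nr);
    enum index_status st = check_temp_state_index(idx);
    if (st != INDEX_OK)
        return st;   /* refuse the write instead of touching an arbitrary register */
    *reg_out = FSCPOS_REG_TEMP_STATE[idx];
    return INDEX_OK;
}

/* Constructed stand-in for the attribute macro: the preprocessor generates one
 * caller per sysfs file, so the value of nr never appears in the function body. */
#define DEFINE_TEMP_RESET_CALLER(n)                                             \
    static enum index_status set_temp##n##_reset(int fixed, unsigned char *r)    \
    { return set_temp_reset_model(n, fixed, r); }
DEFINE_TEMP_RESET_CALLER(1)
DEFINE_TEMP_RESET_CALLER(2)
DEFINE_TEMP_RESET_CALLER(3)

/* Run all three generated callers with the chosen indexing and count how many
 * of the writes the bounds check flags. */
static int count_out_of_range(int fixed)
{
    unsigned char r;
    int bad = 0;
    bad += set_temp1_reset(fixed, &r) != INDEX_OK;
    bad += set_temp2_reset(fixed, &r) != INDEX_OK;
    bad += set_temp3_reset(fixed, &r) != INDEX_OK;
    return bad;
}

/* Register that a write to tempN_reset would reach, or -1 if the check fires. */
static int register_written(int nr, int fixed)
{
    unsigned char r = 0;
    if (set_temp_reset_model(nr, fixed, &r) != INDEX_OK)
        return -1;
    return r;
}

int main(void)
{
    printf("before patch: %d of 3 sysfs writes out of bounds\n", count_out_of_range(0));
    printf("after patch:  %d of 3 sysfs writes out of bounds\n", count_out_of_range(1));
    printf("before patch, temp1_reset writes register 0x%02x (expected 0x%02x)\n",
           register_written(1, 0), FSCPOS_REG_TEMP_STATE[0]);
    return 0;
}
```

With the pre-patch indexing the check fires for temp3_reset only, while temp1_reset and temp2_reset silently hit the register of the next sensor, which is exactly the behaviour the commit description reports; with nr - 1 all three callers stay in bounds. The check itself is what makes the bug visible to a model checker: without it, nothing in set_temp_reset() states what range of nr is acceptable.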


Jan Tobias Mühlberg