Machiry
commented
5 years ago You should provide -n 1 flag to the run_all.py script. Can you give me more details on which kernel you are trying to compile and how?
Closed leiwen83 closed 5 years ago
Machiry
commented
5 years ago You should provide -n 1 flag to the run_all.py script. Can you give me more details on which kernel you are trying to compile and how?
leiwen83
commented
5 years ago The kernel I am try to compile comes from rockchip but not mainlined yet. After change to "-n 1", things goes fine now.
There are some other error warning during helper_scripts runs: clang-3.8: error: the clang compiler does not support '-Wa,-mfpu=softvfp+vfp' clang-3.8: error: the clang compiler does not support '-Wa,-mfpu=softvfp+vfp'
clang-3.8: error: the clang compiler does not support '-Wa,-march=armv7-a+sec'
Machiry
commented
5 years ago The compilation errors for .S files are expected. They should not affect the analysis.
For the visualization, if you have followed all the instruction as listed in: https://github.com/ucsb-seclab/dr_checker/blob/speedy/docs/docker.md#visualizing-the-results ?
Then could you check if the path given to RESULTS_DIR contains any JSON files?
It would be much easier to debug, if you can share the rockchip kernel you are using.
leiwen83
commented
5 years ago The rockchip kernel is current unavaible to the public... While it use similar gpu driver as mtk online: https://android.googlesource.com/kernel/mediatek/+/android-mtk-3.18/drivers/misc/mediatek/gpu/gpu_mali/mali_utgard/mali/mali/linux/mali_kernel_sysfs.c?autodive=0%2F%2F%2F%2F%2F%2F%2F
In this file, drcheck report "Trying to write to a user pointer." "warn_data": { "at": " store i8 0, i8 %arrayidx, align 1, !dbg !92353", "at_file": "/drivers/gpu/arm/mali400/mali/linux/mali_kernel_sysfs.c", "at_func": "power_always_on_write", "at_line": 492, "by": "TaintedPointerDereferenceChecker says:", "inst_trace": [ { "instr": " %val = alloca i32, align 4", "instr_func": "power_always_on_write", "instr_loc": -1 }, { "instr": " store i32 %cnt, i32 %_min1, align 4, !dbg !92306", "instr_file": "/drivers/gpu/arm/mali400/mali/linux/mali_kernel_sysfs.c", "instr_func": "power_always_on_write", "instr_loc": 488 }, { "instr": " %2 = load i32, i32 %_min1, align 4, !dbg !92308", "instr_file": "drivers/gpu/arm/mali400/mali/linux/mali_kernel_sysfs.c", "instr_func": "power_always_on_write", "instr_loc": 488 }, { "instr": " %cond = phi i32 [ %2, %cond.true ], [ %3, %cond.false ], !dbg !92312", "instr_file": "//drivers/gpu/arm/mali400/mali/linux/mali_kernel_sysfs.c", "instr_func": "power_always_on_write", "instr_loc": 488 }, { "instr": " %arrayidx = getelementptr [32 x i8], [32 x i8] %buf, i32 0, i32 %cond, !dbg !92352", "instr_file": "/drivers/gpu/arm/mali400/mali/linux/mali_kernel_sysfs.c", "instr_func": "power_always_on_write", "instr_loc": 492 } ], "warn_str": "Trying to write to a user pointer." },
static ssize_t power_always_on_write(struct file filp, const char __user ubuf, size_t cnt, loff_t *ppos) { unsigned long val; int ret; char buf[32];
cnt = min(cnt, sizeof(buf) - 1);
if (copy_from_user(buf, ubuf, cnt)) {
return -EFAULT;
}
buf[cnt] = '\0';
ret = kstrtoul(buf, 10, &val);
if (0 != ret) {
return ret;It is because, cnt could potentially come from user space and you are using it as index into buf, which could a potential arbitrary memory write.
Note that, DR.CHECKER as of now does not support untainting and it is flow-sensitive i.e., merge all the values across different paths.
In short, DR.CHECKER does not know that cnt is vetted before.
I see ARCH64 is supported in the docker. How could I check arm32 kernel? LLVM complain for "does not support '-march=armv7-a". Do I need to reconfig the LLVM? Do you have recommend steps to do the configuration?