[Review] One Simple API Can Cause Hundreds of Bugs: An Analysis of Refcounting Bugs in All Modern Linux Kernels

Link

The paper studies reference-counting (refcounting) bugs in the Linux kernel. Its two contributions:

  1. It analyzes the history of 1,033 refcounting bugs across 753 Linux kernel versions from 2005 to 2022 and distils 9 rules that a checker can use to find refcounting bugs.
  2. It builds a new static-analysis tool that applies these 9 rules and detects 351 new bugs, 240 of which have been confirmed by kernel developers.

Introduction

Reference counting: a reference count records how many references to an object are currently held; the object is freed when the count drops to zero (similar to `std::shared_ptr` in C++, but maintained by hand through get/put calls in the kernel).

Potential risks: a missing decrement keeps the count above zero forever, so the object is never freed (memory leak); an extra decrement frees the object while someone still holds a pointer to it (use-after-free, UAF).
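The two failure modes above, as an added example (not from the paper or from this post): a userspace stand-in for the kernel's `kref` API (`kref_init`/`kref_get`/`kref_put` are re-implemented here with C11 atomics, not taken from the kernel), a constructed `my_dev` object, and a `find_dev()` lookup that, like many kernel lookup helpers, returns a pointer that silently carries a reference the caller must drop. `probe_buggy` forgets the put on an error path (missing decrease, leak), `probe_overput` drops the reference twice (extra decrease, premature free), and `probe_fixed` keeps get and put paired on every path.

```c
/* Added example: userspace model of kernel-style refcounting. The kref
 * functions, my_dev, find_dev and the probe_* functions are all constructed
 * here for illustration; they are not the paper's code. */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kref { atomic_int refcount; };

static void kref_init(struct kref *k) { atomic_init(&k->refcount, 1); }
static void kref_get(struct kref *k) { atomic_fetch_add(&k->refcount, 1); }
/* Drops one reference; runs release() and returns 1 if it was the last one. */
static int kref_put(struct kref *k, void (*release)(struct kref *)) {
    if (atomic_fetch_sub(&k->refcount, 1) == 1) { release(k); return 1; }
    return 0;
}

struct my_dev { char name[16]; int online; struct kref ref; };

static int g_released;   /* number of release() calls, so callers can observe frees */

static void my_dev_release(struct kref *k) {
    /* container_of() in the kernel; plain offsetof arithmetic here */
    struct my_dev *d = (struct my_dev *)((char *)k - offsetof(struct my_dev, ref));
    g_released++;
    free(d);
}

static struct my_dev *my_dev_alloc(const char *name, int online) {
    struct my_dev *d = calloc(1, sizeof *d);
    if (!d) abort();
    strncpy(d->name, name, sizeof d->name - 1);
    d->online = online;
    kref_init(&d->ref);              /* the allocator holds the first reference */
    return d;
}

/* Hidden reference: the returned pointer carries a reference the caller owns. */
static struct my_dev *find_dev(struct my_dev *d) { kref_get(&d->ref); return d; }

/* Missing decrease: the early error return skips the put, so the lookup
 * reference is never dropped and the device can never be freed. */
static int probe_buggy(struct my_dev *d) {
    struct my_dev *found = find_dev(d);
    if (!found->online)
        return -ENODEV;                          /* leak */
    kref_put(&found->ref, my_dev_release);
    return 0;
}

/* Extra decrease: consume_dev() already drops the reference it was handed,
 * and the caller drops it again, so the object is freed while the original
 * owner still holds a pointer to it (a use-after-free waiting to happen). */
static void consume_dev(struct my_dev *d) { d->online = 0; kref_put(&d->ref, my_dev_release); }
static int probe_overput(struct my_dev *d) {
    struct my_dev *found = find_dev(d);
    consume_dev(found);                          /* drops the lookup reference */
    kref_put(&found->ref, my_dev_release);       /* drops it again: count hits 0 */
    return 0;
}

/* Fixed: a single exit path keeps the get from find_dev() paired with one put. */
static int probe_fixed(struct my_dev *d) {
    struct my_dev *found = find_dev(d);
    int ret = found->online ? 0 : -ENODEV;
    kref_put(&found->ref, my_dev_release);
    return ret;
}

/* Runs one probe against a fresh device and then drops the owner's reference.
 * Returns 1 if the device was freed exactly when the owner let go (correct),
 * 0 if it was never freed (leak), 2 if it was freed while the owner still
 * held it (the UAF case; we stop before touching the freed memory). */
static int run_scenario(int (*probe)(struct my_dev *), int online) {
    struct my_dev *d = my_dev_alloc("eth0", online);
    g_released = 0;
    probe(d);
    if (g_released)
        return 2;
    kref_put(&d->ref, my_dev_release);          /* owner's put */
    return g_released;
}

int main(void) {
    printf("fixed/online  : %d\n", run_scenario(probe_fixed, 1));
    printf("fixed/offline : %d\n", run_scenario(probe_fixed, 0));
    printf("buggy/offline : %d (0 = leaked)\n", run_scenario(probe_buggy, 0));
    printf("overput       : %d (2 = freed under the owner)\n", run_scenario(probe_overput, 1));
    return 0;
}
```

The leak in `probe_buggy` is exactly the pattern the paper's third finding describes: get and put are both in one function, but one exit path lacks the put, so an intraprocedural check for unpaired operations catches it. The over-put case is harder, because the extra decrement lives in a callee whose name does not say that it consumes a reference.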

Implementation

The paper analyzes the bug history in detail.

Findings:

  1. A majority (741/1033, about 71.7%) of the studied refcounting bugs lead to memory leaks, and more than two-thirds (694/1033, about 67.2%) of all bugs are caused by a missing decrement. More than half (590/1033, about 57.1%) of the bugs can be detected simply by searching for unpaired get/put operations within a single function.
  2. Refcounting bugs follow a long-tailed distribution across the kernel's subsystems. About 82.4% (851/1033) of them are found in the "drivers", "net" and "fs" subsystems, and more than half of all bugs (588/1033, about 56.9%) occur in "drivers" alone.

Interestingly, when explaining the root cause of the hidden-refcounting bug type (APIs that take or drop a reference without their names saying so), the author presents a table:

Word vectors of the API names are used to show why this kind of bug is so easy to introduce.

The author then implements a new static-analysis tool that encodes the 9 rules.

https://gax-c.github.io/blog/2024/04/25/38_paper_review_26/

Author: Gax

Posted on 2024-04-25, updated on 2024-04-28
