Defective Error/Pointer Interactions in the Linux Kernel
Linux run-time errors are represented by integer values referred to as error codes. These values propagate across long function-call chains before being handled. As these error codes propagate, they are often temporarily or permanently encoded into pointer values. Error-valued pointers are not valid memory addresses, and therefore require special care by programmers. Misuse of pointer variables that store error codes can lead to serious problems such as system crashes, data corruption, and unexpected results. The authors use static program analysis to find three classes of bugs involving error-valued pointers: bad dereferences, bad pointer arithmetic, and bad overwrites.
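As an added illustration that is not part of the paper, the following user-space C program re-creates the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers from include/linux/err.h, a constructed lookup that returns an error-valued pointer, a correctly guarded consumer, and one of the bug classes above: pointer arithmetic on an error-valued pointer, which silently rewrites the encoded error code or makes it stop looking like an error at all. The device structure, `lookup_device`, and the MAX_ERRNO value of 4095 are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* User-space re-creation of the helpers in include/linux/err.h (assumption:
 * error codes -MAX_ERRNO..-1 are stored as the last 4095 addresses of the
 * address space, a range no valid kernel pointer ever occupies). */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return IS_ERR_VALUE((unsigned long)ptr); }

struct device { char name[16]; };
static struct device dev0 = { "dev0" };   /* constructed sample object */

/* Constructed lookup in the kernel idiom: a real object on success,
 * an error-valued pointer (not a dereferenceable address) on failure. */
static struct device *lookup_device(const char *name)
{
    return strcmp(name, "dev0") == 0 ? &dev0 : ERR_PTR(-ENODEV);
}

/* Correct consumer: the IS_ERR test guards the dereference, and the
 * encoded code is recovered with PTR_ERR instead of being overwritten
 * or lost (the "bad overwrite" class). */
int device_name_len(const char *name)
{
    struct device *dev = lookup_device(name);
    if (IS_ERR(dev))
        return (int)PTR_ERR(dev);   /* propagate -ENODEV; never touch dev->name */
    return (int)strlen(dev->name);
}

/* Bad pointer arithmetic: offsetting an error-valued pointer changes the
 * error code it encodes. Returns the code a later IS_ERR/PTR_ERR caller
 * would decode, or 0 when the result no longer looks like an error and
 * would be dereferenced as a near-NULL address (a bad dereference). */
long err_after_offset(long error, size_t offset)
{
    char *p = (char *)ERR_PTR(error) + offset;   /* reads like ordinary pointer math */
    return IS_ERR(p) ? PTR_ERR(p) : 0;
}
```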