2 * smatch/check_user_data.c
4 * Copyright (C) 2011 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
11 * There are a couple checks that try to see if a variable
12 * comes from the user. It would be better to unify them
13 * into one place. Also it we should follow the data down
14 * the call paths. Hence this file.
18 #include "smatch_slist.h"
19 #include "smatch_extra.h"
21 void tag_as_user_data(struct expression
*expr
);
26 STATE(user_data_passed
);
34 static int is_user_macro(struct expression
*expr
)
39 static int has_user_data_state(struct expression
*expr
, struct state_list
*my_slist
)
45 expr
= strip_expr(expr
);
46 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&')
47 expr
= strip_expr(expr
->unop
);
49 name
= expr_to_str_sym(expr
, &sym
);
54 FOR_EACH_PTR(my_slist
, sm
) {
57 } END_FOR_EACH_PTR(sm
);
61 static int passes_user_data(struct expression
*expr
)
63 struct state_list
*slist
;
64 struct expression
*arg
;
66 slist
= get_all_states(my_id
);
67 FOR_EACH_PTR(expr
->args
, arg
) {
68 if (is_user_data(arg
))
70 if (has_user_data_state(arg
, slist
))
72 } END_FOR_EACH_PTR(arg
);
77 static struct expression
*db_expr
;
78 static int db_user_data
;
79 static int db_user_data_callback(void *unused
, int argc
, char **argv
, char **azColName
)
81 if (atoi(argv
[0]) == PASSED_DATA
&& !passes_user_data(db_expr
))
87 static int is_user_fn_db(struct expression
*expr
)
90 static char sql_filter
[1024];
92 if (expr
->fn
->type
!= EXPR_SYMBOL
)
94 sym
= expr
->fn
->symbol
;
98 if (sym
->ctype
.modifiers
& MOD_STATIC
) {
99 snprintf(sql_filter
, 1024, "file = '%s' and function = '%s';",
100 get_filename(), sym
->ident
->name
);
102 snprintf(sql_filter
, 1024, "function = '%s' and static = 0;",
108 run_sql(db_user_data_callback
,
109 "select value from return_states where type=%d and parameter = -1 and key = '$$' and %s",
110 USER_DATA
, sql_filter
);
114 static int is_user_function(struct expression
*expr
)
116 if (expr
->type
!= EXPR_CALL
)
118 if (sym_name_is("kmemdup_user", expr
->fn
))
120 return is_user_fn_db(expr
);
123 static int is_skb_data(struct expression
*expr
)
130 name
= expr_to_var_sym(expr
, &sym
);
134 sym
= get_base_type(sym
);
135 if (!sym
|| sym
->type
!= SYM_PTR
)
137 sym
= get_base_type(sym
);
138 if (!sym
|| sym
->type
!= SYM_STRUCT
|| !sym
->ident
)
140 if (strcmp(sym
->ident
->name
, "sk_buff") != 0)
146 if (strcmp(name
+ len
- 6, "->data") == 0)
154 static int in_container_of_macro(struct expression
*expr
)
158 macro
= get_macro_name(expr
->pos
);
162 if (strcmp(macro
, "container_of") == 0)
167 static int is_user_data_state(struct expression
*expr
)
169 struct state_list
*slist
= NULL
;
170 struct sm_state
*tmp
;
175 tmp
= get_sm_state_expr(my_id
, expr
);
177 if (slist_has_state(tmp
->possible
, &user_data_set
))
179 if (slist_has_state(tmp
->possible
, &user_data_passed
))
184 name
= expr_to_str_sym(expr
, &sym
);
188 slist
= get_all_states(my_id
);
189 FOR_EACH_PTR(slist
, tmp
) {
192 if (!strncmp(tmp
->name
, name
, strlen(tmp
->name
))) {
193 if (slist_has_state(tmp
->possible
, &user_data_set
))
195 else if (slist_has_state(tmp
->possible
, &user_data_passed
))
199 } END_FOR_EACH_PTR(tmp
);
207 int is_user_data(struct expression
*expr
)
216 if (in_container_of_macro(expr
))
219 user_data
= is_user_macro(expr
);
222 user_data
= is_user_function(expr
);
225 user_data
= is_skb_data(expr
);
229 expr
= strip_expr(expr
); /* this has to come after is_user_macro() */
231 if (expr
->type
== EXPR_BINOP
) {
232 user_data
= is_user_data(expr
->left
);
237 user_data
= is_user_data(expr
->right
);
242 if (expr
->type
== EXPR_PREOP
&& (expr
->op
== '&' || expr
->op
== '*'))
243 expr
= strip_expr(expr
->unop
);
245 return is_user_data_state(expr
);
248 int is_capped_user_data(struct expression
*expr
)
252 sm
= get_sm_state_expr(my_id
, expr
);
255 if (slist_has_state(sm
->possible
, &capped
))
260 void set_param_user_data(const char *name
, struct symbol
*sym
, char *key
, char *value
)
264 /* sanity check. this should always be true. */
265 if (strncmp(key
, "$$", 2) != 0)
267 snprintf(fullname
, 256, "%s%s", name
, key
+ 2);
268 set_state(my_id
, fullname
, sym
, &user_data_passed
);
271 static void match_syscall_definition(struct symbol
*sym
)
276 macro
= get_macro_name(sym
->pos
);
279 if (strncmp("SYSCALL_DEFINE", macro
, strlen("SYSCALL_DEFINE")) != 0 &&
280 strncmp("COMPAT_SYSCALL_DEFINE", macro
, strlen("COMPAT_SYSCALL_DEFINE")) != 0)
283 FOR_EACH_PTR(sym
->ctype
.base_type
->arguments
, arg
) {
284 set_state(my_id
, arg
->ident
->name
, arg
, &user_data_set
);
285 } END_FOR_EACH_PTR(arg
);
288 static void match_condition(struct expression
*expr
)
293 case SPECIAL_UNSIGNED_LT
:
294 case SPECIAL_UNSIGNED_LTE
:
295 if (is_user_data(expr
->left
))
296 set_true_false_states_expr(my_id
, expr
->left
, &capped
, NULL
);
297 if (is_user_data(expr
->right
))
298 set_true_false_states_expr(my_id
, expr
->right
, NULL
, &capped
);
302 case SPECIAL_UNSIGNED_GT
:
303 case SPECIAL_UNSIGNED_GTE
:
304 if (is_user_data(expr
->right
))
305 set_true_false_states_expr(my_id
, expr
->right
, &capped
, NULL
);
306 if (is_user_data(expr
->left
))
307 set_true_false_states_expr(my_id
, expr
->left
, NULL
, &capped
);
310 if (is_user_data(expr
->left
))
311 set_true_false_states_expr(my_id
, expr
->left
, &capped
, NULL
);
312 if (is_user_data(expr
->right
))
313 set_true_false_states_expr(my_id
, expr
->right
, &capped
, NULL
);
315 case SPECIAL_NOTEQUAL
:
316 if (is_user_data(expr
->left
))
317 set_true_false_states_expr(my_id
, expr
->left
, NULL
, &capped
);
318 if (is_user_data(expr
->right
))
319 set_true_false_states_expr(my_id
, expr
->right
, NULL
, &capped
);
326 static void set_capped(struct sm_state
*sm
, struct expression
*mod_expr
)
328 set_state(my_id
, sm
->name
, sm
->sym
, &capped
);
331 static void match_normal_assign(struct expression
*expr
)
335 user_data
= is_user_data(expr
->right
);
336 if (user_data
== PASSED_DATA
)
337 set_state_expr(my_id
, expr
->left
, &user_data_passed
);
338 if (user_data
== SET_DATA
)
339 set_state_expr(my_id
, expr
->left
, &user_data_set
);
342 static void match_assign(struct expression
*expr
)
346 name
= get_macro_name(expr
->pos
);
347 if (!name
|| strcmp(name
, "get_user") != 0) {
348 match_normal_assign(expr
);
351 name
= expr_to_var(expr
->right
);
352 if (!name
|| strcmp(name
, "__val_gu") != 0)
354 set_state_expr(my_id
, expr
->left
, &user_data_set
);
359 static void tag_struct_members(struct symbol
*type
, struct expression
*expr
)
362 struct expression
*member
;
365 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&') {
366 expr
= strip_expr(expr
->unop
);
370 FOR_EACH_PTR(type
->symbol_list
, tmp
) {
373 member
= member_expression(expr
, op
, tmp
->ident
);
374 set_state_expr(my_id
, member
, &user_data_set
);
375 } END_FOR_EACH_PTR(tmp
);
378 static void tag_base_type(struct expression
*expr
)
380 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&')
381 expr
= strip_expr(expr
->unop
);
383 expr
= deref_expression(expr
);
384 set_state_expr(my_id
, expr
, &user_data_set
);
387 void tag_as_user_data(struct expression
*expr
)
391 expr
= strip_expr(expr
);
393 type
= get_type(expr
);
394 if (!type
|| type
->type
!= SYM_PTR
)
396 type
= get_real_base_type(type
);
399 if (type
== &void_ctype
) {
400 set_state_expr(my_id
, deref_expression(expr
), &user_data_set
);
403 if (type
->type
== SYM_BASETYPE
)
405 if (type
->type
== SYM_STRUCT
) {
406 if (expr
->type
!= EXPR_PREOP
|| expr
->op
!= '&')
407 expr
= deref_expression(expr
);
408 tag_struct_members(type
, expr
);
412 static void match_user_copy(const char *fn
, struct expression
*expr
, void *_param
)
414 int param
= PTR_INT(_param
);
415 struct expression
*dest
;
417 dest
= get_argument_from_call_expr(expr
->args
, param
);
418 dest
= strip_expr(dest
);
421 tag_as_user_data(dest
);
424 static void match_user_assign_function(const char *fn
, struct expression
*expr
, void *unused
)
426 set_state_expr(my_id
, expr
->left
, &user_data_set
);
429 static void match_macro_assign(const char *fn
, struct expression
*expr
, void *_bits
)
433 bits
= nr_bits(expr
->left
);
436 if (bits
> nr_bits(expr
->right
))
438 set_state_expr(my_id
, expr
->left
, &user_data_set
);
441 static void match_caller_info(struct expression
*expr
)
443 struct expression
*tmp
;
447 FOR_EACH_PTR(expr
->args
, tmp
) {
448 if (is_user_data(tmp
))
449 sql_insert_caller_info(expr
, USER_DATA
, i
, "$$", "");
451 } END_FOR_EACH_PTR(tmp
);
454 static void struct_member_callback(struct expression
*call
, int param
, char *printed_name
, struct smatch_state
*state
)
456 if (state
== &capped
)
458 sql_insert_caller_info(call
, USER_DATA
, param
, printed_name
, "");
461 static void returned_member_callback(int return_id
, char *return_ranges
, char *printed_name
, struct smatch_state
*state
)
463 if (state
== &capped
)
465 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
, -1, printed_name
, "");
468 static void print_returned_user_data(int return_id
, char *return_ranges
, struct expression
*expr
)
470 struct state_list
*my_slist
;
471 struct sm_state
*tmp
;
474 const char *passed_or_new
;
476 user_data
= is_user_data(expr
);
477 if (user_data
== PASSED_DATA
) {
478 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
,
481 if (user_data
== SET_DATA
) {
482 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
,
486 my_slist
= get_all_states(my_id
);
488 FOR_EACH_PTR(my_slist
, tmp
) {
489 const char *param_name
;
491 param
= get_param_num_from_sym(tmp
->sym
);
495 if (is_capped_var_sym(tmp
->name
, tmp
->sym
))
497 /* ignore states that were already USER_DATA to begin with */
498 if (get_state_slist(get_start_states(), my_id
, tmp
->name
, tmp
->sym
))
501 param_name
= get_param_name(tmp
);
505 if (slist_has_state(tmp
->possible
, &user_data_set
))
507 if (slist_has_state(tmp
->possible
, &user_data_passed
))
510 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
,
511 param
, param_name
, passed_or_new
);
512 } END_FOR_EACH_PTR(tmp
);
514 free_slist(&my_slist
);
517 static void db_return_states_userdata(struct expression
*expr
, int param
, char *key
, char *value
)
522 name
= return_state_to_var_sym(expr
, param
, key
, &sym
);
526 set_state(my_id
, name
, sym
, &user_data_set
);
531 void check_user_data(int id
)
533 if (option_project
!= PROJ_KERNEL
)
536 select_caller_info_hook(set_param_user_data
, USER_DATA
);
537 add_hook(&match_syscall_definition
, FUNC_DEF_HOOK
);
538 add_hook(&match_condition
, CONDITION_HOOK
);
539 add_hook(&match_assign
, ASSIGNMENT_HOOK
);
540 add_function_hook("copy_from_user", &match_user_copy
, INT_PTR(0));
541 add_function_hook("__copy_from_user", &match_user_copy
, INT_PTR(0));
542 add_function_hook("memcpy_fromiovec", &match_user_copy
, INT_PTR(0));
543 add_function_assign_hook("kmemdup_user", &match_user_assign_function
, NULL
);
545 add_hook(&match_caller_info
, FUNCTION_CALL_HOOK
);
546 add_member_info_callback(my_id
, struct_member_callback
);
547 add_returned_member_callback(my_id
, returned_member_callback
);
548 add_returned_state_callback(print_returned_user_data
);
549 select_return_states_hook(USER_DATA
, &db_return_states_userdata
);
551 add_modification_hook(my_id
, &set_capped
);