check_spectre.c

   1 /*
   2  * Copyright (C) 2018 Oracle.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include "smatch.h"
  19 #include "smatch_extra.h"
  20
  21 static int my_id;
  22
  23 static int suppress_multiple = 1;
  24
  25 static int is_write(struct expression *expr)
  26 {
  27         return 0;
  28 }
  29
  30 static int is_read(struct expression *expr)
  31 {
  32         struct expression *parent, *last_parent;
  33         struct statement *stmt;
  34
  35         if (is_write(expr))
  36                 return 0;
  37
  38         last_parent = expr;
  39         while ((parent = expr_get_parent_expr(expr))){
  40
  41                 last_parent = parent;
  42
  43                 /* If we pass a value as a parameter that's a read, probably? */
  44 //              if (parent->type == EXPR_CALL)
  45 //                      return 1;
  46
  47                 if (parent->type == EXPR_ASSIGNMENT) {
  48                         if (parent->right == expr)
  49                                 return 1;
  50                         if (parent->left == expr)
  51                                 return 0;
  52                 }
  53                 expr = parent;
  54         }
  55
  56         stmt = expr_get_parent_stmt(last_parent);
  57         if (stmt && stmt->type == STMT_RETURN)
  58                 return 1;
  59
  60         return 0;
  61 }
  62
  63 static unsigned long long get_max_by_type(struct expression *expr)
  64 {
  65         sval_t max = {
  66                 .type = &ullong_ctype,
  67                 .uvalue = -1ULL,
  68         };
  69         struct symbol *type;
  70         int cnt = 0;
  71
  72         while (true) {
  73                 expr = strip_parens(expr);
  74                 type = get_type(expr);
  75                 if (type && sval_type_max(type).uvalue < max.uvalue)
  76                         max = sval_type_max(type);
  77                 if (expr->type == EXPR_PREOP) {
  78                         expr = expr->unop;
  79                 } else if (expr->type == EXPR_BINOP) {
  80                         if (expr->op == '%' || expr->op == '&')
  81                                 expr = expr->right;
  82                         else
  83                                 return max.uvalue;
  84                 } else {
  85                         expr = get_assigned_expr(expr);
  86                         if (!expr)
  87                                 return max.uvalue;
  88                 }
  89                 if (cnt++ > 5)
  90                         return max.uvalue;
  91         }
  92
  93         return max.uvalue;
  94 }
  95
  96 static unsigned long long get_mask(struct expression *expr)
  97 {
  98         struct expression *tmp;
  99         sval_t mask;
 100         int cnt = 0;
 101
 102         expr = strip_expr(expr);
 103
 104         tmp = get_assigned_expr(expr);
 105         while (tmp) {
 106                 expr = tmp;
 107                 if (++cnt > 3)
 108                         break;
 109                 tmp = get_assigned_expr(expr);
 110         }
 111
 112         if (expr->type == EXPR_BINOP && expr->op == '&') {
 113                 if (get_value(expr->right, &mask))  /* right is the common case */
 114                         return mask.uvalue;
 115                 if (get_value(expr->left, &mask))
 116                         return mask.uvalue;
 117         }
 118
 119         return ULLONG_MAX;
 120 }
 121
 122 static void array_check(struct expression *expr)
 123 {
 124         struct expression_list *conditions;
 125         struct expression *array_expr, *offset;
 126         unsigned long long mask;
 127         int array_size;
 128         char *name;
 129
 130         expr = strip_expr(expr);
 131         if (!is_array(expr))
 132                 return;
 133
 134         if (is_impossible_path())
 135                 return;
 136         if (is_write(expr))
 137                 return;
 138         if (!is_read(expr))
 139                 return;
 140
 141         array_expr = get_array_base(expr);
 142         if (suppress_multiple && is_ignored_expr(my_id, array_expr))
 143                 return;
 144
 145         offset = get_array_offset(expr);
 146         if (!is_user_rl(offset))
 147                 return;
 148         if (is_nospec(offset))
 149                 return;
 150
 151         array_size = get_array_size(array_expr);
 152         if (array_size > 0 && get_max_by_type(offset) < array_size)
 153                 return;
 154 //      binfo = get_bit_info(offset);
 155 //      if (array_size > 0 && binfo && binfo->possible < array_size)
 156 //              return;
 157
 158         mask = get_mask(offset);
 159         if (mask <= array_size)
 160                 return;
 161
 162         conditions = get_conditions(offset);
 163
 164         name = expr_to_str(array_expr);
 165         sm_msg("warn: potential spectre issue '%s'%s",
 166                name, conditions ? " (local cap)" : "");
 167         if (suppress_multiple)
 168                 add_ignore_expr(my_id, array_expr);
 169         free_string(name);
 170 }
 171
 172 void check_spectre(int id)
 173 {
 174         my_id = id;
 175
 176         suppress_multiple = getenv("FULL_SPECTRE") == NULL;
 177
 178         if (option_project != PROJ_KERNEL)
 179                 return;
 180
 181         add_hook(&array_check, OP_HOOK);
 182 }