fixup_kernel: kmalloc() can allocate more data. Let's say 4MB.
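#!/bin/bash
#
# fixup_kernel.sh - apply hand-written corrections to a Smatch database
# that was built from a kernel tree.
#
# Usage: fixup_kernel.sh <db_file>
#
# All of the SQL below is fed to sqlite3 and edits <db_file> in place.  It
# deletes caller_info / function_ptr rows that cause false positives and
# replaces or rewrites return_states rows for a handful of central functions
# with 'faked' entries.
#
# NOTE(review): every "type = 1003" delete removes USER_DATA records, so it is
# a suppression -- presumably the checker stops treating data at those call
# sites as user controlled.  Each entry trades a false positive for a possible
# false negative; re-check them when the named kernel functions change.

db_file=${1:-}

# Refuse to run without an existing database: with an empty or mistyped
# argument sqlite3 would work on a scratch database or create a new empty
# file, and the fixups would silently apply to nothing.
if [ -z "$db_file" ] || [ ! -f "$db_file" ]; then
  echo "Usage: $0 <db_file>" >&2
  exit 1
fi

# The delimiter is quoted so the shell expands nothing inside the SQL: the
# literal \$ placeholders are written as-is and a stray \$ or backtick can
# never be substituted into a statement.
sqlite3 "$db_file" << 'EOF'
/* we only care about the main ->read/write() functions. */
delete from caller_info where function = '(struct file_operations)->read' and file != 'fs/read_write.c';
delete from caller_info where function = '(struct file_operations)->write' and file != 'fs/read_write.c';
delete from function_ptr where function = '(struct file_operations)->read';
delete from function_ptr where function = '(struct file_operations)->write';

/* delete these function pointers which cause false positives */
delete from caller_info where function = '(struct file_operations)->open' and type != 0;
delete from caller_info where function = '(struct notifier_block)->notifier_call' and type != 0;
delete from caller_info where function = '(struct mISDNchannel)->send' and type != 0;
delete from caller_info where function = '(struct irq_router)->get' and type != 0;
delete from caller_info where function = '(struct irq_router)->set' and type != 0;
delete from caller_info where function = '(struct net_device_ops)->ndo_change_mtu' and caller = 'i40e_dbg_netdev_ops_write';
delete from caller_info where function = '(struct timer_list)->function' and type != 0;

/* type 1003 is USER_DATA */
delete from caller_info where caller = 'hid_input_report' and type = 1003;
delete from caller_info where caller = 'nes_process_iwarp_aeqe' and type = 1003;
delete from caller_info where caller = 'oz_process_ep0_urb' and type = 1003;
delete from caller_info where function = 'dev_hard_start_xmit' and key = '$' and type = 1003;
delete from caller_info where function like '%->ndo_start_xmit' and key = '$' and type = 1003;
delete from caller_info where caller = 'packet_rcv_fanout' and function = '(struct packet_type)->func' and parameter = 1 and type = 1003;
delete from caller_info where caller = 'hptiop_probe' and type = 1003;
delete from caller_info where caller = 'p9_fd_poll' and function = '(struct file_operations)->poll' and type = 1003;
delete from caller_info where caller = 'proc_reg_poll' and function = 'proc_reg_poll ptr poll' and type = 1003;
delete from caller_info where function = 'blkdev_ioctl' and type = 1003 and parameter = 0 and key = '$';

/* Mark parameters 0, 1 and 2 of compat_sys_ioctl as USER_DATA (type 1003). */
insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 0, '$', '1');
insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 1, '$', '1');
insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 2, '$', '1');

delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;

/*
 * rw_verify_area is a very central function for the kernel.  The 1000000000
 * isn't accurate but I've picked it so that we can add "pos + count" without
 * wrapping on 32 bits.
 */
delete from return_states where function = 'rw_verify_area';
insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=$3]', 0, 0, -1, '', '');
insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=$3]', 0, 102, 2, '*$', '0-1000000000');
insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=$3]', 0, 1011, 3, '$', '0-1000000000');
insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');

/*
 * I am a bad person for doing this to __kmalloc() which is a very deep function
 * and can easily be removed instead of to kmalloc().  But kmalloc() is an
 * inline function so it ends up being recorded thousands of times in the
 * database.  Doing this is easier.
 *
 * The 4000000 boundary is an approximation of the largest size that can
 * succeed, not an exact allocator limit.
 */
delete from return_states where function = '__kmalloc';
insert into return_states values ('faked', '__kmalloc', 0, 1, '16', 0, 0, -1, '', '');
insert into return_states values ('faked', '__kmalloc', 0, 1, '16', 0, 1011, 0, '$', '0');
insert into return_states values ('faked', '__kmalloc', 0, 2, '0,4096-ptr_max', 0, 0, -1, '', '');
insert into return_states values ('faked', '__kmalloc', 0, 2, '0,4096-ptr_max', 0, 1011, 0, '$', '1-4000000');
insert into return_states values ('faked', '__kmalloc', 0, 3, '0', 0, 0, -1, '', '');
insert into return_states values ('faked', '__kmalloc', 0, 3, '0', 0, 1011, 0, '$', '4000000-long_max');

delete from return_states where function = 'vmalloc';
insert into return_states values ('faked', 'vmalloc', 0, 1, '0,4096-ptr_max', 0, 0, -1, '', '');
insert into return_states values ('faked', 'vmalloc', 0, 1, '0,4096-ptr_max', 0, 1011, 0, '$', '1-128000000');
insert into return_states values ('faked', 'vmalloc', 0, 2, '0', 0, 0, -1, '', '');

delete from return_states where function = 'ksize';
insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 0, -1, '', '');
insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 1011, 0, '$', '16');
insert into return_states values ('faked', 'ksize', 0, 2, '1-4000000', 0, 0, -1, '', '');

/* store a bunch of capped functions */
update return_states set return = '0-u32max[<=$2]' where function = 'copy_to_user';
update return_states set return = '0-u32max[<=$2]' where function = '_copy_to_user';
update return_states set return = '0-u32max[<=$2]' where function = '__copy_to_user';
update return_states set return = '0-u32max[<=$2]' where function = 'copy_from_user';
update return_states set return = '0-u32max[<=$2]' where function = '_copy_from_user';
update return_states set return = '0-u32max[<=$2]' where function = '__copy_from_user';

/* 64 CPUs aught to be enough for anyone */
update return_states set return = '1-64' where function = 'cpumask_weight';

update return_states set return = '0-8' where function = '__arch_hweight8';
update return_states set return = '0-16' where function = '__arch_hweight16';
update return_states set return = '0-32' where function = '__arch_hweight32';
update return_states set return = '0-64' where function = '__arch_hweight64';

/*
 * Preserve the value across byte swapping.  By the time we use it for math it
 * will be byte swapped back to CPU endian.
 */
update return_states set return = '0-u64max[==$0]' where function = '__fswab64';
update return_states set return = '0-u32max[==$0]' where function = '__fswab32';
update return_states set return = '0-u16max[==$0]' where function = '__fswab16';

delete from return_states where function = 'bitmap_allocate_region' and return = '1';
delete from return_states where function = 'pci_bus_read_config_word' and return = 135;
delete from return_states where function = 'pci_bus_write_config_word' and return = 135;

update return_states set return = '(-4095)-s32max[<=$3]' where function = 'get_user_pages' and return = 's32min-s32max';
update return_states set return = '(-4095)-s64max[<=$3]' where function = 'get_user_pages' and return = 's64min-s64max';

delete from caller_info where caller = '__kernel_write';

/*
 * Add one 'fake' row for every distinct call_id that calls __kernel_write.
 * Done as an insert-select so no value read back from the database is
 * pasted into SQL text by the shell.
 *
 * NOTE(review): the compat_sys_ioctl rows above put 1003 in the sixth column
 * and the parameter index in the seventh; here 1 and 1003 appear the other
 * way round.  The values are kept as they were -- confirm against the
 * caller_info schema.
 */
insert into caller_info
    select distinct 'fake', '', '__kernel_write', call_id, 0, 1, 1003, '*$', '0-1000000000'
    from caller_info
    where function = '__kernel_write' and call_id is not null;

/*
 * Cap every clear_user return range at its parameter 1 by appending the
 * comparison suffix.  Done in SQL rather than by looping over the values in
 * the shell, where unquoted words containing [..] are glob patterns and the
 * comparison depended on double-quoted string literals.
 */
update return_states set return = return || '[<=$1]'
    where function = 'clear_user' and return != '';
EOF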