smatch_data/db/fixup_kernel.sh

   1 #!/bin/bash
   2
   3 # mark some paramaters as coming from user space
   4 cat << EOF | sqlite3 smatch_db.sqlite
   5 /* we only care about the main ->read/write() functions. */
   6 delete from caller_info where function = '(struct file_operations)->read' and file != 'fs/read_write.c';
   7 delete from caller_info where function = '(struct file_operations)->write' and file != 'fs/read_write.c';
   8 delete from function_ptr where function = '(struct file_operations)->read';
   9 delete from function_ptr where function = '(struct file_operations)->write';
  10
  11 /* delete these function pointers which cause false positives */
  12 delete from caller_info where function = '(struct notifier_block)->notifier_call' and type != 0;
  13 delete from caller_info where function = '(struct mISDNchannel)->send' and type != 0;
  14 delete from caller_info where function = '(struct irq_router)->get' and type != 0;
  15 delete from caller_info where function = '(struct irq_router)->set' and type != 0;
  16 delete from caller_info where function = '(struct net_device_ops)->ndo_change_mtu' and caller = 'i40e_dbg_netdev_ops_write';
  17 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
  18
  19 /* type 1003 is USER_DATA */
  20 delete from caller_info where caller = 'hid_input_report' and type = 1003;
  21 delete from caller_info where caller = 'nes_process_iwarp_aeqe' and type = 1003;
  22 delete from caller_info where caller = 'oz_process_ep0_urb' and type = 1003;
  23 delete from caller_info where function = 'dev_hard_start_xmit' and key = '\$\$' and type = 1003;
  24 delete from caller_info where function like '%->ndo_start_xmit' and key = '\$\$' and type = 1003;
  25 delete from caller_info where caller = 'packet_rcv_fanout' and function = '(struct packet_type)->func' and parameter = 1 and type = 1003;
  26 delete from caller_info where caller = 'hptiop_probe' and type = 1003;
  27 delete from caller_info where caller = 'p9_fd_poll' and function = '(struct file_operations)->poll' and type = 1003;
  28 delete from caller_info where caller = 'proc_reg_poll' and function = 'proc_reg_poll ptr poll' and type = 1003;
  29 delete from caller_info where function = 'blkdev_ioctl' and type = 1003 and parameter = 0 and key = '\$\$';
  30
  31 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 3, 0, '$$', '1');
  32 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 3, 1, '$$', '1');
  33 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 3, 2, '$$', '1');
  34
  35 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
  36
  37 /*
  38  * rw_verify_area is a very central function for the kernel.  The 1000000 isn't
  39  * accurate but I've picked it so that we can add "pos + count" without wrapping
  40  * on 32 bits.
  41  */
  42 delete from return_states where function = 'rw_verify_area';
  43 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000[<=p3]', 0, 0, -1, '', '');
  44 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000[<=p3]', 0, 11, 2, '*\$\$', '0-1000000');
  45 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000[<=p3]', 0, 11, 3, '\$\$', '0-1000000');
  46 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');
  47
  48
  49 /* store a bunch of capped functions */
  50 update return_states set return = '0-u32max[<=p2]' where function = 'copy_to_user';
  51 update return_states set return = '0-u32max[<=p2]' where function = '_copy_to_user';
  52 update return_states set return = '0-u32max[<=p2]' where function = '__copy_to_user';
  53 update return_states set return = '0-u32max[<=p2]' where function = 'copy_from_user';
  54 update return_states set return = '0-u32max[<=p2]' where function = '_copy_from_user';
  55 update return_states set return = '0-u32max[<=p2]' where function = '__copy_from_user';
  56
  57 /* 64 CPUs aught to be enough for anyone */
  58 update return_states set return = '1-64' where function = 'cpumask_weight';
  59
  60 update return_states set return = '0-8' where function = '__arch_hweight8';
  61 update return_states set return = '0-16' where function = '__arch_hweight16';
  62 update return_states set return = '0-32' where function = '__arch_hweight32';
  63 update return_states set return = '0-64' where function = '__arch_hweight64';
  64
  65 /*
  66  * Preserve the value across byte swapping.  By the time we use it for math it
  67  * will be byte swapped back to CPU endian.
  68  */
  69 update return_states set return = '[==p0]' where function = '__fswab64';
  70 update return_states set return = '[==p0]' where function = '__fswab32';
  71 update return_states set return = '[==p0]' where function = '__fswab16';
  72
  73 EOF
  74
  75 call_id=$(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3 smatch_db.sqlite)
  76 for id in $call_id ; do
  77     echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 1, 3, '*\$\$', '0-1000000');" | sqlite3 smatch_db.sqlite
  78 done
  79
  80 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 smatch_db.sqlite ) ; do
  81     echo "update return_states set return = \"$i[<=p1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 smatch_db.sqlite
  82 done
  83
  84