2 * smatch/check_user_data.c
4 * Copyright (C) 2011 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
11 * There are a couple checks that try to see if a variable
12 * comes from the user. It would be better to unify them
13 * into one place. Also we should follow the data down
14 * the call paths. Hence this file.
18 #include "smatch_slist.h"
/*
 * is_user_data() - report whether @expr is tracked as user-controlled data.
 *
 * The number at the start of each line is the listing's own line number.
 * Where the numbering jumps (27 -> 33, 37 -> 39, 41 -> 45, 46 -> 49,
 * 50 -> 54) the listing omits lines, so the braces, the remaining
 * declarations and some checks and returns cannot be read from here.
 *
 * Visible logic: strip @expr, look through a leading '&', then ask whether
 * &user_data is among the possible states recorded for it under my_id.
 * The later lines scan every state this check owns and match by name.
 */
25 int is_user_data(struct expression *expr)
27 	struct state_list *slist = NULL;
	/* "&buf" and "buf" are looked up as the same tracked expression. */
33 	expr = strip_expr(expr);
34 	if (expr->type == EXPR_PREOP && expr->op == '&')
35 		expr = strip_expr(expr->unop);
37 	tmp = get_sm_state_expr(my_id, expr);
	/*
	 * NOTE(review): listing line 38 is not shown; presumably this return
	 * is taken only when a state was found for expr -- confirm.  The test
	 * is on ->possible, so it looks like one path leaving the value as
	 * user_data is enough; verify against slist_has_state().
	 */
39 		return slist_has_state(tmp->possible, &user_data);
	/* Fallback: resolve expr to a name/symbol pair and search by name. */
41 	name = get_variable_from_expr_complex(expr, &sym);
45 	slist = get_all_states(my_id);
46 	FOR_EACH_PTR(slist, tmp) {
		/*
		 * The compare length is strlen(tmp->name), so this is a prefix
		 * match: a tracked "foo" matches the queried name "foo->bar",
		 * and equally "foobar".  NOTE(review): lines 47-48 are not
		 * shown; if they do not also compare the symbol, unrelated
		 * names sharing a prefix are reported as user data -- confirm.
		 * A tracked "foo->bar" does not match a query for "foo".
		 */
49 		if (!strncmp(tmp->name, name, strlen(tmp->name))) {
			/* What is done on a hit (lines 51-53) is not shown. */
50 			if (slist_has_state(tmp->possible, &user_data))
54 	} END_FOR_EACH_PTR(tmp);
/*
 * set_param_user_data() - mark a parameter (or part of it) as user data.
 *
 * check_user_data() registers this with add_definition_db_callback() for
 * USER_DATA records.  The tracked name is @name followed by @key with its
 * first two characters skipped.  @value is not used in the visible lines.
 * Listing lines 63-65 and 67 are not shown.
 */
62 void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
	/*
	 * Non-zero strncmp() means @key does not start with "$$".  The action
	 * (line 67) is not shown; presumably the record is ignored -- confirm.
	 */
66 	if (strncmp(key, "$$", 2))
	/*
	 * NOTE(review): the bound is the literal 256 and the declaration of
	 * fullname is not shown -- confirm the two agree.  snprintf() truncates
	 * silently and its result is not checked here, so an over-long name
	 * would be recorded under a different (shortened) name and the real
	 * variable would stay untracked.
	 */
68 	snprintf(fullname, 256, "%s%s", name, key + 2);
69 	set_state(my_id, fullname, sym, &user_data);
/*
 * match_condition() - move user data to &capped when a condition tests it.
 *
 * Registered on CONDITION_HOOK by check_user_data().  Only operands for which
 * is_user_data() is true are touched.  The last two arguments of
 * set_true_false_states_expr() are presumably the state on the true branch
 * and on the false branch (NULL leaving that branch unchanged) -- confirm.
 *
 * Listing lines 73-76, 83-85, 92-93, 98 and 104 onwards are not shown, so the
 * switch header, any further case labels and the breaks are not visible.
 *
 * NOTE(review): each operand is judged on its own; the other side of the
 * comparison is never inspected.  A comparison against another
 * user-controlled value, or one that bounds the value from one side only,
 * therefore still ends in &capped.  Checks that rely on "capped" meaning
 * "safely bounded" inherit that imprecision.
 */
72 static void match_condition(struct expression *expr)
	/* left < right or left <= right: left is bounded when true, right when false. */
77 	case SPECIAL_UNSIGNED_LT:
78 	case SPECIAL_UNSIGNED_LTE:
79 		if (is_user_data(expr->left))
80 			set_true_false_states_expr(my_id, expr->left, &capped, NULL);
81 		if (is_user_data(expr->right))
82 			set_true_false_states_expr(my_id, expr->right, NULL, &capped);
	/* Mirror image: right is bounded when true, left when false. */
86 	case SPECIAL_UNSIGNED_GT:
87 	case SPECIAL_UNSIGNED_GTE:
88 		if (is_user_data(expr->right))
89 			set_true_false_states_expr(my_id, expr->right, &capped, NULL);
90 		if (is_user_data(expr->left))
91 			set_true_false_states_expr(my_id, expr->left, NULL, &capped);
	/*
	 * The case label for this group (line 93) is not shown.  Both operands
	 * become capped on the true branch only, which would fit an equality
	 * test -- confirm.
	 */
94 		if (is_user_data(expr->left))
95 			set_true_false_states_expr(my_id, expr->left, &capped, NULL);
96 		if (is_user_data(expr->right))
97 			set_true_false_states_expr(my_id, expr->right, &capped, NULL);
	/* != : both operands become capped on the false branch. */
99 	case SPECIAL_NOTEQUAL:
100 		if (is_user_data(expr->left))
101 			set_true_false_states_expr(my_id, expr->left, NULL, &capped);
102 		if (is_user_data(expr->right))
103 			set_true_false_states_expr(my_id, expr->right, NULL, &capped);
/*
 * match_normal_assign() - handle an assignment that is not a get_user() one.
 *
 * Called from match_assign().  If the left side is currently user data it is
 * moved to &capped; the right side is not examined here.  Listing line 112
 * and the lines after 114 are not shown.
 *
 * NOTE(review): &capped is the same state match_condition() sets after a
 * comparison, so an overwritten variable and a range-checked one are
 * indistinguishable afterwards.
 */
111 static void match_normal_assign(struct expression *expr)
113 	if (is_user_data(expr->left))
114 		set_state_expr(my_id, expr->left, &capped);
/*
 * match_assign() - recognise the assignment made inside a get_user() macro.
 *
 * Registered on ASSIGNMENT_HOOK by check_user_data().  The left side becomes
 * &user_data only when the assignment sits in a macro named "get_user" and
 * its right side is a variable named "__val_gu".  Every other assignment is
 * handed to match_normal_assign().  Listing lines 118-120, 124-125, 128 and
 * the lines after 129 are not shown.
 *
 * NOTE(review): "__val_gu" is matched literally; presumably it is the
 * temporary in the target tree's get_user() expansion.  An expansion that
 * uses another name would not be recognised and the value would stay
 * untracked -- confirm against the headers being analysed.
 */
117 static void match_assign(struct expression *expr)
121 	name = get_macro_name(&expr->pos);
	/* Not inside get_user(): treat as an ordinary assignment. */
122 	if (!name || strcmp(name, "get_user") != 0) {
123 		match_normal_assign(expr);
126 	name = get_variable_from_expr(expr->right, NULL);
	/* The action for a non-matching right side (line 128) is not shown. */
127 	if (!name || strcmp(name, "__val_gu") != 0)
129 	set_state_expr(my_id, expr->left, &user_data);
/*
 * match_user_copy() - mark the destination of a copy-from-user call as
 * user data.
 *
 * @_param carries the index of the destination argument; check_user_data()
 * passes INT_PTR(0) for every function it hooks here.  Listing lines 135,
 * 138, 141-142, 147 and the lines after 148 are not shown.
 */
134 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
136 	int param = PTR_INT(_param);
137 	struct expression *dest;
139 	dest = get_argument_from_call_expr(expr->args, param);
140 	dest = strip_expr(dest);
	/*
	 * NOTE(review): dest is dereferenced on line 145; lines 141-142 are not
	 * shown and presumably reject a missing argument -- confirm.
	 */
143 	/* the first thing I tested this on pass &foo to a function */
144 	set_state_expr(my_id, dest, &user_data);
145 	if (dest->type == EXPR_PREOP && dest->op == '&') {
146 		/* but normally I'd think it would pass the actual variable */
		/*
		 * Line 147 is not shown; presumably it replaces dest with the
		 * operand of '&' so that the variable itself is marked too.  As
		 * listed, this call repeats the one on line 144 -- confirm.
		 */
148 		set_state_expr(my_id, dest, &user_data);
/*
 * match_user_assign_function() - mark the variable that receives the return
 * value of a hooked function as user data.
 *
 * check_user_data() registers it with add_function_assign_hook() for
 * "kmemdup_user".  @fn and @unused are not read in the visible line.
 */
152 static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
154 	set_state_expr(my_id, expr->left, &user_data);
/*
 * match_assign_userdata() - propagate user data across an assignment.
 *
 * If is_user_data() accepts the right side, the left side becomes &user_data.
 *
 * NOTE(review): match_assign() is registered on the same ASSIGNMENT_HOOK just
 * before this function and can move the left side to &capped.  The result for
 * "tainted = other_tainted" therefore depends on the hooks running in
 * registration order -- confirm in add_hook().  Whether an expression that
 * merely contains user data (arithmetic, casts) is propagated depends on what
 * is_user_data() resolves it to.
 */
157 static void match_assign_userdata(struct expression *expr)
159 	if (is_user_data(expr->right))
160 		set_state_expr(my_id, expr->left, &user_data);
/*
 * match_caller_info() - report which arguments of a call carry user data.
 *
 * Registered on FUNCTION_CALL_HOOK by check_user_data().  For each argument
 * accepted by is_user_data() it prints an "info: passes user_data" line with
 * the callee name, the value of i and the key '$$'.  That key is the prefix
 * set_param_user_data() tests for.  Listing lines 164, 166-168, 170-173 and
 * 177 are not shown, so the declaration and update of i and any check on func
 * are not visible; i is presumably the argument index -- confirm.
 */
163 static void match_caller_info(struct expression *expr)
165 	struct expression *tmp;
169 	func = get_fnptr_name(expr->fn);
174 	FOR_EACH_PTR(expr->args, tmp) {
175 		if (is_user_data(tmp))
			/* The callee name is printed unquoted here; struct_member_callback() quotes it. */
176 			sm_msg("info: passes user_data %s %d '$$'", func, i);
178 	} END_FOR_EACH_PTR(tmp);
/*
 * struct_member_callback() - report a member that carries user data into a
 * call.
 *
 * Registered through add_member_info_callback() by check_user_data().
 * Listing lines 182 and 184 are not shown.
 *
 * NOTE(review): this message quotes the function name ('%s') while
 * match_caller_info() prints it unquoted, so anything that parses these
 * "info: passes user_data" lines has to accept both forms.
 */
181 static void struct_member_callback(char *fn, int param, char *printed_name, struct smatch_state *state)
	/*
	 * The action for a capped state (line 184) is not shown; presumably it
	 * returns so that only uncapped user data is reported -- confirm.
	 */
183 	if (state == &capped)
185 	sm_msg("info: passes user_data '%s' %d '%s'", fn, param, printed_name);
/*
 * check_user_data() - register the user-data tracking hooks.
 *
 * Listing lines 189, 191-192 and 201 are not shown.  The assignment of @id to
 * my_id does not appear in the visible lines; presumably it is on line 192 --
 * confirm.
 *
 * NOTE(review): the sources of user data are a fixed list of function names
 * plus the get_user() pattern in match_assign() and whatever the definition
 * database records.  A routine that brings in user data under any other name
 * is not a source until it is added here.
 */
188 void check_user_data(int id)
	/* The action on line 191 is not shown; presumably the check is skipped outside kernel projects. */
190 	if (option_project != PROJ_KERNEL)
	/* User data recorded for this function's parameters in the definition database. */
193 	add_definition_db_callback(set_param_user_data, USER_DATA);
194 	add_hook(&match_condition, CONDITION_HOOK);
	/* Two handlers share the assignment hook; see match_assign_userdata() on ordering. */
195 	add_hook(&match_assign, ASSIGNMENT_HOOK);
196 	add_hook(&match_assign_userdata, ASSIGNMENT_HOOK);
	/* INT_PTR(0): argument 0 is the destination buffer of each copy routine. */
197 	add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
198 	add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
199 	add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
	/*
	 * NOTE(review): confirm "kmemdup_user" is the name used in the tree
	 * being analysed.  If the duplicate-from-user helper is spelled
	 * differently there (e.g. memdup_user), this hook never fires and that
	 * source goes untracked.
	 */
200 	add_function_assign_hook("kmemdup_user", &match_user_assign_function, NULL);
	/* Output side: report user data passed to callees, by argument and by member. */
202 	add_hook(&match_caller_info, FUNCTION_CALL_HOOK);
203 	add_member_info_callback(my_id, struct_member_callback);