search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
user_data2: fix crashing bug
[smatch.git] / check_user_data2.c
blob5aea9ef7da725d10978d42611f1a9a220da7a7e5
1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
23 */
24
25 #include "smatch.h"
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
28
29 static int my_id;
30 static int my_call_id;
31
32 STATE(called);
33
34 static const char * kstr_funcs[] = {
35 "kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
36 "kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
37 "kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user"
38 "kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
39 "kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
40 "kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
41 "kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
42 "kstrtos32_from_user",
43 };
44
45 static struct stree *start_states;
46 static struct stree_stack *saved_stack;
47 static void save_start_states(struct statement *stmt)
48 {
49 start_states = clone_stree(__get_cur_stree());
50 }
51
52 static void free_start_states(void)
53 {
54 free_stree(&start_states);
55 }
56
57 static void match_save_states(struct expression *expr)
58 {
59 push_stree(&saved_stack, start_states);
60 start_states = NULL;
61 }
62
63 static void match_restore_states(struct expression *expr)
64 {
65 free_stree(&start_states);
66 start_states = pop_stree(&saved_stack);
67 }
68
69 static struct smatch_state *empty_state(struct sm_state *sm)
70 {
71 return alloc_estate_empty();
72 }
73
74 static void pre_merge_hook(struct sm_state *sm)
75 {
76 struct smatch_state *user;
77 struct smatch_state *extra;
78 struct range_list *rl;
79
80 extra = get_state(SMATCH_EXTRA, sm->name, sm->sym);
81 if (!extra || !estate_rl(extra))
82 return;
83 user = get_state(my_id, sm->name, sm->sym);
84 if (!user || !estate_rl(user))
85 return;
86 rl = rl_intersection(estate_rl(user), estate_rl(extra));
87 set_state(my_id, sm->name, sm->sym, alloc_estate_rl(clone_rl(rl)));
88 }
89
90 static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
91 {
92 struct expression *edge_member;
93 struct symbol *base = get_real_base_type(member);
94 struct symbol *tmp;
95
96 if (member->ident)
97 expr = member_expression(expr, '.', member->ident);
98
99 FOR_EACH_PTR(base->symbol_list, tmp) {
100 struct symbol *type;
101
102 type = get_real_base_type(tmp);
103 if (!type)
104 continue;
105
106 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
107 tag_inner_struct_members(expr, tmp);
108 continue;
109 }
110
111 if (!tmp->ident)
112 continue;
113
114 edge_member = member_expression(expr, '.', tmp->ident);
115 set_state_expr(my_id, edge_member, alloc_estate_whole(type));
116 } END_FOR_EACH_PTR(tmp);
117
118
119 }
120
121 static void tag_struct_members(struct symbol *type, struct expression *expr)
122 {
123 struct symbol *tmp;
124 struct expression *member;
125 int op = '*';
126
127 if (expr->type == EXPR_PREOP && expr->op == '&') {
128 expr = strip_expr(expr->unop);
129 op = '.';
130 }
131
132 FOR_EACH_PTR(type->symbol_list, tmp) {
133 type = get_real_base_type(tmp);
134 if (!type)
135 continue;
136
137 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
138 tag_inner_struct_members(expr, tmp);
139 continue;
140 }
141
142 if (!tmp->ident)
143 continue;
144
145 member = member_expression(expr, op, tmp->ident);
146 set_state_expr(my_id, member, alloc_estate_whole(get_type(member)));
147 } END_FOR_EACH_PTR(tmp);
148 }
149
150 static void tag_base_type(struct expression *expr)
151 {
152 if (expr->type == EXPR_PREOP && expr->op == '&')
153 expr = strip_expr(expr->unop);
154 else
155 expr = deref_expression(expr);
156 set_state_expr(my_id, expr, alloc_estate_whole(get_type(expr)));
157 }
158
159 static void tag_as_user_data(struct expression *expr)
160 {
161 struct symbol *type;
162
163 expr = strip_expr(expr);
164
165 type = get_type(expr);
166 if (!type || type->type != SYM_PTR)
167 return;
168 type = get_real_base_type(type);
169 if (!type)
170 return;
171 if (type == &void_ctype) {
172 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
173 return;
174 }
175 if (type->type == SYM_BASETYPE)
176 tag_base_type(expr);
177 if (type->type == SYM_STRUCT) {
178 if (expr->type != EXPR_PREOP || expr->op != '&')
179 expr = deref_expression(expr);
180 tag_struct_members(type, expr);
181 }
182 }
183
184 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
185 {
186 int param = PTR_INT(_param);
187 struct expression *dest;
188
189 dest = get_argument_from_call_expr(expr->args, param);
190 dest = strip_expr(dest);
191 if (!dest)
192 return;
193 tag_as_user_data(dest);
194 }
195
196 static void match_sscanf(const char *fn, struct expression *expr, void *unused)
197 {
198 struct expression *arg;
199 int i;
200
201 i = -1;
202 FOR_EACH_PTR(expr->args, arg) {
203 i++;
204 if (i < 2)
205 continue;
206 tag_as_user_data(arg);
207 } END_FOR_EACH_PTR(arg);
208 }
209
210 static int points_to_user_data(struct expression *expr)
211 {
212 struct smatch_state *state;
213 char buf[256];
214 struct symbol *sym;
215 char *name;
216 int ret = 0;
217
218 expr = strip_expr(expr);
219
220 if (expr->type == EXPR_BINOP && expr->op == '+') {
221 if (points_to_user_data(expr->left))
222 return 1;
223 if (points_to_user_data(expr->right))
224 return 1;
225 return 0;
226 }
227
228 name = expr_to_var_sym(expr, &sym);
229 if (!name || !sym)
230 goto free;
231 snprintf(buf, sizeof(buf), "*%s", name);
232 state = get_state(my_id, buf, sym);
233 if (state && estate_rl(state))
234 ret = 1;
235 free:
236 free_string(name);
237 return ret;
238 }
239
240 static void set_points_to_user_data(struct expression *expr)
241 {
242 char *name;
243 struct symbol *sym;
244 char buf[256];
245
246 name = expr_to_var_sym(expr, &sym);
247 if (!name || !sym)
248 goto free;
249 snprintf(buf, sizeof(buf), "*%s", name);
250 set_state(my_id, buf, sym, alloc_estate_whole(&llong_ctype));
251 free:
252 free_string(name);
253 }
254
255 static int is_skb_data(struct expression *expr)
256 {
257 struct symbol *sym;
258
259 expr = strip_expr(expr);
260 if (!expr || expr->type != EXPR_DEREF)
261 return 0;
262
263 if (!expr->member)
264 return 0;
265 if (strcmp(expr->member->name, "data") != 0)
266 return 0;
267
268 sym = expr_to_sym(expr->deref);
269 if (!sym)
270 return 0;
271 sym = get_real_base_type(sym);
272 if (!sym || sym->type != SYM_PTR)
273 return 0;
274 sym = get_real_base_type(sym);
275 if (!sym || sym->type != SYM_STRUCT || !sym->ident)
276 return 0;
277 if (strcmp(sym->ident->name, "sk_buff") != 0)
278 return 0;
279
280 return 1;
281 }
282
283 static int comes_from_skb_data(struct expression *expr)
284 {
285 expr = strip_expr(expr);
286 if (!expr)
287 return 0;
288
289 switch (expr->type) {
290 case EXPR_BINOP:
291 if (comes_from_skb_data(expr->left))
292 return 1;
293 if (comes_from_skb_data(expr->right))
294 return 1;
295 return 0;
296 case EXPR_PREOP:
297 return comes_from_skb_data(expr->unop);
298 case EXPR_DEREF:
299 if (is_skb_data(expr))
300 return 1;
301 return comes_from_skb_data(expr->deref);
302 default:
303 return 0;
304 }
305 }
306
307
308 static int handle_struct_assignment(struct expression *expr)
309 {
310 struct expression *right;
311 struct symbol *type;
312
313 type = get_type(expr->left);
314 if (!type || type->type != SYM_PTR)
315 return 0;
316 type = get_real_base_type(type);
317 if (!type || type->type != SYM_STRUCT)
318 return 0;
319
320 /*
321 * Ignore struct to struct assignments because for those we look at the
322 * individual members.
323 */
324 right = strip_expr(expr->right);
325 type = get_type(right);
326 if (!type || type->type != SYM_PTR)
327 return 0;
328
329 /* structs are handled else where */
330 type = get_real_base_type(type);
331 if (type && type->type == SYM_STRUCT)
332 return 0;
333
334 if (!points_to_user_data(right) && !is_skb_data(right))
335 return 0;
336
337 tag_as_user_data(expr->left);
338 return 1;
339 }
340
341 static int handle_get_user(struct expression *expr)
342 {
343 char *name;
344 int ret = 0;
345
346 name = get_macro_name(expr->pos);
347 if (!name || strcmp(name, "get_user") != 0)
348 return 0;
349
350 name = expr_to_var(expr->right);
351 if (!name || strcmp(name, "__val_gu") != 0)
352 goto free;
353 set_state_expr(my_id, expr->left, alloc_estate_whole(get_type(expr->left)));
354 ret = 1;
355 free:
356 free_string(name);
357 return ret;
358 }
359
360 static void match_assign(struct expression *expr)
361 {
362 struct range_list *rl;
363
364 if (is_fake_call(expr->right))
365 return;
366 if (handle_get_user(expr))
367 return;
368 if (points_to_user_data(expr->right))
369 set_points_to_user_data(expr->left);
370 if (handle_struct_assignment(expr))
371 return;
372
373 if (expr->right->type == EXPR_CALL ||
374 !get_user_rl(expr->right, &rl))
375 goto clear_old_state;
376
377 rl = cast_rl(get_type(expr->left), rl);
378 set_state_expr(my_id, expr->left, alloc_estate_rl(rl));
379
380 return;
381
382 clear_old_state:
383 if (get_state_expr(my_id, expr->left))
384 set_state_expr(my_id, expr->left, alloc_estate_empty());
385 }
386
387 static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
388 {
389 tag_as_user_data(expr->left);
390 set_points_to_user_data(expr->left);
391 }
392
393 static int get_user_macro_rl(struct expression *expr, struct range_list **rl)
394 {
395 char *macro;
396
397 if (!expr)
398 return 0;
399 macro = get_macro_name(expr->pos);
400
401 if (!macro)
402 return 0;
403
404 if (strcmp(macro, "ntohl") == 0) {
405 *rl = alloc_whole_rl(&uint_ctype);
406 return 1;
407 }
408 if (strcmp(macro, "ntohs") == 0) {
409 *rl = alloc_whole_rl(&ushort_ctype);
410 return 1;
411 }
412 return 0;
413 }
414
415 static int user_data_flag;
416 static struct range_list *var_user_rl(struct expression *expr)
417 {
418 struct smatch_state *state;
419 struct range_list *rl;
420 struct range_list *absolute_rl;
421
422 if (get_user_macro_rl(expr, &rl))
423 goto found;
424
425 if (comes_from_skb_data(expr)) {
426 rl = alloc_whole_rl(get_type(expr));
427 goto found;
428 }
429
430 state = get_state_expr(my_id, expr);
431 if (state && estate_rl(state)) {
432 rl = estate_rl(state);
433 goto found;
434 }
435
436 return NULL;
437 found:
438 user_data_flag = 1;
439 absolute_rl = var_to_absolute_rl(expr);
440 return clone_rl(rl_intersection(rl, absolute_rl));
441 }
442
443 int get_user_rl(struct expression *expr, struct range_list **rl)
444 {
445
446 user_data_flag = 0;
447 custom_get_absolute_rl(expr, &var_user_rl, rl);
448 if (!user_data_flag) {
449 *rl = NULL;
450 return 0;
451 }
452 return 1;
453 }
454
455 static void match_call_info(struct expression *expr)
456 {
457 struct range_list *rl;
458 struct expression *arg;
459 int i = 0;
460
461 i = -1;
462 FOR_EACH_PTR(expr->args, arg) {
463 i++;
464
465 if (!get_user_rl(arg, &rl))
466 continue;
467
468 sql_insert_caller_info(expr, USER_DATA3, i, "$", show_rl(rl));
469 } END_FOR_EACH_PTR(arg);
470 }
471
472 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
473 {
474 struct smatch_state *state;
475 struct range_list *rl;
476
477 if (strcmp(sm->state->name, "") == 0)
478 return;
479
480 state = get_state(SMATCH_EXTRA, sm->name, sm->sym);
481 if (!state || !estate_rl(state))
482 rl = estate_rl(sm->state);
483 else
484 rl = rl_intersection(estate_rl(sm->state), estate_rl(state));
485
486 sql_insert_caller_info(call, USER_DATA3, param, printed_name, show_rl(rl));
487 }
488
489 static void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
490 {
491 struct range_list *rl = NULL;
492 struct smatch_state *state;
493 struct symbol *type;
494 char fullname[256];
495
496 if (strcmp(key, "*$") == 0)
497 snprintf(fullname, sizeof(fullname), "*%s", name);
498 else if (strncmp(key, "$", 1) == 0)
499 snprintf(fullname, 256, "%s%s", name, key + 1);
500 else
501 return;
502
503 type = get_member_type_from_key(symbol_expression(sym), key);
504
505 /* if the caller passes a void pointer with user data */
506 if (strcmp(key, "*$") == 0 && type && type != &void_ctype) {
507 struct expression *expr = symbol_expression(sym);
508
509 tag_as_user_data(expr);
510 set_points_to_user_data(expr);
511 return;
512 }
513 str_to_rl(type, value, &rl);
514 state = alloc_estate_rl(rl);
515 set_state(my_id, fullname, sym, state);
516 }
517
518 static void set_called(const char *name, struct symbol *sym, char *key, char *value)
519 {
520 set_state(my_call_id, "this_function", NULL, &called);
521 }
522
523 static void match_syscall_definition(struct symbol *sym)
524 {
525 struct symbol *arg;
526 char *macro;
527 char *name;
528 int is_syscall = 0;
529
530 macro = get_macro_name(sym->pos);
531 if (macro &&
532 (strncmp("SYSCALL_DEFINE", macro, strlen("SYSCALL_DEFINE")) == 0 ||
533 strncmp("COMPAT_SYSCALL_DEFINE", macro, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
534 is_syscall = 1;
535
536 name = get_function();
537 if (!option_no_db && get_state(my_call_id, "this_function", NULL) != &called) {
538 if (name && strncmp(name, "sys_", 4) == 0)
539 is_syscall = 1;
540 }
541
542 if (name && strncmp(name, "compat_sys_", 11) == 0)
543 is_syscall = 1;
544
545 if (!is_syscall)
546 return;
547
548 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
549 set_state(my_id, arg->ident->name, arg, alloc_estate_whole(get_real_base_type(arg)));
550 } END_FOR_EACH_PTR(arg);
551 }
552
553 static void returns_param_user_data(struct expression *expr, int param, char *key, char *value)
554 {
555 struct expression *arg;
556 char *name;
557 struct symbol *sym;
558 struct symbol *type;
559 struct range_list *rl = NULL;
560
561 while (expr->type == EXPR_ASSIGNMENT)
562 expr = strip_expr(expr->right);
563 if (expr->type != EXPR_CALL)
564 return;
565
566 arg = get_argument_from_call_expr(expr->args, param);
567 if (!arg)
568 return;
569 type = get_member_type_from_key(arg, key);
570 name = get_variable_from_key(arg, key, &sym);
571 if (!name || !sym)
572 goto free;
573
574 call_results_to_rl(expr, type, value, &rl);
575
576 set_state(my_id, name, sym, alloc_estate_rl(rl));
577 free:
578 free_string(name);
579 }
580
581 static int has_empty_state(struct sm_state *sm)
582 {
583 struct sm_state *tmp;
584
585 FOR_EACH_PTR(sm->possible, tmp) {
586 if (!estate_rl(tmp->state))
587 return 1;
588 } END_FOR_EACH_PTR(tmp);
589
590 return 0;
591 }
592
593 static void param_set_to_user_data(int return_id, char *return_ranges, struct expression *expr)
594 {
595 struct sm_state *sm;
596 struct smatch_state *start_state;
597 int param;
598 const char *param_name;
599
600 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
601 if (has_empty_state(sm))
602 continue;
603
604
605 param = get_param_num_from_sym(sm->sym);
606 if (param < 0) {
607 if (expr_to_sym(expr) == sm->sym)
608 param = -1;
609 else
610 continue;
611 }
612
613
614 start_state = get_state_stree(start_states, my_id, sm->name, sm->sym);
615 if (start_state && estates_equiv(sm->state, start_state))
616 continue;
617
618
619 param_name = get_param_name(sm);
620 if (!param_name)
621 continue;
622 if (strcmp(param_name, "$") == 0)
623 continue;
624
625 sql_insert_return_states(return_id, return_ranges, USER_DATA3,
626 param, param_name, show_rl(estate_rl(sm->state)));
627 } END_FOR_EACH_SM(sm);
628 }
629
630 void check_user_data2(int id)
631 {
632 int i;
633
634 my_id = id;
635
636 if (option_project != PROJ_KERNEL)
637 return;
638
639 add_hook(&save_start_states, AFTER_DEF_HOOK);
640 add_hook(&free_start_states, END_FUNC_HOOK);
641 add_hook(&match_save_states, INLINE_FN_START);
642 add_hook(&match_restore_states, INLINE_FN_END);
643
644 add_unmatched_state_hook(my_id, &empty_state);
645 add_pre_merge_hook(my_id, &pre_merge_hook);
646 add_merge_hook(my_id, &merge_estates);
647
648 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
649 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
650 add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
651 for (i = 0; i < ARRAY_SIZE(kstr_funcs); i++)
652 add_function_hook(kstr_funcs[i], &match_user_copy, INT_PTR(2));
653
654 add_function_hook("sscanf", &match_sscanf, NULL);
655
656 add_function_assign_hook("memdup_user", &match_user_assign_function, NULL);
657 add_function_assign_hook("kmap_atomic", &match_user_assign_function, NULL);
658 add_function_assign_hook("skb_network_header", &match_user_assign_function, NULL);
659
660 add_hook(&match_syscall_definition, AFTER_DEF_HOOK);
661
662 add_hook(&match_assign, ASSIGNMENT_HOOK);
663
664 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
665 add_member_info_callback(my_id, struct_member_callback);
666 select_caller_info_hook(set_param_user_data, USER_DATA3);
667 select_return_states_hook(USER_DATA3, &returns_param_user_data);
668 add_split_return_callback(&param_set_to_user_data);
669 }
670
671 void check_user_data3(int id)
672 {
673 my_call_id = id;
674
675 if (option_project != PROJ_KERNEL)
676 return;
677 select_caller_info_hook(set_called, INTERNAL);
678 }
679
Static analysis for C