search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smatch_kernel_host_data: enable additional debug
[smatch.git] / check_spectre.c
blob009c7f0b009ba5baf93507186cc50206480af60d
1 /*
2 * Copyright (C) 2018 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "smatch.h"
19 #include "smatch_extra.h"
20
21 static int my_id;
22 extern int second_half_id;
23 extern void set_spectre_first_half(struct expression *expr);
24
25 enum kernel_data_types {
26 USER_DATA_TYPE = 0,
27 HOST_DATA_TYPE = 1,
28 };
29
30 static int suppress_multiple = 1;
31 static int analyzed_data_type = USER_DATA_TYPE;
32
33 static int is_write(struct expression *expr)
34 {
35 return 0;
36 }
37
38 static int is_read(struct expression *expr)
39 {
40 struct expression *parent, *last_parent;
41 struct statement *stmt;
42
43 if (is_write(expr))
44 return 0;
45
46 last_parent = expr;
47 while ((parent = expr_get_parent_expr(expr))){
48
49 last_parent = parent;
50
51 /* If we pass a value as a parameter that's a read, probably? */
52 // if (parent->type == EXPR_CALL)
53 // return 1;
54
55 if (parent->type == EXPR_ASSIGNMENT) {
56 if (parent->right == expr)
57 return 1;
58 if (parent->left == expr)
59 return 0;
60 }
61 expr = parent;
62 }
63
64 stmt = expr_get_parent_stmt(last_parent);
65 if (stmt && stmt->type == STMT_RETURN)
66 return 1;
67
68 return 0;
69 }
70
71 static int is_harmless(struct expression *expr)
72 {
73 struct expression *tmp, *parent;
74 struct statement *stmt;
75 int count = 0;
76
77 parent = expr;
78 while ((tmp = expr_get_parent_expr(parent))) {
79 if (tmp->type == EXPR_ASSIGNMENT || tmp->type == EXPR_CALL)
80 return 0;
81 parent = tmp;
82 if (count++ > 4)
83 break;
84 }
85
86 stmt = expr_get_parent_stmt(parent);
87 if (!stmt)
88 return 0;
89 if (stmt->type == STMT_IF && stmt->if_conditional == parent)
90 return 1;
91 if (stmt->type == STMT_ITERATOR &&
92 (stmt->iterator_pre_condition == parent ||
93 stmt->iterator_post_condition == parent))
94 return 1;
95
96 return 0;
97 }
98
99 static unsigned long long get_max_by_type(struct expression *expr)
100 {
101 sval_t max = {
102 .type = &ullong_ctype,
103 .uvalue = -1ULL,
104 };
105 struct symbol *type;
106 int cnt = 0;
107
108 while (true) {
109 expr = strip_parens(expr);
110 type = get_type(expr);
111 if (type && sval_type_max(type).uvalue < max.uvalue)
112 max = sval_type_max(type);
113 if (expr->type == EXPR_PREOP) {
114 expr = expr->unop;
115 } else if (expr->type == EXPR_BINOP) {
116 if (expr->op == '%' || expr->op == '&')
117 expr = expr->right;
118 else
119 return max.uvalue;
120 } else {
121 expr = get_assigned_expr(expr);
122 if (!expr)
123 return max.uvalue;
124 }
125 if (cnt++ > 5)
126 return max.uvalue;
127 }
128
129 return max.uvalue;
130 }
131
132 static unsigned long long get_mask(struct expression *expr)
133 {
134 struct expression *tmp;
135 sval_t mask;
136 int cnt = 0;
137
138 expr = strip_expr(expr);
139
140 tmp = get_assigned_expr(expr);
141 while (tmp) {
142 expr = tmp;
143 if (++cnt > 3)
144 break;
145 tmp = get_assigned_expr(expr);
146 }
147
148 if (expr->type == EXPR_BINOP && expr->op == '&') {
149 if (get_value(expr->right, &mask)) /* right is the common case */
150 return mask.uvalue;
151 if (get_value(expr->left, &mask))
152 return mask.uvalue;
153 }
154
155 return ULLONG_MAX;
156 }
157
158 static void array_check(struct expression *expr)
159 {
160 struct expression_list *conditions;
161 struct expression *array_expr, *offset;
162 unsigned long long mask;
163 int array_size;
164 char *name;
165
166 expr = strip_expr(expr);
167 if (!is_array(expr))
168 return;
169
170 if (is_impossible_path())
171 return;
172 if (is_harmless(expr))
173 return;
174
175 array_expr = get_array_base(expr);
176 if (suppress_multiple && is_ignored_expr(my_id, array_expr)) {
177 set_spectre_first_half(expr);
178 return;
179 }
180
181 offset = get_array_offset(expr);
182 switch(analyzed_data_type) {
183 case USER_DATA_TYPE:
184 if (!is_user_rl(offset))
185 return;
186 break;
187 case HOST_DATA_TYPE:
188 if (!is_host_rl(offset))
189 return;
190 break;
191 default:
192 return;
193 }
194
195 if (is_nospec(offset))
196 return;
197
198 array_size = get_array_size(array_expr);
199 if (array_size > 0 && get_max_by_type(offset) < array_size)
200 return;
201 // binfo = get_bit_info(offset);
202 // if (array_size > 0 && binfo && binfo->possible < array_size)
203 // return;
204
205 mask = get_mask(offset);
206 if (mask <= array_size)
207 return;
208
209 conditions = get_conditions(offset);
210
211 name = expr_to_str(array_expr);
212 sm_warning("potential spectre issue '%s' [%s]%s",
213 name,
214 is_read(expr) ? "r" : "w",
215 conditions ? " (local cap)" : "");
216
217 set_spectre_first_half(expr);
218 if (suppress_multiple)
219 add_ignore_expr(my_id, array_expr);
220 free_string(name);
221 }
222
223 void check_spectre(int id)
224 {
225 my_id = id;
226
227 suppress_multiple = getenv("FULL_SPECTRE") == NULL;
228 if (getenv("ANALYZE_HOST_DATA"))
229 analyzed_data_type = HOST_DATA_TYPE;
230
231 if (option_project != PROJ_KERNEL)
232 return;
233
234 add_hook(&array_check, OP_HOOK);
235 }
Static analysis for C