fill_db_untrusted: follow untrusted data down the call tree
1 /*
2 * sparse/check_err_ptr_deref.c
4 * Copyright (C) 2009 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
8 */
10 #include "smatch.h"
11 #include "smatch_slist.h"
12 #include "smatch_extra.h"
/* Check id handed to check_err_ptr_deref(); keys every state this file sets. */
static int my_id;

/* Pointer may hold an ERR_PTR() encoded error value. */
STATE(err_ptr);
/* Pointer was tested (or reassigned) and is no longer reported. */
STATE(checked);
/*
 * Default modification hook for this check (installed with
 * set_default_modification_hook() in check_err_ptr_deref()).
 *
 * Moves the named variable to the "checked" state so that a stale err_ptr
 * state does not survive and produce a warning later on.
 * expr and unused are not consulted.
 */
static void ok_to_use(const char *name, struct symbol *sym, struct expression *expr, void *unused)
{
	set_state(my_id, name, sym, &checked);
}
/*
 * Warn when a tracked pointer that may still be an ERR_PTR() is dereferenced.
 *
 * sm may be NULL (nothing tracked for the expression), in which case nothing
 * happens.  The warning fires if err_ptr is among the *possible* states, so a
 * pointer that is an error value on only one incoming path is still reported.
 */
static void check_is_err_ptr(struct sm_state *sm)
{
	if (sm && slist_has_state(sm->possible, &err_ptr)) {
		sm_msg("error: '%s' dereferencing possible ERR_PTR()", sm->name);
		/* switch to checked so later dereferences do not hit this branch again */
		set_state(my_id, sm->name, sm->sym, &checked);
	}
}
/*
 * Assignment hook for functions listed in "kernel.returns_err_ptr".
 *
 * expr is the assignment expression; its left-hand side receives the call's
 * return value and is therefore marked as a possible ERR_PTR().
 * fn and info are unused.
 */
static void match_returns_err_ptr(const char *fn, struct expression *expr,
				void *info)
{
	struct expression *dest = expr->left;

	set_state_expr(my_id, dest, &err_ptr);
}
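/*
 * Implied-state hook: registered for IS_ERR()/IS_ERR_OR_NULL() returning 0.
 *
 * On that path the first argument has been tested, so it is marked "checked".
 * When the argument is itself an assignment, e.g. IS_ERR(p = foo()), the state
 * is applied to the variable being assigned.
 * fn, assign_expr and unused are not consulted.
 */
static void match_checked(const char *fn, struct expression *call_expr,
			struct expression *assign_expr, void *unused)
{
	struct expression *arg;

	arg = get_argument_from_call_expr(call_expr->args, 0);
	/* a call without a first argument must not crash the checker */
	if (!arg)
		return;
	arg = strip_expr(arg);
	while (arg && arg->type == EXPR_ASSIGNMENT)
		arg = strip_expr(arg->left);
	if (!arg)
		return;
	set_state_expr(my_id, arg, &checked);
}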
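/*
 * Implied-state hook: registered for IS_ERR()/IS_ERR_OR_NULL() returning 1.
 *
 * On that path the first argument is treated as an ERR_PTR(), so it is put in
 * the err_ptr state.  When the argument is itself an assignment, e.g.
 * IS_ERR(p = foo()), the state is applied to the variable being assigned.
 * fn, assign_expr and unused are not consulted.
 */
static void match_err(const char *fn, struct expression *call_expr,
			struct expression *assign_expr, void *unused)
{
	struct expression *arg;

	arg = get_argument_from_call_expr(call_expr->args, 0);
	/* a call without a first argument must not crash the checker */
	if (!arg)
		return;
	arg = strip_expr(arg);
	while (arg && arg->type == EXPR_ASSIGNMENT)
		arg = strip_expr(arg->left);
	if (!arg)
		return;
	set_state_expr(my_id, arg, &err_ptr);
}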
/*
 * DEREF_HOOK callback: look up this check's state for the operand of a
 * prefix-operator expression and warn if it may still be an ERR_PTR().
 *
 * Only EXPR_PREOP expressions are examined; every other expression type is
 * ignored here.
 */
static void match_dereferences(struct expression *expr)
{
	struct expression *operand;

	if (expr->type != EXPR_PREOP)
		return;

	operand = strip_expr(expr->unop);
	check_is_err_ptr(get_sm_state_expr(my_id, operand));
}
/*
 * CONDITION_HOOK callback.
 *
 * For an assignment used as a condition, both sides are examined recursively
 * first; the assignment expression itself is then handled like any other
 * condition.  Expressions this check holds no state for are left alone.
 */
static void match_condition(struct expression *expr)
{
	if (expr->type == EXPR_ASSIGNMENT) {
		match_condition(expr->right);
		match_condition(expr->left);
	}

	if (get_state_expr(my_id, expr)) {
		/*
		 * True branch: state left as is (NULL).  False branch: the
		 * variable is zero, so it cannot be an ERR_PTR.
		 */
		set_true_false_states_expr(my_id, expr, NULL, &checked);
	}
}
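/*
 * Register an assignment hook for every function named in the
 * "kernel.returns_err_ptr" data file.
 *
 * The file is tokenized and must consist solely of identifiers.  A missing
 * file registers nothing.  A malformed stream stops registration at the first
 * unexpected token: functions listed after that point are silently left
 * untracked, which reduces what this check can detect.
 *
 * The token allocator is released on every path that obtained tokens; the
 * original skipped clear_token_alloc() on the two malformed-input exits.
 *
 * NOTE(review): the lifetime of the string returned by show_ident() is not
 * visible here; confirm add_function_assign_hook() copies the name.
 */
static void register_err_ptr_funcs(void)
{
	struct token *token;
	const char *func;

	token = get_tokens_file("kernel.returns_err_ptr");
	if (!token)
		return;
	if (token_type(token) != TOKEN_STREAMBEGIN)
		goto out;
	token = token->next;
	while (token_type(token) != TOKEN_STREAMEND) {
		/* anything but a bare identifier means the file is malformed */
		if (token_type(token) != TOKEN_IDENT)
			break;
		func = show_ident(token->ident);
		add_function_assign_hook(func, &match_returns_err_ptr, NULL);
		token = token->next;
	}
out:
	clear_token_alloc();
}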
/*
 * Function hook for ERR_PTR(): sanity-check the value range of its argument.
 *
 * The range is taken from the SMATCH_EXTRA state of the first argument.  Over
 * all possible states the smallest bounded minimum and the largest bounded
 * maximum are collected; bounds equal to whole_range.min / whole_range.max
 * are skipped as "unknown".  Two problems are reported:
 *   - a minimum below -4095 (the kernel's MAX_ERRNO is 4095), and
 *   - a maximum above zero.
 *
 * NOTE(review): a maximum of exactly 0 is not reported although the message
 * says "non neg" - confirm that ERR_PTR(0) is meant to pass.
 * fn and unused are not consulted.
 */
static void match_err_ptr(const char *fn, struct expression *expr, void *unused)
{
	struct expression *arg;
	struct sm_state *sm;
	struct sm_state *tmp;
	long long cur_lo;
	long long cur_hi;
	/* start inverted so the first bounded value always replaces them */
	long long lowest = whole_range.max;
	long long highest = whole_range.min;

	arg = get_argument_from_call_expr(expr->args, 0);
	sm = get_sm_state_expr(SMATCH_EXTRA, arg);
	if (!sm)
		return;

	FOR_EACH_PTR(sm->possible, tmp) {
		cur_lo = get_dinfo_min(get_dinfo(tmp->state));
		if (cur_lo != whole_range.min && cur_lo < lowest)
			lowest = cur_lo;
		cur_hi = get_dinfo_max(get_dinfo(tmp->state));
		if (cur_hi != whole_range.max && cur_hi > highest)
			highest = cur_hi;
	} END_FOR_EACH_PTR(tmp);

	if (lowest < -4095)
		sm_msg("error: %lld too low for ERR_PTR", lowest);
	if (highest > 0)
		sm_msg("error: passing non neg %lld to ERR_PTR", highest);
}
/*
 * Assignment hook for "x = PTR_ERR(p)".
 *
 * When p is known to be in the err_ptr state, the assigned variable is given
 * the range [-4095, -1].  Nothing is recorded if p is in any other state.
 * fn and unused are not consulted.
 */
static void match_ptr_err(const char *fn, struct expression *expr, void *unused)
{
	struct expression *call = strip_expr(expr->right);
	struct expression *arg = get_argument_from_call_expr(call->args, 0);

	if (get_state_expr(my_id, arg) != &err_ptr)
		return;

	set_extra_expr_mod(expr->left, alloc_extra_state_range(-4095, -1));
}
/*
 * Entry point: install the ERR_PTR dereference check under the given id.
 *
 * The check is kernel specific and registers nothing for other projects.
 */
void check_err_ptr_deref(int id)
{
	if (option_project != PROJ_KERNEL)
		return;

	my_id = id;

	/* IS_ERR*() returning 0 clears the pointer, returning 1 marks it */
	return_implies_state("IS_ERR", 0, 0, &match_checked, NULL);
	return_implies_state("IS_ERR", 1, 1, &match_err, NULL);
	return_implies_state("IS_ERR_OR_NULL", 0, 0, &match_checked, NULL);
	return_implies_state("IS_ERR_OR_NULL", 1, 1, &match_err, NULL);

	/* functions from the data file whose return value may be an ERR_PTR */
	register_err_ptr_funcs();

	add_hook(&match_dereferences, DEREF_HOOK);

	/* range checks on ERR_PTR() input and PTR_ERR() output */
	add_function_hook("ERR_PTR", &match_err_ptr, NULL);
	add_function_assign_hook("PTR_ERR", &match_ptr_err, NULL);

	add_hook(&match_condition, CONDITION_HOOK);

	/* any modification of a tracked variable goes through ok_to_use() */
	set_default_modification_hook(my_id, ok_to_use);
}