2 * Copyright (C) 2011 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
32 STATE(user_data_passed
);
40 int is_user_macro(struct expression
*expr
)
43 struct range_list
*rl
;
45 macro
= get_macro_name(expr
->pos
);
49 if (get_implied_rl(expr
, &rl
) && !is_whole_rl(rl
))
51 if (strcmp(macro
, "ntohl") == 0)
53 if (strcmp(macro
, "ntohs") == 0)
58 static int has_user_data_state(struct expression
*expr
)
65 expr
= strip_expr(expr
);
66 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&')
67 expr
= strip_expr(expr
->unop
);
69 name
= expr_to_str_sym(expr
, &sym
);
74 stree
= __get_cur_stree();
75 FOR_EACH_MY_SM(my_id
, stree
, sm
) {
78 } END_FOR_EACH_SM(sm
);
82 static int passes_user_data(struct expression
*expr
)
84 struct expression
*arg
;
86 FOR_EACH_PTR(expr
->args
, arg
) {
87 if (is_user_data(arg
))
89 if (has_user_data_state(arg
))
91 } END_FOR_EACH_PTR(arg
);
96 static struct expression
*db_expr
;
97 static int db_user_data
;
98 static int db_user_data_callback(void *unused
, int argc
, char **argv
, char **azColName
)
100 if (atoi(argv
[0]) == PASSED_DATA
&& !passes_user_data(db_expr
))
106 static int is_user_fn_db(struct expression
*expr
)
109 static char sql_filter
[1024];
111 if (is_fake_call(expr
))
113 if (expr
->fn
->type
!= EXPR_SYMBOL
)
115 sym
= expr
->fn
->symbol
;
119 if (sym
->ctype
.modifiers
& MOD_STATIC
) {
120 snprintf(sql_filter
, 1024, "file = '%s' and function = '%s';",
121 get_filename(), sym
->ident
->name
);
123 snprintf(sql_filter
, 1024, "function = '%s' and static = 0;",
129 run_sql(db_user_data_callback
,
130 "select value from return_states where type=%d and parameter = -1 and key = '$$' and %s",
131 USER_DATA
, sql_filter
);
135 static int is_user_function(struct expression
*expr
)
137 if (expr
->type
!= EXPR_CALL
)
139 return is_user_fn_db(expr
);
142 static int is_skb_data(struct expression
*expr
)
149 name
= expr_to_var_sym(expr
, &sym
);
153 sym
= get_base_type(sym
);
154 if (!sym
|| sym
->type
!= SYM_PTR
)
156 sym
= get_base_type(sym
);
157 if (!sym
|| sym
->type
!= SYM_STRUCT
|| !sym
->ident
)
159 if (strcmp(sym
->ident
->name
, "sk_buff") != 0)
165 if (strcmp(name
+ len
- 6, "->data") == 0)
173 static int in_container_of_macro(struct expression
*expr
)
177 macro
= get_macro_name(expr
->pos
);
181 if (strcmp(macro
, "container_of") == 0)
186 static int is_user_data_state(struct expression
*expr
)
188 struct stree
*stree
= NULL
;
189 struct sm_state
*tmp
;
194 tmp
= get_sm_state_expr(my_id
, expr
);
196 if (slist_has_state(tmp
->possible
, &user_data_set
))
198 if (slist_has_state(tmp
->possible
, &user_data_passed
))
203 name
= expr_to_str_sym(expr
, &sym
);
207 stree
= __get_cur_stree();
208 FOR_EACH_MY_SM(my_id
, stree
, tmp
) {
211 if (!strncmp(tmp
->name
, name
, strlen(tmp
->name
))) {
212 if (slist_has_state(tmp
->possible
, &user_data_set
))
214 else if (slist_has_state(tmp
->possible
, &user_data_passed
))
218 } END_FOR_EACH_SM(tmp
);
225 int is_user_data(struct expression
*expr
)
234 if (in_container_of_macro(expr
))
237 user_data
= is_user_macro(expr
);
240 user_data
= is_user_function(expr
);
243 user_data
= is_skb_data(expr
);
247 expr
= strip_expr(expr
); /* this has to come after is_user_macro() */
249 if (expr
->type
== EXPR_BINOP
) {
250 user_data
= is_user_data(expr
->left
);
255 user_data
= is_user_data(expr
->right
);
260 if (expr
->type
== EXPR_PREOP
&& (expr
->op
== '&' || expr
->op
== '*'))
261 expr
= strip_expr(expr
->unop
);
263 return is_user_data_state(expr
);
266 int implied_user_data(struct expression
*expr
, struct range_list
**rl
)
268 if (!is_user_data(expr
))
270 get_absolute_rl(expr
, rl
);
274 int is_capped_user_data(struct expression
*expr
)
278 sm
= get_sm_state_expr(my_id
, expr
);
281 if (slist_has_state(sm
->possible
, &capped
))
286 static void set_param_user_data(const char *name
, struct symbol
*sym
, char *key
, char *value
)
290 /* sanity check. this should always be true. */
291 if (strncmp(key
, "$$", 2) != 0)
293 snprintf(fullname
, 256, "%s%s", name
, key
+ 2);
294 set_state(my_id
, fullname
, sym
, &user_data_passed
);
297 static void match_syscall_definition(struct symbol
*sym
)
302 macro
= get_macro_name(sym
->pos
);
305 if (strncmp("SYSCALL_DEFINE", macro
, strlen("SYSCALL_DEFINE")) != 0 &&
306 strncmp("COMPAT_SYSCALL_DEFINE", macro
, strlen("COMPAT_SYSCALL_DEFINE")) != 0)
309 FOR_EACH_PTR(sym
->ctype
.base_type
->arguments
, arg
) {
310 set_state(my_id
, arg
->ident
->name
, arg
, &user_data_set
);
311 } END_FOR_EACH_PTR(arg
);
314 static void match_condition(struct expression
*expr
)
319 case SPECIAL_UNSIGNED_LT
:
320 case SPECIAL_UNSIGNED_LTE
:
321 if (is_user_data(expr
->left
))
322 set_true_false_states_expr(my_id
, expr
->left
, &capped
, NULL
);
323 if (is_user_data(expr
->right
))
324 set_true_false_states_expr(my_id
, expr
->right
, NULL
, &capped
);
328 case SPECIAL_UNSIGNED_GT
:
329 case SPECIAL_UNSIGNED_GTE
:
330 if (is_user_data(expr
->right
))
331 set_true_false_states_expr(my_id
, expr
->right
, &capped
, NULL
);
332 if (is_user_data(expr
->left
))
333 set_true_false_states_expr(my_id
, expr
->left
, NULL
, &capped
);
336 if (is_user_data(expr
->left
))
337 set_true_false_states_expr(my_id
, expr
->left
, &capped
, NULL
);
338 if (is_user_data(expr
->right
))
339 set_true_false_states_expr(my_id
, expr
->right
, &capped
, NULL
);
341 case SPECIAL_NOTEQUAL
:
342 if (is_user_data(expr
->left
))
343 set_true_false_states_expr(my_id
, expr
->left
, NULL
, &capped
);
344 if (is_user_data(expr
->right
))
345 set_true_false_states_expr(my_id
, expr
->right
, NULL
, &capped
);
352 static int handle_get_user(struct expression
*expr
)
357 name
= get_macro_name(expr
->pos
);
358 if (!name
|| strcmp(name
, "get_user") != 0)
361 name
= expr_to_var(expr
->right
);
362 if (!name
|| strcmp(name
, "__val_gu") != 0)
364 set_state_expr(my_id
, expr
->left
, &user_data_set
);
371 static void match_assign(struct expression
*expr
)
375 if (handle_get_user(expr
))
378 user_data
= is_user_data(expr
->right
);
379 if (user_data
== PASSED_DATA
)
380 set_state_expr(my_id
, expr
->left
, &user_data_passed
);
381 else if (user_data
== SET_DATA
)
382 set_state_expr(my_id
, expr
->left
, &user_data_set
);
383 else if (get_state_expr(my_id
, expr
->left
))
384 set_state_expr(my_id
, expr
->left
, &capped
);
387 static void tag_struct_members(struct symbol
*type
, struct expression
*expr
)
390 struct expression
*member
;
393 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&') {
394 expr
= strip_expr(expr
->unop
);
398 FOR_EACH_PTR(type
->symbol_list
, tmp
) {
401 member
= member_expression(expr
, op
, tmp
->ident
);
402 set_state_expr(my_id
, member
, &user_data_set
);
403 } END_FOR_EACH_PTR(tmp
);
406 static void tag_base_type(struct expression
*expr
)
408 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&')
409 expr
= strip_expr(expr
->unop
);
411 expr
= deref_expression(expr
);
412 set_state_expr(my_id
, expr
, &user_data_set
);
415 static void tag_as_user_data(struct expression
*expr
)
419 expr
= strip_expr(expr
);
421 type
= get_type(expr
);
422 if (!type
|| type
->type
!= SYM_PTR
)
424 type
= get_real_base_type(type
);
427 if (type
== &void_ctype
) {
428 set_state_expr(my_id
, deref_expression(expr
), &user_data_set
);
431 if (type
->type
== SYM_BASETYPE
)
433 if (type
->type
== SYM_STRUCT
) {
434 if (expr
->type
!= EXPR_PREOP
|| expr
->op
!= '&')
435 expr
= deref_expression(expr
);
436 tag_struct_members(type
, expr
);
440 static void match_user_copy(const char *fn
, struct expression
*expr
, void *_param
)
442 int param
= PTR_INT(_param
);
443 struct expression
*dest
;
445 dest
= get_argument_from_call_expr(expr
->args
, param
);
446 dest
= strip_expr(dest
);
449 tag_as_user_data(dest
);
452 static void match_user_assign_function(const char *fn
, struct expression
*expr
, void *unused
)
454 set_state_expr(my_id
, expr
->left
, &user_data_set
);
457 static void match_caller_info(struct expression
*expr
)
459 struct expression
*tmp
;
463 FOR_EACH_PTR(expr
->args
, tmp
) {
464 if (is_user_data(tmp
))
465 sql_insert_caller_info(expr
, USER_DATA
, i
, "$$", "");
467 } END_FOR_EACH_PTR(tmp
);
470 static void struct_member_callback(struct expression
*call
, int param
, char *printed_name
, struct smatch_state
*state
)
472 if (state
== &capped
)
474 sql_insert_caller_info(call
, USER_DATA
, param
, printed_name
, "");
477 static void returned_member_callback(int return_id
, char *return_ranges
, char *printed_name
, struct smatch_state
*state
)
479 if (state
== &capped
)
481 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
, -1, printed_name
, "");
484 static void print_returned_user_data(int return_id
, char *return_ranges
, struct expression
*expr
)
487 struct sm_state
*tmp
;
490 const char *passed_or_new
;
492 user_data
= is_user_data(expr
);
493 if (user_data
== PASSED_DATA
) {
494 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
,
497 if (user_data
== SET_DATA
) {
498 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
,
502 stree
= __get_cur_stree();
504 FOR_EACH_MY_SM(my_id
, stree
, tmp
) {
505 const char *param_name
;
507 param
= get_param_num_from_sym(tmp
->sym
);
511 if (is_capped_var_sym(tmp
->name
, tmp
->sym
))
513 /* ignore states that were already USER_DATA to begin with */
514 if (get_state_stree(get_start_states(), my_id
, tmp
->name
, tmp
->sym
))
517 param_name
= get_param_name(tmp
);
518 if (!param_name
|| strcmp(param_name
, "$$") == 0)
521 if (slist_has_state(tmp
->possible
, &user_data_set
))
523 else if (slist_has_state(tmp
->possible
, &user_data_passed
))
528 sql_insert_return_states(return_id
, return_ranges
, USER_DATA
,
529 param
, param_name
, passed_or_new
);
530 } END_FOR_EACH_SM(tmp
);
533 static void db_return_states_userdata(struct expression
*expr
, int param
, char *key
, char *value
)
538 if (expr
->type
== EXPR_ASSIGNMENT
&& param
== -1 && strcmp(key
, "*$$") == 0) {
539 tag_as_user_data(expr
->left
);
543 name
= return_state_to_var_sym(expr
, param
, key
, &sym
);
547 set_state(my_id
, name
, sym
, &user_data_set
);
552 void check_user_data(int id
)
554 if (option_project
!= PROJ_KERNEL
)
557 select_caller_info_hook(set_param_user_data
, USER_DATA
);
558 add_hook(&match_syscall_definition
, FUNC_DEF_HOOK
);
559 add_hook(&match_condition
, CONDITION_HOOK
);
560 add_hook(&match_assign
, ASSIGNMENT_HOOK
);
561 add_function_hook("copy_from_user", &match_user_copy
, INT_PTR(0));
562 add_function_hook("__copy_from_user", &match_user_copy
, INT_PTR(0));
563 add_function_hook("memcpy_fromiovec", &match_user_copy
, INT_PTR(0));
564 add_function_assign_hook("kmemdup_user", &match_user_assign_function
, NULL
);
565 add_function_hook("_kstrtoull", &match_user_copy
, INT_PTR(2));
567 add_hook(&match_caller_info
, FUNCTION_CALL_HOOK
);
568 add_member_info_callback(my_id
, struct_member_callback
);
569 add_returned_member_callback(my_id
, returned_member_callback
);
570 add_split_return_callback(print_returned_user_data
);
571 select_return_states_hook(USER_DATA
, &db_return_states_userdata
);