search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
extra: get_implied_range_list() should handle conditions as well
[smatch.git] / check_overflow.c
bloba69a408145e7324ab9e019ed0e76ea7d53c289b4
1 /*
2 * smatch/check_overflow.c
3 *
4 * Copyright (C) 2010 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include <stdlib.h>
11 #include "parse.h"
12 #include "smatch.h"
13 #include "smatch_slist.h"
14 #include "smatch_extra.h"
15
16 struct bound {
17 int param;
18 int size;
19 };
20
21 /*
22 * This check has two smatch IDs.
23 * my_used_id - keeps a record of array offsets that have been used.
24 * If the code checks that they are within bounds later on,
25 * we complain about using an array offset before checking
26 * that it is within bounds.
27 */
28 static int my_used_id;
29
30 static struct symbol *this_func;
31
32 static void match_function_def(struct symbol *sym)
33 {
34 this_func = sym;
35 }
36
37 struct limiter {
38 int buf_arg;
39 int limit_arg;
40 };
41 static struct limiter b0_l2 = {0, 2};
42 static struct limiter b1_l2 = {1, 2};
43
44 static void delete(const char *name, struct symbol *sym, struct expression *expr, void *unused)
45 {
46 delete_state(my_used_id, name, sym);
47 }
48
49 static int definitely_just_used_as_limiter(struct expression *array, struct expression *offset)
50 {
51 long long val;
52 struct expression *tmp;
53 int step = 0;
54 int dot_ops = 0;
55
56 if (!get_implied_value(offset, &val))
57 return 0;
58 if (get_array_size(array) != val)
59 return 0;
60
61 FOR_EACH_PTR_REVERSE(big_expression_stack, tmp) {
62 if (step == 0) {
63 step = 1;
64 continue;
65 }
66 if (tmp->type == EXPR_PREOP && tmp->op == '(')
67 continue;
68 if (tmp->op == '.' && !dot_ops++)
69 continue;
70 if (step == 1 && tmp->op == '&') {
71 step = 2;
72 continue;
73 }
74 if (step == 2 && tmp->type == EXPR_COMPARE)
75 return 1;
76 return 0;
77 } END_FOR_EACH_PTR_REVERSE(tmp);
78 return 0;
79 }
80
81 static void array_check(struct expression *expr)
82 {
83 struct expression *array_expr;
84 int array_size;
85 struct expression *offset;
86 long long max;
87 char *name;
88
89 expr = strip_expr(expr);
90 if (!is_array(expr))
91 return;
92
93 array_expr = strip_parens(expr->unop->left);
94 array_size = get_array_size(array_expr);
95 if (!array_size || array_size == 1)
96 return;
97
98 offset = get_array_offset(expr);
99 if (!get_fuzzy_max(offset, &max)) {
100 if (getting_address())
101 return;
102 set_state_expr(my_used_id, offset, alloc_state_num(array_size));
103 add_modification_hook_expr(my_used_id, offset, &delete, NULL);
104 } else if (array_size <= max) {
105 const char *level = "error";
106
107 if (getting_address())
108 level = "warn";
109
110 if (definitely_just_used_as_limiter(array_expr, offset))
111 return;
112
113 if (!option_spammy) {
114 struct smatch_state *state;
115
116 state = get_state_expr(SMATCH_EXTRA, offset);
117 if (state && is_whole_range(state))
118 return;
119 }
120
121 name = get_variable_from_expr_complex(array_expr, NULL);
122 /* Blast. Smatch can't figure out glibc's strcmp __strcmp_cg()
123 * so it prints an error every time you compare to a string
124 * literal array with 4 or less chars.
125 */
126 if (name && strcmp(name, "__s1") && strcmp(name, "__s2")) {
127 sm_msg("%s: buffer overflow '%s' %d <= %lld",
128 level, name, array_size, max);
129 }
130 free_string(name);
131 }
132 }
133
134 static void match_condition(struct expression *expr)
135 {
136 int left;
137 long long val;
138 struct state_list *slist;
139 struct sm_state *tmp;
140 int boundary;
141
142 if (!expr || expr->type != EXPR_COMPARE)
143 return;
144 if (get_macro_name(expr->pos))
145 return;
146 if (get_implied_value(expr->left, &val))
147 left = 1;
148 else if (get_implied_value(expr->right, &val))
149 left = 0;
150 else
151 return;
152
153 if (left)
154 slist = get_possible_states_expr(my_used_id, expr->right);
155 else
156 slist = get_possible_states_expr(my_used_id, expr->left);
157 if (!slist)
158 return;
159 FOR_EACH_PTR(slist, tmp) {
160 if (tmp->state == &merged)
161 continue;
162 boundary = PTR_INT(tmp->state->data);
163 boundary -= val;
164 if (boundary < 1 && boundary > -1) {
165 char *name;
166
167 name = get_variable_from_expr((left ? expr->right : expr->left), NULL);
168 sm_msg("error: testing array offset '%s' after use.", name);
169 return;
170 }
171 } END_FOR_EACH_PTR(tmp);
172 }
173
174 static void match_strcpy(const char *fn, struct expression *expr, void *unused)
175 {
176 struct expression *dest;
177 struct expression *data;
178 char *dest_name = NULL;
179 char *data_name = NULL;
180 int dest_size;
181 int data_size;
182
183 dest = get_argument_from_call_expr(expr->args, 0);
184 data = get_argument_from_call_expr(expr->args, 1);
185 dest_size = get_array_size_bytes(dest);
186 data_size = get_array_size_bytes(data);
187
188 if (!dest_size)
189 return;
190
191 /* If the size of both arrays is known and the destination
192 * buffer is larger than the source buffer, we're okay.
193 */
194 if (data_size && dest_size >= data_size)
195 return;
196
197 dest_name = get_variable_from_expr_complex(dest, NULL);
198 data_name = get_variable_from_expr_complex(data, NULL);
199
200 if (data_size)
201 sm_msg("error: %s() '%s' too large for '%s' (%d vs %d)",
202 fn, data_name, dest_name, data_size, dest_size);
203 else if (option_spammy)
204 sm_msg("warn: %s() '%s' of unknown size might be too large for '%s'",
205 fn, data_name, dest_name);
206
207 free_string(dest_name);
208 free_string(data_name);
209 }
210
211 static void match_snprintf(const char *fn, struct expression *expr, void *unused)
212 {
213 struct expression *dest;
214 struct expression *dest_size_expr;
215 struct expression *format_string;
216 struct expression *data;
217 char *data_name = NULL;
218 int dest_size;
219 long long limit_size;
220 char *format;
221 int data_size;
222
223 dest = get_argument_from_call_expr(expr->args, 0);
224 dest_size_expr = get_argument_from_call_expr(expr->args, 1);
225 format_string = get_argument_from_call_expr(expr->args, 2);
226 data = get_argument_from_call_expr(expr->args, 3);
227
228 dest_size = get_array_size_bytes(dest);
229 if (!get_implied_value(dest_size_expr, &limit_size))
230 return;
231 if (dest_size && dest_size < limit_size)
232 sm_msg("error: snprintf() is printing too much %lld vs %d", limit_size, dest_size);
233 format = get_variable_from_expr(format_string, NULL);
234 if (!format)
235 return;
236 if (strcmp(format, "\"%s\""))
237 goto free;
238 data_name = get_variable_from_expr_complex(data, NULL);
239 data_size = get_array_size_bytes(data);
240 if (limit_size < data_size)
241 sm_msg("error: snprintf() chops off the last chars of '%s': %d vs %lld",
242 data_name, data_size, limit_size);
243 free:
244 free_string(data_name);
245 free_string(format);
246 }
247
248 static void match_sprintf(const char *fn, struct expression *expr, void *unused)
249 {
250 struct expression *dest;
251 struct expression *format_string;
252 struct expression *data;
253 char *data_name = NULL;
254 int dest_size;
255 char *format;
256 int data_size;
257
258 dest = get_argument_from_call_expr(expr->args, 0);
259 format_string = get_argument_from_call_expr(expr->args, 1);
260 data = get_argument_from_call_expr(expr->args, 2);
261
262 dest_size = get_array_size_bytes(dest);
263 if (!dest_size)
264 return;
265 format = get_variable_from_expr(format_string, NULL);
266 if (!format)
267 return;
268 if (strcmp(format, "\"%s\""))
269 goto free;
270 data_name = get_variable_from_expr_complex(data, NULL);
271 data_size = get_array_size_bytes(data);
272 if (dest_size < data_size)
273 sm_msg("error: sprintf() copies too much data from '%s': %d vs %d",
274 data_name, data_size, dest_size);
275 free:
276 free_string(data_name);
277 free_string(format);
278 }
279
280 static void match_limited(const char *fn, struct expression *expr, void *_limiter)
281 {
282 struct limiter *limiter = (struct limiter *)_limiter;
283 struct expression *dest;
284 struct expression *data;
285 char *dest_name = NULL;
286 long long needed;
287 int has;
288
289 dest = get_argument_from_call_expr(expr->args, limiter->buf_arg);
290 data = get_argument_from_call_expr(expr->args, limiter->limit_arg);
291 if (!get_fuzzy_max(data, &needed))
292 return;
293 has = get_array_size_bytes(dest);
294 if (!has)
295 return;
296 if (has >= needed)
297 return;
298
299 dest_name = get_variable_from_expr_complex(dest, NULL);
300 sm_msg("error: %s() '%s' too small (%d vs %lld)", fn, dest_name, has, needed);
301 free_string(dest_name);
302 }
303
304 void check_overflow(int id)
305 {
306 my_used_id = id;
307 add_hook(&match_function_def, FUNC_DEF_HOOK);
308 add_hook(&array_check, OP_HOOK);
309 add_hook(&match_condition, CONDITION_HOOK);
310 add_function_hook("strcpy", &match_strcpy, NULL);
311 add_function_hook("snprintf", &match_snprintf, NULL);
312 add_function_hook("sprintf", &match_sprintf, NULL);
313 if (option_project == PROJ_KERNEL) {
314 add_function_hook("copy_to_user", &match_limited, &b0_l2);
315 add_function_hook("copy_to_user", &match_limited, &b1_l2);
316 add_function_hook("_copy_to_user", &match_limited, &b0_l2);
317 add_function_hook("_copy_to_user", &match_limited, &b1_l2);
318 add_function_hook("__copy_to_user", &match_limited, &b0_l2);
319 add_function_hook("__copy_to_user", &match_limited, &b1_l2);
320 add_function_hook("copy_from_user", &match_limited, &b0_l2);
321 add_function_hook("copy_from_user", &match_limited, &b1_l2);
322 add_function_hook("_copy_from_user", &match_limited, &b0_l2);
323 add_function_hook("_copy_from_user", &match_limited, &b1_l2);
324 add_function_hook("__copy_from_user", &match_limited, &b0_l2);
325 add_function_hook("__copy_from_user", &match_limited, &b1_l2);
326 }
327 }
Static analysis for C