search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
param_key: fix container of when no struct member is referenced
[smatch.git] / smatch_kernel_host_data.c
blob3c0d9bd23ab06bb6cd5d93f3abf411738cf84b53
1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /* The below code is an adjustment of the smatch_kernel_user_data.c to
19 * track (untrusted and potentially malicious) data received by a guest
20 * kernel via various low-level port IO, MMIO, MSR, CPUID and PCI config
21 * space access functions (see func_table for a full list) from an
22 * untrusted host/VMM under confidential computing threat model
23 * (where a guest VM does not trust the host/VMM).
24 * We call this data as 'host' data here. Being able to track host data
25 * allows creating new smatch patterns that can perform various checks
26 * on such data, i.e. verify that that there are no spectre v1 gadgets
27 * on this attack surface or even simply report locations where host data
28 * is being processed in the kernel source code (useful for a targeted code
29 * audit).
30 * Similar as smatch_kernel_user_data.c it works with
31 * smatch_points_to_host_input.c code.
32 *
33 * Copyright (C) 2022 Elena Reshetova Intel Corporation.
34 */
35
36 #include "smatch.h"
37 #include "smatch_slist.h"
38 #include "smatch_extra.h"
39
40 struct host_fn_info {
41 const char *name;
42 int type;
43 int param;
44 const char *key;
45 const sval_t *implies_start, *implies_end;
46 func_hook *call_back;
47 };
48
49 static struct host_fn_info func_table[] = {
50 /* Functions that return host data as return value */
51 { "inb", HOST_DATA, -1, "$" },
52 { "inw", HOST_DATA, -1, "$" },
53 { "inl", HOST_DATA, -1, "$" },
54 { "__inb", HOST_DATA, -1, "$" },
55 { "__inw", HOST_DATA, -1, "$" },
56 { "__inl", HOST_DATA, -1, "$" },
57 { "ioread8", HOST_DATA, -1, "$" },
58 { "ioread16", HOST_DATA, -1, "$" },
59 { "ioread32", HOST_DATA, -1, "$" },
60 { "ioread16be", HOST_DATA, -1, "$" },
61 { "ioread32be", HOST_DATA, -1, "$" },
62 { "ioread64_lo_hi", HOST_DATA, -1, "$" },
63 { "ioread64_hi_lo", HOST_DATA, -1, "$" },
64 { "ioread64be_lo_hi", HOST_DATA, -1, "$" },
65 { "ioread64be_hi_lo", HOST_DATA, -1, "$" },
66 { "iomap_readq", HOST_DATA, -1, "$" },
67 { "iomap_readb", HOST_DATA, -1, "$" },
68 { "iomap_readw", HOST_DATA, -1, "$" },
69 { "iomap_readl", HOST_DATA, -1, "$" },
70 { "readb", HOST_DATA, -1, "$" },
71 { "readw", HOST_DATA, -1, "$" },
72 { "readl", HOST_DATA, -1, "$" },
73 { "readq", HOST_DATA, -1, "$" },
74 { "__raw_readb", HOST_DATA, -1, "$" },
75 { "__raw_readw", HOST_DATA, -1, "$" },
76 { "__raw_readl", HOST_DATA, -1, "$" },
77 { "__raw_readq", HOST_DATA, -1, "$" },
78 { "__readq", HOST_DATA, -1, "$" },
79 { "__readl", HOST_DATA, -1, "$" },
80 { "__readb", HOST_DATA, -1, "$" },
81 { "__readw", HOST_DATA, -1, "$" },
82 { "native_read_msr", HOST_DATA, -1, "$" },
83 { "native_read_msr_safe", HOST_DATA, -1, "$" },
84 { "__rdmsr", HOST_DATA, -1, "$" },
85 { "paravirt_read_msr", HOST_DATA, -1, "$" },
86 { "paravirt_read_msr_safe", HOST_DATA, -1, "$" },
87 /* the below 3 apic funcs are needed
88 * since they unwrap to apic->read(reg),
89 * apic->icr_read() and *(APIC_BASE + reg) */
90 { "apic_read", HOST_DATA, -1, "$" },
91 { "apic_icr_read", HOST_DATA, -1, "$" },
92 { "native_apic_mem_read", HOST_DATA, -1, "$" },
93 /* the below one is x86_apic_ops.io_apic_read */
94 { "io_apic_read", HOST_DATA, -1, "$" },
95 /* virtio_cread8/16/32/64 funcs are needed
96 * since they call vdev->config->get */
97 { "virtio_cread8", HOST_DATA, -1, "$" },
98 { "virtio_cread16", HOST_DATA, -1, "$" },
99 { "virtio_cread32", HOST_DATA, -1, "$" },
100 { "virtio_cread64", HOST_DATA, -1, "$" },
101 { "__virtio16_to_cpu", HOST_DATA, -1, "$" },
102 { "__virtio32_to_cpu", HOST_DATA, -1, "$" },
103 { "__virtio64_to_cpu", HOST_DATA, -1, "$" },
104 { "serial_dl_read", HOST_DATA, -1, "$" },
105 { "serial_in", HOST_DATA, -1, "$" },
106 { "serial_port_in", HOST_DATA, -1, "$" },
107 { "cpuid_eax", HOST_DATA, -1, "$" },
108 { "cpuid_ebx", HOST_DATA, -1, "$" },
109 { "cpuid_ecx", HOST_DATA, -1, "$" },
110 { "cpuid_edx", HOST_DATA, -1, "$" },
111 /* Functions that return host data as argument 1 */
112 { "memcpy_fromio", HOST_DATA, 0, "*$" },
113 /* Functions that return host data as argument 2 */
114 { "acpi_os_read_iomem", HOST_DATA, 1, "*$" },
115 { "mmio_insb", HOST_DATA, 1, "*$" },
116 { "mmio_insw", HOST_DATA, 1, "*$" },
117 { "mmio_insl", HOST_DATA, 1, "*$" },
118 { "acpi_read_bit_register", HOST_DATA, 1, "*$" },
119 /* Functions that return host data as argument 3 */
120 { "rdmsrl_on_cpu", HOST_DATA, 2, "*$" },
121 { "rdmsrl_safe_on_cpu", HOST_DATA, 2, "*$" },
122 { "__virtio_cread_many", HOST_DATA, 2, "*$" },
123 { "pci_user_read_config_word", HOST_DATA, 2, "*$" },
124 { "pci_user_read_config_dword", HOST_DATA, 2, "*$" },
125 { "pci_user_read_config_byte", HOST_DATA, 2, "*$" },
126 /* Functions that return host data as argument 4 */
127 { "pci_bus_read_config_byte", HOST_DATA, 3, "*$" },
128 { "pci_bus_read_config_word", HOST_DATA, 3, "*$" },
129 { "pci_bus_read_config_dword", HOST_DATA, 3, "*$" },
130 /* Functions that return host data as arguments 3 and 4 */
131 { "rdmsr_on_cpu", HOST_DATA, 2, "*$" },
132 { "rdmsr_on_cpu", HOST_DATA, 3, "*$" },
133 { "rdmsr_safe_on_cpu", HOST_DATA, 2, "*$" },
134 { "rdmsr_safe_on_cpu", HOST_DATA, 3, "*$" },
135 /* Functions that return host data as argument 6 */
136 { "raw_pci_read", HOST_DATA, 5, "*$" },
137 /* Functions that return host data as arguments 2-5 */
138 { "cpuid", HOST_DATA, 1, "*$" },
139 { "cpuid", HOST_DATA, 2, "*$" },
140 { "cpuid", HOST_DATA, 3, "*$" },
141 { "cpuid", HOST_DATA, 4, "*$" },
142 /* Functions that return host data as arguments 3-6 */
143 { "cpuid_count", HOST_DATA, 2, "*$" },
144 { "cpuid_count", HOST_DATA, 3, "*$" },
145 { "cpuid_count", HOST_DATA, 4, "*$" },
146 { "cpuid_count", HOST_DATA, 5, "*$" },
147 };
148
149 static int my_id;
150 static unsigned long func_gets_host_data;
151 static struct stree *start_states;
152
153 static struct smatch_state *empty_state(struct sm_state *sm)
154 {
155 return alloc_estate_empty();
156 }
157
158 static struct smatch_state *new_state(struct symbol *type)
159 {
160 struct smatch_state *state;
161
162 if (!type || type_is_ptr(type))
163 return NULL;
164
165 state = alloc_estate_whole(type);
166 estate_set_new(state);
167 return state;
168 }
169
170 static void pre_merge_hook(struct sm_state *cur, struct sm_state *other)
171 {
172 struct smatch_state *kernel = cur->state;
173 struct smatch_state *extra;
174 struct smatch_state *state;
175 struct range_list *rl;
176
177 extra = __get_state(SMATCH_EXTRA, cur->name, cur->sym);
178 if (!extra)
179 return;
180 rl = rl_intersection(estate_rl(kernel), estate_rl(extra));
181 state = alloc_estate_rl(clone_rl(rl));
182 if (estate_capped(kernel) || is_capped_var_sym(cur->name, cur->sym))
183 estate_set_capped(state);
184 if (estates_equiv(state, cur->state))
185 return;
186 if (estate_new(cur->state))
187 estate_set_new(state);
188 set_state(my_id, cur->name, cur->sym, state);
189 }
190
191 static void extra_nomod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
192 {
193 struct smatch_state *host, *new;
194 struct range_list *rl;
195
196 host = __get_state(my_id, name, sym);
197 if (!host)
198 return;
199
200 rl = rl_intersection(estate_rl(host), estate_rl(state));
201 if (rl_equiv(rl, estate_rl(host)))
202 return;
203 new = alloc_estate_rl(rl);
204 if (estate_capped(host))
205 estate_set_capped(new);
206 set_state(my_id, name, sym, new);
207 }
208
209 static void store_type_info(struct expression *expr, struct smatch_state *state)
210 {
211 struct symbol *type;
212 char *type_str, *member;
213
214 if (__in_fake_assign)
215 return;
216
217 if (!estate_rl(state))
218 return;
219
220 expr = strip_expr(expr);
221 if (!expr || expr->type != EXPR_DEREF || !expr->member)
222 return;
223
224 type = get_type(expr->deref);
225 if (!type || !type->ident)
226 return;
227
228 type_str = type_to_str(type);
229 if (!type_str)
230 return;
231 member = get_member_name(expr);
232 if (!member)
233 return;
234
235 sql_insert_function_type_info(HOST_DATA, type_str, member, state->name);
236 }
237
238 static void set_host_data(struct expression *expr, struct smatch_state *state)
239 {
240 store_type_info(expr, state);
241 set_state_expr(my_id, expr, state);
242 }
243
244 static bool host_rl_known(struct expression *expr)
245 {
246 struct range_list *rl;
247 sval_t close_to_max;
248
249 if (!get_host_rl(expr, &rl))
250 return true;
251
252 close_to_max = sval_type_max(rl_type(rl));
253 close_to_max.value -= 100;
254
255 if (sval_cmp(rl_max(rl), close_to_max) >= 0)
256 return false;
257 return true;
258 }
259
260 static bool is_array_index_mask_nospec(struct expression *expr)
261 {
262 struct expression *orig;
263
264 orig = get_assigned_expr(expr);
265 if (!orig || orig->type != EXPR_CALL)
266 return false;
267 return sym_name_is("array_index_mask_nospec", orig->fn);
268 }
269
270 static bool binop_capped(struct expression *expr)
271 {
272 struct range_list *left_rl;
273 int comparison;
274 sval_t sval;
275
276 if (expr->op == '-' && get_host_rl(expr->left, &left_rl)) {
277 if (host_rl_capped(expr->left))
278 return true;
279 comparison = get_comparison(expr->left, expr->right);
280 if (comparison && show_special(comparison)[0] == '>')
281 return true;
282 return false;
283 }
284
285 if (expr->op == '&' || expr->op == '%') {
286 bool left_host, left_capped, right_host, right_capped;
287
288 if (!get_value(expr->right, &sval) && is_capped(expr->right))
289 return true;
290 if (is_array_index_mask_nospec(expr->right))
291 return true;
292 if (is_capped(expr->left))
293 return true;
294 left_host = is_host_rl(expr->left);
295 right_host = is_host_rl(expr->right);
296 if (!left_host && !right_host)
297 return true;
298
299 left_capped = host_rl_capped(expr->left);
300 right_capped = host_rl_capped(expr->right);
301
302 if (left_host && left_capped) {
303 if (!right_host)
304 return true;
305 if (right_host && right_capped)
306 return true;
307 return false;
308 }
309 if (right_host && right_capped) {
310 if (!left_host)
311 return true;
312 return false;
313 }
314 return false;
315 }
316
317 /*
318 * Generally "capped" means that we capped it to an unknown value.
319 * This is useful because if Smatch doesn't know what the value is then
320 * we have to trust that it is correct. But if we known cap value is
321 * 100 then we can check if 100 is correct and complain if it's wrong.
322 *
323 * So then the problem is with BINOP when we take a capped variable
324 * plus a host variable which is clamped to a known range (uncapped)
325 * the result should be capped.
326 */
327 if ((host_rl_capped(expr->left) || host_rl_known(expr->left)) &&
328 (host_rl_capped(expr->right) || host_rl_known(expr->right)))
329 return true;
330 return false;
331 }
332
333 bool host_rl_capped(struct expression *expr)
334 {
335 struct smatch_state *state;
336 struct range_list *rl;
337 sval_t sval;
338
339 expr = strip_expr(expr);
340 if (!expr)
341 return false;
342 if (get_value(expr, &sval))
343 return true;
344 if (expr->type == EXPR_BINOP)
345 return binop_capped(expr);
346 if ((expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) &&
347 (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT))
348 return host_rl_capped(expr->unop);
349 state = get_state_expr(my_id, expr);
350 if (state)
351 return estate_capped(state);
352
353 if (!get_host_rl(expr, &rl)) {
354 /*
355 * The non host data parts of a binop are capped and
356 * also empty host rl states are capped.
357 */
358 return true;
359 }
360
361 if (rl_to_sval(rl, &sval))
362 return true;
363
364 return false; /* uncapped host data */
365 }
366
367 static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
368 {
369 struct expression *edge_member;
370 struct symbol *base = get_real_base_type(member);
371 struct symbol *tmp;
372
373 if (member->ident)
374 expr = member_expression(expr, '.', member->ident);
375
376 FOR_EACH_PTR(base->symbol_list, tmp) {
377 struct symbol *type;
378
379 type = get_real_base_type(tmp);
380 if (!type)
381 continue;
382
383 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
384 tag_inner_struct_members(expr, tmp);
385 continue;
386 }
387
388 if (!tmp->ident)
389 continue;
390
391 edge_member = member_expression(expr, '.', tmp->ident);
392 set_host_data(edge_member, new_state(type));
393 } END_FOR_EACH_PTR(tmp);
394 }
395
396 static void tag_struct_members(struct symbol *type, struct expression *expr)
397 {
398 struct symbol *tmp;
399 struct expression *member;
400 int op = '*';
401
402 if (expr->type == EXPR_PREOP && expr->op == '&') {
403 expr = strip_expr(expr->unop);
404 op = '.';
405 }
406
407 FOR_EACH_PTR(type->symbol_list, tmp) {
408 type = get_real_base_type(tmp);
409 if (!type)
410 continue;
411
412 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
413 tag_inner_struct_members(expr, tmp);
414 continue;
415 }
416
417 if (!tmp->ident)
418 continue;
419
420 member = member_expression(expr, op, tmp->ident);
421 if (type->type == SYM_ARRAY) {
422 set_points_to_host_data(member, true);
423 } else {
424 set_host_data(member, new_state(get_type(member)));
425 }
426 } END_FOR_EACH_PTR(tmp);
427 }
428
429 static void tag_base_type(struct expression *expr)
430 {
431 if (expr->type == EXPR_PREOP && expr->op == '&')
432 expr = strip_expr(expr->unop);
433 else
434 expr = deref_expression(expr);
435 set_host_data(expr, new_state(get_type(expr)));
436 }
437
438 static void tag_as_host_data(struct expression *expr)
439 {
440 struct symbol *type;
441
442 expr = strip_expr(expr);
443 type = get_type(expr);
444
445 if (!type)
446 return;
447
448 if (type->type == SYM_PTR){
449 type = get_real_base_type(type);
450 if (!type)
451 return;
452 if (type == &void_ctype) {
453 set_host_data(deref_expression(expr), new_state(&ulong_ctype));
454 return;
455 }
456 if (type->type == SYM_BASETYPE) {
457 if (expr->type != EXPR_PREOP && expr->op != '&')
458 set_points_to_host_data(expr, true);
459 tag_base_type(expr);
460 return;
461 }
462 if (type->type == SYM_STRUCT || type->type == SYM_UNION) {
463 if (expr->type != EXPR_PREOP || expr->op != '&')
464 expr = deref_expression(expr);
465 else
466 set_host_data(deref_expression(expr), new_state(&ulong_ctype));
467 tag_struct_members(type, expr);
468 }
469 return;
470 }
471
472 if (expr->type == EXPR_DEREF) {
473 type = get_type(expr->deref);
474 expr = strip_expr(expr->deref);
475
476 if (!type){
477 sm_msg("%s: no type\n", __func__);
478 return;
479 }
480 }
481
482 if (type->type == SYM_BASETYPE) {
483 if (expr->type == EXPR_PREOP && expr->op == '*')
484 set_points_to_host_data(expr->unop, true);
485 set_host_data(expr, new_state(get_type(expr)));
486 return;
487 }
488 if (type->type == SYM_STRUCT || type->type == SYM_UNION) {
489 set_host_data(expr, new_state(&ulong_ctype));
490 tag_struct_members(type, expr);
491 }
492 }
493
494 static int get_rl_from_function(struct expression *expr, struct range_list **rl)
495 {
496 if (!expr)
497 return 0;
498
499 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
500 !expr->fn->symbol_name || !expr->fn->symbol_name->name)
501 return 0;
502
503 for (int i = 0; i < ARRAY_SIZE(func_table); i++) {
504 if ((strcmp(expr->fn->symbol_name->name, func_table[i].name) == 0) &&
505 (func_table[i].param == -1)) {
506 *rl = alloc_whole_rl(get_type(expr));
507 return 1;
508 }
509 }
510 return 0;
511 }
512
513 static bool state_is_new(struct expression *expr)
514 {
515 struct smatch_state *state;
516
517 state = get_state_expr(my_id, expr);
518 if (estate_new(state))
519 return true;
520
521 if (expr->type == EXPR_BINOP) {
522 if (state_is_new(expr->left))
523 return true;
524 if (state_is_new(expr->right))
525 return true;
526 }
527 return false;
528 }
529
530 static void handle_derefed_pointers(struct expression *expr, bool is_new)
531 {
532 expr = strip_expr(expr);
533 if (expr->type != EXPR_PREOP ||
534 expr->op != '*')
535 return;
536 expr = strip_expr(expr->unop);
537 set_points_to_host_data(expr, is_new);
538 }
539
540 static bool handle_op_assign(struct expression *expr)
541 {
542 struct expression *binop_expr;
543 struct smatch_state *state;
544 struct range_list *rl;
545 bool is_new;
546
547 switch (expr->op) {
548 case SPECIAL_ADD_ASSIGN:
549 case SPECIAL_SUB_ASSIGN:
550 case SPECIAL_AND_ASSIGN:
551 case SPECIAL_MOD_ASSIGN:
552 case SPECIAL_SHL_ASSIGN:
553 case SPECIAL_SHR_ASSIGN:
554 case SPECIAL_OR_ASSIGN:
555 case SPECIAL_XOR_ASSIGN:
556 case SPECIAL_MUL_ASSIGN:
557 case SPECIAL_DIV_ASSIGN:
558 binop_expr = binop_expression(expr->left,
559 op_remove_assign(expr->op),
560 expr->right);
561 if (!get_host_rl(binop_expr, &rl))
562 return true;
563 rl = cast_rl(get_type(expr->left), rl);
564 state = alloc_estate_rl(rl);
565 if (expr->op == SPECIAL_AND_ASSIGN ||
566 expr->op == SPECIAL_MOD_ASSIGN ||
567 host_rl_capped(binop_expr))
568 estate_set_capped(state);
569 is_new = state_is_new(binop_expr);
570 if (is_new)
571 estate_set_new(state);
572 estate_set_assigned(state);
573 set_host_data(expr->left, state);
574 handle_derefed_pointers(expr->left, is_new);
575 return true;
576 }
577 return false;
578 }
579
580 static void match_assign_host(struct expression *expr)
581 {
582 struct symbol *left_type, *right_type;
583 struct range_list *rl = NULL;
584 static struct expression *handled;
585 struct smatch_state *state;
586 struct expression *faked;
587 bool is_capped = false;
588 bool is_new = false;
589
590 if (!expr)
591 return;
592
593 left_type = get_type(expr->left);
594 if (left_type == &void_ctype)
595 return;
596
597 faked = get_faked_expression();
598
599 /* FIXME: handle fake array assignments frob(&host_array[x]); */
600
601 if (faked &&
602 faked->type == EXPR_ASSIGNMENT &&
603 points_to_host_data(faked->right)) {
604 rl = alloc_whole_rl(get_type(expr->left));
605 is_new = true;
606 goto set;
607 }
608
609 if (faked && faked == handled)
610 return;
611 if (is_fake_call(expr->right))
612 goto clear_old_state;
613 if (points_to_host_data(expr->right) &&
614 is_struct_ptr(get_type(expr->left))) {
615 handled = expr;
616 // This should be handled by smatch_points_to_host_data.c
617 //set_points_to_host_data(expr->left);
618 }
619
620 if (handle_op_assign(expr))
621 return;
622 if (expr->op != '=')
623 goto clear_old_state;
624
625 /* Handled by DB code */
626 if (expr->right->type == EXPR_CALL)
627 return;
628
629 if (faked)
630 disable_type_val_lookups();
631 get_host_rl(expr->right, &rl);
632 if (faked)
633 enable_type_val_lookups();
634 if (!rl)
635 goto clear_old_state;
636
637 is_capped = host_rl_capped(expr->right);
638 is_new = state_is_new(expr->right);
639
640 set:
641 if (type_is_ptr(left_type)) {
642 right_type = get_type(expr->right);
643 if (right_type && right_type->type == SYM_ARRAY)
644 set_points_to_host_data(expr->left, is_new);
645 return;
646 }
647
648 rl = cast_rl(left_type, rl);
649 state = alloc_estate_rl(rl);
650 if (is_new)
651 estate_set_new(state);
652 if (is_capped)
653 estate_set_capped(state);
654 estate_set_assigned(state);
655 set_host_data(expr->left, state);
656 handle_derefed_pointers(expr->left, is_new);
657 return;
658
659 clear_old_state:
660
661 /*
662 * HACK ALERT!!! This should be at the start of the function. The
663 * the problem is that handling "pointer = array;" assignments is
664 * handled in this function instead of in kernel_points_to_host_data.c.
665 */
666 if (type_is_ptr(left_type))
667 return;
668
669 if (get_state_expr(my_id, expr->left))
670 set_host_data(expr->left, alloc_estate_empty());
671 }
672
673 static void handle_eq_noteq(struct expression *expr)
674 {
675 struct smatch_state *left_orig, *right_orig;
676
677 left_orig = get_state_expr(my_id, expr->left);
678 right_orig = get_state_expr(my_id, expr->right);
679
680 if (!left_orig && !right_orig)
681 return;
682 if (left_orig && right_orig)
683 return;
684
685 if (left_orig) {
686 set_true_false_states_expr(my_id, expr->left,
687 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
688 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
689 } else {
690 set_true_false_states_expr(my_id, expr->right,
691 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
692 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
693 }
694 }
695
696 static struct range_list *strip_negatives(struct range_list *rl)
697 {
698 sval_t min = rl_min(rl);
699 sval_t minus_one = { .type = rl_type(rl), .value = -1 };
700 sval_t over = { .type = rl_type(rl), .value = INT_MAX + 1ULL };
701 sval_t max = sval_type_max(rl_type(rl));
702
703 if (!rl)
704 return NULL;
705
706 if (type_unsigned(rl_type(rl)) && type_bits(rl_type(rl)) > 31)
707 return remove_range(rl, over, max);
708
709 return remove_range(rl, min, minus_one);
710 }
711
712 static void handle_compare(struct expression *expr)
713 {
714 struct expression *left, *right;
715 struct range_list *left_rl = NULL;
716 struct range_list *right_rl = NULL;
717 struct range_list *host_rl;
718 struct smatch_state *capped_state;
719 struct smatch_state *left_true = NULL;
720 struct smatch_state *left_false = NULL;
721 struct smatch_state *right_true = NULL;
722 struct smatch_state *right_false = NULL;
723 struct symbol *type;
724 sval_t sval;
725
726 left = strip_expr(expr->left);
727 right = strip_expr(expr->right);
728
729 while (left->type == EXPR_ASSIGNMENT)
730 left = strip_expr(left->left);
731
732 /*
733 * Conditions are mostly handled by smatch_extra.c, but there are some
734 * times where the exact values are not known so we can't do that.
735 *
736 * Normally, we might consider using smatch_capped.c to supliment smatch
737 * extra but that doesn't work when we merge unknown uncapped kernel
738 * data with unknown capped host data. The result is uncapped host
739 * data. We need to keep it separate and say that the host data is
740 * capped. In the past, I would have marked this as just regular
741 * kernel data (not host data) but we can't do that these days because
742 * we need to track host data for Spectre.
743 *
744 * The other situation which we have to handle is when we do have an
745 * int and we compare against an unknown unsigned kernel variable. In
746 * that situation we assume that the kernel data is less than INT_MAX.
747 * Otherwise then we get all sorts of array underflow false positives.
748 *
749 */
750
751 /* Handled in smatch_extra.c */
752 if (get_implied_value(left, &sval) ||
753 get_implied_value(right, &sval))
754 return;
755
756 get_host_rl(left, &left_rl);
757 get_host_rl(right, &right_rl);
758
759 /* nothing to do */
760 if (!left_rl && !right_rl)
761 return;
762 /* if both sides are host data that's not a good limit */
763 if (left_rl && right_rl)
764 return;
765
766 if (left_rl)
767 host_rl = left_rl;
768 else
769 host_rl = right_rl;
770
771 type = get_type(expr);
772 if (type_unsigned(type))
773 host_rl = strip_negatives(host_rl);
774 capped_state = alloc_estate_rl(host_rl);
775 estate_set_capped(capped_state);
776
777 switch (expr->op) {
778 case '<':
779 case SPECIAL_UNSIGNED_LT:
780 case SPECIAL_LTE:
781 case SPECIAL_UNSIGNED_LTE:
782 if (left_rl)
783 left_true = capped_state;
784 else
785 right_false = capped_state;
786 break;
787 case '>':
788 case SPECIAL_UNSIGNED_GT:
789 case SPECIAL_GTE:
790 case SPECIAL_UNSIGNED_GTE:
791 if (left_rl)
792 left_false = capped_state;
793 else
794 right_true = capped_state;
795 break;
796 }
797 set_true_false_states_expr(my_id, left, left_true, left_false);
798 set_true_false_states_expr(my_id, right, right_true, right_false);
799 }
800
801 static void match_condition_host(struct expression *expr)
802 {
803 if (!expr)
804 return;
805
806 if (expr->type != EXPR_COMPARE)
807 return;
808
809 if (expr->op == SPECIAL_EQUAL ||
810 expr->op == SPECIAL_NOTEQUAL) {
811 handle_eq_noteq(expr);
812 return;
813 }
814 handle_compare(expr);
815 }
816
817 static void match_returns_host_rl(const char *fn, struct expression *expr, void *unused)
818 {
819 func_gets_host_data = true;
820 }
821
822 static int has_host_data(struct symbol *sym)
823 {
824 struct sm_state *tmp;
825
826 FOR_EACH_MY_SM(my_id, __get_cur_stree(), tmp) {
827 if (tmp->sym == sym)
828 return 1;
829 } END_FOR_EACH_SM(tmp);
830 return 0;
831 }
832
833 bool we_pass_host_data(struct expression *call)
834 {
835 struct expression *arg;
836 struct symbol *sym;
837
838 FOR_EACH_PTR(call->args, arg) {
839 if (points_to_host_data(arg))
840 return true;
841 sym = expr_to_sym(arg);
842 if (!sym)
843 continue;
844 if (has_host_data(sym))
845 return true;
846 } END_FOR_EACH_PTR(arg);
847
848 return false;
849 }
850
851 static int db_returned_host_rl(struct expression *call, struct range_list **rl)
852 {
853 struct smatch_state *state;
854 char buf[48];
855
856 if (is_fake_call(call))
857 return 0;
858 snprintf(buf, sizeof(buf), "return %p", call);
859 state = get_state(my_id, buf, NULL);
860 if (!state || !estate_rl(state))
861 return 0;
862 *rl = estate_rl(state);
863 return 1;
864 }
865
866 struct stree *get_host_stree(void)
867 {
868 return get_all_states_stree(my_id);
869 }
870
871 static int host_data_flag;
872 static int no_host_data_flag;
873
874 struct range_list *var_host_rl(struct expression *expr)
875 {
876 struct smatch_state *state;
877 struct range_list *rl;
878 struct range_list *absolute_rl;
879
880 if (expr->type == EXPR_PREOP && expr->op == '&') {
881 no_host_data_flag = 1;
882 return NULL;
883 }
884
885 if (expr->type == EXPR_BINOP && expr->op == '%') {
886 struct range_list *left, *right;
887
888 if (!get_host_rl(expr->right, &right))
889 return NULL;
890 get_absolute_rl(expr->left, &left);
891 rl = rl_binop(left, '%', right);
892 goto found;
893 }
894
895 if (expr->type == EXPR_BINOP && expr->op == '/') {
896 struct range_list *left = NULL;
897 struct range_list *right = NULL;
898 struct range_list *abs_right;
899
900 get_host_rl(expr->left, &left);
901 get_host_rl(expr->right, &right);
902 get_absolute_rl(expr->right, &abs_right);
903
904 if (left && !right) {
905 rl = rl_binop(left, '/', abs_right);
906 if (sval_cmp(rl_max(left), rl_max(rl)) < 0)
907 no_host_data_flag = 1;
908 }
909
910 return NULL;
911 }
912
913 if (get_rl_from_function(expr, &rl))
914 goto found;
915
916 state = get_state_expr(my_id, expr);
917 if (state && estate_rl(state)) {
918 rl = estate_rl(state);
919 goto found;
920 }
921
922 if (expr->type == EXPR_CALL && db_returned_host_rl(expr, &rl))
923 goto found;
924
925 if (expr->type == EXPR_PREOP && expr->op == '*' &&
926 points_to_host_data(expr->unop)) {
927 rl = var_to_absolute_rl(expr);
928 goto found;
929 }
930
931 if (is_array(expr)) {
932 struct expression *array = get_array_base(expr);
933
934 if (!get_state_expr(my_id, array)) {
935 no_host_data_flag = 1;
936 return NULL;
937 }
938 }
939
940 return NULL;
941 found:
942 host_data_flag = 1;
943 absolute_rl = var_to_absolute_rl(expr);
944 return clone_rl(rl_intersection(rl, absolute_rl));
945 }
946
947 static bool is_ptr_subtract(struct expression *expr)
948 {
949 expr = strip_expr(expr);
950 if (!expr)
951 return false;
952 if (expr->type == EXPR_BINOP && expr->op == '-' &&
953 type_is_ptr(get_type(expr->left))) {
954 return true;
955 }
956 return false;
957 }
958
959 int get_host_rl(struct expression *expr, struct range_list **rl)
960 {
961 if (is_ptr_subtract(expr))
962 return 0;
963
964 host_data_flag = 0;
965 no_host_data_flag = 0;
966 custom_get_absolute_rl(expr, &var_host_rl, rl);
967 if (!host_data_flag || no_host_data_flag)
968 *rl = NULL;
969 return !!*rl;
970 }
971
972 int is_host_rl(struct expression *expr)
973 {
974 struct range_list *tmp;
975
976 return get_host_rl(expr, &tmp) && tmp;
977 }
978
979 int get_host_rl_var_sym(const char *name, struct symbol *sym, struct range_list **rl)
980 {
981 struct smatch_state *state;
982
983 state = get_state(my_id, name, sym);
984 if (state && estate_rl(state)) {
985 *rl = estate_rl(state);
986 return 1;
987 }
988 return 0;
989 }
990
991 static void return_info_callback_host(int return_id, char *return_ranges,
992 struct expression *returned_expr,
993 int param,
994 const char *printed_name,
995 struct sm_state *sm)
996 {
997 struct smatch_state *extra;
998 struct range_list *rl;
999 char buf[64];
1000
1001 if (param >= 0) {
1002 if (strcmp(printed_name, "$") == 0)
1003 return;
1004 if (!estate_assigned(sm->state) &&
1005 !estate_new(sm->state))
1006 return;
1007 }
1008 rl = estate_rl(sm->state);
1009 if (!rl)
1010 return;
1011 extra = get_state(SMATCH_EXTRA, sm->name, sm->sym);
1012 if (estate_rl(extra))
1013 rl = rl_intersection(estate_rl(sm->state), estate_rl(extra));
1014 if (!rl)
1015 return;
1016
1017 snprintf(buf, sizeof(buf), "%s%s%s",
1018 show_rl(rl),
1019 estate_capped(sm->state) ? "[c]" : "", "");
1020 sql_insert_return_states(return_id, return_ranges,
1021 estate_new(sm->state) ? HOST_DATA_SET : HOST_DATA,
1022 param, printed_name, buf);
1023
1024 }
1025
1026 static void caller_info_callback_host(struct expression *call, int param, char *printed_name, struct sm_state *sm)
1027 {
1028 struct smatch_state *state;
1029 struct range_list *rl;
1030 struct symbol *type;
1031 char buf[64];
1032
1033 /*
1034 * Smatch uses a hack where if we get an unsigned long we say it's
1035 * both host data and it points to host data. But if we pass it to a
1036 * function which takes an int, then it's just host data. There's not
1037 * enough bytes for it to be a pointer.
1038 *
1039 */
1040 type = get_arg_type(call->fn, param);
1041 if (strcmp(printed_name, "$") != 0 && type && type_bits(type) < type_bits(&ptr_ctype))
1042 return;
1043
1044 if (strcmp(sm->state->name, "") == 0)
1045 return;
1046
1047 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
1048 if (!state || !estate_rl(state))
1049 rl = estate_rl(sm->state);
1050 else
1051 rl = rl_intersection(estate_rl(sm->state), estate_rl(state));
1052
1053 if (!rl)
1054 return;
1055
1056 snprintf(buf, sizeof(buf), "%s%s%s", show_rl(rl),
1057 estate_capped(sm->state) ? "[c]" : "", "");
1058 sql_insert_caller_info(call, HOST_DATA, param, printed_name, buf);
1059 }
1060
1061 static void db_param_set(struct expression *expr, int param, char *key, char *value)
1062 {
1063 struct expression *arg;
1064 char *name;
1065 struct symbol *sym;
1066 struct smatch_state *state;
1067
1068 while (expr->type == EXPR_ASSIGNMENT)
1069 expr = strip_expr(expr->right);
1070 if (expr->type != EXPR_CALL)
1071 return;
1072
1073 arg = get_argument_from_call_expr(expr->args, param);
1074 if (!arg)
1075 return;
1076
1077 name = get_variable_from_key(arg, key, &sym);
1078 if (!name || !sym)
1079 goto free;
1080
1081 state = get_state(my_id, name, sym);
1082 if (!state)
1083 goto free;
1084
1085 set_state(my_id, name, sym, alloc_estate_empty());
1086 free:
1087 free_string(name);
1088 }
1089
1090 static bool param_data_capped(const char *value)
1091 {
1092 if (strstr(value, ",c") || strstr(value, "[c"))
1093 return true;
1094 return false;
1095 }
1096
1097 static void set_param_host_data(const char *name, struct symbol *sym, char *key, char *value)
1098 {
1099 struct expression *expr;
1100 struct range_list *rl = NULL;
1101 struct smatch_state *state;
1102 struct symbol *type;
1103 char *fullname;
1104
1105 expr = symbol_expression(sym);
1106 fullname = get_variable_from_key(expr, key, NULL);
1107 if (!fullname)
1108 return;
1109
1110 type = get_member_type_from_key(expr, key);
1111 if (type && type->type == SYM_STRUCT)
1112 return;
1113
1114 if (!type)
1115 return;
1116
1117 str_to_rl(type, value, &rl);
1118 rl = swap_mtag_seed(expr, rl);
1119 state = alloc_estate_rl(rl);
1120 if (param_data_capped(value) || is_capped(expr))
1121 estate_set_capped(state);
1122 set_state(my_id, fullname, sym, state);
1123 }
1124
1125 #define OLD 0
1126 #define NEW 1
1127
1128 static void store_host_data_return(struct expression *expr, char *key, char *value, bool is_new)
1129 {
1130 struct smatch_state *state;
1131 struct range_list *rl;
1132 struct symbol *type;
1133 char buf[48];
1134
1135 if (key[0] != '$')
1136 return;
1137
1138 type = get_type(expr);
1139 snprintf(buf, sizeof(buf), "return %p%s", expr, key + 1);
1140 call_results_to_rl(expr, type, value, &rl);
1141
1142 state = alloc_estate_rl(rl);
1143 if (is_new)
1144 estate_set_new(state);
1145 set_state(my_id, buf, NULL, state);
1146 }
1147
1148 static void set_to_host_data(struct expression *expr, char *key, char *value, bool is_new)
1149 {
1150 struct smatch_state *state;
1151 char *name;
1152 struct symbol *sym;
1153 struct symbol *type;
1154 struct range_list *rl = NULL;
1155
1156 type = get_member_type_from_key(expr, key);
1157 name = get_variable_from_key(expr, key, &sym);
1158 if (!name || !sym)
1159 goto free;
1160
1161 call_results_to_rl(expr, type, value, &rl);
1162
1163 state = alloc_estate_rl(rl);
1164 if (param_data_capped(value))
1165 estate_set_capped(state);
1166 if (is_new)
1167 estate_set_new(state);
1168 estate_set_assigned(state);
1169 set_state(my_id, name, sym, state);
1170 free:
1171 free_string(name);
1172 }
1173
1174 static void returns_param_host_data(struct expression *expr, int param, char *key, char *value)
1175 {
1176 struct expression *arg;
1177 struct expression *call;
1178
1179 call = expr;
1180 while (call->type == EXPR_ASSIGNMENT)
1181 call = strip_expr(call->right);
1182 if (call->type != EXPR_CALL)
1183 return;
1184
1185 if (!we_pass_host_data(call))
1186 return;
1187
1188 if (param == -1) {
1189 if (expr->type != EXPR_ASSIGNMENT) {
1190 store_host_data_return(expr, key, value, OLD);
1191 return;
1192 }
1193 set_to_host_data(expr->left, key, value, OLD);
1194 return;
1195 }
1196
1197 arg = get_argument_from_call_expr(call->args, param);
1198 if (!arg)
1199 return;
1200 set_to_host_data(arg, key, value, OLD);
1201 }
1202
1203 static void returns_param_host_data_set(struct expression *expr, int param, char *key, char *value)
1204 {
1205 struct expression *arg;
1206
1207 func_gets_host_data = true;
1208
1209 if (param == -1) {
1210 if (expr->type != EXPR_ASSIGNMENT) {
1211 store_host_data_return(expr, key, value, NEW);
1212 return;
1213 }
1214 set_to_host_data(expr->left, key, value, NEW);
1215 return;
1216 }
1217
1218 while (expr->type == EXPR_ASSIGNMENT)
1219 expr = strip_expr(expr->right);
1220 if (expr->type != EXPR_CALL)
1221 return;
1222
1223 arg = get_argument_from_call_expr(expr->args, param);
1224 if (!arg)
1225 return;
1226 set_to_host_data(arg, key, value, NEW);
1227 }
1228
1229 static void returns_param_capped_host(struct expression *expr, int param, char *key, char *value)
1230 {
1231 struct smatch_state *state, *new;
1232 struct symbol *sym;
1233 char *name;
1234
1235 name = get_name_sym_from_param_key(expr, param, key, &sym);
1236 if (!name || !sym)
1237 goto free;
1238
1239 state = get_state(my_id, name, sym);
1240 if (!state || estate_capped(state))
1241 goto free;
1242
1243 new = clone_estate(state);
1244 estate_set_capped(new);
1245
1246 set_state(my_id, name, sym, new);
1247 free:
1248 free_string(name);
1249 }
1250
1251 struct param_key_data {
1252 param_key_hook *call_back;
1253 int param;
1254 const char *key;
1255 void *info;
1256 };
1257
1258 static void match_function_def(struct symbol *sym)
1259 {
1260 if (is_host_data_fn(sym))
1261 func_gets_host_data = true;
1262 }
1263
1264 static void set_param_host_input_data(struct expression *expr, const char *name,
1265 struct symbol *sym, void *data)
1266 {
1267 struct expression *arg;
1268
1269 func_gets_host_data = true;
1270 arg = gen_expression_from_name_sym(name, sym);
1271 tag_as_host_data(arg);
1272 }
1273
1274 void register_kernel_host_data(int id)
1275 {
1276 int i;
1277 struct host_fn_info *info;
1278
1279 my_id = id;
1280
1281 if (option_project != PROJ_KERNEL)
1282 return;
1283
1284 set_dynamic_states(my_id);
1285 add_function_data(&func_gets_host_data);
1286 add_hook(&match_function_def, FUNC_DEF_HOOK);
1287
1288 add_function_data((unsigned long *)&start_states);
1289 add_unmatched_state_hook(my_id, &empty_state);
1290 add_extra_nomod_hook(&extra_nomod_hook);
1291 add_pre_merge_hook(my_id, &pre_merge_hook);
1292 add_merge_hook(my_id, &merge_estates);
1293
1294
1295 for (i = 0; i < ARRAY_SIZE(func_table); i++) {
1296 info = &func_table[i];
1297 add_function_param_key_hook_late(info->name, &set_param_host_input_data,
1298 info->param, info->key, info);
1299 }
1300
1301 for (i = 0; i < ARRAY_SIZE(func_table); i++) {
1302 if (func_table[i].param == -1)
1303 add_function_hook(func_table[i].name, &match_returns_host_rl, NULL);
1304 }
1305
1306 add_hook(&match_assign_host, ASSIGNMENT_HOOK);
1307 select_return_states_hook(PARAM_SET, &db_param_set);
1308 add_hook(&match_condition_host, CONDITION_HOOK);
1309
1310 add_caller_info_callback(my_id, caller_info_callback_host);
1311 add_return_info_callback(my_id, return_info_callback_host);
1312 select_caller_info_hook(set_param_host_data, HOST_DATA);
1313 select_return_states_hook(HOST_DATA, &returns_param_host_data);
1314 select_return_states_hook(HOST_DATA_SET, &returns_param_host_data_set);
1315 select_return_states_hook(CAPPED_DATA, &returns_param_capped_host);
1316 }
Static analysis for C