search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel: fix a type bug handling err_cast()
[smatch.git] / smatch_kernel_user_data.c
blobc25b30c7ec2267b6cdeb20b6fcabb59155d0f135
1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
23 */
24
25 #include "smatch.h"
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
28
29 static int my_id;
30 static int my_call_id;
31
32 STATE(called);
33 static bool func_gets_user_data;
34
35 static const char *kstr_funcs[] = {
36 "kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
37 "kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
38 "kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user"
39 "kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
40 "kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
41 "kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
42 "kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
43 "kstrtos32_from_user",
44 };
45
46 static const char *returns_user_data[] = {
47 "simple_strtol", "simple_strtoll", "simple_strtoul", "simple_strtoull",
48 "kvm_register_read",
49 };
50
51 static const char *returns_pointer_to_user_data[] = {
52 "nlmsg_data", "nla_data", "memdup_user", "kmap_atomic", "skb_network_header",
53 };
54
55 static void set_points_to_user_data(struct expression *expr);
56
57 static struct stree *start_states;
58 static struct stree_stack *saved_stack;
59 static void save_start_states(struct statement *stmt)
60 {
61 start_states = clone_stree(__get_cur_stree());
62 }
63
64 static void free_start_states(void)
65 {
66 free_stree(&start_states);
67 }
68
69 static void match_save_states(struct expression *expr)
70 {
71 push_stree(&saved_stack, start_states);
72 start_states = NULL;
73 }
74
75 static void match_restore_states(struct expression *expr)
76 {
77 free_stree(&start_states);
78 start_states = pop_stree(&saved_stack);
79 }
80
81 static struct smatch_state *empty_state(struct sm_state *sm)
82 {
83 return alloc_estate_empty();
84 }
85
86 static void pre_merge_hook(struct sm_state *cur, struct sm_state *other)
87 {
88 struct smatch_state *user = cur->state;
89 struct smatch_state *extra;
90 struct smatch_state *state;
91 struct range_list *rl;
92
93 extra = __get_state(SMATCH_EXTRA, cur->name, cur->sym);
94 if (!extra)
95 return;
96 rl = rl_intersection(estate_rl(user), estate_rl(extra));
97 state = alloc_estate_rl(clone_rl(rl));
98 if (estate_capped(user) || is_capped_var_sym(cur->name, cur->sym))
99 estate_set_capped(state);
100 if (estate_treat_untagged(user))
101 estate_set_treat_untagged(state);
102 set_state(my_id, cur->name, cur->sym, state);
103 }
104
105 static void extra_nomod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
106 {
107 struct smatch_state *user, *new;
108 struct range_list *rl;
109
110 user = __get_state(my_id, name, sym);
111 if (!user)
112 return;
113 rl = rl_intersection(estate_rl(user), estate_rl(state));
114 if (rl_equiv(rl, estate_rl(user)))
115 return;
116 new = alloc_estate_rl(rl);
117 if (estate_capped(user))
118 estate_set_capped(new);
119 if (estate_treat_untagged(user))
120 estate_set_treat_untagged(new);
121 set_state(my_id, name, sym, new);
122 }
123
124 static bool binop_capped(struct expression *expr)
125 {
126 struct range_list *left_rl;
127 int comparison;
128
129 if (expr->op == '-' && get_user_rl(expr->left, &left_rl)) {
130 if (user_rl_capped(expr->left))
131 return true;
132 comparison = get_comparison(expr->left, expr->right);
133 if (comparison && show_special(comparison)[0] == '>')
134 return true;
135 return false;
136 }
137
138 if (expr->op == '&' || expr->op == '%') {
139 if (is_capped(expr->left) || is_capped(expr->right))
140 return true;
141 if (user_rl_capped(expr->left) || user_rl_capped(expr->right))
142 return true;
143 return false;
144 }
145
146 if (user_rl_capped(expr->left) &&
147 user_rl_capped(expr->right))
148 return true;
149 return false;
150 }
151
152 bool user_rl_capped(struct expression *expr)
153 {
154 struct smatch_state *state;
155 struct range_list *rl;
156 sval_t sval;
157
158 expr = strip_expr(expr);
159 if (!expr)
160 return false;
161 if (get_value(expr, &sval))
162 return true;
163 if (expr->type == EXPR_BINOP)
164 return binop_capped(expr);
165 if ((expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) &&
166 (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT))
167 return user_rl_capped(expr->unop);
168 state = get_state_expr(my_id, expr);
169 if (state)
170 return estate_capped(state);
171
172 if (get_user_rl(expr, &rl))
173 return false; /* uncapped user data */
174
175 return true; /* not actually user data */
176 }
177
178 bool user_rl_treat_untagged(struct expression *expr)
179 {
180 struct smatch_state *state;
181 struct range_list *rl;
182 sval_t sval;
183
184 expr = strip_expr(expr);
185 if (!expr)
186 return false;
187 if (get_value(expr, &sval))
188 return true;
189
190 state = get_state_expr(my_id, expr);
191 if (state)
192 return estate_treat_untagged(state);
193
194 if (get_user_rl(expr, &rl))
195 return false; /* uncapped user data */
196
197 return true; /* not actually user data */
198 }
199
200 static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
201 {
202 struct expression *edge_member;
203 struct symbol *base = get_real_base_type(member);
204 struct symbol *tmp;
205
206 if (member->ident)
207 expr = member_expression(expr, '.', member->ident);
208
209 FOR_EACH_PTR(base->symbol_list, tmp) {
210 struct symbol *type;
211
212 type = get_real_base_type(tmp);
213 if (!type)
214 continue;
215
216 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
217 tag_inner_struct_members(expr, tmp);
218 continue;
219 }
220
221 if (!tmp->ident)
222 continue;
223
224 edge_member = member_expression(expr, '.', tmp->ident);
225 set_state_expr(my_id, edge_member, alloc_estate_whole(type));
226 } END_FOR_EACH_PTR(tmp);
227 }
228
229 static void tag_struct_members(struct symbol *type, struct expression *expr)
230 {
231 struct symbol *tmp;
232 struct expression *member;
233 int op = '*';
234
235 if (expr->type == EXPR_PREOP && expr->op == '&') {
236 expr = strip_expr(expr->unop);
237 op = '.';
238 }
239
240 FOR_EACH_PTR(type->symbol_list, tmp) {
241 type = get_real_base_type(tmp);
242 if (!type)
243 continue;
244
245 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
246 tag_inner_struct_members(expr, tmp);
247 continue;
248 }
249
250 if (!tmp->ident)
251 continue;
252
253 member = member_expression(expr, op, tmp->ident);
254 set_state_expr(my_id, member, alloc_estate_whole(get_type(member)));
255
256 if (type->type == SYM_ARRAY)
257 set_points_to_user_data(member);
258 } END_FOR_EACH_PTR(tmp);
259 }
260
261 static void tag_base_type(struct expression *expr)
262 {
263 if (expr->type == EXPR_PREOP && expr->op == '&')
264 expr = strip_expr(expr->unop);
265 else
266 expr = deref_expression(expr);
267 set_state_expr(my_id, expr, alloc_estate_whole(get_type(expr)));
268 }
269
270 static void tag_as_user_data(struct expression *expr)
271 {
272 struct symbol *type;
273
274 expr = strip_expr(expr);
275
276 type = get_type(expr);
277 if (!type || type->type != SYM_PTR)
278 return;
279 type = get_real_base_type(type);
280 if (!type)
281 return;
282 if (type == &void_ctype) {
283 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
284 return;
285 }
286 if (type->type == SYM_BASETYPE)
287 tag_base_type(expr);
288 if (type->type == SYM_STRUCT || type->type == SYM_UNION) {
289 if (expr->type != EXPR_PREOP || expr->op != '&')
290 expr = deref_expression(expr);
291 else
292 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
293 tag_struct_members(type, expr);
294 }
295 }
296
297 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
298 {
299 int param = PTR_INT(_param);
300 struct expression *dest;
301
302 func_gets_user_data = true;
303
304 dest = get_argument_from_call_expr(expr->args, param);
305 dest = strip_expr(dest);
306 if (!dest)
307 return;
308 tag_as_user_data(dest);
309 }
310
311 static int is_dev_attr_name(struct expression *expr)
312 {
313 char *name;
314 int ret = 0;
315
316 name = expr_to_str(expr);
317 if (!name)
318 return 0;
319 if (strstr(name, "->attr.name"))
320 ret = 1;
321 free_string(name);
322 return ret;
323 }
324
325 static int ends_in_n(struct expression *expr)
326 {
327 struct string *str;
328
329 if (!expr)
330 return 0;
331 if (expr->type != EXPR_STRING || !expr->string)
332 return 0;
333
334 str = expr->string;
335 if (str->length < 3)
336 return 0;
337
338 if (str->data[str->length - 3] == '%' &&
339 str->data[str->length - 2] == 'n')
340 return 1;
341 return 0;
342 }
343
344 static void match_sscanf(const char *fn, struct expression *expr, void *unused)
345 {
346 struct expression *str, *format, *arg;
347 int i, last;
348
349 func_gets_user_data = true;
350
351 str = get_argument_from_call_expr(expr->args, 0);
352 if (is_dev_attr_name(str))
353 return;
354
355 format = get_argument_from_call_expr(expr->args, 1);
356 if (is_dev_attr_name(format))
357 return;
358
359 last = ptr_list_size((struct ptr_list *)expr->args) - 1;
360
361 i = -1;
362 FOR_EACH_PTR(expr->args, arg) {
363 i++;
364 if (i < 2)
365 continue;
366 if (i == last && ends_in_n(format))
367 continue;
368 tag_as_user_data(arg);
369 } END_FOR_EACH_PTR(arg);
370 }
371
372 static int is_skb_data(struct expression *expr)
373 {
374 struct symbol *sym;
375
376 if (!expr)
377 return 0;
378
379 if (expr->type == EXPR_BINOP && expr->op == '+')
380 return is_skb_data(expr->left);
381
382 expr = strip_expr(expr);
383 if (!expr)
384 return 0;
385 if (expr->type != EXPR_DEREF || expr->op != '.')
386 return 0;
387
388 if (!expr->member)
389 return 0;
390 if (strcmp(expr->member->name, "data") != 0)
391 return 0;
392
393 sym = expr_to_sym(expr->deref);
394 if (!sym)
395 return 0;
396 sym = get_real_base_type(sym);
397 if (!sym || sym->type != SYM_PTR)
398 return 0;
399 sym = get_real_base_type(sym);
400 if (!sym || sym->type != SYM_STRUCT || !sym->ident)
401 return 0;
402 if (strcmp(sym->ident->name, "sk_buff") != 0)
403 return 0;
404
405 return 1;
406 }
407
408 static bool is_points_to_user_data_fn(struct expression *expr)
409 {
410 int i;
411
412 expr = strip_expr(expr);
413 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
414 !expr->fn->symbol)
415 return false;
416 expr = expr->fn;
417 for (i = 0; i < ARRAY_SIZE(returns_pointer_to_user_data); i++) {
418 if (sym_name_is(returns_pointer_to_user_data[i], expr))
419 return true;
420 }
421 return false;
422 }
423
424 static int get_rl_from_function(struct expression *expr, struct range_list **rl)
425 {
426 int i;
427
428 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
429 !expr->fn->symbol_name || !expr->fn->symbol_name->name)
430 return 0;
431
432 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
433 if (strcmp(expr->fn->symbol_name->name, returns_user_data[i]) == 0) {
434 *rl = alloc_whole_rl(get_type(expr));
435 return 1;
436 }
437 }
438 return 0;
439 }
440
441 int points_to_user_data(struct expression *expr)
442 {
443 struct smatch_state *state;
444 struct range_list *rl;
445 char buf[256];
446 struct symbol *sym;
447 char *name;
448 int ret = 0;
449
450 expr = strip_expr(expr);
451 if (!expr)
452 return 0;
453 if (is_skb_data(expr))
454 return 1;
455 if (is_points_to_user_data_fn(expr))
456 return 1;
457 if (get_rl_from_function(expr, &rl))
458 return 1;
459
460 if (expr->type == EXPR_BINOP && expr->op == '+') {
461 if (points_to_user_data(expr->left))
462 return 1;
463 if (points_to_user_data(expr->right))
464 return 1;
465 return 0;
466 }
467
468 name = expr_to_var_sym(expr, &sym);
469 if (!name || !sym)
470 goto free;
471 snprintf(buf, sizeof(buf), "*%s", name);
472 state = __get_state(my_id, buf, sym);
473 if (state && estate_rl(state))
474 ret = 1;
475 free:
476 free_string(name);
477 return ret;
478 }
479
480 static void set_points_to_user_data(struct expression *expr)
481 {
482 char *name;
483 struct symbol *sym;
484 char buf[256];
485 struct symbol *type;
486
487 name = expr_to_var_sym(expr, &sym);
488 if (!name || !sym)
489 goto free;
490 snprintf(buf, sizeof(buf), "*%s", name);
491 type = get_type(expr);
492 if (type && type->type == SYM_PTR)
493 type = get_real_base_type(type);
494 if (!type || type->type != SYM_BASETYPE)
495 type = &llong_ctype;
496 set_state(my_id, buf, sym, alloc_estate_whole(type));
497 free:
498 free_string(name);
499 }
500
501 static int comes_from_skb_data(struct expression *expr)
502 {
503 expr = strip_expr(expr);
504 if (!expr || expr->type != EXPR_PREOP || expr->op != '*')
505 return 0;
506
507 expr = strip_expr(expr->unop);
508 if (!expr)
509 return 0;
510 if (expr->type == EXPR_BINOP && expr->op == '+')
511 expr = strip_expr(expr->left);
512
513 return is_skb_data(expr);
514 }
515
516 static int handle_struct_assignment(struct expression *expr)
517 {
518 struct expression *right;
519 struct symbol *left_type, *right_type;
520
521 left_type = get_type(expr->left);
522 if (!left_type || left_type->type != SYM_PTR)
523 return 0;
524 left_type = get_real_base_type(left_type);
525 if (!left_type)
526 return 0;
527 if (left_type->type != SYM_STRUCT &&
528 left_type->type != SYM_UNION)
529 return 0;
530
531 /*
532 * Ignore struct to struct assignments because for those we look at the
533 * individual members.
534 */
535 right = strip_expr(expr->right);
536 right_type = get_type(right);
537 if (!right_type || right_type->type != SYM_PTR)
538 return 0;
539
540 /* If we are assigning struct members then normally that is handled
541 * by fake assignments, however if we cast one struct to a different
542 * of struct then we handle that here.
543 */
544 right_type = get_real_base_type(right_type);
545 if (right_type == left_type)
546 return 0;
547
548 if (!points_to_user_data(right))
549 return 0;
550
551 tag_as_user_data(expr->left);
552 return 1;
553 }
554
555 static int handle_get_user(struct expression *expr)
556 {
557 char *name;
558 int ret = 0;
559
560 name = get_macro_name(expr->pos);
561 if (!name || strcmp(name, "get_user") != 0)
562 return 0;
563
564 name = expr_to_var(expr->right);
565 if (!name || (strcmp(name, "__val_gu") != 0 && strcmp(name, "__gu_val") != 0))
566 goto free;
567 set_state_expr(my_id, expr->left, alloc_estate_whole(get_type(expr->left)));
568 ret = 1;
569 free:
570 free_string(name);
571 return ret;
572 }
573
574 static bool handle_op_assign(struct expression *expr)
575 {
576 struct expression *binop_expr;
577 struct smatch_state *state;
578 struct range_list *rl;
579
580 switch (expr->op) {
581 case SPECIAL_ADD_ASSIGN:
582 case SPECIAL_SUB_ASSIGN:
583 case SPECIAL_AND_ASSIGN:
584 case SPECIAL_MOD_ASSIGN:
585 case SPECIAL_SHL_ASSIGN:
586 case SPECIAL_SHR_ASSIGN:
587 case SPECIAL_OR_ASSIGN:
588 case SPECIAL_XOR_ASSIGN:
589 case SPECIAL_MUL_ASSIGN:
590 case SPECIAL_DIV_ASSIGN:
591 binop_expr = binop_expression(expr->left,
592 op_remove_assign(expr->op),
593 expr->right);
594 if (!get_user_rl(binop_expr, &rl))
595 return true;
596
597 rl = cast_rl(get_type(expr->left), rl);
598 state = alloc_estate_rl(rl);
599 if (user_rl_capped(binop_expr))
600 estate_set_capped(state);
601 if (user_rl_treat_untagged(expr->left))
602 estate_set_treat_untagged(state);
603 set_state_expr(my_id, expr->left, state);
604 return true;
605 }
606 return false;
607 }
608
609 static void match_assign(struct expression *expr)
610 {
611 struct range_list *rl;
612 static struct expression *handled;
613 struct smatch_state *state;
614 struct expression *faked;
615
616 faked = get_faked_expression();
617 if (faked && faked == handled)
618 return;
619 if (is_fake_call(expr->right))
620 goto clear_old_state;
621 if (handle_get_user(expr))
622 return;
623 if (points_to_user_data(expr->right)) {
624 handled = expr;
625 set_points_to_user_data(expr->left);
626 }
627 if (handle_struct_assignment(expr))
628 return;
629
630 if (handle_op_assign(expr))
631 return;
632 if (expr->op != '=')
633 goto clear_old_state;
634
635 /* Handled by DB code */
636 if (expr->right->type == EXPR_CALL || __in_fake_parameter_assign)
637 return;
638
639 if (!get_user_rl(expr->right, &rl))
640 goto clear_old_state;
641
642 rl = cast_rl(get_type(expr->left), rl);
643 state = alloc_estate_rl(rl);
644
645 if (user_rl_capped(expr->right))
646 estate_set_capped(state);
647 if (user_rl_treat_untagged(expr->right))
648 estate_set_treat_untagged(state);
649 set_state_expr(my_id, expr->left, state);
650
651 return;
652
653 clear_old_state:
654 if (get_state_expr(my_id, expr->left))
655 set_state_expr(my_id, expr->left, alloc_estate_empty());
656 }
657
658 static void handle_eq_noteq(struct expression *expr)
659 {
660 struct smatch_state *left_orig, *right_orig;
661
662 left_orig = get_state_expr(my_id, expr->left);
663 right_orig = get_state_expr(my_id, expr->right);
664
665 if (!left_orig && !right_orig)
666 return;
667 if (left_orig && right_orig)
668 return;
669
670 if (left_orig) {
671 set_true_false_states_expr(my_id, expr->left,
672 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
673 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
674 } else {
675 set_true_false_states_expr(my_id, expr->right,
676 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
677 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
678 }
679 }
680
681 static struct range_list *strip_negatives(struct range_list *rl)
682 {
683 sval_t min = rl_min(rl);
684 sval_t minus_one = { .type = rl_type(rl), .value = -1 };
685 sval_t over = { .type = rl_type(rl), .value = INT_MAX + 1ULL };
686 sval_t max = sval_type_max(rl_type(rl));
687
688 if (!rl)
689 return NULL;
690
691 if (type_unsigned(rl_type(rl)) && type_bits(rl_type(rl)) > 31)
692 return remove_range(rl, over, max);
693
694 return remove_range(rl, min, minus_one);
695 }
696
697 static void handle_compare(struct expression *expr)
698 {
699 struct expression *left, *right;
700 struct range_list *left_rl = NULL;
701 struct range_list *right_rl = NULL;
702 struct range_list *user_rl;
703 struct smatch_state *capped_state;
704 struct smatch_state *left_true = NULL;
705 struct smatch_state *left_false = NULL;
706 struct smatch_state *right_true = NULL;
707 struct smatch_state *right_false = NULL;
708 struct symbol *type;
709 sval_t sval;
710
711 left = strip_expr(expr->left);
712 right = strip_expr(expr->right);
713
714 while (left->type == EXPR_ASSIGNMENT)
715 left = strip_expr(left->left);
716
717 /*
718 * Conditions are mostly handled by smatch_extra.c, but there are some
719 * times where the exact values are not known so we can't do that.
720 *
721 * Normally, we might consider using smatch_capped.c to supliment smatch
722 * extra but that doesn't work when we merge unknown uncapped kernel
723 * data with unknown capped user data. The result is uncapped user
724 * data. We need to keep it separate and say that the user data is
725 * capped. In the past, I would have marked this as just regular
726 * kernel data (not user data) but we can't do that these days because
727 * we need to track user data for Spectre.
728 *
729 * The other situation which we have to handle is when we do have an
730 * int and we compare against an unknown unsigned kernel variable. In
731 * that situation we assume that the kernel data is less than INT_MAX.
732 * Otherwise then we get all sorts of array underflow false positives.
733 *
734 */
735
736 /* Handled in smatch_extra.c */
737 if (get_implied_value(left, &sval) ||
738 get_implied_value(right, &sval))
739 return;
740
741 get_user_rl(left, &left_rl);
742 get_user_rl(right, &right_rl);
743
744 /* nothing to do */
745 if (!left_rl && !right_rl)
746 return;
747 /* if both sides are user data that's not a good limit */
748 if (left_rl && right_rl)
749 return;
750
751 if (left_rl)
752 user_rl = left_rl;
753 else
754 user_rl = right_rl;
755
756 type = get_type(expr);
757 if (type_unsigned(type))
758 user_rl = strip_negatives(user_rl);
759 capped_state = alloc_estate_rl(user_rl);
760 estate_set_capped(capped_state);
761
762 switch (expr->op) {
763 case '<':
764 case SPECIAL_UNSIGNED_LT:
765 case SPECIAL_LTE:
766 case SPECIAL_UNSIGNED_LTE:
767 if (left_rl)
768 left_true = capped_state;
769 else
770 right_false = capped_state;
771 break;
772 case '>':
773 case SPECIAL_UNSIGNED_GT:
774 case SPECIAL_GTE:
775 case SPECIAL_UNSIGNED_GTE:
776 if (left_rl)
777 left_false = capped_state;
778 else
779 right_true = capped_state;
780 break;
781 }
782
783 set_true_false_states_expr(my_id, left, left_true, left_false);
784 set_true_false_states_expr(my_id, right, right_true, right_false);
785 }
786
787 static void match_condition(struct expression *expr)
788 {
789 if (expr->type != EXPR_COMPARE)
790 return;
791
792 if (expr->op == SPECIAL_EQUAL ||
793 expr->op == SPECIAL_NOTEQUAL) {
794 handle_eq_noteq(expr);
795 return;
796 }
797
798 handle_compare(expr);
799 }
800
801 static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
802 {
803 tag_as_user_data(expr->left);
804 set_points_to_user_data(expr->left);
805 }
806
807 static void match_returns_user_rl(const char *fn, struct expression *expr, void *unused)
808 {
809 func_gets_user_data = true;
810 }
811
812 static int get_user_macro_rl(struct expression *expr, struct range_list **rl)
813 {
814 struct expression *parent;
815 char *macro;
816
817 if (!expr)
818 return 0;
819
820 macro = get_macro_name(expr->pos);
821 if (!macro)
822 return 0;
823
824 /* handle ntohl(foo[i]) where "i" is trusted */
825 parent = expr_get_parent_expr(expr);
826 while (parent && parent->type != EXPR_BINOP)
827 parent = expr_get_parent_expr(parent);
828 if (parent && parent->type == EXPR_BINOP) {
829 char *parent_macro = get_macro_name(parent->pos);
830
831 if (parent_macro && strcmp(macro, parent_macro) == 0)
832 return 0;
833 }
834
835 if (strcmp(macro, "ntohl") == 0) {
836 *rl = alloc_whole_rl(&uint_ctype);
837 return 1;
838 }
839 if (strcmp(macro, "ntohs") == 0) {
840 *rl = alloc_whole_rl(&ushort_ctype);
841 return 1;
842 }
843 return 0;
844 }
845
846 static int has_user_data(struct symbol *sym)
847 {
848 struct sm_state *tmp;
849
850 FOR_EACH_MY_SM(my_id, __get_cur_stree(), tmp) {
851 if (tmp->sym == sym)
852 return 1;
853 } END_FOR_EACH_SM(tmp);
854 return 0;
855 }
856
857 static int we_pass_user_data(struct expression *call)
858 {
859 struct expression *arg;
860 struct symbol *sym;
861
862 FOR_EACH_PTR(call->args, arg) {
863 sym = expr_to_sym(arg);
864 if (!sym)
865 continue;
866 if (has_user_data(sym))
867 return 1;
868 } END_FOR_EACH_PTR(arg);
869
870 return 0;
871 }
872
873 static int db_returned_user_rl(struct expression *call, struct range_list **rl)
874 {
875 struct smatch_state *state;
876 char buf[48];
877
878 if (is_fake_call(call))
879 return 0;
880 snprintf(buf, sizeof(buf), "return %p", call);
881 state = get_state(my_id, buf, NULL);
882 if (!state || !estate_rl(state))
883 return 0;
884 *rl = estate_rl(state);
885 return 1;
886 }
887
888 struct stree *get_user_stree(void)
889 {
890 return get_all_states_stree(my_id);
891 }
892
893 static int user_data_flag;
894 static int no_user_data_flag;
895 struct range_list *var_user_rl(struct expression *expr)
896 {
897 struct smatch_state *state;
898 struct range_list *rl;
899 struct range_list *absolute_rl;
900
901 if (expr->type == EXPR_PREOP && expr->op == '&') {
902 no_user_data_flag = 1;
903 return NULL;
904 }
905
906 if (expr->type == EXPR_BINOP && expr->op == '%') {
907 struct range_list *left, *right;
908
909 if (!get_user_rl(expr->right, &right))
910 return NULL;
911 get_absolute_rl(expr->left, &left);
912 rl = rl_binop(left, '%', right);
913 goto found;
914 }
915
916 if (expr->type == EXPR_BINOP && expr->op == '/') {
917 struct range_list *left = NULL;
918 struct range_list *right = NULL;
919 struct range_list *abs_right;
920
921 /*
922 * The specific bug I'm dealing with is:
923 *
924 * foo = capped_user / unknown;
925 *
926 * Instead of just saying foo is now entirely user_rl we should
927 * probably say instead that it is not at all user data.
928 *
929 */
930
931 get_user_rl(expr->left, &left);
932 get_user_rl(expr->right, &right);
933 get_absolute_rl(expr->right, &abs_right);
934
935 if (left && !right) {
936 rl = rl_binop(left, '/', abs_right);
937 if (sval_cmp(rl_max(left), rl_max(rl)) < 0)
938 no_user_data_flag = 1;
939 }
940
941 return NULL;
942 }
943
944 if (get_rl_from_function(expr, &rl))
945 goto found;
946
947 if (get_user_macro_rl(expr, &rl))
948 goto found;
949
950 if (comes_from_skb_data(expr)) {
951 rl = alloc_whole_rl(get_type(expr));
952 goto found;
953 }
954
955 state = get_state_expr(my_id, expr);
956 if (state && estate_rl(state)) {
957 rl = estate_rl(state);
958 goto found;
959 }
960
961 if (expr->type == EXPR_CALL && db_returned_user_rl(expr, &rl))
962 goto found;
963
964 if (is_array(expr)) {
965 struct expression *array = get_array_base(expr);
966
967 if (!get_state_expr(my_id, array)) {
968 no_user_data_flag = 1;
969 return NULL;
970 }
971 }
972
973 if (expr->type == EXPR_PREOP && expr->op == '*' &&
974 is_user_rl(expr->unop)) {
975 rl = var_to_absolute_rl(expr);
976 goto found;
977 }
978
979 return NULL;
980 found:
981 user_data_flag = 1;
982 absolute_rl = var_to_absolute_rl(expr);
983 return clone_rl(rl_intersection(rl, absolute_rl));
984 }
985
986 static bool is_ptr_subtract(struct expression *expr)
987 {
988 expr = strip_expr(expr);
989 if (!expr)
990 return false;
991 if (expr->type == EXPR_BINOP && expr->op == '-' &&
992 type_is_ptr(get_type(expr->left))) {
993 return true;
994 }
995 return false;
996 }
997
998 int get_user_rl(struct expression *expr, struct range_list **rl)
999 {
1000 if (is_ptr_subtract(expr))
1001 return 0;
1002
1003 user_data_flag = 0;
1004 no_user_data_flag = 0;
1005 custom_get_absolute_rl(expr, &var_user_rl, rl);
1006 if (!user_data_flag || no_user_data_flag)
1007 *rl = NULL;
1008
1009 return !!*rl;
1010 }
1011
1012 int is_user_rl(struct expression *expr)
1013 {
1014 struct range_list *tmp;
1015
1016 return !!get_user_rl(expr, &tmp);
1017 }
1018
1019 int get_user_rl_var_sym(const char *name, struct symbol *sym, struct range_list **rl)
1020 {
1021 struct smatch_state *state;
1022
1023 state = get_state(my_id, name, sym);
1024 if (state && estate_rl(state)) {
1025 *rl = estate_rl(state);
1026 return 1;
1027 }
1028 return 0;
1029 }
1030
1031 static char *get_user_rl_str(struct expression *expr, struct symbol *type)
1032 {
1033 struct range_list *rl;
1034 static char buf[64];
1035
1036 if (!get_user_rl(expr, &rl))
1037 return NULL;
1038 rl = cast_rl(type, rl);
1039 snprintf(buf, sizeof(buf), "%s%s%s",
1040 show_rl(rl),
1041 user_rl_capped(expr) ? "[c]" : "",
1042 user_rl_treat_untagged(expr) ? "[u]" : "");
1043 return buf;
1044 }
1045
1046 static void match_call_info(struct expression *expr)
1047 {
1048 struct expression *arg;
1049 struct symbol *type;
1050 char *str;
1051 int i;
1052
1053 i = -1;
1054 FOR_EACH_PTR(expr->args, arg) {
1055 i++;
1056 type = get_arg_type(expr->fn, i);
1057 str = get_user_rl_str(arg, type);
1058 if (!str)
1059 continue;
1060
1061 sql_insert_caller_info(expr, USER_DATA, i, "$", str);
1062 } END_FOR_EACH_PTR(arg);
1063 }
1064
1065 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
1066 {
1067 struct smatch_state *state;
1068 struct range_list *rl;
1069 struct symbol *type;
1070 char buf[64];
1071
1072 /*
1073 * Smatch uses a hack where if we get an unsigned long we say it's
1074 * both user data and it points to user data. But if we pass it to a
1075 * function which takes an int, then it's just user data. There's not
1076 * enough bytes for it to be a pointer.
1077 *
1078 */
1079 type = get_arg_type(call->fn, param);
1080 if (type && type_bits(type) < type_bits(&ptr_ctype))
1081 return;
1082
1083 if (strcmp(sm->state->name, "") == 0)
1084 return;
1085
1086 if (strcmp(printed_name, "*$") == 0 &&
1087 is_struct_ptr(sm->sym))
1088 return;
1089
1090 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
1091 if (!state || !estate_rl(state))
1092 rl = estate_rl(sm->state);
1093 else
1094 rl = rl_intersection(estate_rl(sm->state), estate_rl(state));
1095
1096 if (!rl)
1097 return;
1098
1099 snprintf(buf, sizeof(buf), "%s%s%s", show_rl(rl),
1100 estate_capped(sm->state) ? "[c]" : "",
1101 estate_treat_untagged(sm->state) ? "[u]" : "");
1102 sql_insert_caller_info(call, USER_DATA, param, printed_name, buf);
1103 }
1104
1105 static void db_param_set(struct expression *expr, int param, char *key, char *value)
1106 {
1107 struct expression *arg;
1108 char *name;
1109 struct symbol *sym;
1110 struct smatch_state *state;
1111
1112 while (expr->type == EXPR_ASSIGNMENT)
1113 expr = strip_expr(expr->right);
1114 if (expr->type != EXPR_CALL)
1115 return;
1116
1117 arg = get_argument_from_call_expr(expr->args, param);
1118 if (!arg)
1119 return;
1120 name = get_variable_from_key(arg, key, &sym);
1121 if (!name || !sym)
1122 goto free;
1123
1124 state = get_state(my_id, name, sym);
1125 if (!state)
1126 goto free;
1127
1128 set_state(my_id, name, sym, alloc_estate_empty());
1129 free:
1130 free_string(name);
1131 }
1132
1133 static bool param_data_capped(const char *value)
1134 {
1135 if (strstr(value, ",c") || strstr(value, "[c"))
1136 return true;
1137 return false;
1138 }
1139
1140 static bool param_data_treat_untagged(const char *value)
1141 {
1142 if (strstr(value, ",u") || strstr(value, "[u"))
1143 return true;
1144 return false;
1145 }
1146
1147 static void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
1148 {
1149 struct range_list *rl = NULL;
1150 struct smatch_state *state;
1151 struct expression *expr;
1152 struct symbol *type;
1153 char fullname[256];
1154 char *key_orig = key;
1155 bool add_star = false;
1156
1157 if (strcmp(key, "**$") == 0) {
1158 snprintf(fullname, sizeof(fullname), "**%s", name);
1159 } else {
1160 if (key[0] == '*') {
1161 add_star = true;
1162 key++;
1163 }
1164
1165 snprintf(fullname, 256, "%s%s%s", add_star ? "*" : "", name, key + 1);
1166 }
1167
1168 expr = symbol_expression(sym);
1169 type = get_member_type_from_key(expr, key_orig);
1170
1171 /*
1172 * Say this function takes a struct ponter but the caller passes
1173 * this_function(skb->data). We have two options, we could pass *$
1174 * as user data or we could pass foo->bar, foo->baz as user data.
1175 * The second option is easier to implement so we do that.
1176 *
1177 */
1178 if (strcmp(key_orig, "*$") == 0) {
1179 struct symbol *tmp = type;
1180
1181 while (tmp && tmp->type == SYM_PTR)
1182 tmp = get_real_base_type(tmp);
1183
1184 if (tmp && (tmp->type == SYM_STRUCT || tmp->type == SYM_UNION)) {
1185 tag_as_user_data(symbol_expression(sym));
1186 return;
1187 }
1188 }
1189
1190 str_to_rl(type, value, &rl);
1191 state = alloc_estate_rl(rl);
1192 if (param_data_capped(value) || is_capped(expr))
1193 estate_set_capped(state);
1194 if (param_data_treat_untagged(value) || sym->ctype.as == 5)
1195 estate_set_treat_untagged(state);
1196 set_state(my_id, fullname, sym, state);
1197 }
1198
1199 static void set_called(const char *name, struct symbol *sym, char *key, char *value)
1200 {
1201 set_state(my_call_id, "this_function", NULL, &called);
1202 }
1203
1204 static void match_syscall_definition(struct symbol *sym)
1205 {
1206 struct symbol *arg;
1207 char *macro;
1208 char *name;
1209 int is_syscall = 0;
1210
1211 macro = get_macro_name(sym->pos);
1212 if (macro &&
1213 (strncmp("SYSCALL_DEFINE", macro, strlen("SYSCALL_DEFINE")) == 0 ||
1214 strncmp("COMPAT_SYSCALL_DEFINE", macro, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
1215 is_syscall = 1;
1216
1217 name = get_function();
1218 if (!option_no_db && get_state(my_call_id, "this_function", NULL) != &called) {
1219 if (name && strncmp(name, "sys_", 4) == 0)
1220 is_syscall = 1;
1221 }
1222
1223 if (name && strncmp(name, "compat_sys_", 11) == 0)
1224 is_syscall = 1;
1225
1226 if (!is_syscall)
1227 return;
1228
1229 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
1230 set_state(my_id, arg->ident->name, arg, alloc_estate_whole(get_real_base_type(arg)));
1231 } END_FOR_EACH_PTR(arg);
1232 }
1233
1234 static void store_user_data_return(struct expression *expr, char *key, char *value)
1235 {
1236 struct range_list *rl;
1237 struct symbol *type;
1238 char buf[48];
1239
1240 if (strcmp(key, "$") != 0)
1241 return;
1242
1243 type = get_type(expr);
1244 snprintf(buf, sizeof(buf), "return %p", expr);
1245 call_results_to_rl(expr, type, value, &rl);
1246
1247 set_state(my_id, buf, NULL, alloc_estate_rl(rl));
1248 }
1249
1250 static void set_to_user_data(struct expression *expr, char *key, char *value)
1251 {
1252 struct smatch_state *state;
1253 char *name;
1254 struct symbol *sym;
1255 struct symbol *type;
1256 struct range_list *rl = NULL;
1257
1258 type = get_member_type_from_key(expr, key);
1259 name = get_variable_from_key(expr, key, &sym);
1260 if (!name || !sym)
1261 goto free;
1262
1263 call_results_to_rl(expr, type, value, &rl);
1264
1265 state = alloc_estate_rl(rl);
1266 if (param_data_capped(value))
1267 estate_set_capped(state);
1268 if (param_data_treat_untagged(value))
1269 estate_set_treat_untagged(state);
1270 set_state(my_id, name, sym, state);
1271 free:
1272 free_string(name);
1273 }
1274
1275 static void returns_param_user_data(struct expression *expr, int param, char *key, char *value)
1276 {
1277 struct expression *arg;
1278 struct expression *call;
1279
1280 call = expr;
1281 while (call->type == EXPR_ASSIGNMENT)
1282 call = strip_expr(call->right);
1283 if (call->type != EXPR_CALL)
1284 return;
1285
1286 if (!we_pass_user_data(call))
1287 return;
1288
1289 if (param == -1) {
1290 if (expr->type != EXPR_ASSIGNMENT) {
1291 store_user_data_return(expr, key, value);
1292 return;
1293 }
1294 set_to_user_data(expr->left, key, value);
1295 return;
1296 }
1297
1298 arg = get_argument_from_call_expr(call->args, param);
1299 if (!arg)
1300 return;
1301 set_to_user_data(arg, key, value);
1302 }
1303
1304 static void returns_param_user_data_set(struct expression *expr, int param, char *key, char *value)
1305 {
1306 struct expression *arg;
1307
1308 func_gets_user_data = true;
1309
1310 if (param == -1) {
1311 if (expr->type != EXPR_ASSIGNMENT) {
1312 store_user_data_return(expr, key, value);
1313 return;
1314 }
1315 if (strcmp(key, "*$") == 0) {
1316 set_points_to_user_data(expr->left);
1317 tag_as_user_data(expr->left);
1318 } else {
1319 set_to_user_data(expr->left, key, value);
1320 }
1321 return;
1322 }
1323
1324 while (expr->type == EXPR_ASSIGNMENT)
1325 expr = strip_expr(expr->right);
1326 if (expr->type != EXPR_CALL)
1327 return;
1328
1329 arg = get_argument_from_call_expr(expr->args, param);
1330 if (!arg)
1331 return;
1332 set_to_user_data(arg, key, value);
1333 }
1334
1335 static void param_set_to_user_data(int return_id, char *return_ranges, struct expression *expr)
1336 {
1337 struct sm_state *sm;
1338 struct smatch_state *start_state;
1339 struct range_list *rl;
1340 int param;
1341 char *return_str;
1342 const char *param_name;
1343 struct symbol *ret_sym;
1344 bool return_found = false;
1345 bool pointed_at_found = false;
1346 char buf[64];
1347
1348 expr = strip_expr(expr);
1349 return_str = expr_to_str(expr);
1350 ret_sym = expr_to_sym(expr);
1351
1352 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
1353 param = get_param_num_from_sym(sm->sym);
1354 if (param < 0)
1355 continue;
1356
1357 if (!param_was_set_var_sym(sm->name, sm->sym))
1358 continue;
1359
1360 /* The logic here was that if we were passed in a user data then
1361 * we don't record that. It's like the difference between
1362 * param_filter and param_set. When I think about it, I'm not
1363 * sure it actually works. It's probably harmless because we
1364 * checked earlier that we're not returning a parameter...
1365 * Let's mark this as a TODO.
1366 */
1367 start_state = get_state_stree(start_states, my_id, sm->name, sm->sym);
1368 if (start_state && rl_equiv(estate_rl(sm->state), estate_rl(start_state)))
1369 continue;
1370
1371 param_name = get_param_name(sm);
1372 if (!param_name)
1373 continue;
1374 if (strcmp(param_name, "$") == 0) /* The -1 param is handled after the loop */
1375 continue;
1376
1377 snprintf(buf, sizeof(buf), "%s%s%s",
1378 show_rl(estate_rl(sm->state)),
1379 estate_capped(sm->state) ? "[c]" : "",
1380 estate_treat_untagged(sm->state) ? "[u]" : "");
1381 sql_insert_return_states(return_id, return_ranges,
1382 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1383 param, param_name, buf);
1384 } END_FOR_EACH_SM(sm);
1385
1386 /* This if for "return foo;" where "foo->bar" is user data. */
1387 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
1388 if (!ret_sym)
1389 break;
1390 if (ret_sym != sm->sym)
1391 continue;
1392
1393 param_name = state_name_to_param_name(sm->name, return_str);
1394 if (!param_name)
1395 continue;
1396 if (strcmp(param_name, "$") == 0)
1397 return_found = true;
1398 if (strcmp(param_name, "*$") == 0)
1399 pointed_at_found = true;
1400 snprintf(buf, sizeof(buf), "%s%s%s",
1401 show_rl(estate_rl(sm->state)),
1402 estate_capped(sm->state) ? "[c]" : "",
1403 estate_treat_untagged(sm->state) ? "[u]" : "");
1404 sql_insert_return_states(return_id, return_ranges,
1405 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1406 -1, param_name, buf);
1407 } END_FOR_EACH_SM(sm);
1408
1409 /* This if for "return ntohl(foo);" */
1410 if (!return_found && get_user_rl(expr, &rl)) {
1411 snprintf(buf, sizeof(buf), "%s%s%s",
1412 show_rl(rl),
1413 user_rl_capped(expr) ? "[c]" : "",
1414 user_rl_treat_untagged(expr) ? "[u]" : "");
1415 sql_insert_return_states(return_id, return_ranges,
1416 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1417 -1, "$", buf);
1418 }
1419
1420 /*
1421 * This is to handle things like return skb->data where we don't set a
1422 * state for that.
1423 */
1424 if (!pointed_at_found && points_to_user_data(expr)) {
1425 sql_insert_return_states(return_id, return_ranges,
1426 (is_skb_data(expr) || func_gets_user_data) ?
1427 USER_DATA_SET : USER_DATA,
1428 -1, "*$", "s64min-s64max");
1429 }
1430
1431 free_string(return_str);
1432 }
1433
1434 static void returns_param_capped(struct expression *expr, int param, char *key, char *value)
1435 {
1436 struct smatch_state *state, *new;
1437 struct symbol *sym;
1438 char *name;
1439
1440 name = return_state_to_var_sym(expr, param, key, &sym);
1441 if (!name || !sym)
1442 goto free;
1443
1444 state = get_state(my_id, name, sym);
1445 if (!state || estate_capped(state))
1446 goto free;
1447
1448 new = clone_estate(state);
1449 estate_set_capped(new);
1450
1451 set_state(my_id, name, sym, new);
1452 free:
1453 free_string(name);
1454 }
1455
1456 static struct int_stack *gets_data_stack;
1457 static void match_function_def(struct symbol *sym)
1458 {
1459 func_gets_user_data = false;
1460 }
1461
1462 static void match_inline_start(struct expression *expr)
1463 {
1464 push_int(&gets_data_stack, func_gets_user_data);
1465 }
1466
1467 static void match_inline_end(struct expression *expr)
1468 {
1469 func_gets_user_data = pop_int(&gets_data_stack);
1470 }
1471
1472 void register_kernel_user_data(int id)
1473 {
1474 int i;
1475
1476 my_id = id;
1477
1478 if (option_project != PROJ_KERNEL)
1479 return;
1480
1481 set_dynamic_states(my_id);
1482
1483 add_hook(&match_function_def, FUNC_DEF_HOOK);
1484 add_hook(&match_inline_start, INLINE_FN_START);
1485 add_hook(&match_inline_end, INLINE_FN_END);
1486
1487 add_hook(&save_start_states, AFTER_DEF_HOOK);
1488 add_hook(&free_start_states, AFTER_FUNC_HOOK);
1489 add_hook(&match_save_states, INLINE_FN_START);
1490 add_hook(&match_restore_states, INLINE_FN_END);
1491
1492 add_unmatched_state_hook(my_id, &empty_state);
1493 add_extra_nomod_hook(&extra_nomod_hook);
1494 add_pre_merge_hook(my_id, &pre_merge_hook);
1495 add_merge_hook(my_id, &merge_estates);
1496
1497 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
1498 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
1499 add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
1500 for (i = 0; i < ARRAY_SIZE(kstr_funcs); i++)
1501 add_function_hook(kstr_funcs[i], &match_user_copy, INT_PTR(2));
1502 add_function_hook("usb_control_msg", &match_user_copy, INT_PTR(6));
1503
1504 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
1505 add_function_assign_hook(returns_user_data[i], &match_user_assign_function, NULL);
1506 add_function_hook(returns_user_data[i], &match_returns_user_rl, NULL);
1507 }
1508
1509 add_function_hook("sscanf", &match_sscanf, NULL);
1510
1511 add_hook(&match_syscall_definition, AFTER_DEF_HOOK);
1512
1513 add_hook(&match_assign, ASSIGNMENT_HOOK);
1514 select_return_states_hook(PARAM_SET, &db_param_set);
1515 add_hook(&match_condition, CONDITION_HOOK);
1516
1517 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
1518 add_member_info_callback(my_id, struct_member_callback);
1519 select_caller_info_hook(set_param_user_data, USER_DATA);
1520 select_return_states_hook(USER_DATA, &returns_param_user_data);
1521 select_return_states_hook(USER_DATA_SET, &returns_param_user_data_set);
1522 select_return_states_hook(CAPPED_DATA, &returns_param_capped);
1523 add_split_return_callback(&param_set_to_user_data);
1524 }
1525
1526 void register_kernel_user_data2(int id)
1527 {
1528 my_call_id = id;
1529
1530 if (option_project != PROJ_KERNEL)
1531 return;
1532 select_caller_info_hook(set_called, INTERNAL);
1533 }
1534
Static analysis for C