search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
small clean ups.
[smatch.git] / check_overflow.c
blob7e44b8ec9c62522c7febe590fccea676fbaf16f3
1 /*
2 * sparse/check_deference.c
3 *
4 * Copyright (C) 2006 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include <stdlib.h>
11 #include "parse.h"
12 #include "smatch.h"
13 #include "smatch_slist.h"
14
15 struct bound {
16 int param;
17 int size;
18 };
19
20 static int my_id;
21
22 static struct symbol *this_func;
23
24 static void match_function_def(struct symbol *sym)
25 {
26 this_func = sym;
27 }
28
29 static void print_args(struct expression *expr, int size)
30 {
31 struct symbol *sym;
32 char *name;
33 struct symbol *arg;
34 const char *arg_name;
35 int i;
36
37 if (!option_spammy)
38 return;
39
40 name = get_variable_from_expr(expr, &sym);
41 if (!name || !sym)
42 goto free;
43
44 i = 0;
45 FOR_EACH_PTR(this_func->ctype.base_type->arguments, arg) {
46 arg_name = (arg->ident?arg->ident->name:"-");
47 if (sym == arg && !strcmp(name, arg_name)) {
48 sm_msg("param %d array index. size %d", i, size);
49 goto free;
50 }
51 i++;
52 } END_FOR_EACH_PTR(arg);
53 free:
54 free_string(name);
55 }
56
57 static char *alloc_num(long long num)
58 {
59 static char buff[256];
60
61 if (num == whole_range.min) {
62 snprintf(buff, 255, "min");
63 } else if (num == whole_range.max) {
64 snprintf(buff, 255, "max");
65 } else if (num < 0) {
66 snprintf(buff, 255, "(%lld)", num);
67 } else {
68 snprintf(buff, 255, "%lld", num);
69 }
70 buff[255] = '\0';
71 return alloc_sname(buff);
72 }
73
74 static struct smatch_state *alloc_my_state(int val)
75 {
76 struct smatch_state *state;
77
78 state = malloc(sizeof(*state));
79 state->name = alloc_num(val);
80 state->data = malloc(sizeof(int));
81 *(int *)state->data = val;
82 return state;
83 }
84
85 static void match_declaration(struct symbol *sym)
86 {
87 struct symbol *base_type;
88 char *name;
89 int size;
90
91 if (!sym->ident)
92 return;
93
94 name = sym->ident->name;
95 base_type = get_base_type(sym);
96
97 if (base_type->type == SYM_ARRAY && base_type->bit_size > 0) {
98 set_state(my_id, name, NULL, alloc_my_state(base_type->bit_size));
99 } else {
100 if (sym->initializer &&
101 sym->initializer->type == EXPR_STRING &&
102 sym->initializer->string) {
103 size = sym->initializer->string->length * 8;
104 set_state(my_id, name, NULL, alloc_my_state(size));
105 }
106 }
107 }
108
109 static int get_array_size(struct expression *expr)
110 {
111 char *name;
112 struct symbol *tmp;
113 struct smatch_state *state;
114 int ret = 0;
115
116 if (expr->type != EXPR_SYMBOL)
117 return 0;
118 tmp = get_base_type(expr->symbol);
119 if (tmp->type == SYM_ARRAY) {
120 ret = get_expression_value(tmp->array_size);
121 if (ret)
122 return ret;
123 }
124 name = get_variable_from_expr(expr, NULL);
125 if (!name)
126 return 0;
127 state = get_state(my_id, name, NULL);
128 if (!state || !state->data)
129 goto free;
130 if (tmp->type == SYM_PTR)
131 tmp = get_base_type(tmp);
132 ret = *(int *)state->data / 8 / tmp->ctype.alignment;
133 free:
134 free_string(name);
135 return ret;
136 }
137
138 extern int check_assigned_expr_id;
139 static void print_assigned_expr(struct expression *expr)
140 {
141 #if 0
142 struct state_list *slist;
143 struct sm_state *tmp;
144 char *name;
145
146 name = get_variable_from_expr(expr, NULL);
147 slist = get_possible_states_expr(check_assigned_expr_id, expr);
148 FOR_EACH_PTR(slist, tmp) {
149 if (tmp->state == &undefined || tmp->state == &merged)
150 continue;
151 smatch_msg("debug: unknown initializer %s = %s", name, show_state(tmp->state));
152 } END_FOR_EACH_PTR(tmp);
153 free_string(name);
154 #endif
155 }
156
157 static void array_check(struct expression *expr)
158 {
159 struct expression *dest;
160 int array_size;
161 struct expression *offset;
162 long long max;
163 char *name;
164
165 expr = strip_expr(expr);
166 if (!is_array(expr))
167 return;
168
169 dest = get_array_name(expr);
170 array_size = get_array_size(dest);
171 if (!array_size) {
172 name = get_variable_from_expr(dest, NULL);
173 if (!name)
174 return;
175 // smatch_msg("debug: array '%s' unknown size", name);
176 print_assigned_expr(dest);
177 return;
178 }
179
180 offset = get_array_offset(expr);
181 if (!get_implied_max(offset, &max)) {
182 name = get_variable_from_expr(dest, NULL);
183 // smatch_msg("debug: offset '%s' unknown", name);
184 print_args(offset, array_size);
185 } else if (array_size <= max) {
186 name = get_variable_from_expr(dest, NULL);
187 /*FIXME!!!!!!!!!!!
188 blast. smatch can't figure out glibc's strcmp __strcmp_cg()
189 so it prints an error every time you compare to a string
190 literal array with 4 or less chars. */
191 if (strcmp(name, "__s1") && strcmp(name, "__s2"))
192 sm_msg("error: buffer overflow '%s' %d <= %lld", name, array_size, max);
193 free_string(name);
194 }
195 }
196
197 static void match_string_assignment(struct expression *expr)
198 {
199 struct expression *left;
200 struct expression *right;
201 char *name;
202
203 left = strip_expr(expr->left);
204 right = strip_expr(expr->right);
205 name = get_variable_from_expr(left, NULL);
206 if (!name)
207 return;
208 if (right->type != EXPR_STRING || !right->string)
209 goto free;
210 set_state(my_id, name, NULL,
211 alloc_my_state(right->string->length * 8));
212 free:
213 free_string(name);
214 }
215
216 static void match_malloc(const char *fn, struct expression *expr, void *unused)
217 {
218 char *name;
219 struct expression *right;
220 struct expression *arg;
221 long long bytes;
222
223 name = get_variable_from_expr(expr->left, NULL);
224 if (!name)
225 return;
226
227 right = strip_expr(expr->right);
228 arg = get_argument_from_call_expr(right->args, 0);
229 if (!get_implied_value(arg, &bytes))
230 goto free;
231 set_state(my_id, name, NULL, alloc_my_state(bytes * 8));
232 free:
233 free_string(name);
234 }
235
236 static void match_strcpy(const char *fn, struct expression *expr,
237 void *unused)
238 {
239 struct expression *dest;
240 struct expression *data;
241 char *dest_name = NULL;
242 char *data_name = NULL;
243 struct smatch_state *dest_state;
244 struct smatch_state *data_state;
245 int dest_size;
246 int data_size;
247
248 dest = get_argument_from_call_expr(expr->args, 0);
249 dest_name = get_variable_from_expr(dest, NULL);
250
251 data = get_argument_from_call_expr(expr->args, 1);
252 data_name = get_variable_from_expr(data, NULL);
253
254 dest_state = get_state(my_id, dest_name, NULL);
255 if (!dest_state || !dest_state->data)
256 goto free;
257
258 data_state = get_state(my_id, data_name, NULL);
259 if (!data_state || !data_state->data)
260 goto free;
261 dest_size = *(int *)dest_state->data / 8;
262 data_size = *(int *)data_state->data / 8;
263 if (dest_size < data_size)
264 sm_msg("error: %s (%d) too large for %s (%d)", data_name,
265 data_size, dest_name, dest_size);
266 free:
267 free_string(dest_name);
268 free_string(data_name);
269 }
270
271 static void match_limitted(const char *fn, struct expression *expr,
272 void *limit_arg)
273 {
274 struct expression *dest;
275 struct expression *data;
276 char *dest_name = NULL;
277 struct smatch_state *state;
278 long long needed;
279 int has;
280
281 dest = get_argument_from_call_expr(expr->args, 0);
282 dest_name = get_variable_from_expr(dest, NULL);
283
284 data = get_argument_from_call_expr(expr->args, PTR_INT(limit_arg));
285 if (!get_value(data, &needed))
286 goto free;
287 state = get_state(my_id, dest_name, NULL);
288 if (!state || !state->data)
289 goto free;
290 has = *(int *)state->data / 8;
291 if (has < needed)
292 sm_msg("error: %s too small for %lld bytes.", dest_name,
293 needed);
294 free:
295 free_string(dest_name);
296 }
297
298 static void match_array_func(const char *fn, struct expression *expr, void *info)
299 {
300 struct bound *bound_info = (struct bound *)info;
301 struct expression *arg;
302 long long offset;
303
304 arg = get_argument_from_call_expr(expr->args, bound_info->param);
305 if (!get_implied_value(arg, &offset))
306 return;
307 if (offset >= bound_info->size)
308 sm_msg("buffer overflow calling %s. param %d. %lld >= %d", fn, bound_info->param, offset, bound_info->size);
309 }
310
311 static void register_array_funcs(void)
312 {
313 struct token *token;
314 const char *func;
315 struct bound *bound_info;
316
317 token = get_tokens_file("kernel.array_bounds");
318 if (!token)
319 return;
320 if (token_type(token) != TOKEN_STREAMBEGIN)
321 return;
322 token = token->next;
323 while (token_type(token) != TOKEN_STREAMEND) {
324 bound_info = malloc(sizeof(*bound_info));
325 if (token_type(token) != TOKEN_IDENT)
326 return;
327 func = show_ident(token->ident);
328 token = token->next;
329 if (token_type(token) != TOKEN_NUMBER)
330 return;
331 bound_info->param = atoi(token->number);
332 token = token->next;
333 if (token_type(token) != TOKEN_NUMBER)
334 return;
335 bound_info->size = atoi(token->number);
336 add_function_hook(func, &match_array_func, bound_info);
337 token = token->next;
338 }
339 clear_token_alloc();
340 }
341
342 void check_overflow(int id)
343 {
344 my_id = id;
345 add_hook(&match_function_def, FUNC_DEF_HOOK);
346 add_hook(&match_declaration, DECLARATION_HOOK);
347 add_hook(&array_check, OP_HOOK);
348 add_hook(&match_string_assignment, ASSIGNMENT_HOOK);
349 add_function_assign_hook("malloc", &match_malloc, NULL);
350 add_function_hook("strcpy", &match_strcpy, NULL);
351 add_function_hook("strncpy", &match_limitted, (void *)2);
352 if (option_project == PROJ_KERNEL) {
353 add_function_assign_hook("kmalloc", &match_malloc, NULL);
354 add_function_assign_hook("kzalloc", &match_malloc, NULL);
355 add_function_assign_hook("vmalloc", &match_malloc, NULL);
356 add_function_hook("copy_to_user", &match_limitted, (void *)2);
357 add_function_hook("copy_from_user", &match_limitted, (void *)2);
358 }
359 register_array_funcs();
360 }
Static analysis for C