check_checking_for_null_instead_of_err_ptr.c

   1 /*
   2  * Copyright (C) 2017 Oracle.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include "smatch.h"
  19 #include "smatch_slist.h"
  20 #include "smatch_extra.h"
  21
  22 static int my_id;
  23
  24 static const char *untrusted_fn_ptrs[] = {
  25         "(struct target_core_fabric_ops)->fabric_make_np",
  26         "(struct target_core_fabric_ops)->fabric_make_tpg",
  27         "(struct configfs_group_operations)->make_item",
  28         "(cgroup_subsys_state)->css_alloc",
  29 };
  30
  31 static bool from_untrusted_fn_ptr(struct expression *expr)
  32 {
  33         struct expression *prev;
  34         char *member_name;
  35         bool ret = false;
  36         int i;
  37
  38         prev = get_assigned_expr(expr);
  39         if (!prev || prev->type != EXPR_CALL)
  40                 return false;
  41
  42         member_name = get_member_name(prev->fn);
  43         if (!member_name)
  44                 return false;
  45
  46         for (i = 0; i < ARRAY_SIZE(untrusted_fn_ptrs); i++) {
  47                 if (strcmp(member_name, untrusted_fn_ptrs[i]) == 0) {
  48                         ret = true;
  49                         break;
  50                 }
  51         }
  52         free_string(member_name);
  53         return ret;
  54 }
  55
  56 static void match_condition(struct expression *expr)
  57 {
  58         char *name;
  59
  60         while (expr->type == EXPR_ASSIGNMENT)
  61                 expr = strip_expr(expr->left);
  62
  63         if (!is_pointer(expr))
  64                 return;
  65
  66         if (implied_not_equal(expr, 0) &&
  67             possible_err_ptr(expr) &&
  68             !from_untrusted_fn_ptr(expr)) {
  69                 name = expr_to_str(expr);
  70                 sm_msg("warn: '%s' is an error pointer or valid", name);
  71                 free_string(name);
  72         }
  73 }
  74
  75 static void match_condition2(struct expression *expr)
  76 {
  77         struct range_list *rl;
  78         struct data_range *drange;
  79         char *name;
  80
  81         if (!is_pointer(expr))
  82                 return;
  83         if (!get_implied_rl(expr, &rl))
  84                 return;
  85
  86         FOR_EACH_PTR(rl, drange) {
  87                 if (sval_cmp(drange->min, drange->max) != 0)
  88                         continue;
  89                 if (drange->min.value >= -4095 && drange->min.value < 0)
  90                         goto warn;
  91         } END_FOR_EACH_PTR(drange);
  92
  93         return;
  94
  95 warn:
  96         if (from_untrusted_fn_ptr(expr))
  97                 return;
  98
  99         name = expr_to_str(expr);
 100         sm_warning("'%s' could be an error pointer", name);
 101         free_string(name);
 102 }
 103
 104 void check_checking_for_null_instead_of_err_ptr(int id)
 105 {
 106         if (option_project != PROJ_KERNEL)
 107                 return;
 108
 109         my_id = id;
 110         add_hook(&match_condition, CONDITION_HOOK);
 111         if (option_spammy)
 112                 add_hook(&match_condition2, CONDITION_HOOK);
 113 }
 114