2 * smatch/check_user_data.c
4 * Copyright (C) 2011 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
11 * There are a couple of checks that try to see if a variable
12 * comes from the user. It would be better to unify them
13 * into one place. Also, we should follow the data down
14 * the call paths. Hence this file.
18 #include "smatch_slist.h"
/*
 * is_user_data() - report whether @expr is tracked by this check as holding
 * user-controlled data (the user_data state).
 *
 * The numbers in the left margin are the original source line numbers. Gaps
 * are lines this listing does not show (declarations, returns, braces), so
 * the control flow between the visible statements is partly inferred.
 */
25  int is_user_data(struct expression *expr)
27  	struct state_list *slist = NULL;
33  	expr = strip_expr(expr);
	/*
	 * Binary operation: both operands are tested recursively. The statements
	 * these tests guard are on lines not shown (38, 40); presumably the
	 * result counts as user data when either operand does -- confirm.
	 */
36  	if (expr->type == EXPR_BINOP) {
37  		if (is_user_data(expr->left))
39  		if (is_user_data(expr->right))
	/* For an address-of expression (&x), look at the state of x itself. */
43  	if (expr->type == EXPR_PREOP && expr->op == '&')
44  		expr = strip_expr(expr->unop);
	/*
	 * Direct lookup: the answer is whether user_data is among the possible
	 * states recorded for the expression.
	 * NOTE(review): tmp is dereferenced on line 48; line 47 (not shown)
	 * presumably guards against a missing state -- confirm.
	 */
46  	tmp = get_sm_state_expr(my_id, expr);
48  		return slist_has_state(tmp->possible, &user_data);
	/*
	 * Fallback: compare the expression's name against every state this
	 * check currently holds.
	 */
50  	name = get_variable_from_expr_complex(expr, &sym);
54  	slist = get_all_states(my_id);
55  	FOR_EACH_PTR(slist, tmp) {
		/*
		 * Prefix match: only strlen(tmp->name) bytes are compared, so a
		 * tracked name also matches any longer name that begins with it.
		 * That lets a tracked object cover names derived from it, but it
		 * also matches unrelated names sharing the prefix ("len" vs
		 * "length") unless lines 56-57 (not shown) filter on the symbol.
		 * NOTE(review): confirm, since a false match here reports
		 * untainted data as user-controlled.
		 */
58  		if (!strncmp(tmp->name, name, strlen(tmp->name))) {
59  			if (slist_has_state(tmp->possible, &user_data))
63  	} END_FOR_EACH_PTR(tmp);
/*
 * set_param_user_data() - callback registered in check_user_data() through
 * add_definition_db_callback(..., USER_DATA). It marks the variable named by
 * @name plus @key as user_data.
 *
 * @value is not read by any of the visible lines. Gaps in the margin line
 * numbers are source lines this listing does not show.
 */
71  void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
	/*
	 * Only keys that start with "$$" are handled; strncmp() is non-zero for
	 * anything else. The guarded statement (line 76) is not shown,
	 * presumably a return.
	 */
75  	if (strncmp(key, "$$", 2))
	/*
	 * Tracked name = @name followed by the part of @key after the "$$".
	 * NOTE(review): the declaration of fullname is not shown; confirm it is
	 * at least 256 bytes (sizeof would keep the two in step). snprintf()
	 * truncates silently, so an over-long name would be recorded under a
	 * shortened name rather than rejected.
	 */
77  	snprintf(fullname, 256, "%s%s", name, key + 2);
78  	set_state(my_id, fullname, sym, &user_data);
/*
 * match_condition() - condition hook (registered for CONDITION_HOOK in
 * check_user_data()). When an operand of a comparison is user data, it is
 * put in the capped state on the branch where the comparison bounds it. In
 * set_true_false_states_expr() the third argument is the state for the true
 * branch and the fourth the state for the false branch; NULL leaves that
 * branch unchanged.
 *
 * NOTE(review): capped records only that a comparison was made. Each operand
 * is handled on its own and the other side is never inspected, so comparing
 * a user-controlled value against another user-controlled value still marks
 * it capped. The visible labels are the unsigned forms; if signed comparisons
 * share these arms on the lines not shown (84-85, 93-94), an upper-bound-only
 * test on a signed value would also count as capped -- verify.
 *
 * Gaps in the margin line numbers are source lines this listing does not
 * show (the switch header, some case labels, the break statements).
 */
81  static void match_condition(struct expression *expr)
	/* left < right: left is bounded when true, right when false. */
86  	case SPECIAL_UNSIGNED_LT:
87  	case SPECIAL_UNSIGNED_LTE:
88  		if (is_user_data(expr->left))
89  			set_true_false_states_expr(my_id, expr->left, &capped, NULL);
90  		if (is_user_data(expr->right))
91  			set_true_false_states_expr(my_id, expr->right, NULL, &capped);
	/* left > right: the mirror image of the arm above. */
95  	case SPECIAL_UNSIGNED_GT:
96  	case SPECIAL_UNSIGNED_GTE:
97  		if (is_user_data(expr->right))
98  			set_true_false_states_expr(my_id, expr->right, &capped, NULL);
99  		if (is_user_data(expr->left))
100 			set_true_false_states_expr(my_id, expr->left, NULL, &capped);
	/*
	 * The case label for this arm (lines 101-102) is not shown. Both
	 * operands become capped on the true branch, which fits an equality
	 * test -- confirm.
	 */
103 		if (is_user_data(expr->left))
104 			set_true_false_states_expr(my_id, expr->left, &capped, NULL);
105 		if (is_user_data(expr->right))
106 			set_true_false_states_expr(my_id, expr->right, &capped, NULL);
	/* left != right: both operands are capped on the false (equal) branch. */
108 	case SPECIAL_NOTEQUAL:
109 		if (is_user_data(expr->left))
110 			set_true_false_states_expr(my_id, expr->left, NULL, &capped);
111 		if (is_user_data(expr->right))
112 			set_true_false_states_expr(my_id, expr->right, NULL, &capped);
/*
 * match_normal_assign() - handle an ordinary assignment (one that
 * match_assign() did not attribute to get_user).
 *
 * If the destination is currently tracked as user data, it is moved to the
 * capped state. is_user_data() answers by looking for user_data among the
 * possible states, so after this the destination is no longer reported on
 * this path.
 */
static void match_normal_assign(struct expression *expr)
{
	struct expression *dest = expr->left;

	if (!is_user_data(dest))
		return;

	set_state_expr(my_id, dest, &capped);
}
/*
 * match_assign() - assignment hook. It separates assignments produced by the
 * get_user macro from all others.
 *
 * Gaps in the margin line numbers are source lines this listing does not
 * show (declarations, returns, braces).
 */
126 static void match_assign(struct expression *expr)
	/*
	 * Anything that does not come from an expansion of the macro named
	 * "get_user" is treated as a normal assignment. Line 133 (not shown)
	 * presumably returns afterwards.
	 */
130 	name = get_macro_name(&expr->pos);
131 	if (!name || strcmp(name, "get_user") != 0) {
132 		match_normal_assign(expr);
	/*
	 * Inside get_user, only the assignment whose right-hand side is the
	 * variable "__val_gu" taints its destination.
	 * NOTE(review): this depends on the macro's internal temporary keeping
	 * that exact name. If the macro body differs (another architecture or
	 * kernel version), no taint is recorded and no warning is given --
	 * confirm against the target tree.
	 */
135 	name = get_variable_from_expr(expr->right, NULL);
136 	if (!name || strcmp(name, "__val_gu") != 0)
138 	set_state_expr(my_id, expr->left, &user_data);
/*
 * match_user_copy() - function hook for the copy-from-user helpers registered
 * in check_user_data(). @_param carries the index of the argument that
 * receives the user data, packed with INT_PTR() at registration (0 for every
 * hook visible in this file). @fn is not read by the visible lines.
 *
 * Gaps in the margin line numbers are source lines this listing does not
 * show.
 */
143 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
145 	int param = PTR_INT(_param);
146 	struct expression *dest;
148 	dest = get_argument_from_call_expr(expr->args, param);
149 	dest = strip_expr(dest);
	/*
	 * NOTE(review): dest is dereferenced on line 154; lines 150-151 (not
	 * shown) presumably reject a missing argument -- confirm.
	 */
152 	/* The first caller this was tested on passed &foo to the function. */
153 	set_state_expr(my_id, dest, &user_data);
154 	if (dest->type == EXPR_PREOP && dest->op == '&') {
155 		/* But normally I'd expect it to pass the actual variable. */
		/*
		 * Line 156 is not shown; presumably it replaces dest with the
		 * operand of '&', so both &foo and foo end up as user_data.
		 */
157 		set_state_expr(my_id, dest, &user_data);
/*
 * match_user_assign_function() - assign-hook callback: the value returned by
 * the hooked function comes from user space, so the left-hand side of the
 * assignment is marked user_data. Neither @fn nor @unused is read.
 */
static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
{
	struct expression *lhs = expr->left;

	set_state_expr(my_id, lhs, &user_data);
}
/*
 * match_assign_userdata() - assignment hook that propagates taint: when the
 * right-hand side is user data, the left-hand side becomes user_data too.
 */
static void match_assign_userdata(struct expression *expr)
{
	if (!is_user_data(expr->right))
		return;

	set_state_expr(my_id, expr->left, &user_data);
}
/*
 * match_caller_info() - function-call hook: emits one "info:" line for each
 * argument of the call that is user data. The key is the literal '$$', the
 * prefix that set_param_user_data() requires on its keys.
 *
 * Gaps in the margin line numbers are source lines this listing does not
 * show (including the declarations and the update of i).
 */
172 static void match_caller_info(struct expression *expr)
174 	struct expression *tmp;
	/*
	 * NOTE(review): func is printed with %s below; lines 179-182 (not shown)
	 * presumably bail out when no name is available -- confirm.
	 */
178 	func = get_fnptr_name(expr->fn);
183 	FOR_EACH_PTR(expr->args, tmp) {
184 		if (is_user_data(tmp))
			/*
			 * i is presumably the argument index, advanced on line 186
			 * (not shown).
			 * NOTE(review): the function name is unquoted here but
			 * quoted in struct_member_callback(); confirm that whatever
			 * parses these lines accepts both forms.
			 */
185 			sm_msg("info: passes user_data %s %d '$$'", func, i);
187 	} END_FOR_EACH_PTR(tmp);
/*
 * struct_member_callback() - callback registered in check_user_data() with
 * add_member_info_callback(). It emits an "info:" line naming the function,
 * the parameter index and the printed name of the tracked item.
 */
190 static void struct_member_callback(char *fn, int param, char *printed_name, struct smatch_state *state)
	/*
	 * Capped entries are singled out; the guarded statement (line 193) is
	 * not shown, presumably a return so that only uncapped entries are
	 * reported.
	 */
192 	if (state == &capped)
194 	sm_msg("info: passes user_data '%s' %d '%s'", fn, param, printed_name);
/*
 * check_user_data() - registration entry point for this check. It wires up
 * the taint sources, the propagation and capping hooks, and the caller-info
 * output.
 *
 * Gaps in the margin line numbers are source lines this listing does not
 * show. Line 201 presumably stores @id in my_id, which every hook uses.
 */
197 void check_user_data(int id)
	/*
	 * The check applies to kernel projects only; the guarded statement
	 * (line 200) is not shown, presumably a return.
	 */
199 	if (option_project != PROJ_KERNEL)
	/* Taint recorded in the database for parameters, keyed by "$$...". */
202 	add_definition_db_callback(set_param_user_data, USER_DATA);
	/* Comparisons cap user data; assignments clear or propagate it. */
203 	add_hook(&match_condition, CONDITION_HOOK);
204 	add_hook(&match_assign, ASSIGNMENT_HOOK);
205 	add_hook(&match_assign_userdata, ASSIGNMENT_HOOK);
	/*
	 * Taint sources: argument 0 of each call is the destination buffer.
	 * This is a fixed list, so a copy helper that is not named here
	 * introduces no taint unless it reaches one of these or get_user.
	 */
206 	add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
207 	add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
208 	add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
	/*
	 * NOTE(review): confirm "kmemdup_user" is the intended name; the kernel
	 * helper I know of is memdup_user(). A hook on a name that never occurs
	 * in the analysed code never fires, and nothing reports that.
	 */
209 	add_function_assign_hook("kmemdup_user", &match_user_assign_function, NULL);
	/* Output used to follow user data into callees. */
211 	add_hook(&match_caller_info, FUNCTION_CALL_HOOK);
212 	add_member_info_callback(my_id, struct_member_callback);