2 * smatch/check_deference.c
4 * Copyright (C) 2006 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
13 #include "smatch_slist.h"
14 #include "smatch_extra.h"
22 * This check has two smatch IDs.
23 * my_size_id - used to store the size of arrays.
24 * my_used_id - keeps a record of array offsets that have been used.
25 * If the code checks that they are within bounds later on,
26 * we complain about using an array offset before checking
27 * that it is within bounds.
29 static int my_size_id
;
30 static int my_used_id
;
32 static struct symbol
*this_func
;
34 static int get_array_size(struct expression
*expr
);
36 static void match_function_def(struct symbol
*sym
)
41 static void print_args(struct expression
*expr
, int size
)
52 name
= get_variable_from_expr(expr
, &sym
);
57 FOR_EACH_PTR(this_func
->ctype
.base_type
->arguments
, arg
) {
58 arg_name
= (arg
->ident
?arg
->ident
->name
:"-");
59 if (sym
== arg
&& !strcmp(name
, arg_name
)) {
60 sm_info("param %d array index. size %d", i
, size
);
64 } END_FOR_EACH_PTR(arg
);
69 static char *alloc_num(long long num
)
71 static char buff
[256];
73 if (num
== whole_range
.min
)
74 snprintf(buff
, 255, "min");
75 else if (num
== whole_range
.max
)
76 snprintf(buff
, 255, "max");
78 snprintf(buff
, 255, "(%lld)", num
);
80 snprintf(buff
, 255, "%lld", num
);
83 return alloc_sname(buff
);
86 static void delete(const char *name
, struct symbol
*sym
, struct expression
*expr
, void *unused
)
88 delete_state(my_used_id
, name
, sym
);
91 static struct smatch_state
*alloc_my_state(int val
)
93 struct smatch_state
*state
;
95 state
= malloc(sizeof(*state
));
96 state
->name
= alloc_num(val
);
97 state
->data
= malloc(sizeof(int));
98 *(int *)state
->data
= val
;
102 static int is_last_struct_member(struct expression
*expr
)
104 struct ident
*member
;
105 struct symbol
*struct_sym
;
108 if (!expr
|| expr
->type
!= EXPR_DEREF
)
111 member
= expr
->member
;
112 struct_sym
= get_type(expr
->deref
);
115 if (struct_sym
->type
== SYM_PTR
)
116 struct_sym
= get_base_type(struct_sym
);
117 FOR_EACH_PTR_REVERSE(struct_sym
->symbol_list
, tmp
) {
118 if (tmp
->ident
== member
)
121 } END_FOR_EACH_PTR_REVERSE(tmp
);
125 static int get_initializer_size(struct expression
*expr
)
129 return expr
->string
->length
;
130 case EXPR_INITIALIZER
: {
131 struct expression
*tmp
;
135 FOR_EACH_PTR(expr
->expr_list
, tmp
) {
136 if (tmp
->type
== EXPR_INDEX
&& tmp
->idx_to
> max
)
139 } END_FOR_EACH_PTR(tmp
);
145 return get_array_size(expr
);
150 static int get_array_size(struct expression
*expr
)
153 struct smatch_state
*state
;
156 if (expr
->type
== EXPR_STRING
)
157 return expr
->string
->length
;
159 tmp
= get_type(expr
);
163 if (tmp
->type
== SYM_ARRAY
) {
164 ret
= get_expression_value(tmp
->array_size
);
165 if (ret
== 1 && is_last_struct_member(expr
))
171 if (expr
->type
== EXPR_SYMBOL
&& expr
->symbol
->initializer
) {
172 if (expr
->symbol
->initializer
!= expr
) /* int a = a; */
173 return get_initializer_size(expr
->symbol
->initializer
);
175 state
= get_state_expr(my_size_id
, expr
);
176 if (!state
|| !state
->data
)
178 if (tmp
->type
== SYM_PTR
)
179 tmp
= get_base_type(tmp
);
180 if (!tmp
->ctype
.alignment
)
182 ret
= *(int *)state
->data
/ tmp
->ctype
.alignment
;
186 static int definitely_just_used_as_limiter(struct expression
*array
, struct expression
*offset
)
189 struct expression
*tmp
;
193 if (!get_value(offset
, &val
))
195 if (get_array_size(array
) != val
)
198 FOR_EACH_PTR_REVERSE(big_expression_stack
, tmp
) {
203 if (tmp
->type
== EXPR_PREOP
&& tmp
->op
== '(')
205 if (tmp
->op
== '.' && !dot_ops
++)
207 if (step
== 1 && tmp
->op
== '&') {
211 if (step
== 2 && tmp
->type
== EXPR_COMPARE
)
214 } END_FOR_EACH_PTR_REVERSE(tmp
);
218 static void array_check(struct expression
*expr
)
220 struct expression
*array_expr
;
222 struct expression
*offset
;
226 expr
= strip_expr(expr
);
230 array_expr
= get_array_name(expr
);
231 array_size
= get_array_size(array_expr
);
235 offset
= get_array_offset(expr
);
236 if (!get_fuzzy_max(offset
, &max
)) {
237 if (getting_address())
239 set_state_expr(my_used_id
, offset
, alloc_state_num(array_size
));
240 add_modification_hook_expr(my_used_id
, offset
, &delete, NULL
);
241 print_args(offset
, array_size
);
242 } else if (array_size
<= max
) {
243 const char *level
= "error";
245 if (getting_address())
248 if (definitely_just_used_as_limiter(array_expr
, offset
))
251 name
= get_variable_from_expr_complex(array_expr
, NULL
);
252 /* Blast. Smatch can't figure out glibc's strcmp __strcmp_cg()
253 * so it prints an error every time you compare to a string
254 * literal array with 4 or less chars.
256 if (name
&& strcmp(name
, "__s1") && strcmp(name
, "__s2")) {
257 sm_msg("%s: buffer overflow '%s' %d <= %lld",
258 level
, name
, array_size
, max
);
264 static void match_condition(struct expression
*expr
)
268 struct state_list
*slist
;
269 struct sm_state
*tmp
;
272 if (!expr
|| expr
->type
!= EXPR_COMPARE
)
274 if (get_implied_value(expr
->left
, &val
))
276 else if (get_implied_value(expr
->right
, &val
))
282 slist
= get_possible_states_expr(my_used_id
, expr
->right
);
284 slist
= get_possible_states_expr(my_used_id
, expr
->left
);
287 FOR_EACH_PTR(slist
, tmp
) {
288 if (tmp
->state
== &merged
)
290 boundary
= (int)tmp
->state
->data
;
292 if (boundary
< 1 && boundary
> -1) {
295 name
= get_variable_from_expr((left
? expr
->right
: expr
->left
), NULL
);
296 sm_msg("error: testing array offset '%s' after use.", name
);
299 } END_FOR_EACH_PTR(tmp
);
302 static void match_string_assignment(struct expression
*expr
)
304 struct expression
*left
;
305 struct expression
*right
;
307 left
= strip_expr(expr
->left
);
308 right
= strip_expr(expr
->right
);
309 if (right
->type
!= EXPR_STRING
|| !right
->string
)
311 set_state_expr(my_size_id
, left
, alloc_my_state(right
->string
->length
));
314 static void match_array_assignment(struct expression
*expr
)
316 struct expression
*left
;
317 struct expression
*right
;
318 struct symbol
*left_type
;
323 left
= strip_expr(expr
->left
);
324 left_type
= get_type(left
);
325 if (!left_type
|| left_type
->type
!= SYM_PTR
)
327 left_type
= get_base_type(left_type
);
330 right
= strip_expr(expr
->right
);
331 array_size
= get_array_size(right
);
333 set_state_expr(my_size_id
, left
,
334 alloc_my_state(array_size
* left_type
->ctype
.alignment
));
337 static void match_malloc(const char *fn
, struct expression
*expr
, void *unused
)
339 struct expression
*right
;
340 struct expression
*arg
;
343 right
= strip_expr(expr
->right
);
344 arg
= get_argument_from_call_expr(right
->args
, 0);
345 if (!get_implied_value(arg
, &bytes
))
347 set_state_expr(my_size_id
, expr
->left
, alloc_my_state(bytes
));
350 static void match_strcpy(const char *fn
, struct expression
*expr
, void *unused
)
352 struct expression
*dest
;
353 struct expression
*data
;
354 char *dest_name
= NULL
;
355 char *data_name
= NULL
;
356 struct smatch_state
*dest_state
;
357 struct smatch_state
*data_state
;
361 dest
= get_argument_from_call_expr(expr
->args
, 0);
362 dest_name
= get_variable_from_expr(dest
, NULL
);
364 data
= get_argument_from_call_expr(expr
->args
, 1);
365 data_name
= get_variable_from_expr(data
, NULL
);
367 dest_state
= get_state(my_size_id
, dest_name
, NULL
);
368 if (!dest_state
|| !dest_state
->data
)
371 data_state
= get_state(my_size_id
, data_name
, NULL
);
372 if (!data_state
|| !data_state
->data
)
374 dest_size
= *(int *)dest_state
->data
;
375 data_size
= *(int *)data_state
->data
;
376 if (dest_size
< data_size
)
377 sm_msg("error: %s (%d) too large for %s (%d)",
378 data_name
, data_size
, dest_name
, dest_size
);
380 free_string(dest_name
);
381 free_string(data_name
);
384 static void match_limitted(const char *fn
, struct expression
*expr
, void *limit_arg
)
386 struct expression
*dest
;
387 struct expression
*data
;
388 char *dest_name
= NULL
;
389 struct smatch_state
*state
;
393 dest
= get_argument_from_call_expr(expr
->args
, 0);
394 dest_name
= get_variable_from_expr(dest
, NULL
);
396 data
= get_argument_from_call_expr(expr
->args
, PTR_INT(limit_arg
));
397 if (!get_value(data
, &needed
))
399 state
= get_state(my_size_id
, dest_name
, NULL
);
400 if (!state
|| !state
->data
)
402 has
= *(int *)state
->data
;
404 sm_msg("error: %s too small for %lld bytes.", dest_name
, needed
);
406 free_string(dest_name
);
409 static void match_array_func(const char *fn
, struct expression
*expr
, void *info
)
411 struct bound
*bound_info
= (struct bound
*)info
;
412 struct expression
*arg
;
415 arg
= get_argument_from_call_expr(expr
->args
, bound_info
->param
);
416 if (!get_implied_value(arg
, &offset
))
418 if (offset
>= bound_info
->size
)
419 sm_msg("error: buffer overflow calling %s. param %d. %lld >= %d",
420 fn
, bound_info
->param
, offset
, bound_info
->size
);
423 static void register_array_funcs(void)
427 struct bound
*bound_info
;
429 token
= get_tokens_file("kernel.array_bounds");
432 if (token_type(token
) != TOKEN_STREAMBEGIN
)
435 while (token_type(token
) != TOKEN_STREAMEND
) {
436 bound_info
= malloc(sizeof(*bound_info
));
437 if (token_type(token
) != TOKEN_IDENT
)
439 func
= show_ident(token
->ident
);
441 if (token_type(token
) != TOKEN_NUMBER
)
443 bound_info
->param
= atoi(token
->number
);
445 if (token_type(token
) != TOKEN_NUMBER
)
447 bound_info
->size
= atoi(token
->number
);
448 add_function_hook(func
, &match_array_func
, bound_info
);
454 void check_overflow(int id
)
457 add_hook(&match_function_def
, FUNC_DEF_HOOK
);
458 add_hook(&array_check
, OP_HOOK
);
459 add_hook(&match_string_assignment
, ASSIGNMENT_HOOK
);
460 add_hook(&match_array_assignment
, ASSIGNMENT_HOOK
);
461 add_hook(&match_condition
, CONDITION_HOOK
);
462 add_function_assign_hook("malloc", &match_malloc
, NULL
);
463 add_function_hook("strcpy", &match_strcpy
, NULL
);
464 add_function_hook("strncpy", &match_limitted
, (void *)2);
465 if (option_project
== PROJ_KERNEL
) {
466 add_function_assign_hook("kmalloc", &match_malloc
, NULL
);
467 add_function_assign_hook("kzalloc", &match_malloc
, NULL
);
468 add_function_assign_hook("vmalloc", &match_malloc
, NULL
);
469 add_function_hook("copy_to_user", &match_limitted
, (void *)2);
470 add_function_hook("copy_from_user", &match_limitted
, (void *)2);
472 register_array_funcs();
475 void register_check_overflow_again(int id
)