2 * Copyright (C) 2014 Oracle.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
19 * Looks for integers that we get from the user which can be attacked
20 * with an integer overflow.
25 #include "smatch_slist.h"
29 static void match_condition(struct expression
*expr
)
31 struct expression
*left
, *right
;
36 if (expr
->type
!= EXPR_COMPARE
)
41 type
= get_type(expr
);
42 if (!type_signed(type
))
45 left
= strip_expr(expr
->left
);
46 right
= strip_expr(expr
->right
);
48 if (left
->type
!= EXPR_BINOP
) {
49 left
= get_assigned_expr(left
);
50 left
= strip_expr(left
);
51 if (!left
|| left
->type
!= EXPR_BINOP
)
55 if (left
->op
!= '+' && left
->op
!= '*' && left
->op
!= SPECIAL_LEFTSHIFT
)
58 if (has_variable(left
, right
) == 1) {
59 left_name
= expr_to_str(left
);
60 right_name
= expr_to_str(right
);
61 sm_msg("warn: signed overflow undefined. '%s %s %s'", left_name
, show_special(expr
->op
), right_name
);
62 free_string(left_name
);
63 free_string(right_name
);
67 static void match_binop(struct expression
*expr
)
69 sval_t left_val
, right_min
;
75 if (!get_value(expr
->left
, &left_val
))
78 switch (left_val
.uvalue
) {
90 get_absolute_min(expr
->right
, &right_min
);
91 if (!sval_is_negative(right_min
))
94 str
= expr_to_str(expr
);
95 sm_msg("warn: potential negative subtraction from max '%s'", str
);
99 void check_signed_integer_overflow_check(int id
)
103 if (option_project
== PROJ_KERNEL
) {
104 /* The kernel uses -fno-strict-overflow so it's fine */
108 add_hook(&match_condition
, CONDITION_HOOK
);
109 add_hook(&match_binop
, BINOP_HOOK
);