/*
 * sparse/check_get_user_overflow.c
 *
 * Copyright (C) 2010 Dan Carpenter.
 *
 * Licensed under the Open Software License version 1.1
 *
 */
/*
 * Looks for integers that we get from the user which can be attacked
 * with an integer overflow.
 */
#include "smatch.h"
#include "smatch_slist.h"

/*
 * The check keeps two independent state sets per expression: one describing
 * the upper bound and one describing the lower bound.  my_max_id is assigned
 * in check_get_user_overflow() and my_min_id in check_get_user_overflow2().
 */
static int my_max_id;
static int my_min_id;

/*
 * capped:    the value has been compared against something, or overwritten by
 *            an ordinary assignment, since it was last tainted.
 * user_data: the value was produced by get_user() and no bound on it has been
 *            seen yet.
 * NOTE(review): STATE() is declared outside this file (presumably smatch.h).
 */
STATE(capped);
STATE(user_data);
/*
 * Condition hook: record which side of a comparison is bounded on which
 * branch.
 *
 * A comparison bounds one operand from above and the other from below, so the
 * left operand's max-state always receives the same pair of branch states as
 * the right operand's min-state ("fwd"), and the left operand's min-state the
 * same pair as the right operand's max-state ("rev").
 *
 *   <, <=   true: left max / right min capped   false: left min / right max capped
 *   >, >=   true: left min / right max capped   false: left max / right min capped
 *   ==      true: everything capped
 *   !=      false: everything capped
 *
 * Only operands that already carry a max-state are updated.
 *
 * NOTE(review): the other operand is never inspected, so a comparison against
 * any value (a huge constant, another unchecked variable) is treated as a
 * bound.  That keeps the check quiet but is a possible source of missed
 * reports.
 * NOTE(review): a NULL branch state presumably leaves the existing state
 * untouched on that branch; confirm against set_true_false_states_expr().
 */
static void match_condition(struct expression *expr)
{
	/* Applied to (left, max) and (right, min). */
	struct smatch_state *fwd_true = NULL;
	struct smatch_state *fwd_false = NULL;
	/* Applied to (left, min) and (right, max). */
	struct smatch_state *rev_true = NULL;
	struct smatch_state *rev_false = NULL;

	switch (expr->op) {
	case '<':
	case SPECIAL_LTE:
	case SPECIAL_UNSIGNED_LT:
	case SPECIAL_UNSIGNED_LTE:
		fwd_true = &capped;
		rev_false = &capped;
		break;
	case '>':
	case SPECIAL_GTE:
	case SPECIAL_UNSIGNED_GT:
	case SPECIAL_UNSIGNED_GTE:
		fwd_false = &capped;
		rev_true = &capped;
		break;
	case SPECIAL_EQUAL:
		fwd_true = &capped;
		rev_true = &capped;
		break;
	case SPECIAL_NOTEQUAL:
		fwd_false = &capped;
		rev_false = &capped;
		break;
	default:
		/* Not a comparison this check understands. */
		return;
	}

	if (get_state_expr(my_max_id, expr->left)) {
		set_true_false_states_expr(my_max_id, expr->left, fwd_true, fwd_false);
		set_true_false_states_expr(my_min_id, expr->left, rev_true, rev_false);
	}
	if (get_state_expr(my_max_id, expr->right)) {
		set_true_false_states_expr(my_max_id, expr->right, rev_true, rev_false);
		set_true_false_states_expr(my_min_id, expr->right, fwd_true, fwd_false);
	}
}
/*
 * An ordinary assignment (anything that is not the get_user() pattern handled
 * by match_assign()) to a tracked expression ends the tracking of the old
 * value: both its max- and min-state are reset to capped.
 *
 * NOTE(review): the right-hand side is not examined, so user data copied from
 * one tracked variable into another is not propagated by this function.
 */
static void match_normal_assign(struct expression *expr)
{
	/* Untracked destination: nothing to reset. */
	if (!get_state_expr(my_max_id, expr->left))
		return;

	set_state_expr(my_max_id, expr->left, &capped);
	set_state_expr(my_min_id, expr->left, &capped);
}
/*
 * Assignment hook: taint the destination of a get_user() read.
 *
 * Assignments that do not sit inside an expansion of the "get_user" macro are
 * handed to match_normal_assign().  Inside the macro, only the assignment
 * whose right-hand side is the variable "__val_gu" marks the left-hand side
 * as user_data in both state sets.
 *
 * NOTE(review): "__val_gu" is presumably the temporary used by the kernel's
 * get_user() implementation; other ways of reading user memory are not
 * matched by this function.
 */
static void match_assign(struct expression *expr)
{
	char *macro = get_macro_name(expr->pos);
	char *rhs;

	if (!macro || strcmp(macro, "get_user") != 0) {
		match_normal_assign(expr);
		return;
	}

	rhs = expr_to_var(expr->right);
	if (rhs && strcmp(rhs, "__val_gu") == 0) {
		set_state_expr(my_max_id, expr->left, &user_data);
		set_state_expr(my_min_id, expr->left, &user_data);
	}
	/* Released on every path past this point, including when rhs is NULL. */
	free_string(rhs);
}
/*
 * Warn when an operand of an arithmetic expression may still hold unbounded
 * user data.
 *
 * Overflow is flagged when user_data is among the possible max-states and the
 * absolute maximum is either unknown or above 20000.  Underflow is flagged
 * when user_data is among the possible min-states and the absolute minimum is
 * either unknown or below -20000.  The +/-20000 limit is a fixed constant in
 * this function; it is not derived from the operand's type.
 *
 * After a warning both states are set to capped.
 * NOTE(review): presumably so the same value is reported only once; confirm.
 */
static void check_expr(struct expression *expr)
{
	struct sm_state *sm;
	sval_t upper;
	sval_t lower;
	char *name;
	int overflow = 0;
	int underflow = 0;

	sm = get_sm_state_expr(my_max_id, expr);
	if (sm && slist_has_state(sm->possible, &user_data) &&
	    (!get_absolute_max(expr, &upper) || sval_cmp_val(upper, 20000) > 0))
		overflow = 1;

	sm = get_sm_state_expr(my_min_id, expr);
	if (sm && slist_has_state(sm->possible, &user_data) &&
	    (!get_absolute_min(expr, &lower) ||
	     (sval_is_negative(lower) && sval_cmp_val(lower, -20000) < 0)))
		underflow = 1;

	if (!overflow && !underflow)
		return;

	/* At least one flag is set from here on. */
	name = expr_to_var_sym(expr, NULL);
	if (!underflow)
		sm_msg("warn: check for integer overflow '%s'", name);
	else if (!overflow)
		sm_msg("warn: check for integer underflow '%s'", name);
	else
		sm_msg("warn: check for integer over/underflow '%s'", name);
	free_string(name);

	set_state_expr(my_max_id, expr, &capped);
	set_state_expr(my_min_id, expr, &capped);
}
/*
 * Binary-operator hook: run check_expr() on both operands of every binary
 * operation except the bitwise ones (^, &, |) and the two shifts, which are
 * skipped outright.
 *
 * NOTE(review): skipping '<<' means a user-controlled value that is only
 * shifted left is never reported here, although a left shift can also grow a
 * value; worth confirming that this exclusion is intentional.
 */
static void match_binop(struct expression *expr)
{
	switch (expr->op) {
	case '^':
	case '&':
	case '|':
	case SPECIAL_RIGHTSHIFT:
	case SPECIAL_LEFTSHIFT:
		return;
	default:
		break;
	}

	check_expr(expr->left);
	check_expr(expr->right);
}
/*
 * Registration entry point for the upper-bound state set.
 *
 * Does nothing unless the project being analysed is the kernel.  Otherwise it
 * stores @id as the owner of the max-states and installs the condition,
 * assignment and binary-operator hooks.  The lower-bound id is supplied
 * separately through check_get_user_overflow2().
 */
void check_get_user_overflow(int id)
{
	if (option_project == PROJ_KERNEL) {
		my_max_id = id;
		add_hook(&match_condition, CONDITION_HOOK);
		add_hook(&match_assign, ASSIGNMENT_HOOK);
		add_hook(&match_binop, BINOP_HOOK);
	}
}
/*
 * Registration entry point for the lower-bound state set.
 *
 * Only records @id as the owner of the min-states; it installs no hooks of
 * its own and relies on the ones added by check_get_user_overflow().
 */
void check_get_user_overflow2(int id)
{
	my_min_id = id;
}