search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
db: sort return_states by file
[smatch.git] / check_rosenberg.c
blobc62cd58ece3559bb9fa2d40e7c85c8a7d8c5e094
1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /* Does a search for Dan Rosenberg style info leaks */
19
20 /* fixme: struct includes a struct with a hole in it */
21 /* function is called that clears the struct */
22
23 #include "scope.h"
24 #include "smatch.h"
25 #include "smatch_function_hashtable.h"
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
28
29 static int my_whole_id;
30 static int my_member_id;
31
32 STATE(cleared);
33
34 static void extra_mod_hook(const char *name, struct symbol *sym, struct smatch_state *state)
35 {
36 struct symbol *type;
37
38 type = get_real_base_type(sym);
39 if (!type || type->type != SYM_STRUCT)
40 return;
41
42 set_state(my_member_id, name, sym, state);
43 }
44
45 static void print_holey_warning(struct expression *data, const char *member)
46 {
47 char *name;
48
49 name = expr_to_str(data);
50 if (member) {
51 sm_msg("warn: check that '%s' doesn't leak information (struct has a hole after '%s')",
52 name, member);
53 } else {
54 sm_msg("warn: check that '%s' doesn't leak information (struct has holes)",
55 name);
56 }
57 free_string(name);
58 }
59
60 static int check_struct(struct expression *expr, struct symbol *type)
61 {
62 struct symbol *tmp, *base_type;
63 const char *prev = NULL;
64 int align;
65
66 align = 0;
67 FOR_EACH_PTR(type->symbol_list, tmp) {
68 base_type = get_real_base_type(tmp);
69 if (base_type && base_type->type == SYM_STRUCT) {
70 if (check_struct(expr, base_type))
71 return 1;
72 }
73 if (type->ctype.attribute->is_packed)
74 continue;
75
76 if (!tmp->ctype.alignment) {
77 sm_msg("warn: cannot determine the alignment here\n");
78 } else if (align % tmp->ctype.alignment) {
79 print_holey_warning(expr, prev);
80 return 1;
81 }
82
83 if (base_type == &bool_ctype)
84 align += 1;
85 else if (type_bits(tmp) <= 0)
86 align = 0;
87 else
88 align += type_bytes(tmp);
89
90 if (tmp->ident)
91 prev = tmp->ident->name;
92 else
93 prev = NULL;
94 } END_FOR_EACH_PTR(tmp);
95
96 if (align % type->ctype.alignment) {
97 print_holey_warning(expr, prev);
98 return 1;
99 }
100
101 return 0;
102 }
103
104 static int warn_on_holey_struct(struct expression *expr)
105 {
106 struct symbol *type;
107 type = get_type(expr);
108 if (!type || type->type != SYM_STRUCT)
109 return 0;
110
111 return check_struct(expr, type);
112 }
113
114 static int has_global_scope(struct expression *expr)
115 {
116 struct symbol *sym;
117
118 if (expr->type != EXPR_SYMBOL)
119 return FALSE;
120 sym = expr->symbol;
121 return toplevel(sym->scope);
122 }
123
124 static int was_initialized(struct expression *expr)
125 {
126 struct symbol *sym;
127 char *name;
128
129 name = expr_to_var_sym(expr, &sym);
130 if (!name)
131 return 0;
132 if (sym->initializer)
133 return 1;
134 return 0;
135 }
136
137 static void match_clear(const char *fn, struct expression *expr, void *_arg_no)
138 {
139 struct expression *ptr;
140 int arg_no = PTR_INT(_arg_no);
141
142 ptr = get_argument_from_call_expr(expr->args, arg_no);
143 if (!ptr)
144 return;
145 ptr = strip_expr(ptr);
146 if (ptr->type != EXPR_PREOP || ptr->op != '&')
147 return;
148 ptr = strip_expr(ptr->unop);
149 set_state_expr(my_whole_id, ptr, &cleared);
150 }
151
152 static int was_memset(struct expression *expr)
153 {
154 if (get_state_expr(my_whole_id, expr) == &cleared)
155 return 1;
156 return 0;
157 }
158
159 static int member_initialized(char *name, struct symbol *outer, struct symbol *member, int pointer)
160 {
161 char buf[256];
162 struct symbol *base;
163
164 base = get_base_type(member);
165 if (!base || base->type != SYM_BASETYPE || !member->ident)
166 return FALSE;
167
168 if (pointer)
169 snprintf(buf, 256, "%s->%s", name, member->ident->name);
170 else
171 snprintf(buf, 256, "%s.%s", name, member->ident->name);
172
173 if (get_state(my_member_id, buf, outer))
174 return TRUE;
175
176 return FALSE;
177 }
178
179 static int member_uninitialized(char *name, struct symbol *outer, struct symbol *member, int pointer)
180 {
181 char buf[256];
182 struct symbol *base;
183 struct sm_state *sm;
184
185 base = get_base_type(member);
186 if (!base || base->type != SYM_BASETYPE || !member->ident)
187 return FALSE;
188
189 if (pointer)
190 snprintf(buf, 256, "%s->%s", name, member->ident->name);
191 else
192 snprintf(buf, 256, "%s.%s", name, member->ident->name);
193
194 sm = get_sm_state(my_member_id, buf, outer);
195 if (sm && !slist_has_state(sm->possible, &undefined))
196 return FALSE;
197
198 sm_msg("warn: check that '%s' doesn't leak information", buf);
199 return TRUE;
200 }
201
202 static int check_members_initialized(struct expression *expr)
203 {
204 char *name;
205 struct symbol *outer;
206 struct symbol *sym;
207 struct symbol *tmp;
208 int pointer = 0;
209 int printed = 0;
210
211 sym = get_type(expr);
212 if (sym && sym->type == SYM_PTR) {
213 pointer = 1;
214 sym = get_real_base_type(sym);
215 }
216 if (!sym)
217 return 0;
218 if (sym->type != SYM_STRUCT)
219 return 0;
220
221 name = expr_to_var_sym(expr, &outer);
222
223 /*
224 * check that at least one member was set. If all of them were not set
225 * it's more likely a problem in the check than a problem in the kernel
226 * code.
227 */
228 FOR_EACH_PTR(sym->symbol_list, tmp) {
229 if (member_initialized(name, outer, tmp, pointer))
230 goto check;
231 } END_FOR_EACH_PTR(tmp);
232 goto out;
233
234 check:
235 FOR_EACH_PTR(sym->symbol_list, tmp) {
236 if (member_uninitialized(name, outer, tmp, pointer)) {
237 printed = 1;
238 goto out;
239 }
240 } END_FOR_EACH_PTR(tmp);
241 out:
242 free_string(name);
243 return printed;
244 }
245
246 static void check_was_initialized(struct expression *data)
247 {
248 data = strip_expr(data);
249 if (!data)
250 return;
251 if (data->type == EXPR_PREOP && data->op == '&')
252 data = strip_expr(data->unop);
253 if (data->type != EXPR_SYMBOL)
254 return;
255
256 if (has_global_scope(data))
257 return;
258 if (was_initialized(data))
259 return;
260 if (was_memset(data))
261 return;
262 if (warn_on_holey_struct(data))
263 return;
264 check_members_initialized(data);
265 }
266
267 static void match_copy_to_user(const char *fn, struct expression *expr, void *_arg)
268 {
269 int arg = PTR_INT(_arg);
270 struct expression *data;
271
272 data = get_argument_from_call_expr(expr->args, arg);
273 data = strip_expr(data);
274 if (!data)
275 return;
276 if (data->type != EXPR_PREOP || data->op != '&')
277 return;
278 check_was_initialized(data);
279 }
280
281 static void db_param_cleared(struct expression *expr, int param, char *key, char *value)
282 {
283 while (expr->type == EXPR_ASSIGNMENT)
284 expr = strip_expr(expr->right);
285 if (expr->type != EXPR_CALL)
286 return;
287
288 match_clear(NULL, expr, INT_PTR(param));
289 }
290
291 static void match_assign(struct expression *expr)
292 {
293 struct symbol *type;
294
295 type = get_type(expr->left);
296 if (!type || type->type != SYM_STRUCT)
297 return;
298 set_state_expr(my_whole_id, expr->left, &cleared);
299 }
300
301 static void register_clears_argument(void)
302 {
303 struct token *token;
304 const char *func;
305 int arg;
306
307 token = get_tokens_file("kernel.clears_argument");
308 if (!token)
309 return;
310 if (token_type(token) != TOKEN_STREAMBEGIN)
311 return;
312 token = token->next;
313 while (token_type(token) != TOKEN_STREAMEND) {
314 if (token_type(token) != TOKEN_IDENT)
315 return;
316 func = show_ident(token->ident);
317 token = token->next;
318 if (token_type(token) != TOKEN_NUMBER)
319 return;
320 arg = atoi(token->number);
321
322 add_function_hook(func, &match_clear, INT_PTR(arg));
323 token = token->next;
324 }
325 clear_token_alloc();
326 }
327
328 static void register_copy_funcs_from_file(void)
329 {
330 struct token *token;
331 const char *func;
332 int arg;
333
334 token = get_tokens_file("kernel.rosenberg_funcs");
335 if (!token)
336 return;
337 if (token_type(token) != TOKEN_STREAMBEGIN)
338 return;
339 token = token->next;
340 while (token_type(token) != TOKEN_STREAMEND) {
341 if (token_type(token) != TOKEN_IDENT)
342 return;
343 func = show_ident(token->ident);
344 token = token->next;
345 if (token_type(token) != TOKEN_NUMBER)
346 return;
347 arg = atoi(token->number);
348 add_function_hook(func, &match_copy_to_user, INT_PTR(arg));
349 token = token->next;
350 }
351 clear_token_alloc();
352 }
353
354 void check_rosenberg(int id)
355 {
356 if (option_project != PROJ_KERNEL)
357 return;
358 my_whole_id = id;
359
360 add_function_hook("memset", &match_clear, INT_PTR(0));
361 add_function_hook("memcpy", &match_clear, INT_PTR(0));
362 add_function_hook("memzero", &match_clear, INT_PTR(0));
363 add_function_hook("__memset", &match_clear, INT_PTR(0));
364 add_function_hook("__memcpy", &match_clear, INT_PTR(0));
365 add_function_hook("__memzero", &match_clear, INT_PTR(0));
366 add_function_hook("__builtin_memset", &match_clear, INT_PTR(0));
367 add_function_hook("__builtin_memcpy", &match_clear, INT_PTR(0));
368
369 add_hook(&match_assign, ASSIGNMENT_HOOK);
370 register_clears_argument();
371 select_return_states_hook(PARAM_CLEARED, &db_param_cleared);
372
373 register_copy_funcs_from_file();
374 }
375
376 void check_rosenberg2(int id)
377 {
378 if (option_project != PROJ_KERNEL)
379 return;
380
381 my_member_id = id;
382 add_extra_mod_hook(&extra_mod_hook);
383 }
384
Static analysis for C