2 * Copyright (C) 2011 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
30 static int my_call_id
;
33 static bool func_gets_user_data
;
35 static const char * kstr_funcs
[] = {
36 "kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
37 "kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
38 "kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user"
39 "kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
40 "kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
41 "kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
42 "kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
43 "kstrtos32_from_user",
46 static void set_points_to_user_data(struct expression
*expr
);
48 static struct stree
*start_states
;
49 static struct stree_stack
*saved_stack
;
50 static void save_start_states(struct statement
*stmt
)
52 start_states
= clone_stree(__get_cur_stree());
55 static void free_start_states(void)
57 free_stree(&start_states
);
60 static void match_save_states(struct expression
*expr
)
62 push_stree(&saved_stack
, start_states
);
66 static void match_restore_states(struct expression
*expr
)
68 free_stree(&start_states
);
69 start_states
= pop_stree(&saved_stack
);
72 static struct smatch_state
*empty_state(struct sm_state
*sm
)
74 return alloc_estate_empty();
77 static void pre_merge_hook(struct sm_state
*sm
)
79 struct smatch_state
*user
;
80 struct smatch_state
*extra
;
81 struct range_list
*rl
;
84 extra
= get_state(SMATCH_EXTRA
, sm
->name
, sm
->sym
);
85 if (!extra
|| !estate_rl(extra
))
87 user
= get_state(my_id
, sm
->name
, sm
->sym
);
88 if (!user
|| !estate_rl(user
))
90 rl
= rl_intersection(estate_rl(user
), estate_rl(extra
));
91 if (rl_to_sval(rl
, &dummy
))
93 set_state(my_id
, sm
->name
, sm
->sym
, alloc_estate_rl(clone_rl(rl
)));
96 static void extra_nomod_hook(const char *name
, struct symbol
*sym
, struct smatch_state
*state
)
98 struct smatch_state
*user
;
99 struct range_list
*rl
;
101 user
= get_state(my_id
, name
, sym
);
104 rl
= rl_intersection(estate_rl(user
), estate_rl(state
));
105 if (rl_equiv(rl
, estate_rl(user
)))
107 set_state(my_id
, name
, sym
, alloc_estate_rl(rl
));
110 static void tag_inner_struct_members(struct expression
*expr
, struct symbol
*member
)
112 struct expression
*edge_member
;
113 struct symbol
*base
= get_real_base_type(member
);
117 expr
= member_expression(expr
, '.', member
->ident
);
119 FOR_EACH_PTR(base
->symbol_list
, tmp
) {
122 type
= get_real_base_type(tmp
);
126 if (type
->type
== SYM_UNION
|| type
->type
== SYM_STRUCT
) {
127 tag_inner_struct_members(expr
, tmp
);
134 edge_member
= member_expression(expr
, '.', tmp
->ident
);
135 set_state_expr(my_id
, edge_member
, alloc_estate_whole(type
));
136 } END_FOR_EACH_PTR(tmp
);
139 static void tag_struct_members(struct symbol
*type
, struct expression
*expr
)
142 struct expression
*member
;
145 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&') {
146 expr
= strip_expr(expr
->unop
);
150 FOR_EACH_PTR(type
->symbol_list
, tmp
) {
151 type
= get_real_base_type(tmp
);
155 if (type
->type
== SYM_UNION
|| type
->type
== SYM_STRUCT
) {
156 tag_inner_struct_members(expr
, tmp
);
163 member
= member_expression(expr
, op
, tmp
->ident
);
164 set_state_expr(my_id
, member
, alloc_estate_whole(get_type(member
)));
166 if (type
->type
== SYM_ARRAY
)
167 set_points_to_user_data(member
);
168 } END_FOR_EACH_PTR(tmp
);
171 static void tag_base_type(struct expression
*expr
)
173 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&')
174 expr
= strip_expr(expr
->unop
);
176 expr
= deref_expression(expr
);
177 set_state_expr(my_id
, expr
, alloc_estate_whole(get_type(expr
)));
180 static void tag_as_user_data(struct expression
*expr
)
184 expr
= strip_expr(expr
);
186 type
= get_type(expr
);
187 if (!type
|| type
->type
!= SYM_PTR
)
189 type
= get_real_base_type(type
);
192 if (type
== &void_ctype
) {
193 set_state_expr(my_id
, deref_expression(expr
), alloc_estate_whole(&ulong_ctype
));
196 if (type
->type
== SYM_BASETYPE
)
198 if (type
->type
== SYM_STRUCT
|| type
->type
== SYM_UNION
) {
199 if (expr
->type
!= EXPR_PREOP
|| expr
->op
!= '&')
200 expr
= deref_expression(expr
);
202 set_state_expr(my_id
, deref_expression(expr
), alloc_estate_whole(&ulong_ctype
));
203 tag_struct_members(type
, expr
);
207 static void match_user_copy(const char *fn
, struct expression
*expr
, void *_param
)
209 int param
= PTR_INT(_param
);
210 struct expression
*dest
;
212 func_gets_user_data
= true;
214 dest
= get_argument_from_call_expr(expr
->args
, param
);
215 dest
= strip_expr(dest
);
218 tag_as_user_data(dest
);
221 static void match_sscanf(const char *fn
, struct expression
*expr
, void *unused
)
223 struct expression
*arg
;
226 func_gets_user_data
= true;
229 FOR_EACH_PTR(expr
->args
, arg
) {
233 tag_as_user_data(arg
);
234 } END_FOR_EACH_PTR(arg
);
237 static int is_skb_data(struct expression
*expr
)
244 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '+')
245 return is_skb_data(expr
->left
);
247 expr
= strip_expr(expr
);
250 if (expr
->type
!= EXPR_DEREF
|| expr
->op
!= '.')
255 if (strcmp(expr
->member
->name
, "data") != 0)
258 sym
= expr_to_sym(expr
->deref
);
261 sym
= get_real_base_type(sym
);
262 if (!sym
|| sym
->type
!= SYM_PTR
)
264 sym
= get_real_base_type(sym
);
265 if (!sym
|| sym
->type
!= SYM_STRUCT
|| !sym
->ident
)
267 if (strcmp(sym
->ident
->name
, "sk_buff") != 0)
273 static int points_to_user_data(struct expression
*expr
)
275 struct smatch_state
*state
;
281 expr
= strip_expr(expr
);
284 if (is_skb_data(expr
))
287 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '+') {
288 if (points_to_user_data(expr
->left
))
290 if (points_to_user_data(expr
->right
))
295 name
= expr_to_var_sym(expr
, &sym
);
298 snprintf(buf
, sizeof(buf
), "*%s", name
);
299 state
= get_state(my_id
, buf
, sym
);
300 if (state
&& estate_rl(state
))
307 static void set_points_to_user_data(struct expression
*expr
)
313 name
= expr_to_var_sym(expr
, &sym
);
316 snprintf(buf
, sizeof(buf
), "*%s", name
);
317 set_state(my_id
, buf
, sym
, alloc_estate_whole(&llong_ctype
));
322 static int comes_from_skb_data(struct expression
*expr
)
324 expr
= strip_expr(expr
);
325 if (!expr
|| expr
->type
!= EXPR_PREOP
|| expr
->op
!= '*')
328 expr
= strip_expr(expr
->unop
);
331 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '+')
332 expr
= strip_expr(expr
->left
);
334 return is_skb_data(expr
);
337 static int handle_struct_assignment(struct expression
*expr
)
339 struct expression
*right
;
340 struct symbol
*left_type
, *right_type
;
342 left_type
= get_type(expr
->left
);
343 if (!left_type
|| left_type
->type
!= SYM_PTR
)
345 left_type
= get_real_base_type(left_type
);
348 if (left_type
->type
!= SYM_STRUCT
&&
349 left_type
->type
!= SYM_UNION
)
353 * Ignore struct to struct assignments because for those we look at the
354 * individual members.
356 right
= strip_expr(expr
->right
);
357 right_type
= get_type(right
);
358 if (!right_type
|| right_type
->type
!= SYM_PTR
)
361 /* If we are assigning struct members then normally that is handled
362 * by fake assignments, however if we cast one struct to a different
363 * of struct then we handle that here.
365 right_type
= get_real_base_type(right_type
);
366 if (right_type
== left_type
)
369 if (!points_to_user_data(right
))
372 tag_as_user_data(expr
->left
);
376 static int handle_get_user(struct expression
*expr
)
381 name
= get_macro_name(expr
->pos
);
382 if (!name
|| strcmp(name
, "get_user") != 0)
385 name
= expr_to_var(expr
->right
);
386 if (!name
|| strcmp(name
, "__val_gu") != 0)
388 set_state_expr(my_id
, expr
->left
, alloc_estate_whole(get_type(expr
->left
)));
395 static void match_assign(struct expression
*expr
)
397 struct range_list
*rl
;
399 if (is_fake_call(expr
->right
))
401 if (handle_get_user(expr
))
403 if (points_to_user_data(expr
->right
))
404 set_points_to_user_data(expr
->left
);
405 if (handle_struct_assignment(expr
))
408 if (!get_user_rl(expr
->right
, &rl
))
409 goto clear_old_state
;
411 rl
= cast_rl(get_type(expr
->left
), rl
);
412 set_state_expr(my_id
, expr
->left
, alloc_estate_rl(rl
));
417 if (get_state_expr(my_id
, expr
->left
))
418 set_state_expr(my_id
, expr
->left
, alloc_estate_empty());
421 static void handle_eq_noteq(struct expression
*expr
)
423 struct smatch_state
*left_orig
, *right_orig
;
425 left_orig
= get_state_expr(my_id
, expr
->left
);
426 right_orig
= get_state_expr(my_id
, expr
->right
);
428 if (!left_orig
&& !right_orig
)
430 if (left_orig
&& right_orig
)
434 set_true_false_states_expr(my_id
, expr
->left
,
435 expr
->op
== SPECIAL_EQUAL
? alloc_estate_empty() : NULL
,
436 expr
->op
== SPECIAL_EQUAL
? NULL
: alloc_estate_empty());
438 set_true_false_states_expr(my_id
, expr
->right
,
439 expr
->op
== SPECIAL_EQUAL
? alloc_estate_empty() : NULL
,
440 expr
->op
== SPECIAL_EQUAL
? NULL
: alloc_estate_empty());
444 static void handle_unsigned_lt_gt(struct expression
*expr
)
447 struct range_list
*left
;
448 struct range_list
*right
;
449 struct range_list
*non_negative
;
450 sval_t min
, minus_one
;
453 * conditions are mostly handled by smatch_extra.c. The special case
454 * here is that say you have if (user_int < unknown_u32) {
455 * In Smatch extra we say that, We have no idea what value
456 * unknown_u32 is so the only thin we can say for sure is that
457 * user_int is not -1 (UINT_MAX). But in check_user_data2.c we should
458 * assume that unless unknown_u32 is user data, it's probably less than
463 type
= get_type(expr
);
464 if (!type_unsigned(type
))
468 * Assume if (user < trusted) { ... because I am lazy and because this
469 * is the correct way to write code.
471 if (!get_user_rl(expr
->left
, &left
))
473 if (get_user_rl(expr
->right
, &right
))
476 if (!sval_is_negative(rl_min(left
)))
479 minus_one
.type
= rl_type(left
);
480 minus_one
.value
= -1;
481 non_negative
= remove_range(left
, min
, minus_one
);
485 case SPECIAL_UNSIGNED_LT
:
487 case SPECIAL_UNSIGNED_LTE
:
488 set_true_false_states_expr(my_id
, expr
->left
,
489 alloc_estate_rl(non_negative
), NULL
);
492 case SPECIAL_UNSIGNED_GT
:
494 case SPECIAL_UNSIGNED_GTE
:
495 set_true_false_states_expr(my_id
, expr
->left
,
496 NULL
, alloc_estate_rl(non_negative
));
501 static void match_condition(struct expression
*expr
)
503 if (expr
->type
!= EXPR_COMPARE
)
506 if (expr
->op
== SPECIAL_EQUAL
||
507 expr
->op
== SPECIAL_NOTEQUAL
) {
508 handle_eq_noteq(expr
);
512 handle_unsigned_lt_gt(expr
);
515 static void match_user_assign_function(const char *fn
, struct expression
*expr
, void *unused
)
517 func_gets_user_data
= true;
519 tag_as_user_data(expr
->left
);
520 set_points_to_user_data(expr
->left
);
523 static void match_simple_strtoul(const char *fn
, struct expression
*expr
, void *unused
)
525 func_gets_user_data
= true;
527 set_state_expr(my_id
, expr
->left
, alloc_estate_whole(get_type(expr
->left
)));
530 static int get_user_macro_rl(struct expression
*expr
, struct range_list
**rl
)
536 macro
= get_macro_name(expr
->pos
);
541 if (strcmp(macro
, "ntohl") == 0) {
542 *rl
= alloc_whole_rl(&uint_ctype
);
545 if (strcmp(macro
, "ntohs") == 0) {
546 *rl
= alloc_whole_rl(&ushort_ctype
);
553 struct range_list
*rl
;
554 struct expression
*call
;
556 static int returned_rl_callback(void *_info
, int argc
, char **argv
, char **azColName
)
558 struct db_info
*db_info
= _info
;
559 struct range_list
*rl
;
560 char *return_ranges
= argv
[0];
561 char *user_ranges
= argv
[1];
562 struct expression
*arg
;
568 call_results_to_rl(db_info
->call
, get_type(db_info
->call
), user_ranges
, &rl
);
569 if (str_to_comparison_arg(return_ranges
, db_info
->call
, &comparison
, &arg
) &&
570 comparison
== SPECIAL_EQUAL
) {
571 struct range_list
*orig_rl
;
573 if (!get_user_rl(arg
, &orig_rl
))
575 rl
= rl_intersection(rl
, orig_rl
);
579 db_info
->rl
= rl_union(db_info
->rl
, rl
);
584 static int has_user_data(struct symbol
*sym
)
586 struct sm_state
*tmp
;
588 FOR_EACH_MY_SM(my_id
, __get_cur_stree(), tmp
) {
591 } END_FOR_EACH_SM(tmp
);
595 static int we_pass_user_data(struct expression
*call
)
597 struct expression
*arg
;
600 FOR_EACH_PTR(call
->args
, arg
) {
601 sym
= expr_to_sym(arg
);
604 if (has_user_data(sym
))
606 } END_FOR_EACH_PTR(arg
);
611 static int db_returned_user_rl(struct expression
*call
, struct range_list
**rl
)
613 struct db_info db_info
= {};
615 /* for function pointers assume everything is used */
616 if (call
->fn
->type
!= EXPR_SYMBOL
)
618 if (is_fake_call(call
))
622 run_sql(&returned_rl_callback
, &db_info
,
623 "select return, value from return_states where %s and type = %d and parameter = -1 and key = '$';",
624 get_static_filter(call
->fn
->symbol
), USER_DATA3_SET
);
626 func_gets_user_data
= true;
631 run_sql(&returned_rl_callback
, &db_info
,
632 "select return, value from return_states where %s and type = %d and parameter = -1 and key = '$';",
633 get_static_filter(call
->fn
->symbol
), USER_DATA3
);
635 if (!we_pass_user_data(call
))
644 static int user_data_flag
;
645 static struct range_list
*var_user_rl(struct expression
*expr
)
647 struct smatch_state
*state
;
648 struct range_list
*rl
;
649 struct range_list
*absolute_rl
;
651 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '%') {
652 struct range_list
*left
, *right
;
654 if (!get_user_rl(expr
->right
, &right
))
656 get_absolute_rl(expr
->left
, &left
);
657 rl
= rl_binop(left
, '%', right
);
661 if (get_user_macro_rl(expr
, &rl
))
664 if (comes_from_skb_data(expr
)) {
665 rl
= alloc_whole_rl(get_type(expr
));
669 state
= get_state_expr(my_id
, expr
);
670 if (state
&& estate_rl(state
)) {
671 rl
= estate_rl(state
);
675 if (expr
->type
== EXPR_CALL
&& db_returned_user_rl(expr
, &rl
))
681 absolute_rl
= var_to_absolute_rl(expr
);
682 return clone_rl(rl_intersection(rl
, absolute_rl
));
685 int get_user_rl(struct expression
*expr
, struct range_list
**rl
)
689 custom_get_absolute_rl(expr
, &var_user_rl
, rl
);
690 if (!user_data_flag
) {
697 int get_user_rl_var_sym(const char *name
, struct symbol
*sym
, struct range_list
**rl
)
699 struct smatch_state
*state
;
701 state
= get_state(my_id
, name
, sym
);
702 if (state
&& estate_rl(state
)) {
703 *rl
= estate_rl(state
);
709 static void match_call_info(struct expression
*expr
)
711 struct range_list
*rl
;
712 struct expression
*arg
;
716 FOR_EACH_PTR(expr
->args
, arg
) {
719 if (!get_user_rl(arg
, &rl
))
722 sql_insert_caller_info(expr
, USER_DATA3
, i
, "$", show_rl(rl
));
723 } END_FOR_EACH_PTR(arg
);
726 static void struct_member_callback(struct expression
*call
, int param
, char *printed_name
, struct sm_state
*sm
)
728 struct smatch_state
*state
;
729 struct range_list
*rl
;
731 if (strcmp(sm
->state
->name
, "") == 0)
734 state
= get_state(SMATCH_EXTRA
, sm
->name
, sm
->sym
);
735 if (!state
|| !estate_rl(state
))
736 rl
= estate_rl(sm
->state
);
738 rl
= rl_intersection(estate_rl(sm
->state
), estate_rl(state
));
740 sql_insert_caller_info(call
, USER_DATA3
, param
, printed_name
, show_rl(rl
));
743 static void set_param_user_data(const char *name
, struct symbol
*sym
, char *key
, char *value
)
745 struct range_list
*rl
= NULL
;
746 struct smatch_state
*state
;
750 if (strcmp(key
, "*$") == 0)
751 snprintf(fullname
, sizeof(fullname
), "*%s", name
);
752 else if (strncmp(key
, "$", 1) == 0)
753 snprintf(fullname
, 256, "%s%s", name
, key
+ 1);
757 type
= get_member_type_from_key(symbol_expression(sym
), key
);
759 /* if the caller passes a void pointer with user data */
760 if (strcmp(key
, "*$") == 0 && type
&& type
!= &void_ctype
) {
761 struct expression
*expr
= symbol_expression(sym
);
763 tag_as_user_data(expr
);
764 set_points_to_user_data(expr
);
767 str_to_rl(type
, value
, &rl
);
768 state
= alloc_estate_rl(rl
);
769 set_state(my_id
, fullname
, sym
, state
);
772 static void set_called(const char *name
, struct symbol
*sym
, char *key
, char *value
)
774 set_state(my_call_id
, "this_function", NULL
, &called
);
777 static void match_syscall_definition(struct symbol
*sym
)
784 macro
= get_macro_name(sym
->pos
);
786 (strncmp("SYSCALL_DEFINE", macro
, strlen("SYSCALL_DEFINE")) == 0 ||
787 strncmp("COMPAT_SYSCALL_DEFINE", macro
, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
790 name
= get_function();
791 if (!option_no_db
&& get_state(my_call_id
, "this_function", NULL
) != &called
) {
792 if (name
&& strncmp(name
, "sys_", 4) == 0)
796 if (name
&& strncmp(name
, "compat_sys_", 11) == 0)
802 FOR_EACH_PTR(sym
->ctype
.base_type
->arguments
, arg
) {
803 set_state(my_id
, arg
->ident
->name
, arg
, alloc_estate_whole(get_real_base_type(arg
)));
804 } END_FOR_EACH_PTR(arg
);
807 static void set_to_user_data(struct expression
*expr
, char *key
, char *value
)
812 struct range_list
*rl
= NULL
;
814 type
= get_member_type_from_key(expr
, key
);
815 name
= get_variable_from_key(expr
, key
, &sym
);
819 call_results_to_rl(expr
, type
, value
, &rl
);
821 set_state(my_id
, name
, sym
, alloc_estate_rl(rl
));
827 static void returns_param_user_data(struct expression
*expr
, int param
, char *key
, char *value
)
829 struct expression
*arg
;
830 struct expression
*call
;
833 while (call
->type
== EXPR_ASSIGNMENT
)
834 call
= strip_expr(call
->right
);
835 if (call
->type
!= EXPR_CALL
)
838 if (!we_pass_user_data(call
))
842 if (expr
->type
!= EXPR_ASSIGNMENT
)
844 set_to_user_data(expr
->left
, key
, value
);
848 arg
= get_argument_from_call_expr(call
->args
, param
);
851 set_to_user_data(arg
, key
, value
);
854 static void returns_param_user_data_set(struct expression
*expr
, int param
, char *key
, char *value
)
856 struct expression
*arg
;
858 func_gets_user_data
= true;
861 if (expr
->type
!= EXPR_ASSIGNMENT
)
863 if (strcmp(key
, "*$") == 0) {
864 set_points_to_user_data(expr
->left
);
865 tag_as_user_data(expr
->left
);
867 set_to_user_data(expr
->left
, key
, value
);
872 while (expr
->type
== EXPR_ASSIGNMENT
)
873 expr
= strip_expr(expr
->right
);
874 if (expr
->type
!= EXPR_CALL
)
877 arg
= get_argument_from_call_expr(expr
->args
, param
);
880 set_to_user_data(arg
, key
, value
);
883 static int has_empty_state(struct sm_state
*sm
)
885 struct sm_state
*tmp
;
887 FOR_EACH_PTR(sm
->possible
, tmp
) {
888 if (!estate_rl(tmp
->state
))
890 } END_FOR_EACH_PTR(tmp
);
895 static void param_set_to_user_data(int return_id
, char *return_ranges
, struct expression
*expr
)
898 struct smatch_state
*start_state
;
899 struct range_list
*rl
;
902 const char *param_name
;
904 expr
= strip_expr(expr
);
905 return_str
= expr_to_str(expr
);
907 FOR_EACH_MY_SM(my_id
, __get_cur_stree(), sm
) {
908 if (has_empty_state(sm
))
911 param
= get_param_num_from_sym(sm
->sym
);
913 if (expr_to_sym(expr
) == sm
->sym
)
919 /* The logic here was that if we were passed in a user data then
920 * we don't record that. It's like the difference between
921 * param_filter and param_set. When I think about it, I'm not
922 * sure it actually works. It's probably harmless because we
923 * checked earlier that we're not returning a parameter...
924 * Let's mark this as a TODO.
926 start_state
= get_state_stree(start_states
, my_id
, sm
->name
, sm
->sym
);
927 if (start_state
&& rl_equiv(estate_rl(sm
->state
), estate_rl(start_state
)))
931 param_name
= state_name_to_param_name(sm
->name
, return_str
);
933 param_name
= get_param_name(sm
);
936 if (strcmp(param_name
, "$") == 0) /* The -1 param is handled after the loop */
939 sql_insert_return_states(return_id
, return_ranges
,
940 func_gets_user_data
? USER_DATA3_SET
: USER_DATA3
,
941 param
, param_name
, show_rl(estate_rl(sm
->state
)));
942 } END_FOR_EACH_SM(sm
);
944 if (points_to_user_data(expr
)) {
945 sql_insert_return_states(return_id
, return_ranges
,
946 (is_skb_data(expr
) || !func_gets_user_data
) ?
947 USER_DATA3_SET
: USER_DATA3
,
949 } else if (get_user_rl(expr
, &rl
)) {
950 sql_insert_return_states(return_id
, return_ranges
,
951 func_gets_user_data
? USER_DATA3_SET
: USER_DATA3
,
952 -1, "$", show_rl(rl
));
955 free_string(return_str
);
958 static struct int_stack
*gets_data_stack
;
959 static void match_function_def(struct symbol
*sym
)
961 func_gets_user_data
= false;
964 static void match_inline_start(struct expression
*expr
)
966 push_int(&gets_data_stack
, func_gets_user_data
);
969 static void match_inline_end(struct expression
*expr
)
971 func_gets_user_data
= pop_int(&gets_data_stack
);
974 void check_user_data2(int id
)
980 if (option_project
!= PROJ_KERNEL
)
983 add_hook(&match_function_def
, FUNC_DEF_HOOK
);
984 add_hook(&match_inline_start
, INLINE_FN_START
);
985 add_hook(&match_inline_end
, INLINE_FN_END
);
987 add_hook(&save_start_states
, AFTER_DEF_HOOK
);
988 add_hook(&free_start_states
, AFTER_FUNC_HOOK
);
989 add_hook(&match_save_states
, INLINE_FN_START
);
990 add_hook(&match_restore_states
, INLINE_FN_END
);
992 add_unmatched_state_hook(my_id
, &empty_state
);
993 add_extra_nomod_hook(&extra_nomod_hook
);
994 add_pre_merge_hook(my_id
, &pre_merge_hook
);
995 add_merge_hook(my_id
, &merge_estates
);
997 add_function_hook("copy_from_user", &match_user_copy
, INT_PTR(0));
998 add_function_hook("__copy_from_user", &match_user_copy
, INT_PTR(0));
999 add_function_hook("memcpy_fromiovec", &match_user_copy
, INT_PTR(0));
1000 for (i
= 0; i
< ARRAY_SIZE(kstr_funcs
); i
++)
1001 add_function_hook(kstr_funcs
[i
], &match_user_copy
, INT_PTR(2));
1003 add_function_assign_hook("simple_strtol", &match_simple_strtoul
, NULL
);
1004 add_function_assign_hook("simple_strtoll", &match_simple_strtoul
, NULL
);
1005 add_function_assign_hook("simple_strtoul", &match_simple_strtoul
, NULL
);
1006 add_function_assign_hook("simple_strtoull", &match_simple_strtoul
, NULL
);
1008 add_function_hook("sscanf", &match_sscanf
, NULL
);
1010 add_function_assign_hook("memdup_user", &match_user_assign_function
, NULL
);
1011 add_function_assign_hook("kmap_atomic", &match_user_assign_function
, NULL
);
1012 add_function_assign_hook("skb_network_header", &match_user_assign_function
, NULL
);
1014 add_hook(&match_syscall_definition
, AFTER_DEF_HOOK
);
1016 add_hook(&match_assign
, ASSIGNMENT_HOOK
);
1017 add_hook(&match_condition
, CONDITION_HOOK
);
1019 add_hook(&match_call_info
, FUNCTION_CALL_HOOK
);
1020 add_member_info_callback(my_id
, struct_member_callback
);
1021 select_caller_info_hook(set_param_user_data
, USER_DATA3
);
1022 select_return_states_hook(USER_DATA3
, &returns_param_user_data
);
1023 select_return_states_hook(USER_DATA3_SET
, &returns_param_user_data_set
);
1024 add_split_return_callback(¶m_set_to_user_data
);
1027 void check_user_data3(int id
)
1031 if (option_project
!= PROJ_KERNEL
)
1033 select_caller_info_hook(set_called
, INTERNAL
);