2 * sparse/check_get_user_overflow.c
4 * Copyright (C) 2010 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
11 * Looks for integers that we get from the user which can be attacked
12 * with an integer overflow.
17 #include "smatch_slist.h"
/*
 * match_condition() is registered for CONDITION_HOOK by
 * check_get_user_overflow().  For a comparison it chooses, per operand and
 * per branch, whether the tracked maximum (my_max_id) and minimum (my_min_id)
 * become &capped, then records that with set_true_false_states_expr().
 *
 * Local naming: <operand>_<max|min>_<true|false> is the state given to that
 * operand's max/min tracker on the true/false branch of the condition.
 *
 * NOTE(review): this listing drops some source lines; the leading numbers are
 * the listing's own line numbers and they jump wherever a line is missing
 * (26, 31, 36-39, 46-48, 55-56, 61, 67-71, 75, 79-81).  The gaps are marked
 * below and deliberately not filled in.
 */
25  static void match_condition(struct expression *expr)
    /* All eight start as NULL; presumably NULL means "set nothing on that
     * branch" - confirm against set_true_false_states_expr(). */
27      struct smatch_state *left_max_true = NULL;
28      struct smatch_state *left_max_false = NULL;
29      struct smatch_state *right_max_true = NULL;
30      struct smatch_state *right_max_false = NULL;
32      struct smatch_state *left_min_true = NULL;
33      struct smatch_state *left_min_false = NULL;
34      struct smatch_state *right_min_true = NULL;
35      struct smatch_state *right_min_false = NULL;
    /* Lines 36-39 not shown (presumably the switch header and further
     * less-than case labels). */
40      case SPECIAL_UNSIGNED_LT:
41      case SPECIAL_UNSIGNED_LTE:
        /* left < right: on the true branch left gains an upper bound and
         * right a lower bound; on the false branch the roles swap. */
42          left_max_true = &capped;
43          right_max_false = &capped;
44          right_min_true = &capped;
45          left_min_false = &capped;
    /* Lines 46-48 not shown. */
49      case SPECIAL_UNSIGNED_GT:
50      case SPECIAL_UNSIGNED_GTE:
        /* Mirror image of the less-than case. */
51          left_max_false = &capped;
52          right_max_true = &capped;
53          left_min_true = &capped;
54          right_min_false = &capped;
    /* Lines 55-56 not shown; the label for the next group is missing from
     * the listing.  It caps both operands on the true branch only, which
     * looks like the equality case - TODO confirm. */
57          left_max_true = &capped;
58          right_max_true = &capped;
59          left_min_true = &capped;
60          right_min_true = &capped;
62      case SPECIAL_NOTEQUAL:
        /* "!=" caps both operands on the false branch only. */
63          left_max_false = &capped;
64          right_max_false = &capped;
65          left_min_false = &capped;
66          right_min_false = &capped;
    /* Lines 67-71 not shown.
     *
     * Only the my_max_id state is tested before BOTH trackers are updated.
     * NOTE(review): in the visible lines the value of the other operand is
     * never examined, so a comparison against something that is itself
     * unbounded still counts as a cap - a possible source of missed
     * warnings; confirm against the full file. */
72      if (get_state_expr(my_max_id, expr->left)) {
73          set_true_false_states_expr(my_max_id, expr->left, left_max_true, left_max_false);
74          set_true_false_states_expr(my_min_id, expr->left, left_min_true, left_min_false);
76      if (get_state_expr(my_max_id, expr->right)) {
77          set_true_false_states_expr(my_max_id, expr->right, right_max_true, right_max_false);
78          set_true_false_states_expr(my_min_id, expr->right, right_min_true, right_min_false);
/*
 * match_normal_assign() is called from match_assign() for an assignment that
 * is not inside a get_user expansion.  If the left-hand side already has a
 * my_max_id state, both its max and min trackers are reset to &capped.
 *
 * NOTE(review): the right-hand side is not inspected in the visible lines, so
 * any reassignment clears the tracking, whatever value is stored.  Listing
 * lines 83 and 87-89 are not shown.
 */
82  static void match_normal_assign(struct expression *expr)
84      if (get_state_expr(my_max_id, expr->left)) {
85          set_state_expr(my_max_id, expr->left, &capped);
86          set_state_expr(my_min_id, expr->left, &capped);
/*
 * match_assign() is registered for ASSIGNMENT_HOOK by
 * check_get_user_overflow().  It marks the left-hand side of an assignment
 * as &user_data in both trackers when the assignment sits at a position whose
 * macro name is "get_user" and the right-hand side is the variable
 * "__val_gu".  Any other assignment is passed to match_normal_assign().
 *
 * NOTE(review): only this one macro pattern is recognised in the visible
 * lines; values that reach the kernel from user space by other routes are
 * not marked here.  Listing lines 91-93, 97-98, 101 and 104-107 are not
 * shown (declarations, the statements under the two ifs, any cleanup).
 */
90  static void match_assign(struct expression *expr)
    /* Name of the macro at the assignment's source position. */
94      name = get_macro_name(expr->pos);
95      if (!name || strcmp(name, "get_user") != 0) {
96          match_normal_assign(expr);
    /* Lines 97-98 not shown; presumably returns here - confirm. */
99      name = expr_to_var(expr->right);
    /* The statement governed by this test (line 101) is not shown;
     * presumably it bails out when the right-hand side is not __val_gu. */
100     if (!name || strcmp(name, "__val_gu") != 0)
    /* From here on the destination is treated as user-controlled. */
102     set_state_expr(my_max_id, expr->left, &user_data);
103     set_state_expr(my_min_id, expr->left, &user_data);
/*
 * check_expr() is called by match_binop() for each operand of a binary
 * operation.  It warns when the operand may still hold unbounded user data:
 *   - overflow side:  &user_data is among the possible my_max_id states and
 *     get_absolute_max() fails or (presumably) reports a maximum above 20000;
 *   - underflow side: &user_data is among the possible my_min_id states and
 *     get_absolute_min() fails or reports a negative minimum below -20000.
 * The 20000 / -20000 limits are hard-coded.  sm->possible is consulted, so
 * one path on which the value is still &user_data is enough to warn.
 *
 * NOTE(review): listing lines 109-116, 120-122, 127-129, 131-132, 136, 138,
 * 140-141 and 144-145 are not shown (declarations, the statements that record
 * overflow/underflow, the else branches, closing braces).
 */
108 static void check_expr(struct expression *expr)
117     sm = get_sm_state_expr(my_max_id, expr);
118     if (sm && slist_has_state(sm->possible, &user_data)) {
        /* Line 120 (the statement under this test) is not shown;
         * presumably it sets overflow. */
119         if (!get_absolute_max(expr, &max) || sval_cmp_val(max, 20000) > 0)
123     sm = get_sm_state_expr(my_min_id, expr);
124     if (sm && slist_has_state(sm->possible, &user_data)) {
        /* Lines 127-129 not shown; presumably set underflow. */
125         if (!get_absolute_min(expr, &sval) ||
126             (sval_is_negative(sval) && sval_cmp_val(sval, -20000) < 0))
    /* Nothing to report; line 131 is not shown, presumably a return. */
130     if (!overflow && !underflow)
133     name = expr_to_var_sym(expr, NULL);
    /* Exactly one message form is chosen; the else lines (136, 138) that
     * separate the three calls are not shown. */
134     if (overflow && underflow)
135         sm_msg("warn: check for integer over/underflow '%s'", name);
137         sm_msg("warn: check for integer underflow '%s'", name);
139         sm_msg("warn: check for integer overflow '%s'", name);
    /* After reporting, the expression is marked &capped in both trackers;
     * presumably so the same value is not reported again - confirm. */
142     set_state_expr(my_max_id, expr, &capped);
143     set_state_expr(my_min_id, expr, &capped);
/*
 * match_binop() is registered for BINOP_HOOK by check_get_user_overflow().
 * It runs check_expr() on both operands of a binary operation.
 *
 * NOTE(review): listing lines 147-153, 155, 157-158 and 161 are not shown.
 * The two visible tests single out the shift operators, but the statements
 * they govern are missing; presumably shifts are skipped - confirm.  Lines
 * 147-153 may hold further operator tests that cannot be seen here.
 */
146 static void match_binop(struct expression *expr)
154     if (expr->op == SPECIAL_RIGHTSHIFT)
156     if (expr->op == SPECIAL_LEFTSHIFT)
    /* Either side of the operation may carry the user-controlled value. */
159     check_expr(expr->left);
160     check_expr(expr->right);
/*
 * check_get_user_overflow() is the registration entry point for this check.
 * It tests whether the project under analysis is the kernel, then installs
 * the three hooks defined in this file: conditions, assignments and binary
 * operations.
 *
 * NOTE(review): listing lines 164, 166-167 and 171 are not shown.  Presumably
 * line 166 returns when option_project is not PROJ_KERNEL and line 167 stores
 * id in my_max_id - confirm against the full file.
 */
163 void check_get_user_overflow(int id)
165     if (option_project != PROJ_KERNEL)
168     add_hook(&match_condition, CONDITION_HOOK);
169     add_hook(&match_assign, ASSIGNMENT_HOOK);
170     add_hook(&match_binop, BINOP_HOOK);
173 void check_get_user_overflow2(int id
)