search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel_printf: add some quotes around the function name
[smatch.git] / check_user_data2.c
blobee6c52d90a3cc323cb549166c21a237ea97f15f7
1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
23 */
24
25 #include "smatch.h"
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
28
29 static int my_id;
30 static int my_call_id;
31
32 STATE(called);
33
34 static struct smatch_state *empty_state(struct sm_state *sm)
35 {
36 return alloc_estate_empty();
37 }
38
39 static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
40 {
41 struct expression *edge_member;
42 struct symbol *base = get_real_base_type(member);
43 struct symbol *tmp;
44
45 if (member->ident)
46 expr = member_expression(expr, '.', member->ident);
47
48 FOR_EACH_PTR(base->symbol_list, tmp) {
49 struct symbol *type;
50
51 type = get_real_base_type(tmp);
52 if (!type)
53 continue;
54
55 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
56 tag_inner_struct_members(expr, tmp);
57 continue;
58 }
59
60 if (!tmp->ident)
61 continue;
62
63 edge_member = member_expression(expr, '.', tmp->ident);
64 set_state_expr(my_id, edge_member, alloc_estate_whole(type));
65 } END_FOR_EACH_PTR(tmp);
66
67
68 }
69
70 static void tag_struct_members(struct symbol *type, struct expression *expr)
71 {
72 struct symbol *tmp;
73 struct expression *member;
74 int op = '*';
75
76 if (expr->type == EXPR_PREOP && expr->op == '&') {
77 expr = strip_expr(expr->unop);
78 op = '.';
79 }
80
81 FOR_EACH_PTR(type->symbol_list, tmp) {
82 type = get_real_base_type(tmp);
83 if (!type)
84 continue;
85
86 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
87 tag_inner_struct_members(expr, tmp);
88 continue;
89 }
90
91 if (!tmp->ident)
92 continue;
93
94 member = member_expression(expr, op, tmp->ident);
95 set_state_expr(my_id, member, alloc_estate_whole(get_type(member)));
96 } END_FOR_EACH_PTR(tmp);
97 }
98
99 static void tag_base_type(struct expression *expr)
100 {
101 if (expr->type == EXPR_PREOP && expr->op == '&')
102 expr = strip_expr(expr->unop);
103 else
104 expr = deref_expression(expr);
105 set_state_expr(my_id, expr, alloc_estate_whole(get_type(expr)));
106 }
107
108 static void tag_as_user_data(struct expression *expr)
109 {
110 struct symbol *type;
111
112 expr = strip_expr(expr);
113
114 type = get_type(expr);
115 if (!type || type->type != SYM_PTR)
116 return;
117 type = get_real_base_type(type);
118 if (!type)
119 return;
120 if (type == &void_ctype) {
121 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
122 return;
123 }
124 if (type->type == SYM_BASETYPE)
125 tag_base_type(expr);
126 if (type->type == SYM_STRUCT) {
127 if (expr->type != EXPR_PREOP || expr->op != '&')
128 expr = deref_expression(expr);
129 tag_struct_members(type, expr);
130 }
131 }
132
133 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
134 {
135 int param = PTR_INT(_param);
136 struct expression *dest;
137
138 dest = get_argument_from_call_expr(expr->args, param);
139 dest = strip_expr(dest);
140 if (!dest)
141 return;
142 tag_as_user_data(dest);
143 }
144
145 static int points_to_user_data(struct expression *expr)
146 {
147 struct smatch_state *state;
148 char buf[256];
149 struct symbol *sym;
150 char *name;
151 int ret = 0;
152
153 name = expr_to_var_sym(expr, &sym);
154 if (!name || !sym)
155 goto free;
156 snprintf(buf, sizeof(buf), "*%s", name);
157 state = get_state(my_id, buf, sym);
158 if (state && estate_rl(state))
159 ret = 1;
160 free:
161 free_string(name);
162 return ret;
163 }
164
165 static int is_skb_data(struct expression *expr)
166 {
167 struct symbol *sym;
168
169 expr = strip_expr(expr);
170 if (!expr || expr->type != EXPR_DEREF)
171 return 0;
172
173 if (!expr->member)
174 return 0;
175 if (strcmp(expr->member->name, "data") != 0)
176 return 0;
177
178 sym = expr_to_sym(expr->deref);
179 if (!sym)
180 return 0;
181 sym = get_real_base_type(sym);
182 if (!sym || sym->type != SYM_PTR)
183 return 0;
184 sym = get_real_base_type(sym);
185 if (!sym || sym->type != SYM_STRUCT || !sym->ident)
186 return 0;
187 if (strcmp(sym->ident->name, "sk_buff") != 0)
188 return 0;
189
190 return 1;
191 }
192
193 static int comes_from_skb_data(struct expression *expr)
194 {
195 expr = strip_expr(expr);
196 if (!expr)
197 return 0;
198
199 return 0;
200 switch (expr->type) {
201 case EXPR_BINOP:
202 if (comes_from_skb_data(expr->left))
203 return 1;
204 if (comes_from_skb_data(expr->right))
205 return 1;
206 return 0;
207 case EXPR_PREOP:
208 return comes_from_skb_data(expr->unop);
209 case EXPR_DEREF:
210 if (is_skb_data(expr))
211 return 1;
212 return comes_from_skb_data(expr->deref);
213 default:
214 return 0;
215 }
216 }
217
218
219 static int handle_struct_assignment(struct expression *expr)
220 {
221 struct expression *right;
222 struct symbol *type;
223
224 type = get_type(expr->left);
225 if (!type || type->type != SYM_PTR)
226 return 0;
227 type = get_real_base_type(type);
228 if (!type || type->type != SYM_STRUCT)
229 return 0;
230
231 /*
232 * Ignore struct to struct assignments because for those we look at the
233 * individual members.
234 */
235 right = strip_expr(expr->right);
236 type = get_type(right);
237 if (!type || type->type != SYM_PTR)
238 return 0;
239 type = get_real_base_type(type);
240 if (type && type->type == SYM_STRUCT)
241 return 0;
242
243 if (!points_to_user_data(right) && !is_skb_data(right))
244 return 0;
245
246 tag_as_user_data(expr->left);
247 return 1;
248 }
249
250 static int handle_get_user(struct expression *expr)
251 {
252 char *name;
253 int ret = 0;
254
255 name = get_macro_name(expr->pos);
256 if (!name || strcmp(name, "get_user") != 0)
257 return 0;
258
259 name = expr_to_var(expr->right);
260 if (!name || strcmp(name, "__val_gu") != 0)
261 goto free;
262 set_state_expr(my_id, expr->left, alloc_estate_whole(get_type(expr->left)));
263 ret = 1;
264 free:
265 free_string(name);
266 return ret;
267 }
268
269 static void match_assign(struct expression *expr)
270 {
271 struct range_list *rl;
272
273 if (is_fake_call(expr->right))
274 return;
275 if (handle_struct_assignment(expr))
276 return;
277 if (handle_get_user(expr))
278 return;
279
280 if (expr->right->type == EXPR_CALL ||
281 !get_user_rl(expr->right, &rl))
282 goto clear_old_state;
283
284 rl = cast_rl(get_type(expr->left), rl);
285 set_state_expr(my_id, expr->left, alloc_estate_rl(rl));
286
287 return;
288
289 clear_old_state:
290 if (get_state_expr(my_id, expr->left))
291 set_state_expr(my_id, expr->left, alloc_estate_empty());
292 }
293
294 static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
295 {
296 tag_as_user_data(expr->left);
297 }
298
299 static int get_user_macro_rl(struct expression *expr, struct range_list **rl)
300 {
301 char *macro;
302
303 if (!expr)
304 return 0;
305 macro = get_macro_name(expr->pos);
306
307 if (!macro)
308 return 0;
309
310 if (strcmp(macro, "ntohl") == 0) {
311 *rl = alloc_whole_rl(&uint_ctype);
312 return 1;
313 }
314 if (strcmp(macro, "ntohs") == 0) {
315 *rl = alloc_whole_rl(&ushort_ctype);
316 return 1;
317 }
318 return 0;
319 }
320
321 static int user_data_flag;
322 static struct range_list *var_user_rl(struct expression *expr)
323 {
324 struct smatch_state *state;
325 struct range_list *rl;
326 struct range_list *absolute_rl;
327
328 if (get_user_macro_rl(expr, &rl))
329 goto found;
330
331 if (comes_from_skb_data(expr)) {
332 rl = alloc_whole_rl(get_type(expr));
333 goto found;
334 }
335
336 state = get_state_expr(my_id, expr);
337 if (state && estate_rl(state)) {
338 rl = estate_rl(state);
339 goto found;
340 }
341
342 return NULL;
343 found:
344 user_data_flag = 1;
345 absolute_rl = var_to_absolute_rl(expr);
346 return clone_rl(rl_intersection(rl, absolute_rl));
347 }
348
349 int get_user_rl(struct expression *expr, struct range_list **rl)
350 {
351
352 user_data_flag = 0;
353 custom_get_absolute_rl(expr, &var_user_rl, rl);
354 if (!user_data_flag) {
355 *rl = NULL;
356 return 0;
357 }
358 return 1;
359 }
360
361 static void match_call_info(struct expression *expr)
362 {
363 struct range_list *rl;
364 struct expression *arg;
365 int i = 0;
366
367 i = -1;
368 FOR_EACH_PTR(expr->args, arg) {
369 i++;
370
371 if (!get_user_rl(arg, &rl))
372 continue;
373
374 sql_insert_caller_info(expr, USER_DATA3, i, "$", show_rl(rl));
375 i++;
376 } END_FOR_EACH_PTR(arg);
377 }
378
379 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
380 {
381 struct smatch_state *state;
382 struct range_list *rl;
383
384 if (strcmp(sm->state->name, "") == 0)
385 return;
386
387 state = get_state(SMATCH_EXTRA, sm->name, sm->sym);
388 if (!state || !estate_rl(state))
389 rl = estate_rl(sm->state);
390 else
391 rl = rl_intersection(estate_rl(sm->state), estate_rl(state));
392
393 sql_insert_caller_info(call, USER_DATA3, param, printed_name, show_rl(rl));
394 }
395
396 static void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
397 {
398 struct range_list *rl = NULL;
399 struct smatch_state *state;
400 struct symbol *type;
401 char fullname[256];
402
403 if (strcmp(key, "*$") == 0)
404 snprintf(fullname, sizeof(fullname), "*%s", name);
405 else if (strncmp(key, "$", 1) == 0)
406 snprintf(fullname, 256, "%s%s", name, key + 1);
407 else
408 return;
409
410 type = get_member_type_from_key(symbol_expression(sym), key);
411
412 /* if the caller passes a void pointer with user data */
413 if (strcmp(key, "*$") == 0 && type && type != &void_ctype) {
414 struct expression *expr = symbol_expression(sym);
415
416 tag_as_user_data(expr);
417 return;
418 }
419 str_to_rl(type, value, &rl);
420 state = alloc_estate_rl(rl);
421 set_state(my_id, fullname, sym, state);
422 }
423
424 static void set_called(const char *name, struct symbol *sym, char *key, char *value)
425 {
426 set_state(my_call_id, "this_function", NULL, &called);
427 }
428
429 static void match_syscall_definition(struct symbol *sym)
430 {
431 struct symbol *arg;
432 char *macro;
433 char *name;
434 int is_syscall = 0;
435
436 macro = get_macro_name(sym->pos);
437 if (macro &&
438 (strncmp("SYSCALL_DEFINE", macro, strlen("SYSCALL_DEFINE")) == 0 ||
439 strncmp("COMPAT_SYSCALL_DEFINE", macro, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
440 is_syscall = 1;
441
442 name = get_function();
443 if (!option_no_db && get_state(my_call_id, "this_function", NULL) != &called) {
444 if (name && strncmp(name, "sys_", 4) == 0)
445 is_syscall = 1;
446 }
447
448 if (name && strncmp(name, "compat_sys_", 11) == 0)
449 is_syscall = 1;
450
451 if (!is_syscall)
452 return;
453
454 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
455 set_state(my_id, arg->ident->name, arg, alloc_estate_whole(get_real_base_type(arg)));
456 } END_FOR_EACH_PTR(arg);
457 }
458
459 void check_user_data2(int id)
460 {
461 my_id = id;
462
463 if (option_project != PROJ_KERNEL)
464 return;
465
466 add_unmatched_state_hook(my_id, &empty_state);
467 add_merge_hook(my_id, &merge_estates);
468
469 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
470 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
471 add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
472 add_function_hook("_kstrtoull", &match_user_copy, INT_PTR(2));
473
474 add_function_assign_hook("kmemdup_user", &match_user_assign_function, NULL);
475 add_function_assign_hook("kmap_atomic", &match_user_assign_function, NULL);
476
477 add_hook(&match_syscall_definition, AFTER_DEF_HOOK);
478
479 add_hook(&match_assign, ASSIGNMENT_HOOK);
480
481 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
482 add_member_info_callback(my_id, struct_member_callback);
483 select_caller_info_hook(set_param_user_data, USER_DATA3);
484 }
485
486 void check_user_data3(int id)
487 {
488 my_call_id = id;
489
490 if (option_project != PROJ_KERNEL)
491 return;
492 select_caller_info_hook(set_called, INTERNAL);
493 }
494
Static analysis for C