2 * smatch/check_user_data.c
4 * Copyright (C) 2011 Dan Carpenter.
6 * Licensed under the Open Software License version 1.1
11 * There are a couple checks that try to see if a variable
12 * comes from the user. It would be better to unify them
13 * into one place. Also it we should follow the data down
14 * the call paths. Hence this file.
18 #include "smatch_slist.h"
19 #include "smatch_extra.h"
26 static int is_skb_data(struct expression
*expr
)
33 name
= get_variable_from_expr(expr
, &sym
);
37 sym
= get_base_type(sym
);
38 if (!sym
|| sym
->type
!= SYM_PTR
)
40 sym
= get_base_type(sym
);
41 if (!sym
|| sym
->type
!= SYM_STRUCT
|| !sym
->ident
)
43 if (strcmp(sym
->ident
->name
, "sk_buff") != 0)
49 if (strcmp(name
+ len
- 6, "->data") == 0)
57 int is_user_data(struct expression
*expr
)
59 struct state_list
*slist
= NULL
;
65 expr
= strip_expr(expr
);
70 if (is_skb_data(expr
))
72 if (expr
->type
== EXPR_BINOP
) {
73 if (is_user_data(expr
->left
))
75 if (is_user_data(expr
->right
))
79 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&')
80 expr
= strip_expr(expr
->unop
);
82 tmp
= get_sm_state_expr(my_id
, expr
);
84 return slist_has_state(tmp
->possible
, &user_data
);
86 name
= get_variable_from_expr_complex(expr
, &sym
);
90 slist
= get_all_states(my_id
);
91 FOR_EACH_PTR(slist
, tmp
) {
94 if (!strncmp(tmp
->name
, name
, strlen(tmp
->name
))) {
95 if (slist_has_state(tmp
->possible
, &user_data
))
99 } END_FOR_EACH_PTR(tmp
);
107 void set_param_user_data(const char *name
, struct symbol
*sym
, char *key
, char *value
)
111 if (strncmp(key
, "$$", 2))
113 snprintf(fullname
, 256, "%s%s", name
, key
+ 2);
114 set_state(my_id
, fullname
, sym
, &user_data
);
117 static void match_condition(struct expression
*expr
)
122 case SPECIAL_UNSIGNED_LT
:
123 case SPECIAL_UNSIGNED_LTE
:
124 if (is_user_data(expr
->left
))
125 set_true_false_states_expr(my_id
, expr
->left
, &capped
, NULL
);
126 if (is_user_data(expr
->right
))
127 set_true_false_states_expr(my_id
, expr
->right
, NULL
, &capped
);
131 case SPECIAL_UNSIGNED_GT
:
132 case SPECIAL_UNSIGNED_GTE
:
133 if (is_user_data(expr
->right
))
134 set_true_false_states_expr(my_id
, expr
->right
, &capped
, NULL
);
135 if (is_user_data(expr
->left
))
136 set_true_false_states_expr(my_id
, expr
->left
, NULL
, &capped
);
139 if (is_user_data(expr
->left
))
140 set_true_false_states_expr(my_id
, expr
->left
, &capped
, NULL
);
141 if (is_user_data(expr
->right
))
142 set_true_false_states_expr(my_id
, expr
->right
, &capped
, NULL
);
144 case SPECIAL_NOTEQUAL
:
145 if (is_user_data(expr
->left
))
146 set_true_false_states_expr(my_id
, expr
->left
, NULL
, &capped
);
147 if (is_user_data(expr
->right
))
148 set_true_false_states_expr(my_id
, expr
->right
, NULL
, &capped
);
156 static void match_normal_assign(struct expression
*expr
)
158 if (is_user_data(expr
->left
))
159 set_state_expr(my_id
, expr
->left
, &capped
);
162 static void match_assign(struct expression
*expr
)
166 name
= get_macro_name(expr
->pos
);
167 if (!name
|| strcmp(name
, "get_user") != 0) {
168 match_normal_assign(expr
);
171 name
= get_variable_from_expr(expr
->right
, NULL
);
172 if (!name
|| strcmp(name
, "__val_gu") != 0)
174 set_state_expr(my_id
, expr
->left
, &user_data
);
179 static void match_user_copy(const char *fn
, struct expression
*expr
, void *_param
)
181 int param
= PTR_INT(_param
);
182 struct expression
*dest
;
184 dest
= get_argument_from_call_expr(expr
->args
, param
);
185 dest
= strip_expr(dest
);
188 /* the first thing I tested this on pass &foo to a function */
189 set_state_expr(my_id
, dest
, &user_data
);
190 if (dest
->type
== EXPR_PREOP
&& dest
->op
== '&') {
191 /* but normally I'd think it would pass the actual variable */
193 set_state_expr(my_id
, dest
, &user_data
);
197 static void match_user_assign_function(const char *fn
, struct expression
*expr
, void *unused
)
199 set_state_expr(my_id
, expr
->left
, &user_data
);
202 static void match_assign_userdata(struct expression
*expr
)
204 if (is_user_data(expr
->right
))
205 set_state_expr(my_id
, expr
->left
, &user_data
);
208 static void match_caller_info(struct expression
*expr
)
210 struct expression
*tmp
;
214 func
= get_fnptr_name(expr
->fn
);
219 FOR_EACH_PTR(expr
->args
, tmp
) {
220 if (is_user_data(tmp
))
221 sm_msg("info: passes user_data %s %d '$$' %s", func
, i
,
222 is_static(expr
->fn
) ? "static" : "global");
224 } END_FOR_EACH_PTR(tmp
);
227 static void struct_member_callback(char *fn
, char *global_static
, int param
, char *printed_name
, struct smatch_state
*state
)
229 if (state
== &capped
)
231 sm_msg("info: passes user_data '%s' %d '%s' %s", fn
, param
, printed_name
, global_static
);
234 static void match_return(struct expression
*expr
)
236 if (is_user_data(expr
))
237 sm_msg("info: returns_user_data %s", global_static());
240 static int db_user_data
;
241 static int db_user_data_callback(void *unused
, int argc
, char **argv
, char **azColName
)
247 static int passes_user_data(struct expression
*expr
)
249 struct expression
*arg
;
251 FOR_EACH_PTR(expr
->args
, arg
) {
252 if (is_user_data(arg
))
254 } END_FOR_EACH_PTR(arg
);
259 static void match_call_assignment(struct expression
*expr
)
262 static char sql_filter
[1024];
264 if (expr
->right
->fn
->type
!= EXPR_SYMBOL
)
266 sym
= expr
->right
->fn
->symbol
;
270 if (!passes_user_data(expr
->right
))
273 if (sym
->ctype
.modifiers
& MOD_STATIC
) {
274 snprintf(sql_filter
, 1024, "file = '%s' and function = '%s' and type = %d;",
275 get_filename(), sym
->ident
->name
, USER_DATA
);
277 snprintf(sql_filter
, 1024, "function = '%s' and static = 0 and type = %d;",
278 sym
->ident
->name
, USER_DATA
);
282 run_sql(db_user_data_callback
, "select value from return_info where %s",
285 set_state_expr(my_id
, expr
->left
, &user_data
);
288 void check_user_data(int id
)
290 if (option_project
!= PROJ_KERNEL
)
293 add_definition_db_callback(set_param_user_data
, USER_DATA
);
294 add_hook(match_call_assignment
, CALL_ASSIGNMENT_HOOK
);
295 add_hook(&match_condition
, CONDITION_HOOK
);
296 add_hook(&match_assign
, ASSIGNMENT_HOOK
);
297 add_hook(&match_assign_userdata
, ASSIGNMENT_HOOK
);
298 add_function_hook("copy_from_user", &match_user_copy
, INT_PTR(0));
299 add_function_hook("__copy_from_user", &match_user_copy
, INT_PTR(0));
300 add_function_hook("memcpy_fromiovec", &match_user_copy
, INT_PTR(0));
301 add_function_assign_hook("kmemdup_user", &match_user_assign_function
, NULL
);
303 add_hook(&match_caller_info
, FUNCTION_CALL_HOOK
);
304 add_member_info_callback(my_id
, struct_member_callback
);
305 add_hook(&match_return
, RETURN_HOOK
);