2 * Copyright (C) 2011 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
/* Checker id of the "this_function" marker state set by set_called(). */
static int my_call_id;
/* Raised once the function being analysed is seen to read user data. */
static bool func_gets_user_data;
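/*
 * Kernel string-to-integer parsers whose output argument (index 2) is
 * filled from a string under user control; each is hooked below with
 * match_user_copy().
 *
 * Every entry must end with a comma.  A missing comma makes two adjacent
 * string literals concatenate into one bogus name, so neither function
 * gets hooked and the user data they produce is never tracked.  The
 * "kstrtoull_from_user" entry previously had exactly that problem.
 */
static const char *kstr_funcs[] = {
	"kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
	"kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
	"kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user",
	"kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
	"kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
	"kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
	"kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
	"kstrtos32_from_user",
};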
/*
 * Functions whose return value is treated as user data: the assignment
 * hook marks the assigned variable as user data and as pointing to user
 * data, and get_rl_from_function() reports the whole type range for a
 * direct call.
 */
static const char *returns_user_data[] = {
	"simple_strtol",
	"simple_strtoll",
	"simple_strtoul",
	"simple_strtoull",
	"kvm_register_read",
	"nlmsg_data",
	"nla_data",
	"memdup_user",
	"kmap_atomic",
	"skb_network_header",
};
/* Defined below; tag_struct_members() needs it before that point. */
static void set_points_to_user_data(struct expression *expr);

/*
 * User-data states captured right after the function definition
 * (AFTER_DEF_HOOK); param_set_to_user_data() compares against them to
 * skip parameters whose state did not change.
 */
static struct stree *start_states;
/* start_states of the enclosing functions while an inline is analysed. */
static struct stree_stack *saved_stack;
/* AFTER_DEF_HOOK: snapshot the states at function entry. */
static void save_start_states(struct statement *stmt)
{
	struct stree *entry_states = __get_cur_stree();

	start_states = clone_stree(entry_states);
}
/* AFTER_FUNC_HOOK: release the entry snapshot. */
static void free_start_states(void)
{
	struct stree **snapshot = &start_states;

	free_stree(snapshot);
}
/* INLINE_FN_START: park the caller's entry snapshot while the inline runs. */
static void match_save_states(struct expression *expr)
{
	struct stree *outer = start_states;

	push_stree(&saved_stack, outer);
}
/* INLINE_FN_END: drop the inline's snapshot and restore the caller's. */
static void match_restore_states(struct expression *expr)
{
	struct stree **current = &start_states;

	free_stree(current);
	*current = pop_stree(&saved_stack);
}
/* Unmatched-state hook: a path with no record for the variable is "empty". */
static struct smatch_state *empty_state(struct sm_state *sm)
{
	struct smatch_state *empty = alloc_estate_empty();

	return empty;
}
/*
 * Pre-merge hook for the user-data state of `sm`.
 *
 * Two jobs: when one side is an empty (not-user) state and the variable
 * was capped against something above 100, drop the user state because
 * the cap is probably against a trusted value; otherwise narrow the user
 * range to what smatch_extra knows on this path.
 *
 * NOTE(review): this listing omits several body lines (the `dummy`
 * declaration, the comment delimiters and the early returns); whether
 * `user` is checked for NULL before estate_max()/estate_rl() is not
 * visible here and should be confirmed in the full source.
 */
83 static void pre_merge_hook(struct sm_state
*sm
)
85 struct smatch_state
*user
;
86 struct smatch_state
*extra
;
87 struct range_list
*rl
;
/* user-data state recorded for this variable on the current path */
94 user
= get_state(my_id
, sm
->name
, sm
->sym
);
/* the other side of the merge carries an empty (not-user) state */
97 if (!__in_function_def
&& !estate_rl(sm
->state
)) {
99 * If the one side is capped and the other side is empty then
100 * let's just mark it as not-user data because the information
101 * isn't going to be useful. How this looks is:
103 * if (user_var > trusted)
104 * user_var = trusted; <-- empty state
108 * The problem is that sometimes things are capped to a literal
109 * and we'd like to keep the state in that case... Ugh. I've
110 * added a check which assumes that everything less than 100 is
111 * probably capped against a literal.
114 if (is_capped_var_sym(sm
->name
, sm
->sym
) &&
115 sval_cmp(estate_max(user
), sval_100
) > 0)
116 set_state(my_id
, sm
->name
, sm
->sym
, alloc_estate_empty());
/* intersect with the smatch_extra range known on this path */
119 extra
= get_state(SMATCH_EXTRA
, sm
->name
, sm
->sym
);
120 if (!extra
|| !estate_rl(extra
))
122 rl
= rl_intersection(estate_rl(user
), estate_rl(extra
));
/* NOTE(review): the line between this test and the set_state() below is
 * not in the listing; presumably a single known value is not re-recorded */
123 if (rl_to_sval(rl
, &dummy
))
125 set_state(my_id
, sm
->name
, sm
->sym
, alloc_estate_rl(clone_rl(rl
)));
/*
 * Called when smatch_extra narrows `name` without modifying it (for
 * example a condition): shrink the user range to the intersection with
 * the new extra range, unless that changes nothing.
 *
 * NOTE(review): the NULL check on `user` and the early return after
 * rl_equiv() are not visible in this listing; confirm in the full source.
 */
128 static void extra_nomod_hook(const char *name
, struct symbol
*sym
, struct expression
*expr
, struct smatch_state
*state
)
130 struct smatch_state
*user
;
131 struct range_list
*rl
;
133 user
= get_state(my_id
, name
, sym
);
136 rl
= rl_intersection(estate_rl(user
), estate_rl(state
));
/* nothing to record if the intersection is the range we already have */
137 if (rl_equiv(rl
, estate_rl(user
)))
139 set_state(my_id
, name
, sym
, alloc_estate_rl(rl
));
/*
 * Mark every member of the embedded struct/union `member` of `expr` as
 * whole user data, recursing into nested structs and unions.
 *
 * NOTE(review): the declarations of `tmp` and `type`, the NULL checks
 * and the `continue`/return lines are not in this listing.
 */
142 static void tag_inner_struct_members(struct expression
*expr
, struct symbol
*member
)
144 struct expression
*edge_member
;
145 struct symbol
*base
= get_real_base_type(member
);
/* expr now names the embedded aggregate itself: outer.member */
149 expr
= member_expression(expr
, '.', member
->ident
);
151 FOR_EACH_PTR(base
->symbol_list
, tmp
) {
154 type
= get_real_base_type(tmp
);
/* nested aggregates are walked recursively rather than tagged whole */
158 if (type
->type
== SYM_UNION
|| type
->type
== SYM_STRUCT
) {
159 tag_inner_struct_members(expr
, tmp
);
/* leaf member: the whole range of its type is user controlled */
166 edge_member
= member_expression(expr
, '.', tmp
->ident
);
167 set_state_expr(my_id
, edge_member
, alloc_estate_whole(type
));
168 } END_FOR_EACH_PTR(tmp
);
/*
 * Mark every member of the struct/union `type` reached through `expr`
 * as user data.  `expr` may be a pointer (members accessed with "->")
 * or an "&var" expression (members accessed with ".").
 *
 * NOTE(review): the declarations of `tmp`, `type` and `op`, the `op`
 * assignments in the two branches and the `continue` after the nested
 * recursion are not in this listing.
 */
171 static void tag_struct_members(struct symbol
*type
, struct expression
*expr
)
174 struct expression
*member
;
/* "&var": strip the address-of and access members with '.' */
177 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '&') {
178 expr
= strip_expr(expr
->unop
);
182 FOR_EACH_PTR(type
->symbol_list
, tmp
) {
/* note: `type` is reused here as the per-member type */
183 type
= get_real_base_type(tmp
);
187 if (type
->type
== SYM_UNION
|| type
->type
== SYM_STRUCT
) {
188 tag_inner_struct_members(expr
, tmp
);
195 member
= member_expression(expr
, op
, tmp
->ident
);
196 set_state_expr(my_id
, member
, alloc_estate_whole(get_type(member
)));
/* array members also count as pointing to user data */
198 if (type
->type
== SYM_ARRAY
)
199 set_points_to_user_data(member
);
200 } END_FOR_EACH_PTR(tmp
);
/*
 * Mark the object that a pointer (or an "&var" expression) refers to as
 * wholly user controlled.
 */
static void tag_base_type(struct expression *expr)
{
	struct expression *target = expr;

	if (target->type == EXPR_PREOP && target->op == '&')
		target = strip_expr(target->unop);

	target = deref_expression(target);
	set_state_expr(my_id, target, alloc_estate_whole(get_type(target)));
}
/*
 * Mark whatever `expr` points at as user data, according to the pointed
 * to type: a void pointer is recorded as an unsigned long worth of
 * data, a base type via tag_base_type(), and a struct/union member by
 * member via tag_struct_members().
 *
 * NOTE(review): the `struct symbol *type` declaration, the early
 * returns and the tag_base_type() call are not in this listing.
 */
212 static void tag_as_user_data(struct expression
*expr
)
216 expr
= strip_expr(expr
);
218 type
= get_type(expr
);
/* only pointers are handled here */
219 if (!type
|| type
->type
!= SYM_PTR
)
221 type
= get_real_base_type(type
);
/* void *: no size known, so record an unsigned long of user data */
224 if (type
== &void_ctype
) {
225 set_state_expr(my_id
, deref_expression(expr
), alloc_estate_whole(&ulong_ctype
));
228 if (type
->type
== SYM_BASETYPE
)
230 if (type
->type
== SYM_STRUCT
|| type
->type
== SYM_UNION
) {
/* a plain pointer is dereferenced so the members are reached via '.' */
231 if (expr
->type
!= EXPR_PREOP
|| expr
->op
!= '&')
232 expr
= deref_expression(expr
);
234 set_state_expr(my_id
, deref_expression(expr
), alloc_estate_whole(&ulong_ctype
));
235 tag_struct_members(type
, expr
);
/*
 * Function hook for copy_from_user()-like calls: argument number
 * `_param` (an int packed with INT_PTR) receives user data.
 *
 * NOTE(review): the NULL check on `dest` between strip_expr() and
 * tag_as_user_data() is not in this listing.
 */
239 static void match_user_copy(const char *fn
, struct expression
*expr
, void *_param
)
241 int param
= PTR_INT(_param
);
242 struct expression
*dest
;
/* the current function now reads user data */
244 func_gets_user_data
= true;
246 dest
= get_argument_from_call_expr(expr
->args
, param
);
247 dest
= strip_expr(dest
);
250 tag_as_user_data(dest
);
/*
 * True when `expr` prints as something containing "->attr.name": sysfs
 * attribute names are trusted, so sscanf() on them is not user input.
 *
 * NOTE(review): the `name` declaration, the NULL check on the result of
 * expr_to_str(), the returns and the free_string() call are not in
 * this listing.
 */
253 static int is_dev_attr_name(struct expression
*expr
)
258 name
= expr_to_str(expr
);
261 if (strstr(name
, "->attr.name"))
/*
 * True when the string literal `expr` ends in "%n" (the last byte of
 * str->data is the terminating NUL, so "%n" sits at length-3/length-2).
 *
 * NOTE(review): the lines between the EXPR_STRING check and the index
 * below (including `str = expr->string` and any length check) are not
 * in this listing; the full source must reject str->length < 3 here,
 * otherwise the index reads before the buffer.
 */
267 static int ends_in_n(struct expression
*expr
)
273 if (expr
->type
!= EXPR_STRING
|| !expr
->string
)
280 if (str
->data
[str
->length
- 3] == '%' &&
281 str
->data
[str
->length
- 2] == 'n')
/*
 * Function hook for sscanf(): every output argument (from index 2 on)
 * is filled from the scanned string and so becomes user data.  Calls
 * whose string or format is a sysfs attribute name are ignored, and a
 * trailing "%n" argument (a count, not parsed input) is skipped.
 *
 * NOTE(review): the declarations of `i` and `last`, the early returns,
 * the `i++` and the "skip the first two arguments" check in the loop
 * are not in this listing.
 */
286 static void match_sscanf(const char *fn
, struct expression
*expr
, void *unused
)
288 struct expression
*str
, *format
, *arg
;
291 func_gets_user_data
= true;
293 str
= get_argument_from_call_expr(expr
->args
, 0);
294 if (is_dev_attr_name(str
))
297 format
= get_argument_from_call_expr(expr
->args
, 1);
298 if (is_dev_attr_name(format
))
/* index of the final argument, the possible "%n" count */
301 last
= ptr_list_size((struct ptr_list
*)expr
->args
) - 1;
304 FOR_EACH_PTR(expr
->args
, arg
) {
308 if (i
== last
&& ends_in_n(format
))
310 tag_as_user_data(arg
);
311 } END_FOR_EACH_PTR(arg
);
<!-- not used -->
/*
 * If `expr` is a direct call to one of the returns_user_data[]
 * functions, store the whole range of the call's type in *rl and
 * report success.
 *
 * NOTE(review): the `i` declaration and the return statements are not
 * in this listing.
 */
350 static int get_rl_from_function(struct expression
*expr
, struct range_list
**rl
)
/* only calls through a named symbol can be matched by name */
354 if (expr
->type
!= EXPR_CALL
|| expr
->fn
->type
!= EXPR_SYMBOL
||
355 !expr
->fn
->symbol_name
|| !expr
->fn
->symbol_name
->name
)
358 for (i
= 0; i
< ARRAY_SIZE(returns_user_data
); i
++) {
359 if (strcmp(expr
->fn
->symbol_name
->name
, returns_user_data
[i
]) == 0) {
360 *rl
= alloc_whole_rl(get_type(expr
));
/*
 * True when the pointer expression `expr` points at user controlled
 * memory: skb->data, a returns_user_data[] call, either side of a
 * pointer addition, or a variable with a recorded "*name" state.
 *
 * NOTE(review): the declarations of `name`, `sym` and `buf`, the NULL
 * check on `name`, the free_string() call and the return statements
 * are not in this listing.
 */
367 int points_to_user_data(struct expression
*expr
)
369 struct smatch_state
*state
;
370 struct range_list
*rl
;
376 expr
= strip_expr(expr
);
379 if (is_skb_data(expr
))
381 if (get_rl_from_function(expr
, &rl
))
/* ptr + offset: user data if either operand points at it */
384 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '+') {
385 if (points_to_user_data(expr
->left
))
387 if (points_to_user_data(expr
->right
))
392 name
= expr_to_var_sym(expr
, &sym
);
/* the "points to" fact is stored under the name "*<var>" */
395 snprintf(buf
, sizeof(buf
), "*%s", name
);
396 state
= get_state(my_id
, buf
, sym
);
397 if (state
&& estate_rl(state
))
/*
 * Record that the variable `expr` points at user data, as a whole
 * long long range under the state name "*<var>" (the counterpart of
 * the lookup in points_to_user_data()).
 *
 * NOTE(review): the declarations of `name`, `sym` and `buf`, the NULL
 * check on `name` and the free_string() call are not in this listing.
 */
404 static void set_points_to_user_data(struct expression
*expr
)
410 name
= expr_to_var_sym(expr
, &sym
);
413 snprintf(buf
, sizeof(buf
), "*%s", name
);
414 set_state(my_id
, buf
, sym
, alloc_estate_whole(&llong_ctype
));
/*
 * True when `expr` is a dereference of skb->data (optionally with an
 * offset added), i.e. a value read straight out of a packet.
 *
 * NOTE(review): the return statements and any NULL check after
 * strip_expr(expr->unop) are not in this listing.
 */
419 static int comes_from_skb_data(struct expression
*expr
)
421 expr
= strip_expr(expr
);
/* must be a unary '*' dereference */
422 if (!expr
|| expr
->type
!= EXPR_PREOP
|| expr
->op
!= '*')
425 expr
= strip_expr(expr
->unop
);
/* *(skb->data + off): look at the base pointer only */
428 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '+')
429 expr
= strip_expr(expr
->left
);
431 return is_skb_data(expr
);
/*
 * Handle "left = (struct foo *)right" where `right` points at user data
 * and the two pointed-to struct/union types differ: tag the left side
 * (and its members) as user data.  Returns non-zero when handled.
 *
 * NOTE(review): the return statements are not in this listing.
 */
434 static int handle_struct_assignment(struct expression
*expr
)
436 struct expression
*right
;
437 struct symbol
*left_type
, *right_type
;
439 left_type
= get_type(expr
->left
);
440 if (!left_type
|| left_type
->type
!= SYM_PTR
)
442 left_type
= get_real_base_type(left_type
);
445 if (left_type
->type
!= SYM_STRUCT
&&
446 left_type
->type
!= SYM_UNION
)
450 * Ignore struct to struct assignments because for those we look at the
451 * individual members.
453 right
= strip_expr(expr
->right
);
454 right_type
= get_type(right
);
455 if (!right_type
|| right_type
->type
!= SYM_PTR
)
458 /* If we are assigning struct members then normally that is handled
459 * by fake assignments, however if we cast one struct to a different type
460 * of struct then we handle that here.
462 right_type
= get_real_base_type(right_type
);
/* same type on both sides: the member-wise fake assignments cover it */
463 if (right_type
== left_type
)
466 if (!points_to_user_data(right
))
469 tag_as_user_data(expr
->left
);
/*
 * Recognise the assignment the get_user() macro expands to
 * ("x = __val_gu") and mark its left side as whole user data.
 * Returns non-zero when the assignment came from get_user().
 *
 * NOTE(review): the `name` declaration and the return statements are
 * not in this listing.
 */
473 static int handle_get_user(struct expression
*expr
)
478 name
= get_macro_name(expr
->pos
);
479 if (!name
|| strcmp(name
, "get_user") != 0)
/* only the final "x = __val_gu" assignment of the expansion counts */
482 name
= expr_to_var(expr
->right
);
483 if (!name
|| strcmp(name
, "__val_gu") != 0)
485 set_state_expr(my_id
, expr
->left
, alloc_estate_whole(get_type(expr
->left
)));
<!-- not used -->
/*
 * For "a == b" / "a != b" where exactly one side is user data: on the
 * branch where they are equal the user side equals a trusted value, so
 * its user state becomes empty on that branch.
 *
 * NOTE(review): the return statements after the two guards are not in
 * this listing.
 */
518 static void handle_eq_noteq(struct expression
*expr
)
520 struct smatch_state
*left_orig
, *right_orig
;
522 left_orig
= get_state_expr(my_id
, expr
->left
);
523 right_orig
= get_state_expr(my_id
, expr
->right
);
/* neither side is user data: nothing to do */
525 if (!left_orig
&& !right_orig
)
/* both sides user data: comparing them tells us nothing */
527 if (left_orig
&& right_orig
)
/* true branch of "==" (or false branch of "!=") clears the user state */
531 set_true_false_states_expr(my_id
, expr
->left
,
532 expr
->op
== SPECIAL_EQUAL
? alloc_estate_empty() : NULL
,
533 expr
->op
== SPECIAL_EQUAL
? NULL
: alloc_estate_empty());
535 set_true_false_states_expr(my_id
, expr
->right
,
536 expr
->op
== SPECIAL_EQUAL
? alloc_estate_empty() : NULL
,
537 expr
->op
== SPECIAL_EQUAL
? NULL
: alloc_estate_empty());
/*
 * For an unsigned "user < trusted" style comparison, drop the negative
 * part of the user range on the branch where the comparison holds,
 * since the trusted side is assumed to be a reasonable bound.
 *
 * NOTE(review): the `type` declaration, the assignment of `min`, the
 * early returns, the `switch (expr->op)` line and the `break`s are not
 * in this listing.
 */
541 static void handle_unsigned_lt_gt(struct expression
*expr
)
544 struct range_list
*left
;
545 struct range_list
*right
;
546 struct range_list
*non_negative
;
547 sval_t min
, minus_one
;
550 * conditions are mostly handled by smatch_extra.c. The special case
551 * here is that say you have if (user_int < unknown_u32) {
552 * In Smatch extra we say that we have no idea what value
553 * unknown_u32 is so the only thing we can say for sure is that
554 * user_int is not -1 (UINT_MAX). But in check_user_data2.c we should
555 * assume that unless unknown_u32 is user data, it's probably less than
560 type
= get_type(expr
);
561 if (!type_unsigned(type
))
565 * Assume if (user < trusted) { ... because I am lazy and because this
566 * is the correct way to write code.
568 if (!get_user_rl(expr
->left
, &left
))
/* if the right side is user data too it is not a trusted bound */
570 if (get_user_rl(expr
->right
, &right
))
/* nothing to remove when the user range is already non-negative */
573 if (!sval_is_negative(rl_min(left
)))
576 minus_one
.type
= rl_type(left
);
577 minus_one
.value
= -1;
/* NOTE(review): `min` must be set before this call; that line is not in the listing */
578 non_negative
= remove_range(left
, min
, minus_one
);
582 case SPECIAL_UNSIGNED_LT
:
584 case SPECIAL_UNSIGNED_LTE
:
585 set_true_false_states_expr(my_id
, expr
->left
,
586 alloc_estate_rl(non_negative
), NULL
);
589 case SPECIAL_UNSIGNED_GT
:
591 case SPECIAL_UNSIGNED_GTE
:
592 set_true_false_states_expr(my_id
, expr
->left
,
593 NULL
, alloc_estate_rl(non_negative
));
/*
 * CONDITION_HOOK: dispatch comparisons to handle_eq_noteq() for
 * equality tests and to handle_unsigned_lt_gt() for everything else.
 *
 * NOTE(review): the return statements are not in this listing.
 */
598 static void match_condition(struct expression
*expr
)
600 if (expr
->type
!= EXPR_COMPARE
)
603 if (expr
->op
== SPECIAL_EQUAL
||
604 expr
->op
== SPECIAL_NOTEQUAL
) {
605 handle_eq_noteq(expr
);
609 handle_unsigned_lt_gt(expr
);
/*
 * Assignment hook for the returns_user_data[] functions: the assigned
 * variable is user data and also points at user data.
 */
static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
{
	struct expression *lhs = expr->left;

	tag_as_user_data(lhs);
	set_points_to_user_data(lhs);
}
/* Function hook: any call to a returns_user_data[] function means the
 * current function reads user data. */
static void match_returns_user_rl(const char *fn, struct expression *expr, void *unused)
{
	func_gets_user_data = true;
}
/*
 * Treat the result of the ntohl()/ntohs() macros as user data: network
 * byte order values come off the wire.  Stores the whole uint/ushort
 * range in *rl and returns non-zero on a match.
 *
 * NOTE(review): the `macro` declaration, the NULL check on it and the
 * return statements are not in this listing.
 */
623 static int get_user_macro_rl(struct expression
*expr
, struct range_list
**rl
)
625 struct expression
*parent
;
631 macro
= get_macro_name(expr
->pos
);
635 /* handle ntohl(foo[i]) where "i" is trusted */
636 parent
= expr_get_parent_expr(expr
);
637 while (parent
&& parent
->type
!= EXPR_BINOP
)
638 parent
= expr_get_parent_expr(parent
);
/* an inner sub-expression of the same macro expansion is not the result */
639 if (parent
&& parent
->type
== EXPR_BINOP
) {
640 char *parent_macro
= get_macro_name(parent
->pos
);
642 if (parent_macro
&& strcmp(macro
, parent_macro
) == 0)
646 if (strcmp(macro
, "ntohl") == 0) {
647 *rl
= alloc_whole_rl(&uint_ctype
);
650 if (strcmp(macro
, "ntohs") == 0) {
651 *rl
= alloc_whole_rl(&ushort_ctype
);
/* Accumulator handed to returned_rl_callback() through run_sql(). */
struct db_info {
	struct range_list *rl;		/* union of the user ranges seen so far */
	struct expression *call;	/* the call expression being looked up */
};
/*
 * run_sql() callback: each row is (return range, user range) for one
 * return path of the callee.  Convert the user range for this call,
 * narrow it when the row says the return value equals a specific
 * argument, and union it into db_info->rl.
 *
 * NOTE(review): the `comparison` declaration and the lines between the
 * argv reads and call_results_to_rl() are not in this listing; the
 * full source should be confirmed to check `argc` before indexing
 * argv[0]/argv[1], since the row shape comes from the database.
 */
661 static int returned_rl_callback(void *_info
, int argc
, char **argv
, char **azColName
)
663 struct db_info
*db_info
= _info
;
664 struct range_list
*rl
;
665 char *return_ranges
= argv
[0];
666 char *user_ranges
= argv
[1];
667 struct expression
*arg
;
673 call_results_to_rl(db_info
->call
, get_type(db_info
->call
), user_ranges
, &rl
);
/* "return == $N": the result is no more user data than argument N */
674 if (str_to_comparison_arg(return_ranges
, db_info
->call
, &comparison
, &arg
) &&
675 comparison
== SPECIAL_EQUAL
) {
676 struct range_list
*orig_rl
;
678 if (!get_user_rl(arg
, &orig_rl
))
680 rl
= rl_intersection(rl
, orig_rl
);
684 db_info
->rl
= rl_union(db_info
->rl
, rl
);
/*
 * True when any user-data state on the current path belongs to `sym`.
 *
 * NOTE(review): the comparison inside the loop and the return
 * statements are not in this listing.
 */
689 static int has_user_data(struct symbol
*sym
)
691 struct sm_state
*tmp
;
693 FOR_EACH_MY_SM(my_id
, __get_cur_stree(), tmp
) {
696 } END_FOR_EACH_SM(tmp
);
/*
 * True when some argument of `call` is (or belongs to) a symbol that
 * carries user data on the current path.
 *
 * NOTE(review): the `sym` declaration, the NULL check on it and the
 * return statements are not in this listing.
 */
700 static int we_pass_user_data(struct expression
*call
)
702 struct expression
*arg
;
705 FOR_EACH_PTR(call
->args
, arg
) {
706 sym
= expr_to_sym(arg
);
709 if (has_user_data(sym
))
711 } END_FOR_EACH_PTR(arg
);
/*
 * Look up in the database whether the callee returns user data.
 * USER_DATA3_SET rows mean the callee produces user data itself;
 * USER_DATA3 rows mean it passes through user data from its arguments,
 * which only counts when we actually pass user data in.  The resulting
 * range is stored in *rl.
 *
 * NOTE(review): the returns after the guards, the "db_info.rl" checks
 * after each run_sql() and the final *rl assignment are not in this
 * listing.
 */
716 static int db_returned_user_rl(struct expression
*call
, struct range_list
**rl
)
718 struct db_info db_info
= {};
720 /* for function pointers assume everything is used */
721 if (call
->fn
->type
!= EXPR_SYMBOL
)
723 if (is_fake_call(call
))
/* the SQL text is a constant; only the static filter and type are interpolated */
727 run_sql(&returned_rl_callback
, &db_info
,
728 "select return, value from return_states where %s and type = %d and parameter = -1 and key = '$';",
729 get_static_filter(call
->fn
->symbol
), USER_DATA3_SET
);
731 func_gets_user_data
= true;
736 run_sql(&returned_rl_callback
, &db_info
,
737 "select return, value from return_states where %s and type = %d and parameter = -1 and key = '$';",
738 get_static_filter(call
->fn
->symbol
), USER_DATA3
);
/* pass-through rows only matter if one of our arguments is user data */
740 if (!we_pass_user_data(call
))
/* Return every user-data state on the current path. */
struct stree *get_user_stree(void)
{
	struct stree *all_states = get_all_states_stree(my_id);

	return all_states;
}
/*
 * Side channels between var_user_rl() and get_user_rl().
 * get_user_rl() resets no_user_data_flag before the custom range walk
 * and var_user_rl() raises it to veto a "user data" answer;
 * user_data_flag is tested by get_user_rl() (where it is set is not
 * visible in this listing).
 */
static int user_data_flag;
static int no_user_data_flag;
/*
 * Range callback for custom_get_absolute_rl(): compute the user-data
 * range of `expr`, or NULL if it is not user data.  Special cases,
 * in order: "x % user", "capped_user / unknown" (which is treated as
 * not user data), returns_user_data[] calls, ntohl()/ntohs(), packet
 * data, a recorded state, a database answer for a call, array
 * elements of an untracked array, and "*p" where p is user data.
 *
 * NOTE(review): the "goto found"/"return NULL" lines, the `found:`
 * label and the user_data_flag assignments are not in this listing.
 */
756 static struct range_list
*var_user_rl(struct expression
*expr
)
758 struct smatch_state
*state
;
759 struct range_list
*rl
;
760 struct range_list
*absolute_rl
;
/* x % user: the result is bounded by the user divisor */
762 if (expr
->type
== EXPR_BINOP
&& expr
->op
== '%') {
763 struct range_list
*left
, *right
;
765 if (!get_user_rl(expr
->right
, &right
))
767 get_absolute_rl(expr
->left
, &left
);
768 rl
= rl_binop(left
, '%', right
);
772 if (!option_spammy
&& expr
->type
== EXPR_BINOP
&& expr
->op
== '/') {
773 struct range_list
*left
= NULL
;
774 struct range_list
*right
= NULL
;
775 struct range_list
*abs_right
;
778 * The specific bug I'm dealing with is:
780 * foo = capped_user / unknown;
782 * Instead of just saying foo is now entirely user_rl we should
783 * probably say instead that it is not at all user data.
787 get_user_rl(expr
->left
, &left
);
788 get_user_rl(expr
->right
, &right
);
789 get_absolute_rl(expr
->right
, &abs_right
);
/* user / trusted: if the quotient cannot exceed the user max, veto */
791 if (left
&& !right
) {
792 rl
= rl_binop(left
, '/', abs_right
);
793 if (sval_cmp(rl_max(left
), rl_max(rl
)) < 0)
794 no_user_data_flag
= 1;
800 if (get_rl_from_function(expr
, &rl
))
803 if (get_user_macro_rl(expr
, &rl
))
806 if (comes_from_skb_data(expr
)) {
807 rl
= alloc_whole_rl(get_type(expr
));
811 state
= get_state_expr(my_id
, expr
);
812 if (state
&& estate_rl(state
)) {
813 rl
= estate_rl(state
);
817 if (expr
->type
== EXPR_CALL
&& db_returned_user_rl(expr
, &rl
))
/* an element of an array nobody tagged is not user data */
820 if (is_array(expr
)) {
821 struct expression
*array
= get_array_base(expr
);
823 if (!get_state_expr(my_id
, array
)) {
824 no_user_data_flag
= 1;
/* *p with p user controlled: anything could be read */
829 if (expr
->type
== EXPR_PREOP
&& expr
->op
== '*' &&
830 is_user_rl(expr
->unop
)) {
831 rl
= var_to_absolute_rl(expr
);
/* never report more than the value can actually hold */
838 absolute_rl
= var_to_absolute_rl(expr
);
839 return clone_rl(rl_intersection(rl
, absolute_rl
));
/*
 * Public entry point: store the user-data range of `expr` in *rl and
 * return non-zero when the expression is user controlled.
 *
 * NOTE(review): the reset of user_data_flag before the walk and the
 * return statements are not in this listing.
 */
842 int get_user_rl(struct expression
*expr
, struct range_list
**rl
)
845 no_user_data_flag
= 0;
/* walks the expression with var_user_rl() supplying per-variable ranges */
846 custom_get_absolute_rl(expr
, &var_user_rl
, rl
);
847 if (!user_data_flag
|| no_user_data_flag
)
/*
 * Like get_user_rl() but with the "spammy" (less conservative)
 * behaviour enabled for the duration of the call.
 *
 * NOTE(review): the `ret` declaration, the save/set/restore of
 * option_spammy around the call and the return are not in this listing.
 */
853 int get_user_rl_spammy(struct expression
*expr
, struct range_list
**rl
)
858 ret
= get_user_rl(expr
, rl
);
/* True when `expr` carries user data (spammy variant; the range is discarded). */
int is_user_rl(struct expression *expr)
{
	struct range_list *discard;
	int is_user;

	is_user = get_user_rl_spammy(expr, &discard);
	return is_user;
}
/*
 * Look up the user-data range recorded for the variable (`name`, `sym`)
 * without any expression walking; stores it in *rl and returns
 * non-zero if there is one.
 *
 * NOTE(review): the return statements are not in this listing.
 */
871 int get_user_rl_var_sym(const char *name
, struct symbol
*sym
, struct range_list
**rl
)
873 struct smatch_state
*state
;
875 state
= get_state(my_id
, name
, sym
);
876 if (state
&& estate_rl(state
)) {
877 *rl
= estate_rl(state
);
/*
 * FUNCTION_CALL_HOOK: for every argument that is user data, record its
 * range (cast to the parameter type) in the caller-info table so the
 * callee can be analysed with that knowledge.
 *
 * NOTE(review): the declarations of `type` and `i`, the `i++` and the
 * `continue` after the get_user_rl() test are not in this listing.
 */
883 static void match_call_info(struct expression
*expr
)
885 struct range_list
*rl
;
886 struct expression
*arg
;
891 FOR_EACH_PTR(expr
->args
, arg
) {
893 type
= get_arg_type(expr
->fn
, i
);
895 if (!get_user_rl(arg
, &rl
))
/* report the range as the callee's parameter type will see it */
898 rl
= cast_rl(type
, rl
);
899 sql_insert_caller_info(expr
, USER_DATA3
, i
, "$", show_rl(rl
));
900 } END_FOR_EACH_PTR(arg
);
/*
 * True when `sym` is declared as a pointer to a struct.
 *
 * NOTE(review): the `type` declaration, the NULL check on `sym` and
 * the return statements are not in this listing.
 */
903 static int is_struct_ptr(struct symbol
*sym
)
909 type
= get_real_base_type(sym
);
910 if (!type
|| type
->type
!= SYM_PTR
)
912 type
= get_real_base_type(type
);
913 if (!type
|| type
->type
!= SYM_STRUCT
)
/*
 * Member-info callback: when a struct pointer argument is passed to a
 * call, record the user-data range of each tracked member (narrowed by
 * what smatch_extra knows) in the caller-info table.
 *
 * NOTE(review): the `type` declaration and the return statements after
 * the three guards are not in this listing.
 */
918 static void struct_member_callback(struct expression
*call
, int param
, char *printed_name
, struct sm_state
*sm
)
920 struct smatch_state
*state
;
921 struct range_list
*rl
;
925 * Smatch uses a hack where if we get an unsigned long we say it's
926 * both user data and it points to user data. But if we pass it to a
927 * function which takes an int, then it's just user data. There's not
928 * enough bytes for it to be a pointer.
931 type
= get_arg_type(call
->fn
, param
);
932 if (type
&& type_bits(type
) < type_bits(&ptr_ctype
))
/* an empty state carries no range worth exporting */
935 if (strcmp(sm
->state
->name
, "") == 0)
/* "*$" on a struct pointer is handled member by member, not as a whole */
938 if (strcmp(printed_name
, "*$") == 0 &&
939 is_struct_ptr(sm
->sym
))
942 state
= get_state(SMATCH_EXTRA
, sm
->name
, sm
->sym
);
943 if (!state
|| !estate_rl(state
))
944 rl
= estate_rl(sm
->state
);
946 rl
= rl_intersection(estate_rl(sm
->state
), estate_rl(state
));
948 sql_insert_caller_info(call
, USER_DATA3
, param
, printed_name
, show_rl(rl
));
/*
 * Caller-info hook (USER_DATA3): a caller passed user data in
 * parameter `name` under `key` ("*$", "$->member", ...) with range
 * string `value`; record the matching state for this function.
 *
 * NOTE(review): the declarations of `fullname` and `type`, the
 * "else return" of the key dispatch and the NULL check on `type` are
 * not in this listing.  The second snprintf() passes a literal 256
 * where the first uses sizeof(fullname); both should use
 * sizeof(fullname) so the bound cannot drift from the declaration.
 */
951 static void set_param_user_data(const char *name
, struct symbol
*sym
, char *key
, char *value
)
953 struct range_list
*rl
= NULL
;
954 struct smatch_state
*state
;
958 if (strcmp(key
, "*$") == 0)
959 snprintf(fullname
, sizeof(fullname
), "*%s", name
);
960 else if (strncmp(key
, "$", 1) == 0)
961 snprintf(fullname
, 256, "%s%s", name
, key
+ 1);
965 type
= get_member_type_from_key(symbol_expression(sym
), key
);
967 /* if the caller passes a void pointer with user data */
968 if (strcmp(key
, "*$") == 0 && type
&& type
!= &void_ctype
) {
969 struct expression
*expr
= symbol_expression(sym
);
971 tag_as_user_data(expr
);
972 set_points_to_user_data(expr
);
/* `value` is the caller's range string; parsed relative to the member type */
975 str_to_rl(type
, value
, &rl
);
976 state
= alloc_estate_rl(rl
);
977 set_state(my_id
, fullname
, sym
, state
);
/*
 * Caller-info hook (INTERNAL): mark that the database has caller
 * information for this function; match_syscall_definition() checks
 * the marker.
 */
static void set_called(const char *name, struct symbol *sym, char *key, char *value)
{
	struct smatch_state *marker = &called;

	set_state(my_call_id, "this_function", NULL, marker);
}
/*
 * AFTER_DEF_HOOK: every parameter of a SYSCALL_DEFINE*() /
 * COMPAT_SYSCALL_DEFINE*() function, or of a sys_*/compat_sys_*
 * function the database has no caller info for, is whole user data.
 *
 * NOTE(review): the declarations of `macro`, `name` and `arg`, the
 * `if (macro &&` line that opens the macro test, the `goto found` /
 * `return` lines and the `found:` label are not in this listing.
 */
985 static void match_syscall_definition(struct symbol
*sym
)
992 macro
= get_macro_name(sym
->pos
);
994 (strncmp("SYSCALL_DEFINE", macro
, strlen("SYSCALL_DEFINE")) == 0 ||
995 strncmp("COMPAT_SYSCALL_DEFINE", macro
, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
998 name
= get_function();
/* no recorded callers: fall back to the sys_/compat_sys_ naming convention */
999 if (!option_no_db
&& get_state(my_call_id
, "this_function", NULL
) != &called
) {
1000 if (name
&& strncmp(name
, "sys_", 4) == 0)
1004 if (name
&& strncmp(name
, "compat_sys_", 11) == 0)
/* every parameter of a syscall entry point is attacker controlled */
1010 FOR_EACH_PTR(sym
->ctype
.base_type
->arguments
, arg
) {
1011 set_state(my_id
, arg
->ident
->name
, arg
, alloc_estate_whole(get_real_base_type(arg
)));
1012 } END_FOR_EACH_PTR(arg
);
/*
 * Record that the variable reached from `expr` via `key` has the user
 * range described by the database string `value`.
 *
 * NOTE(review): the declarations of `name` and `sym`, and the NULL
 * check on `name`, are not in this listing.
 */
1015 static void set_to_user_data(struct expression
*expr
, char *key
, char *value
)
1019 struct symbol
*type
;
1020 struct range_list
*rl
= NULL
;
1022 type
= get_member_type_from_key(expr
, key
);
1023 name
= get_variable_from_key(expr
, key
, &sym
);
/* `value` is a range string from the return_states table */
1027 call_results_to_rl(expr
, type
, value
, &rl
);
1029 set_state(my_id
, name
, sym
, alloc_estate_rl(rl
));
/*
 * Return-states hook (USER_DATA3): the callee passes user data through
 * to its return value (param == -1) or to argument `param`, but only
 * if we passed user data in.  `expr` is the call or the assignment
 * wrapping it.
 *
 * NOTE(review): the initialisation `call = expr` before the while
 * loop, the return statements and the `param == -1` test are not in
 * this listing.
 */
1035 static void returns_param_user_data(struct expression
*expr
, int param
, char *key
, char *value
)
1037 struct expression
*arg
;
1038 struct expression
*call
;
/* unwrap "a = b = func(...)" down to the call itself */
1041 while (call
->type
== EXPR_ASSIGNMENT
)
1042 call
= strip_expr(call
->right
);
1043 if (call
->type
!= EXPR_CALL
)
/* pass-through only matters if some argument is user data */
1046 if (!we_pass_user_data(call
))
1050 if (expr
->type
!= EXPR_ASSIGNMENT
)
1052 set_to_user_data(expr
->left
, key
, value
);
1056 arg
= get_argument_from_call_expr(call
->args
, param
);
1059 set_to_user_data(arg
, key
, value
);
/*
 * Return-states hook (USER_DATA3_SET): the callee itself produces user
 * data, in its return value (param == -1) or in argument `param`.
 * Unlike returns_param_user_data() this does not depend on what we
 * passed in.
 *
 * NOTE(review): the `param == -1` test, the return statements and the
 * NULL check on `arg` are not in this listing.
 */
1062 static void returns_param_user_data_set(struct expression
*expr
, int param
, char *key
, char *value
)
1064 struct expression
*arg
;
/* the current function now reads user data */
1066 func_gets_user_data
= true;
1069 if (expr
->type
!= EXPR_ASSIGNMENT
)
/* "*$": the returned pointer points at user data */
1071 if (strcmp(key
, "*$") == 0) {
1072 set_points_to_user_data(expr
->left
);
1073 tag_as_user_data(expr
->left
);
1075 set_to_user_data(expr
->left
, key
, value
);
/* unwrap "a = b = func(...)" down to the call itself */
1080 while (expr
->type
== EXPR_ASSIGNMENT
)
1081 expr
= strip_expr(expr
->right
);
1082 if (expr
->type
!= EXPR_CALL
)
1085 arg
= get_argument_from_call_expr(expr
->args
, param
);
1088 set_to_user_data(arg
, key
, value
);
/*
 * True when any of the possible states merged into `sm` is empty
 * (not user data on some path).
 *
 * NOTE(review): the return statements are not in this listing.
 */
1091 static int has_empty_state(struct sm_state
*sm
)
1093 struct sm_state
*tmp
;
1095 FOR_EACH_PTR(sm
->possible
, tmp
) {
1096 if (!estate_rl(tmp
->state
))
1098 } END_FOR_EACH_PTR(tmp
);
/*
 * Split-return callback: export to the return_states table which
 * parameters (and which parts of the returned value) carry user data
 * when this function returns `expr` within `return_ranges`.  Rows are
 * USER_DATA3_SET when the function reads user data itself and
 * USER_DATA3 (pass-through) otherwise.
 *
 * NOTE(review): the declarations of `return_str` and `param`, the
 * `continue` statements in the loops, the `param < 0` test and the
 * remaining arguments of the points_to_user_data() insert are not in
 * this listing.
 */
1103 static void param_set_to_user_data(int return_id
, char *return_ranges
, struct expression
*expr
)
1105 struct sm_state
*sm
;
1106 struct smatch_state
*start_state
;
1107 struct range_list
*rl
;
1110 const char *param_name
;
1111 struct symbol
*ret_sym
;
1112 bool return_found
= false;
1114 expr
= strip_expr(expr
);
1115 return_str
= expr_to_str(expr
);
1116 ret_sym
= expr_to_sym(expr
);
/* first pass: parameters whose user state changed since function entry */
1118 FOR_EACH_MY_SM(my_id
, __get_cur_stree(), sm
) {
1119 if (has_empty_state(sm
))
1122 param
= get_param_num_from_sym(sm
->sym
);
1126 /* The logic here was that if we were passed in a user data then
1127 * we don't record that. It's like the difference between
1128 * param_filter and param_set. When I think about it, I'm not
1129 * sure it actually works. It's probably harmless because we
1130 * checked earlier that we're not returning a parameter...
1131 * Let's mark this as a TODO.
1133 start_state
= get_state_stree(start_states
, my_id
, sm
->name
, sm
->sym
);
1134 if (start_state
&& rl_equiv(estate_rl(sm
->state
), estate_rl(start_state
)))
1137 param_name
= get_param_name(sm
);
1140 if (strcmp(param_name
, "$") == 0) /* The -1 param is handled after the loop */
1143 sql_insert_return_states(return_id
, return_ranges
,
1144 func_gets_user_data
? USER_DATA3_SET
: USER_DATA3
,
1145 param
, param_name
, show_rl(estate_rl(sm
->state
)));
1146 } END_FOR_EACH_SM(sm
);
/* the returned pointer itself points at user data */
1148 if (points_to_user_data(expr
)) {
1149 sql_insert_return_states(return_id
, return_ranges
,
1150 (is_skb_data(expr
) || !func_gets_user_data
) ?
1151 USER_DATA3_SET
: USER_DATA3
,
/* second pass: members of the returned variable ("$->member" rows) */
1157 FOR_EACH_MY_SM(my_id
, __get_cur_stree(), sm
) {
1160 if (ret_sym
!= sm
->sym
)
1163 param_name
= state_name_to_param_name(sm
->name
, return_str
);
1166 if (strcmp(param_name
, "$") == 0)
1167 return_found
= true;
1168 sql_insert_return_states(return_id
, return_ranges
,
1169 func_gets_user_data
? USER_DATA3_SET
: USER_DATA3
,
1170 -1, param_name
, show_rl(estate_rl(sm
->state
)));
1171 } END_FOR_EACH_SM(sm
);
/* the return value as a whole, unless a "$" row was already written */
1174 if (!return_found
&& get_user_rl(expr
, &rl
)) {
1175 sql_insert_return_states(return_id
, return_ranges
,
1176 func_gets_user_data
? USER_DATA3_SET
: USER_DATA3
,
1177 -1, "$", show_rl(rl
));
1182 free_string(return_str
);
/* func_gets_user_data of the enclosing functions, saved across inlines. */
static struct int_stack *gets_data_stack;
/* FUNC_DEF_HOOK: a freshly entered function has not read user data yet. */
static void match_function_def(struct symbol *sym)
{
	func_gets_user_data = false;
}
/* INLINE_FN_START: save the caller's flag before an inline is analysed. */
static void match_inline_start(struct expression *expr)
{
	bool outer_flag = func_gets_user_data;

	push_int(&gets_data_stack, outer_flag);
}
/* INLINE_FN_END: restore the caller's flag. */
static void match_inline_end(struct expression *expr)
{
	func_gets_user_data = pop_int(&gets_data_stack);
}
/*
 * Register the user-data checker (kernel project only): state
 * lifecycle hooks, the sources of user data (copy_from_user() family,
 * kstrto*() parsers, usb_control_msg(), the returns_user_data[] table,
 * sscanf(), syscall definitions), the propagation hooks and the
 * database import/export callbacks.
 *
 * NOTE(review): the `i` declaration, the `my_id = id` assignment and
 * the return after the project check are not in this listing.
 */
1201 void register_kernel_user_data2(int id
)
1207 if (option_project
!= PROJ_KERNEL
)
1210 add_hook(&match_function_def
, FUNC_DEF_HOOK
);
1211 add_hook(&match_inline_start
, INLINE_FN_START
);
1212 add_hook(&match_inline_end
, INLINE_FN_END
);
1214 add_hook(&save_start_states
, AFTER_DEF_HOOK
);
1215 add_hook(&free_start_states
, AFTER_FUNC_HOOK
);
1216 add_hook(&match_save_states
, INLINE_FN_START
);
1217 add_hook(&match_restore_states
, INLINE_FN_END
);
1219 add_unmatched_state_hook(my_id
, &empty_state
);
1220 add_extra_nomod_hook(&extra_nomod_hook
);
1221 add_pre_merge_hook(my_id
, &pre_merge_hook
);
1222 add_merge_hook(my_id
, &merge_estates
);
/* sources: the destination argument (index 0) receives user data */
1224 add_function_hook("copy_from_user", &match_user_copy
, INT_PTR(0));
1225 add_function_hook("__copy_from_user", &match_user_copy
, INT_PTR(0));
1226 add_function_hook("memcpy_fromiovec", &match_user_copy
, INT_PTR(0));
/* kstrto*(): the parsed value lands in argument index 2 */
1227 for (i
= 0; i
< ARRAY_SIZE(kstr_funcs
); i
++)
1228 add_function_hook(kstr_funcs
[i
], &match_user_copy
, INT_PTR(2));
1229 add_function_hook("usb_control_msg", &match_user_copy
, INT_PTR(6));
1231 for (i
= 0; i
< ARRAY_SIZE(returns_user_data
); i
++) {
1232 add_function_assign_hook(returns_user_data
[i
], &match_user_assign_function
, NULL
);
1233 add_function_hook(returns_user_data
[i
], &match_returns_user_rl
, NULL
);
1236 add_function_hook("sscanf", &match_sscanf
, NULL
);
1238 add_hook(&match_syscall_definition
, AFTER_DEF_HOOK
);
/* propagation through assignments and conditions */
1240 add_hook(&match_assign
, ASSIGNMENT_HOOK
);
1241 add_hook(&match_condition
, CONDITION_HOOK
);
/* cross-function flow via the caller-info and return-states tables */
1243 add_hook(&match_call_info
, FUNCTION_CALL_HOOK
);
1244 add_member_info_callback(my_id
, struct_member_callback
);
1245 select_caller_info_hook(set_param_user_data
, USER_DATA3
);
1246 select_return_states_hook(USER_DATA3
, &returns_param_user_data
);
1247 select_return_states_hook(USER_DATA3_SET
, &returns_param_user_data_set
);
/* NOTE(review): "¶m_set_to_user_data" is an HTML "&para;" mis-decoding of
 * "&param_set_to_user_data" in this listing, not what the source contains */
1248 add_split_return_callback(¶m_set_to_user_data
);
/*
 * Register the companion checker that records whether the database has
 * caller information for the current function (see set_called()).
 *
 * NOTE(review): the `my_call_id = id` assignment and the return after
 * the project check are not in this listing.
 */
1251 void register_kernel_user_data3(int id
)
1255 if (option_project
!= PROJ_KERNEL
)
1257 select_caller_info_hook(set_called
, INTERNAL
);