check_string_len.c

   1 /*
   2  * smatch/check_string_len.c
   3  *
   4  * Copyright (C) 2013 Oracle.
   5  *
   6  * Licensed under the Open Software License version 1.1
   7  *
   8  */
   9
  10 /*
  11  * This tries to find buffer overflows in sprintf().
  12  * I'll freely admit that the code is sort of crap.
  13  * Also if it sees "sprintf("%2d\n", x)" then it assumes x is less than 99.
  14  * That might not be true so there maybe buffer overflows which are missed.
  15  *
  16  */
  17
  18 #include <ctype.h>
  19 #include "smatch.h"
  20
  21 static int my_id;
  22
  23 struct param_info {
  24         int buf_or_limit;
  25         int string;
  26 };
  27
  28 struct param_info zero_one = {0, 1};
  29
  30 static int handle_format(struct expression *call, char **pp, int *arg_nr)
  31 {
  32         struct expression *arg;
  33         char *p = *pp;
  34         int ret = 1;
  35         char buf[256];
  36         sval_t max;
  37
  38         p++;  /* we passed it with *p == '%' */
  39
  40         if (*p == '%') {
  41                 p++;
  42                 ret = 1;
  43                 goto out_no_arg;
  44         }
  45         if (*p == 'c') {
  46                 p++;
  47                 ret = 1;
  48                 goto out;
  49         }
  50
  51
  52         if (isdigit(*p) || *p == '.') {
  53                 unsigned long num;
  54
  55                 if (*p == '.')
  56                         p++;
  57
  58                 num = strtoul(p, &p, 10);
  59                 ret = num;
  60
  61                 while (*p == 'l')
  62                         p++;
  63                 p++; /* eat the 'd' char */
  64                 goto out;
  65         }
  66
  67         if (*p == 'l') {
  68                 p++;
  69                 if (*p == 'l')
  70                         p++;
  71         }
  72
  73         if (option_project == PROJ_KERNEL && *p == 'z')
  74                 p++;
  75
  76         if (option_project == PROJ_KERNEL && *p == 'p') {
  77                 if (*(p + 1) == 'I' || *(p + 1) == 'i') {
  78                         char *eye;
  79
  80                         eye = p + 1;
  81                         p += 2;
  82                         if (*p == 'h' || *p == 'n' || *p == 'b' || *p == 'l')
  83                                 p++;
  84                         if (*p == '4') {
  85                                 p++;
  86                                 ret = 15;
  87                                 goto out;
  88                         }
  89                         if (*p == '6') {
  90                                 p++;
  91                                 if (*p == 'c')
  92                                         p++;
  93                                 if (*eye == 'I')
  94                                         ret = 39;
  95                                 if (*eye == 'i')
  96                                         ret = 32;
  97                                 goto out;
  98                         }
  99                 }
 100                 if (*(p + 1) == 'M') {
 101                         p += 2;
 102                         if (*p == 'R' || *p == 'F')
 103                                 p++;
 104                         ret = 17;
 105                         goto out;
 106                 }
 107                 if (*(p + 1) == 'm') {
 108                         p += 2;
 109                         if (*p == 'R')
 110                                 p++;
 111                         ret = 12;
 112                         goto out;
 113                 }
 114         }
 115
 116         arg = get_argument_from_call_expr(call->args, *arg_nr);
 117         if (!arg)
 118                 goto out;
 119
 120         if (*p == 's') {
 121                 ret = get_array_size_bytes(arg);
 122                 if (ret < 0)
 123                         ret = 1;
 124                 /* we don't print the NUL here */
 125                 ret--;
 126                 p++;
 127                 goto out;
 128         }
 129
 130         if (*p != 'd' && *p != 'i' && *p != 'x' && *p != 'X' && *p != 'u' && *p != 'p') {
 131                 ret = 1;
 132                 p++;
 133                 goto out;
 134         }
 135
 136         get_absolute_max(arg, &max);
 137
 138         if (*p == 'x' || *p == 'X' || *p == 'p') {
 139                 ret = snprintf(buf, sizeof(buf), "%llx", max.uvalue);
 140         } else if (*p == 'u') {
 141                 ret = snprintf(buf, sizeof(buf), "%llu", max.uvalue);
 142         } else if (!expr_unsigned(arg)) {
 143                 sval_t min;
 144                 int tmp;
 145
 146                 ret = snprintf(buf, sizeof(buf), "%lld", max.value);
 147                 get_absolute_min(arg, &min);
 148                 tmp = snprintf(buf, sizeof(buf), "%lld", min.value);
 149                 if (tmp > ret)
 150                         ret = tmp;
 151         } else {
 152                 ret = snprintf(buf, sizeof(buf), "%lld", max.value);
 153         }
 154         p++;
 155
 156 out:
 157         (*arg_nr)++;
 158 out_no_arg:
 159         *pp = p;
 160         return ret;
 161 }
 162
 163 static int get_string_size(struct expression *call, int arg)
 164 {
 165         struct expression *expr;
 166         char *p;
 167         int count;
 168
 169         expr = get_argument_from_call_expr(call->args, arg);
 170         if (!expr || expr->type != EXPR_STRING)
 171                 return -1;
 172
 173         arg++;
 174         count = 0;
 175         p = expr->string->data;
 176         while (*p) {
 177
 178                 if (*p == '%') {
 179                         count += handle_format(call, &p, &arg);
 180                 } else if (*p == '\\') {
 181                         p++;
 182                 }else {
 183                         p++;
 184                         count++;
 185                 }
 186         }
 187
 188         count++; /* count the NUL terminator */
 189         return count;
 190 }
 191
 192 static void match_not_limited(const char *fn, struct expression *call, void *info)
 193 {
 194         struct param_info *params = info;
 195         struct expression *arg;
 196         int buf_size, size;
 197         int user = 0;
 198         int i;
 199
 200         arg = get_argument_from_call_expr(call->args, params->buf_or_limit);
 201         buf_size = get_array_size_bytes(arg);
 202         if (buf_size <= 0)
 203                 return;
 204
 205         size = get_string_size(call, params->string);
 206         if (size <= 0)
 207                 return;
 208         if (size <= buf_size)
 209                 return;
 210
 211         i = 0;
 212         FOR_EACH_PTR(call->args, arg) {
 213                 if (i++ <= params->string)
 214                         continue;
 215                 if (is_user_data(arg))
 216                         user = 1;
 217         } END_FOR_EACH_PTR(arg);
 218
 219         sm_msg("error: format string overflow. buf_size: %d length: %d%s",
 220                buf_size, size, user ? " [user data]": "");
 221 }
 222
 223 void check_string_len(int id)
 224 {
 225         my_id = id;
 226         add_function_hook("sprintf", &match_not_limited, &zero_one);
 227 }
 228