/*
 * Copyright (C) 2010 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */
181f5207b7SJohn Levon #include "smatch.h"
/*
 * Check identifier handed to check_access_ok_math() when the check is
 * registered.  It is stored there and not read anywhere else in this file.
 */
static int my_id;
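/*
 * can_overflow() - decide whether a size expression is unbounded enough
 * that arithmetic on it might wrap.
 *
 * The expression is first passed through strip_expr().  A NULL result is
 * treated as "nothing to analyse" and yields 0; match_size() guards the
 * same call in the same way, and without the guard the ->type read below
 * would dereference NULL.
 *
 * Binary operation: both operands are evaluated recursively.  The result
 * is 1 only when at least one operand is uncapped AND the operator is
 * '+', '*' or a left shift.  Every other binary operator yields 0, even
 * when an operand is uncapped.
 *
 * Any other expression: the result is 0 when get_implied_max() succeeds
 * (the magnitude of that bound is not inspected), or when
 * get_absolute_max() succeeds and reports a maximum of at most 4096.
 * Otherwise the value is considered uncapped and the result is 1.
 *
 * Security relevance: the caller uses this to flag arithmetic in the size
 * argument of access_ok().  If such arithmetic wraps, the range that gets
 * validated can be smaller than the range the code later touches.
 *
 * Return: 1 if the expression may overflow, 0 otherwise.
 */
static int can_overflow(struct expression *expr)
{
	sval_t max;
	int uncapped = 0;

	expr = strip_expr(expr);
	if (!expr)
		return 0;

	if (expr->type == EXPR_BINOP) {
		uncapped += can_overflow(expr->left);
		uncapped += can_overflow(expr->right);

		/* Only operators that can grow the value are reported. */
		if (uncapped &&
		    (expr->op == '+' || expr->op == '*' ||
		     expr->op == SPECIAL_LEFTSHIFT))
			return 1;

		return 0;
	}

	/* Any implied upper bound counts as capped, whatever its size. */
	if (get_implied_max(expr, &max))
		return 0;
	/* Without an implied bound, accept only a small absolute maximum. */
	if (get_absolute_max(expr, &max) && sval_cmp_val(max, 4096) <= 0)
		return 0;
	return 1;
}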
/*
 * match_size() - warn when the size handed to access_ok() is computed with
 * arithmetic that can_overflow() considers able to wrap.
 *
 * The expression is stripped first.  If it is not itself a binary
 * operation, the expression last assigned to it is looked up with
 * get_assigned_expr() and examined instead.  Anything that is still not a
 * binary operation is ignored: this check only cares about math.
 *
 * A wrapped size makes access_ok() validate a smaller range than the one
 * the caller goes on to use, which is why the math is reported.
 */
static void match_size(struct expression *size_expr)
{
	char *text;

	size_expr = strip_expr(size_expr);
	if (!size_expr)
		return;

	/* Follow a plain variable back to the expression assigned to it. */
	if (size_expr->type != EXPR_BINOP)
		size_expr = get_assigned_expr(size_expr);
	if (!size_expr || size_expr->type != EXPR_BINOP)
		return;

	if (can_overflow(size_expr)) {
		text = expr_to_str(size_expr);
		sm_warning("math in access_ok() is dangerous '%s'", text);
		free_string(text);
	}
}
/*
 * match_access_ok() - function hook registered for "__access_ok".
 *
 * Fetches the call argument at index 1 and hands it to match_size().
 * NOTE(review): index 1 is presumably the size parameter of __access_ok();
 * confirm against the kernel prototype being analysed.
 *
 * @fn and @data are required by the hook signature and are unused here.
 */
static void match_access_ok(const char *fn, struct expression *expr, void *data)
{
	match_size(get_argument_from_call_expr(expr->args, 1));
}
/*
 * split_asm_constraints() - check the first asm input operand.
 *
 * Walks the operand list and calls match_size() on the wrapped expression
 * of the entry at position 1, provided that entry is an EXPR_ASM_OPERAND.
 * All later entries are visited but never checked.
 * NOTE(review): presumably the first asm input of the access_ok() macro
 * carries the size; confirm against the macro definition.
 */
static void split_asm_constraints(struct expression_list *expr_list)
{
	struct expression *operand;
	int seen = 0;

	FOR_EACH_PTR(expr_list, operand) {
		/* The counter advances for every entry, operand or not. */
		if (++seen == 1 && operand->type == EXPR_ASM_OPERAND)
			match_size(operand->expr);
	} END_FOR_EACH_PTR(operand);
}
/*
 * match_asm_stmt() - ASM_HOOK callback.
 *
 * Only asm statements whose source position lies inside a macro named
 * exactly "access_ok" are of interest.  Their input operands are passed
 * to split_asm_constraints().
 */
static void match_asm_stmt(struct statement *stmt)
{
	char *macro = get_macro_name(stmt->pos);

	if (macro && strcmp(macro, "access_ok") == 0)
		split_asm_constraints(stmt->asm_inputs);
}
/*
 * check_access_ok_math() - register the "math in access_ok()" check.
 *
 * @id: identifier for this check; always recorded in my_id.
 *
 * The hooks are installed only when the analysed project is the kernel
 * and option_spammy is set, so the warning is opt-in.  Two paths are
 * covered: direct calls to "__access_ok", and asm statements (filtered
 * for the access_ok macro in match_asm_stmt()).
 */
void check_access_ok_math(int id)
{
	my_id = id;

	if (option_project != PROJ_KERNEL || !option_spammy)
		return;

	add_function_hook("__access_ok", &match_access_ok, NULL);
	add_hook(&match_asm_stmt, ASM_HOOK);
}