1 /* 2 * Copyright (C) 2010 Dan Carpenter. 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU General Public License 6 * as published by the Free Software Foundation; either version 2 7 * of the License, or (at your option) any later version. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 * 14 * You should have received a copy of the GNU General Public License 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt 16 */ 17 18 /* 19 * This tries to find places which should probably return -EFAULT 20 * but return the number of bytes to copy instead. 21 */ 22 23 #include <string.h> 24 #include "smatch.h" 25 #include "smatch_slist.h" 26 #include "smatch_extra.h" 27 28 static int my_id; 29 30 STATE(remaining); 31 STATE(ok); 32 33 static void ok_to_use(struct sm_state *sm, struct expression *mod_expr) 34 { 35 if (sm->state != &ok) 36 set_state(my_id, sm->name, sm->sym, &ok); 37 } 38 39 static void match_copy(const char *fn, struct expression *expr, void *unused) 40 { 41 if (expr->op == SPECIAL_SUB_ASSIGN) 42 return; 43 set_state_expr(my_id, expr->left, &remaining); 44 } 45 46 static void match_condition(struct expression *expr) 47 { 48 if (!get_state_expr(my_id, expr)) 49 return; 50 /* If the variable is zero that's ok */ 51 set_true_false_states_expr(my_id, expr, NULL, &ok); 52 } 53 54 /* 55 * This function is biased in favour of print out errors. 56 * The heuristic to print is: 57 * If we have a potentially positive return from copy_to_user 58 * and there is a possibility that we return negative as well 59 * then complain. 60 */ 61 static void match_return_var(struct expression *ret_value) 62 { 63 struct smatch_state *state; 64 struct sm_state *sm; 65 sval_t min; 66 67 sm = get_sm_state_expr(my_id, ret_value); 68 if (!sm) 69 return; 70 if (!slist_has_state(sm->possible, &remaining)) 71 return; 72 state = get_state_expr(SMATCH_EXTRA, ret_value); 73 if (!state) 74 return; 75 if (!get_absolute_min(ret_value, &min)) 76 return; 77 if (min.value == 0) 78 return; 79 sm_warning("maybe return -EFAULT instead of the bytes remaining?"); 80 } 81 82 static void match_return_call(struct expression *ret_value) 83 { 84 struct expression *fn; 85 struct range_list *rl; 86 const char *fn_name; 87 char *cur_func; 88 89 if (!ret_value || ret_value->type != EXPR_CALL) 90 return; 91 cur_func = get_function(); 92 if (!cur_func) 93 return; 94 if (strstr(cur_func, "_to_user") || 95 strstr(cur_func, "_from_user")) 96 return; 97 98 fn = strip_expr(ret_value->fn); 99 if (fn->type != EXPR_SYMBOL) 100 return; 101 fn_name = fn->symbol_name->name; 102 if (strcmp(fn_name, "copy_to_user") != 0 && 103 strcmp(fn_name, "__copy_to_user") != 0 && 104 strcmp(fn_name, "copy_from_user") != 0 && 105 strcmp(fn_name, "__copy_from_user")) 106 return; 107 108 rl = db_return_vals_from_str(get_function()); 109 if (!rl) 110 return; 111 112 if (!sval_is_negative(rl_min(rl))) 113 return; 114 sm_warning("maybe return -EFAULT instead of the bytes remaining?"); 115 } 116 117 void check_return_efault(int id) 118 { 119 if (option_project != PROJ_KERNEL) 120 return; 121 122 my_id = id; 123 add_function_assign_hook("copy_to_user", &match_copy, NULL); 124 add_function_assign_hook("__copy_to_user", &match_copy, NULL); 125 add_function_assign_hook("copy_from_user", &match_copy, NULL); 126 add_function_assign_hook("__copy_from_user", &match_copy, NULL); 127 add_function_assign_hook("clear_user", &match_copy, NULL); 128 add_hook(&match_condition, CONDITION_HOOK); 129 add_hook(&match_return_var, RETURN_HOOK); 130 add_hook(&match_return_call, RETURN_HOOK); 131 add_modification_hook(my_id, &ok_to_use); 132 } 133