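/*
 * Copyright (C) 2011 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

/*
 * There are a couple checks that try to see if a variable
 * comes from the user.  It would be better to unify them
 * into one place.  Also it we should follow the data down
 * the call paths.  Hence this file.
 */

#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"

static int my_id;
static int my_call_id;

STATE(called);
static bool func_gets_user_data;

/*
 * String-to-integer parsers whose output is treated as user controlled.
 * Every entry must be its own comma-terminated literal: two adjacent
 * literals without a comma are concatenated by the compiler, so both
 * names silently disappear from the table and the checker stops
 * recognising those calls.  The "kstrtoull_from_user" entry below was
 * missing its comma.
 */
static const char *kstr_funcs[] = {
	"kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
	"kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
	"kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user",
	"kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
	"kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
	"kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
	"kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
	"kstrtos32_from_user",
};

/* Functions whose return value is treated as user data (see get_rl_from_function()). */
static const char *returns_user_data[] = {
	"simple_strtol", "simple_strtoll", "simple_strtoul", "simple_strtoull",
	"kvm_register_read",
};

/* Functions whose returned pointer is treated as pointing at user data. */
static const char *returns_pointer_to_user_data[] = {
	"nlmsg_data", "nla_data", "memdup_user", "kmap_atomic",
	"skb_network_header",
};

static void set_points_to_user_data(struct expression *expr);

static struct stree *start_states;
static struct stree_stack *saved_stack;

/* Snapshot the current states at the start of a function. */
static void save_start_states(struct statement *stmt)
{
	start_states = clone_stree(__get_cur_stree());
}

static void free_start_states(void)
{
	free_stree(&start_states);
}

/* Push the saved start states when entering an inline function. */
static void match_save_states(struct expression *expr)
{
	push_stree(&saved_stack, start_states);
	start_states = NULL;
}

/* Pop the start states back when leaving an inline function. */
static void match_restore_states(struct expression *expr)
{
	free_stree(&start_states);
	start_states = pop_stree(&saved_stack);
}

static struct smatch_state *empty_state(struct sm_state *sm)
{
	return alloc_estate_empty();
}

/*
 * Before merging, narrow the user range to what smatch_extra knows about the
 * same variable.  If the intersection is a single known value the data is no
 * longer interesting as user data, so the user range is dropped.
 */
static void pre_merge_hook(struct sm_state *sm)
{
	struct smatch_state *user;
	struct smatch_state *extra;
	struct smatch_state *state;
	struct range_list *rl;
	sval_t dummy;

	user = __get_state(my_id, sm->name, sm->sym);
	if (!user || !estate_rl(user))
		return;
	extra = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
	if (!extra)
		return;
	rl = rl_intersection(estate_rl(user), estate_rl(extra));
	/* a single concrete value is not tracked as user data */
	if (rl_to_sval(rl, &dummy))
		rl = NULL;
	state = alloc_estate_rl(clone_rl(rl));
	if (estate_capped(user) || is_capped_var_sym(sm->name, sm->sym))
		estate_set_capped(state);
	set_state(my_id, sm->name, sm->sym, state);
}

/*
 * smatch_extra learned something about a variable without it being modified
 * (a condition, typically).  Narrow our user range accordingly, keeping the
 * capped flag.
 */
static void extra_nomod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
{
	struct smatch_state *user, *new;
	struct range_list *rl;

	user = __get_state(my_id, name, sym);
	if (!user)
		return;
	rl = rl_intersection(estate_rl(user), estate_rl(state));
	if (rl_equiv(rl, estate_rl(user)))
		return;
	new = alloc_estate_rl(rl);
	if (estate_capped(user))
		estate_set_capped(new);
	set_state(my_id, name, sym, new);
}

/*
 * Decide whether a binary operation on user data yields a capped result:
 * subtraction from capped user data (or where the left side is known to be
 * greater), masking/modulo by anything capped, or both operands capped.
 */
static bool binop_capped(struct expression *expr)
{
	struct range_list *left_rl;
	int comparison;

	if (expr->op == '-' && get_user_rl(expr->left, &left_rl)) {
		if (user_rl_capped(expr->left))
			return true;
		comparison = get_comparison(expr->left, expr->right);
		if (comparison && show_special(comparison)[0] == '>')
			return true;
		return false;
	}

	if (expr->op == '&' || expr->op == '%') {
		if (is_capped(expr->left) || is_capped(expr->right))
			return true;
		if (user_rl_capped(expr->left) || user_rl_capped(expr->right))
			return true;
		return false;
	}

	if (user_rl_capped(expr->left) &&
	    user_rl_capped(expr->right))
		return true;
	return false;
}

/*
 * Returns true when the user data in @expr has been bounded by a check, or
 * when @expr is not user data at all; false only for uncapped user data.
 */
bool user_rl_capped(struct expression *expr)
{
	struct smatch_state *state;
	struct range_list *rl;
	sval_t sval;

	expr = strip_expr(expr);
	if (!expr)
		return false;
	if (get_value(expr, &sval))
		return true;
	if (expr->type == EXPR_BINOP)
		return binop_capped(expr);
	if ((expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) &&
	    (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT))
		return user_rl_capped(expr->unop);
	state = get_state_expr(my_id, expr);
	if (state)
		return estate_capped(state);

	if (get_user_rl(expr, &rl))
		return false;  /* uncapped user data */

	return true;  /* not actually user data */
}

/* Recursively mark every leaf member of a nested struct/union as user data. */
static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
{
	struct expression *edge_member;
	struct symbol *base = get_real_base_type(member);
	struct symbol *tmp;

	if (member->ident)
		expr = member_expression(expr, '.', member->ident);

	FOR_EACH_PTR(base->symbol_list, tmp) {
		struct symbol *type;

		type = get_real_base_type(tmp);
		if (!type)
			continue;

		if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
			tag_inner_struct_members(expr, tmp);
			continue;
		}

		if (!tmp->ident)
			continue;

		edge_member = member_expression(expr, '.', tmp->ident);
		set_state_expr(my_id, edge_member, alloc_estate_whole(type));
	} END_FOR_EACH_PTR(tmp);
}

/*
 * Mark every member of the struct @expr points to as user data.  Array
 * members are additionally recorded as pointing to user data.
 */
static void tag_struct_members(struct symbol *type, struct expression *expr)
{
	struct symbol *tmp;
	struct expression *member;
	int op = '*';

	/* &foo.bar style access uses '.' instead of '->' */
	if (expr->type == EXPR_PREOP && expr->op == '&') {
		expr = strip_expr(expr->unop);
		op = '.';
	}

	FOR_EACH_PTR(type->symbol_list, tmp) {
		type = get_real_base_type(tmp);
		if (!type)
			continue;

		if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
			tag_inner_struct_members(expr, tmp);
			continue;
		}

		if (!tmp->ident)
			continue;

		member = member_expression(expr, op, tmp->ident);
		set_state_expr(my_id, member, alloc_estate_whole(get_type(member)));

		if (type->type == SYM_ARRAY)
			set_points_to_user_data(member);
	} END_FOR_EACH_PTR(tmp);
}

/* Mark the object a pointer to a base type refers to as user data. */
static void tag_base_type(struct expression *expr)
{
	if (expr->type == EXPR_PREOP && expr->op == '&')
		expr = strip_expr(expr->unop);
	else
		expr = deref_expression(expr);
	set_state_expr(my_id, expr, alloc_estate_whole(get_type(expr)));
}

/*
 * @expr is a pointer whose target was just filled with user data
 * (copy_from_user() destination, for example).  Tag the pointed-to object:
 * void pointers are tagged as a whole ulong, base types directly, and
 * structs/unions member by member.
 */
static void tag_as_user_data(struct expression *expr)
{
	struct symbol *type;

	expr = strip_expr(expr);

	type = get_type(expr);
	if (!type || type->type != SYM_PTR)
		return;
	type = get_real_base_type(type);
	if (!type)
		return;
	if (type == &void_ctype) {
		set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
		return;
	}
	if (type->type == SYM_BASETYPE)
		tag_base_type(expr);
	if (type->type == SYM_STRUCT || type->type == SYM_UNION) {
		if (expr->type != EXPR_PREOP || expr->op != '&')
			expr = deref_expression(expr);
		else
			set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
		tag_struct_members(type, expr);
	}
}

/* Hook for copy_from_user() style functions: argument @_param receives user data. */
static void match_user_copy(const char *fn, struct expression *expr, void *_param)
{
	int param = PTR_INT(_param);
	struct expression *dest;

	func_gets_user_data = true;

	dest = get_argument_from_call_expr(expr->args, param);
	dest = strip_expr(dest);
	if (!dest)
		return;
	tag_as_user_data(dest);
}

/* sysfs attribute names are kernel strings, not user input. */
static int is_dev_attr_name(struct expression *expr)
{
	char *name;
	int ret = 0;

	name = expr_to_str(expr);
	if (!name)
		return 0;
	if (strstr(name, "->attr.name"))
		ret = 1;
	free_string(name);
	return ret;
}

/*
 * Does the format string literal end in "%n"?  The string length counts
 * the terminating NUL, hence the -3/-2 offsets.
 */
static int ends_in_n(struct expression *expr)
{
	struct string *str;

	if (!expr)
		return 0;
	if (expr->type != EXPR_STRING || !expr->string)
		return 0;

	str = expr->string;
	if (str->length < 3)
		return 0;

	if (str->data[str->length - 3] == '%' &&
	    str->data[str->length - 2] == 'n')
		return 1;
	return 0;
}

/*
 * sscanf(): every output argument (index >= 2) receives user data, except
 * the last one when the format ends in "%n" (that one is a char count).
 */
static void match_sscanf(const char *fn, struct expression *expr, void *unused)
{
	struct expression *str, *format, *arg;
	int i, last;

	func_gets_user_data = true;

	str = get_argument_from_call_expr(expr->args, 0);
	if (is_dev_attr_name(str))
		return;

	format = get_argument_from_call_expr(expr->args, 1);
	if (is_dev_attr_name(format))
		return;

	last = ptr_list_size((struct ptr_list *)expr->args) - 1;

	i = -1;
	FOR_EACH_PTR(expr->args, arg) {
		i++;
		if (i < 2)
			continue;
		if (i == last && ends_in_n(format))
			continue;
		tag_as_user_data(arg);
	} END_FOR_EACH_PTR(arg);
}

/* Is @expr "skb->data" (possibly plus an offset) where skb is a struct sk_buff *? */
static int is_skb_data(struct expression *expr)
{
	struct symbol *sym;

	if (!expr)
		return 0;

	if (expr->type == EXPR_BINOP && expr->op == '+')
		return is_skb_data(expr->left);

	expr = strip_expr(expr);
	if (!expr)
		return 0;
	if (expr->type != EXPR_DEREF || expr->op != '.')
		return 0;

	if (!expr->member)
		return 0;
	if (strcmp(expr->member->name, "data") != 0)
		return 0;

	sym = expr_to_sym(expr->deref);
	if (!sym)
		return 0;
	sym = get_real_base_type(sym);
	if (!sym || sym->type != SYM_PTR)
		return 0;
	sym = get_real_base_type(sym);
	if (!sym || sym->type != SYM_STRUCT || !sym->ident)
		return 0;
	if (strcmp(sym->ident->name, "sk_buff") != 0)
		return 0;

	return 1;
}

/* Is @expr a call to one of the returns_pointer_to_user_data[] functions? */
static bool is_points_to_user_data_fn(struct expression *expr)
{
	int i;

	expr = strip_expr(expr);
	if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
	    !expr->fn->symbol)
		return false;
	expr = expr->fn;
	for (i = 0; i < ARRAY_SIZE(returns_pointer_to_user_data); i++) {
		if (sym_name_is(returns_pointer_to_user_data[i], expr))
			return true;
	}
	return false;
}

/*
 * If @expr calls one of the returns_user_data[] functions, set @rl to the
 * whole range of the call's type and return 1.
 */
static int get_rl_from_function(struct expression *expr, struct range_list **rl)
{
	int i;

	if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
	    !expr->fn->symbol_name || !expr->fn->symbol_name->name)
		return 0;

	for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
		if (strcmp(expr->fn->symbol_name->name, returns_user_data[i]) == 0) {
			*rl = alloc_whole_rl(get_type(expr));
			return 1;
		}
	}
	return 0;
}

/*
 * Does the pointer @expr point at user data?  Checks skb->data, the known
 * function tables, pointer arithmetic on either side, and finally the "*name"
 * state recorded by set_points_to_user_data().
 */
int points_to_user_data(struct expression *expr)
{
	struct smatch_state *state;
	struct range_list *rl;
	char buf[256];
	struct symbol *sym;
	char *name;
	int ret = 0;

	expr = strip_expr(expr);
	if (!expr)
		return 0;
	if (is_skb_data(expr))
		return 1;
	if (is_points_to_user_data_fn(expr))
		return 1;
	if (get_rl_from_function(expr, &rl))
		return 1;

	if (expr->type == EXPR_BINOP && expr->op == '+') {
		if (points_to_user_data(expr->left))
			return 1;
		if (points_to_user_data(expr->right))
			return 1;
		return 0;
	}

	name = expr_to_var_sym(expr, &sym);
	if (!name || !sym)
		goto free;
	snprintf(buf, sizeof(buf), "*%s", name);
	state = __get_state(my_id, buf, sym);
	if (state && estate_rl(state))
		ret = 1;
free:
	free_string(name);
	return ret;
}

/*
 * Record that the pointer @expr points at user data by setting a whole
 * range on "*name".  Non-base pointee types fall back to llong.
 */
static void set_points_to_user_data(struct expression *expr)
{
	char *name;
	struct symbol *sym;
	char buf[256];
	struct symbol *type;

	name = expr_to_var_sym(expr, &sym);
	if (!name || !sym)
		goto free;
	snprintf(buf, sizeof(buf), "*%s", name);
	type = get_type(expr);
	if (type && type->type == SYM_PTR)
		type = get_real_base_type(type);
	if (!type || type->type != SYM_BASETYPE)
		type = &llong_ctype;
	set_state(my_id, buf, sym, alloc_estate_whole(type));
free:
	free_string(name);
}

/* Is @expr "*(skb->data)" or "*(skb->data + n)"? */
static int comes_from_skb_data(struct expression *expr)
{
	expr = strip_expr(expr);
	if (!expr || expr->type != EXPR_PREOP || expr->op != '*')
		return 0;

	expr = strip_expr(expr->unop);
	if (!expr)
		return 0;
	if (expr->type == EXPR_BINOP && expr->op == '+')
		expr = strip_expr(expr->left);

	return is_skb_data(expr);
}

/*
 * Handle "struct_ptr = (struct other *)user_ptr" by tagging the members of
 * the left side.  Returns 1 if the assignment was handled.
 */
static int handle_struct_assignment(struct expression *expr)
{
	struct expression *right;
	struct symbol *left_type, *right_type;

	left_type = get_type(expr->left);
	if (!left_type || left_type->type != SYM_PTR)
		return 0;
	left_type = get_real_base_type(left_type);
	if (!left_type)
		return 0;
	if (left_type->type != SYM_STRUCT &&
	    left_type->type != SYM_UNION)
		return 0;

	/*
	 * Ignore struct to struct assignments because for those we look at the
	 * individual members.
	 */
	right = strip_expr(expr->right);
	right_type = get_type(right);
	if (!right_type || right_type->type != SYM_PTR)
		return 0;

	/* If we are assigning struct members then normally that is handled
	 * by fake assignments, however if we cast one struct to a different
	 * of struct then we handle that here.
	 */
	right_type = get_real_base_type(right_type);
	if (right_type == left_type)
		return 0;

	if (!points_to_user_data(right))
		return 0;

	tag_as_user_data(expr->left);
	return 1;
}

/*
 * get_user() expands to an assignment from "__val_gu"; the left side is then
 * entirely user controlled.  Returns 1 if handled.
 */
static int handle_get_user(struct expression *expr)
{
	char *name;
	int ret = 0;

	name = get_macro_name(expr->pos);
	if (!name || strcmp(name, "get_user") != 0)
		return 0;

	name = expr_to_var(expr->right);
	if (!name || strcmp(name, "__val_gu") != 0)
		goto free;
	set_state_expr(my_id, expr->left, alloc_estate_whole(get_type(expr->left)));
	ret = 1;
free:
	free_string(name);
	return ret;
}

/*
 * Compound assignments ("a += b" etc.) are rewritten as "a = a op b" and the
 * user range of that binop becomes the new state of the left side.  Returns
 * true for every compound operator, whether or not user data was found.
 */
static bool handle_op_assign(struct expression *expr)
{
	struct expression *binop_expr;
	struct smatch_state *state;
	struct range_list *rl;

	switch (expr->op) {
	case SPECIAL_ADD_ASSIGN:
	case SPECIAL_SUB_ASSIGN:
	case SPECIAL_AND_ASSIGN:
	case SPECIAL_MOD_ASSIGN:
	case SPECIAL_SHL_ASSIGN:
	case SPECIAL_SHR_ASSIGN:
	case SPECIAL_OR_ASSIGN:
	case SPECIAL_XOR_ASSIGN:
	case SPECIAL_MUL_ASSIGN:
	case SPECIAL_DIV_ASSIGN:
		binop_expr = binop_expression(expr->left,
					      op_remove_assign(expr->op),
					      expr->right);
		if (!get_user_rl(binop_expr, &rl))
			return true;

		rl = cast_rl(get_type(expr->left), rl);
		state = alloc_estate_rl(rl);
		if (user_rl_capped(binop_expr))
			estate_set_capped(state);
		set_state_expr(my_id, expr->left, state);
		return true;
	default:
		break;
	}
	return false;
}

/*
 * Assignment hook.  Propagates user data from right to left, or clears any
 * stale user state on the left when the right side is not user data.
 */
static void match_assign(struct expression *expr)
{
	struct range_list *rl;
	static struct expression *handled;
	struct smatch_state *state;
	struct expression *faked;

	/* the fake member assignments for an already handled struct copy */
	faked = get_faked_expression();
	if (faked && faked == handled)
		return;
	if (is_fake_call(expr->right))
		goto clear_old_state;
	if (handle_get_user(expr))
		return;
	if (points_to_user_data(expr->right)) {
		handled = expr;
		set_points_to_user_data(expr->left);
	}
	if (handle_struct_assignment(expr))
		return;

	if (handle_op_assign(expr))
		return;
	if (expr->op != '=')
		goto clear_old_state;

	/* Handled by DB code */
	if (expr->right->type == EXPR_CALL || __in_fake_parameter_assign)
		return;

	if (!get_user_rl(expr->right, &rl))
		goto clear_old_state;

	rl = cast_rl(get_type(expr->left), rl);
	state = alloc_estate_rl(rl);
	if (user_rl_capped(expr->right))
		estate_set_capped(state);
	set_state_expr(my_id, expr->left, state);

	return;

clear_old_state:
	if (get_state_expr(my_id, expr->left))
		set_state_expr(my_id, expr->left, alloc_estate_empty());
}

/*
 * "user == x" / "user != x": on the branch where the user variable equals a
 * non-user value it stops being user data.  Nothing is done when neither or
 * both sides are user data.
 */
static void handle_eq_noteq(struct expression *expr)
{
	struct smatch_state *left_orig, *right_orig;

	left_orig = get_state_expr(my_id, expr->left);
	right_orig = get_state_expr(my_id, expr->right);

	if (!left_orig && !right_orig)
		return;
	if (left_orig && right_orig)
		return;

	if (left_orig) {
		set_true_false_states_expr(my_id, expr->left,
				expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
				expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
	} else {
		set_true_false_states_expr(my_id, expr->right,
				expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
				expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
	}
}

/*
 * Remove the "negative" part of a range that is compared as unsigned.  For
 * wide unsigned types the top range [-1, max] is removed; otherwise the
 * range [min, INT_MAX + 1] is removed.  The NULL check is done before rl is
 * dereferenced; the original read rl_min()/rl_type() first.
 */
static struct range_list *strip_negatives(struct range_list *rl)
{
	sval_t min;
	sval_t minus_one;
	sval_t over;
	sval_t max;

	if (!rl)
		return NULL;

	min = rl_min(rl);
	max = sval_type_max(rl_type(rl));

	minus_one.type = rl_type(rl);
	minus_one.value = INT_MAX + 1ULL;
	over.type = rl_type(rl);
	over.value = -1;

	if (type_unsigned(rl_type(rl)) && type_bits(rl_type(rl)) > 31)
		return remove_range(rl, over, max);

	return remove_range(rl, min, minus_one);
}

/*
 * Relational comparison hook: when exactly one side is user data, mark it
 * capped on the branch where the comparison bounds it.
 */
static void handle_compare(struct expression *expr)
{
	struct expression *left, *right;
	struct range_list *left_rl = NULL;
	struct range_list *right_rl = NULL;
	struct range_list *user_rl;
	struct smatch_state *capped_state;
	struct smatch_state *left_true = NULL;
	struct smatch_state *left_false = NULL;
	struct smatch_state *right_true = NULL;
	struct smatch_state *right_false = NULL;
	struct symbol *type;
	sval_t sval;

	left = strip_expr(expr->left);
	right = strip_expr(expr->right);

	while (left->type == EXPR_ASSIGNMENT)
		left = strip_expr(left->left);

	/*
	 * Conditions are mostly handled by smatch_extra.c, but there are some
	 * times where the exact values are not known so we can't do that.
	 *
	 * Normally, we might consider using smatch_capped.c to supliment smatch
	 * extra but that doesn't work when we merge unknown uncapped kernel
	 * data with unknown capped user data.  The result is uncapped user
	 * data.  We need to keep it separate and say that the user data is
	 * capped.  In the past, I would have marked this as just regular
	 * kernel data (not user data) but we can't do that these days because
	 * we need to track user data for Spectre.
	 *
	 * The other situation which we have to handle is when we do have an
	 * int and we compare against an unknown unsigned kernel variable.  In
	 * that situation we assume that the kernel data is less than INT_MAX.
	 * Otherwise then we get all sorts of array underflow false positives.
	 *
	 */

	/* Handled in smatch_extra.c */
	if (get_implied_value(left, &sval) ||
	    get_implied_value(right, &sval))
		return;

	get_user_rl(left, &left_rl);
	get_user_rl(right, &right_rl);

	/* nothing to do */
	if (!left_rl && !right_rl)
		return;
	/* if both sides are user data that's not a good limit */
	if (left_rl && right_rl)
		return;

	if (left_rl)
		user_rl = left_rl;
	else
		user_rl = right_rl;

	type = get_type(expr);
	if (type_unsigned(type))
		user_rl = strip_negatives(user_rl);
	capped_state = alloc_estate_rl(user_rl);
	estate_set_capped(capped_state);

	switch (expr->op) {
	case '<':
	case SPECIAL_UNSIGNED_LT:
	case SPECIAL_LTE:
	case SPECIAL_UNSIGNED_LTE:
		if (left_rl)
			left_true = capped_state;
		else
			right_false = capped_state;
		break;
	case '>':
	case SPECIAL_UNSIGNED_GT:
	case SPECIAL_GTE:
	case SPECIAL_UNSIGNED_GTE:
		if (left_rl)
			left_false = capped_state;
		else
			right_true = capped_state;
		break;
	default:
		break;
	}

	set_true_false_states_expr(my_id, left, left_true, left_false);
	set_true_false_states_expr(my_id, right, right_true, right_false);
}

/* Condition hook: dispatch comparisons to the equality or relational handler. */
static void match_condition(struct expression *expr)
{
	if (expr->type != EXPR_COMPARE)
		return;

	if (expr->op == SPECIAL_EQUAL ||
	    expr->op == SPECIAL_NOTEQUAL) {
		handle_eq_noteq(expr);
		return;
	}

	handle_compare(expr);
}

/* Hook for "ptr = fn(...)" where fn returns a pointer to user data. */
static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
{
	tag_as_user_data(expr->left);
	set_points_to_user_data(expr->left);
}

static void match_returns_user_rl(const char *fn, struct expression *expr, void *unused)
{
	func_gets_user_data = true;
}

/*
 * ntohl()/ntohs() results are treated as the whole unsigned range.  Nested
 * uses of the same macro (e.g. ntohl(foo[i]) where the index is inside the
 * macro too) are skipped so that "i" is trusted.
 */
static int get_user_macro_rl(struct expression *expr, struct range_list **rl)
{
	struct expression *parent;
	char *macro;

	if (!expr)
		return 0;

	macro = get_macro_name(expr->pos);
	if (!macro)
		return 0;

	/* handle ntohl(foo[i]) where "i" is trusted */
	parent = expr_get_parent_expr(expr);
	while (parent && parent->type != EXPR_BINOP)
		parent = expr_get_parent_expr(parent);
	if (parent && parent->type == EXPR_BINOP) {
		char *parent_macro = get_macro_name(parent->pos);

		if (parent_macro && strcmp(macro, parent_macro) == 0)
			return 0;
	}

	if (strcmp(macro, "ntohl") == 0) {
		*rl = alloc_whole_rl(&uint_ctype);
		return 1;
	}
	if (strcmp(macro, "ntohs") == 0) {
		*rl = alloc_whole_rl(&ushort_ctype);
		return 1;
	}
	return 0;
}

/* Does any tracked user-data state belong to @sym? */
static int has_user_data(struct symbol *sym)
{
	struct sm_state *tmp;

	FOR_EACH_MY_SM(my_id, __get_cur_stree(), tmp) {
		if (tmp->sym == sym)
			return 1;
	} END_FOR_EACH_SM(tmp);
	return 0;
}

/* Does any argument of @call carry user data? */
static int we_pass_user_data(struct expression *call)
{
	struct expression *arg;
	struct symbol *sym;

	FOR_EACH_PTR(call->args, arg) {
		sym = expr_to_sym(arg);
		if (!sym)
			continue;
		if (has_user_data(sym))
			return 1;
	} END_FOR_EACH_PTR(arg);

	return 0;
}

/*
 * Look up the user range recorded for this call's return value by
 * store_user_data_return(); the key is "return <call pointer>".
 */
static int db_returned_user_rl(struct expression *call, struct range_list **rl)
{
	struct smatch_state *state;
	char buf[48];

	if (is_fake_call(call))
		return 0;
	snprintf(buf, sizeof(buf), "return %p", call);
	state = get_state(my_id, buf, NULL);
	if (!state || !estate_rl(state))
		return 0;
	*rl = estate_rl(state);
	return 1;
}

struct stree *get_user_stree(void)
{
	return get_all_states_stree(my_id);
}

/* Set by var_user_rl() for get_user_rl(); cleared before every query. */
static int user_data_flag;
static int no_user_data_flag;

/*
 * Callback for custom_get_absolute_rl(): the user range of a single
 * sub-expression, or NULL.  Sets user_data_flag when user data was found and
 * no_user_data_flag when the expression must not count as user data.
 */
struct range_list *var_user_rl(struct expression *expr)
{
	struct smatch_state *state;
	struct range_list *rl;
	struct range_list *absolute_rl;

	if (expr->type == EXPR_PREOP && expr->op == '&') {
		no_user_data_flag = 1;
		return NULL;
	}

	if (expr->type == EXPR_BINOP && expr->op == '%') {
		struct range_list *left, *right;

		if (!get_user_rl(expr->right, &right))
			return NULL;
		get_absolute_rl(expr->left, &left);
		rl = rl_binop(left, '%', right);
		goto found;
	}

	if (expr->type == EXPR_BINOP && expr->op == '/') {
		struct range_list *left = NULL;
		struct range_list *right = NULL;
		struct range_list *abs_right;

		/*
		 * The specific bug I'm dealing with is:
		 *
		 * foo = capped_user / unknown;
		 *
		 * Instead of just saying foo is now entirely user_rl we should
		 * probably say instead that it is not at all user data.
		 *
		 */

		get_user_rl(expr->left, &left);
		get_user_rl(expr->right, &right);
		get_absolute_rl(expr->right, &abs_right);

		if (left && !right) {
			rl = rl_binop(left, '/', abs_right);
			if (sval_cmp(rl_max(left), rl_max(rl)) < 0)
				no_user_data_flag = 1;
		}

		return NULL;
	}

	if (get_rl_from_function(expr, &rl))
		goto found;

	if (get_user_macro_rl(expr, &rl))
		goto found;

	if (comes_from_skb_data(expr)) {
		rl = alloc_whole_rl(get_type(expr));
		goto found;
	}

	state = get_state_expr(my_id, expr);
	if (state && estate_rl(state)) {
		rl = estate_rl(state);
		goto found;
	}

	if (expr->type == EXPR_CALL && db_returned_user_rl(expr, &rl))
		goto found;

	if (is_array(expr)) {
		struct expression *array = get_array_base(expr);

		if (!get_state_expr(my_id, array)) {
			no_user_data_flag = 1;
			return NULL;
		}
	}

	if (expr->type == EXPR_PREOP && expr->op == '*' &&
	    is_user_rl(expr->unop)) {
		rl = var_to_absolute_rl(expr);
		goto found;
	}

	return NULL;
found:
	user_data_flag = 1;
	absolute_rl = var_to_absolute_rl(expr);
	return clone_rl(rl_intersection(rl, absolute_rl));
}

/* "ptr_a - ptr_b": a pointer difference is never treated as user data. */
static bool is_ptr_subtract(struct expression *expr)
{
	expr = strip_expr(expr);
	if (!expr)
		return false;
	if (expr->type == EXPR_BINOP && expr->op == '-' &&
	    type_is_ptr(get_type(expr->left))) {
		return true;
	}
	return false;
}

/*
 * Get the user controlled range of @expr.  Returns 1 and sets @rl when the
 * expression (or a sub-expression) is user data, 0 otherwise.
 */
int get_user_rl(struct expression *expr, struct range_list **rl)
{
	if (is_ptr_subtract(expr))
		return 0;

	user_data_flag = 0;
	no_user_data_flag = 0;
	custom_get_absolute_rl(expr, &var_user_rl, rl);
	if (!user_data_flag || no_user_data_flag)
		*rl = NULL;

	return !!*rl;
}

int is_user_rl(struct expression *expr)
{
	struct range_list *tmp;

	return !!get_user_rl(expr, &tmp);
}

/* Like get_user_rl() but keyed on a name/symbol pair instead of an expression. */
int get_user_rl_var_sym(const char *name, struct symbol *sym, struct range_list **rl)
{
	struct smatch_state *state;

	state = get_state(my_id, name, sym);
	if (state && estate_rl(state)) {
		*rl = estate_rl(state);
		return 1;
	}
	return 0;
}

/*
 * Format the user range of @expr (cast to @type) for the database, with a
 * "[c]" suffix when it is capped.  Returns a pointer into a static buffer
 * that is overwritten by the next call, or NULL if not user data.
 */
static char *get_user_rl_str(struct expression *expr, struct symbol *type)
{
	struct range_list *rl;
	static char buf[64];

	if (!get_user_rl(expr, &rl))
		return NULL;
	rl = cast_rl(type, rl);
	snprintf(buf, sizeof(buf), "%s%s",
		 show_rl(rl), user_rl_capped(expr) ? "[c]" : "");
	return buf;
}

/* Record which arguments of a call are user data in the caller-info table. */
static void match_call_info(struct expression *expr)
{
	struct expression *arg;
	struct symbol *type;
	char *str;
	int i;

	i = -1;
	FOR_EACH_PTR(expr->args, arg) {
		i++;
		type = get_arg_type(expr->fn, i);
		str = get_user_rl_str(arg, type);
		if (!str)
			continue;

		sql_insert_caller_info(expr, USER_DATA, i, "$", str);
	} END_FOR_EACH_PTR(arg);
}

static int is_struct_ptr(struct symbol *sym)
{
	struct symbol *type;

	if (!sym)
		return 0;
	type = get_real_base_type(sym);
	if (!type || type->type != SYM_PTR)
		return 0;
	type = get_real_base_type(type);
	if (!type || type->type != SYM_STRUCT)
		return 0;
	return 1;
}

/* Caller-info callback for individual struct members passed to a call. */
static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
{
	struct smatch_state *state;
	struct range_list *rl;
	struct symbol *type;
	char buf[64];

	/*
	 * Smatch uses a hack where if we get an unsigned long we say it's
	 * both user data and it points to user data.  But if we pass it to a
	 * function which takes an int, then it's just user data.  There's not
	 * enough bytes for it to be a pointer.
	 *
	 */
	type = get_arg_type(call->fn, param);
	if (type && type_bits(type) < type_bits(&ptr_ctype))
		return;

	if (strcmp(sm->state->name, "") == 0)
		return;

	if (strcmp(printed_name, "*$") == 0 &&
	    is_struct_ptr(sm->sym))
		return;

	state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
	if (!state || !estate_rl(state))
		rl = estate_rl(sm->state);
	else
		rl = rl_intersection(estate_rl(sm->state), estate_rl(state));

	if (!rl)
		return;

	snprintf(buf, sizeof(buf), "%s%s", show_rl(rl),
		 estate_capped(sm->state) ? "[c]" : "");
	sql_insert_caller_info(call, USER_DATA, param, printed_name, buf);
}

/* The callee overwrote a parameter: any user state we had for it is cleared. */
static void db_param_set(struct expression *expr, int param, char *key, char *value)
{
	struct expression *arg;
	char *name;
	struct symbol *sym;
	struct smatch_state *state;

	while (expr->type == EXPR_ASSIGNMENT)
		expr = strip_expr(expr->right);
	if (expr->type != EXPR_CALL)
		return;

	arg = get_argument_from_call_expr(expr->args, param);
	if (!arg)
		return;
	name = get_variable_from_key(arg, key, &sym);
	if (!name || !sym)
		goto free;

	state = get_state(my_id, name, sym);
	if (!state)
		goto free;

	set_state(my_id, name, sym, alloc_estate_empty());
free:
	free_string(name);
}

/* A stored range string marks capped data with ",c" or "[c". */
static bool param_data_capped(const char *value)
{
	if (strstr(value, ",c") || strstr(value, "[c"))
		return true;
	return false;
}

/*
 * Apply a caller-info record: parameter @name (or the member/deref named by
 * @key) holds the user range encoded in @value.
 */
static void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
{
	struct range_list *rl = NULL;
	struct smatch_state *state;
	struct expression *expr;
	struct symbol *type;
	char fullname[256];
	char *key_orig = key;
	bool add_star = false;

	if (strcmp(key, "**$") == 0) {
		snprintf(fullname, sizeof(fullname), "**%s", name);
	} else {
		if (key[0] == '*') {
			add_star = true;
			key++;
		}

		/* key + 1 skips the leading '$' placeholder */
		snprintf(fullname, sizeof(fullname), "%s%s%s", add_star ? "*" : "", name, key + 1);
	}

	expr = symbol_expression(sym);
	type = get_member_type_from_key(expr, key_orig);

	/*
	 * Say this function takes a struct ponter but the caller passes
	 * this_function(skb->data).  We have two options, we could pass *$
	 * as user data or we could pass foo->bar, foo->baz as user data.
	 * The second option is easier to implement so we do that.
	 *
	 */
	if (strcmp(key_orig, "*$") == 0) {
		struct symbol *tmp = type;

		while (tmp && tmp->type == SYM_PTR)
			tmp = get_real_base_type(tmp);

		if (tmp && (tmp->type == SYM_STRUCT || tmp->type == SYM_UNION)) {
			tag_as_user_data(symbol_expression(sym));
			return;
		}
	}

	str_to_rl(type, value, &rl);
	state = alloc_estate_rl(rl);
	if (param_data_capped(value) || is_capped(expr))
		estate_set_capped(state);
	set_state(my_id, fullname, sym, state);
}

/* The database knows this function has callers. */
static void set_called(const char *name, struct symbol *sym, char *key, char *value)
{
	set_state(my_call_id, "this_function", NULL, &called);
}

/*
 * Every parameter of a syscall is user controlled.  A syscall is recognised
 * by the SYSCALL_DEFINE*/COMPAT_SYSCALL_DEFINE* macros, by a "compat_sys_"
 * prefix, or by a "sys_" prefix when the DB has no record of a caller.
 */
static void match_syscall_definition(struct symbol *sym)
{
	struct symbol *arg;
	char *macro;
	char *name;
	int is_syscall = 0;

	macro = get_macro_name(sym->pos);
	if (macro &&
	    (strncmp("SYSCALL_DEFINE", macro, strlen("SYSCALL_DEFINE")) == 0 ||
	     strncmp("COMPAT_SYSCALL_DEFINE", macro, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
		is_syscall = 1;

	name = get_function();
	if (!option_no_db && get_state(my_call_id, "this_function", NULL) != &called) {
		if (name && strncmp(name, "sys_", 4) == 0)
			is_syscall = 1;
	}

	if (name && strncmp(name, "compat_sys_", 11) == 0)
		is_syscall = 1;

	if (!is_syscall)
		return;

	FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
		/* an unnamed parameter has no ident to key the state on */
		if (!arg->ident)
			continue;
		set_state(my_id, arg->ident->name, arg, alloc_estate_whole(get_real_base_type(arg)));
	} END_FOR_EACH_PTR(arg);
}

/*
 * Remember the user range a callee returns, keyed on the call expression so
 * that db_returned_user_rl() can find it again.
 */
static void store_user_data_return(struct expression *expr, char *key, char *value)
{
	struct range_list *rl;
	struct symbol *type;
	char buf[48];

	if (strcmp(key, "$") != 0)
		return;

	type = get_type(expr);
	snprintf(buf, sizeof(buf), "return %p", expr);
	call_results_to_rl(expr, type, value, &rl);

	set_state(my_id, buf, NULL, alloc_estate_rl(rl));
}

/* Set the variable named by @expr/@key to the user range encoded in @value. */
static void set_to_user_data(struct expression *expr, char *key, char *value)
{
	struct smatch_state *state;
	char *name;
	struct symbol *sym;
	struct symbol *type;
	struct range_list *rl = NULL;

	type = get_member_type_from_key(expr, key);
	name = get_variable_from_key(expr, key, &sym);
	if (!name || !sym)
		goto free;

	call_results_to_rl(expr, type, value, &rl);

	state = alloc_estate_rl(rl);
	if (param_data_capped(value))
		estate_set_capped(state);
	set_state(my_id, name, sym, state);
free:
	free_string(name);
}

/*
 * The callee passes user data back out (return value when param == -1,
 * otherwise through the given parameter), but only if we passed user data in.
 */
static void returns_param_user_data(struct expression *expr, int param, char *key, char *value)
{
	struct expression *arg;
	struct expression *call;

	call = expr;
	while (call->type == EXPR_ASSIGNMENT)
		call = strip_expr(call->right);
	if (call->type != EXPR_CALL)
		return;

	if (!we_pass_user_data(call))
		return;

	if (param == -1) {
		if (expr->type != EXPR_ASSIGNMENT) {
			store_user_data_return(expr, key, value);
			return;
		}
		set_to_user_data(expr->left, key, value);
		return;
	}

	arg = get_argument_from_call_expr(call->args, param);
	if (!arg)
		return;
	set_to_user_data(arg, key, value);
}

/*
 * The callee itself produces user data (copy_from_user() internally, say)
 * and hands it back out.  Continues past the end of this page.
 */
static void returns_param_user_data_set(struct expression *expr, int param, char *key, char *value)
{
	struct expression *arg;

	func_gets_user_data = true;

	if (param == -1) {
		if (expr->type != EXPR_ASSIGNMENT) {
			store_user_data_return(expr, key, value);
			return;
		}
		if (strcmp(key, "*$") == 0) {
			set_points_to_user_data(expr->left);
			tag_as_user_data(expr->left);
		} else {
			set_to_user_data(expr->left, key, value);
		}
		return;
	}

	while (expr->type == EXPR_ASSIGNMENT)
		expr = strip_expr(expr->right);
	if (expr->type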
!= EXPR_CALL) 1312 return; 1313 1314 arg = get_argument_from_call_expr(expr->args, param); 1315 if (!arg) 1316 return; 1317 set_to_user_data(arg, key, value); 1318 } 1319 1320 static void param_set_to_user_data(int return_id, char *return_ranges, struct expression *expr) 1321 { 1322 struct sm_state *sm; 1323 struct smatch_state *start_state; 1324 struct range_list *rl; 1325 int param; 1326 char *return_str; 1327 const char *param_name; 1328 struct symbol *ret_sym; 1329 bool return_found = false; 1330 bool pointed_at_found = false; 1331 char buf[64]; 1332 1333 expr = strip_expr(expr); 1334 return_str = expr_to_str(expr); 1335 ret_sym = expr_to_sym(expr); 1336 1337 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) { 1338 param = get_param_num_from_sym(sm->sym); 1339 if (param < 0) 1340 continue; 1341 1342 if (!param_was_set_var_sym(sm->name, sm->sym)) 1343 continue; 1344 1345 /* The logic here was that if we were passed in a user data then 1346 * we don't record that. It's like the difference between 1347 * param_filter and param_set. When I think about it, I'm not 1348 * sure it actually works. It's probably harmless because we 1349 * checked earlier that we're not returning a parameter... 1350 * Let's mark this as a TODO. 1351 */ 1352 start_state = get_state_stree(start_states, my_id, sm->name, sm->sym); 1353 if (start_state && rl_equiv(estate_rl(sm->state), estate_rl(start_state))) 1354 continue; 1355 1356 param_name = get_param_name(sm); 1357 if (!param_name) 1358 continue; 1359 if (strcmp(param_name, "$") == 0) /* The -1 param is handled after the loop */ 1360 continue; 1361 1362 snprintf(buf, sizeof(buf), "%s%s", 1363 show_rl(estate_rl(sm->state)), 1364 estate_capped(sm->state) ? "[c]" : ""); 1365 sql_insert_return_states(return_id, return_ranges, 1366 func_gets_user_data ? USER_DATA_SET : USER_DATA, 1367 param, param_name, buf); 1368 } END_FOR_EACH_SM(sm); 1369 1370 /* This if for "return foo;" where "foo->bar" is user data. 
*/ 1371 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) { 1372 if (!ret_sym) 1373 break; 1374 if (ret_sym != sm->sym) 1375 continue; 1376 1377 param_name = state_name_to_param_name(sm->name, return_str); 1378 if (!param_name) 1379 continue; 1380 if (strcmp(param_name, "$") == 0) 1381 return_found = true; 1382 if (strcmp(param_name, "*$") == 0) 1383 pointed_at_found = true; 1384 snprintf(buf, sizeof(buf), "%s%s", 1385 show_rl(estate_rl(sm->state)), 1386 estate_capped(sm->state) ? "[c]" : ""); 1387 sql_insert_return_states(return_id, return_ranges, 1388 func_gets_user_data ? USER_DATA_SET : USER_DATA, 1389 -1, param_name, buf); 1390 } END_FOR_EACH_SM(sm); 1391 1392 /* This if for "return ntohl(foo);" */ 1393 if (!return_found && get_user_rl(expr, &rl)) { 1394 snprintf(buf, sizeof(buf), "%s%s", 1395 show_rl(rl), user_rl_capped(expr) ? "[c]" : ""); 1396 sql_insert_return_states(return_id, return_ranges, 1397 func_gets_user_data ? USER_DATA_SET : USER_DATA, 1398 -1, "$", buf); 1399 } 1400 1401 /* 1402 * This is to handle things like return skb->data where we don't set a 1403 * state for that. 1404 */ 1405 if (!pointed_at_found && points_to_user_data(expr)) { 1406 sql_insert_return_states(return_id, return_ranges, 1407 (is_skb_data(expr) || func_gets_user_data) ? 
1408 USER_DATA_SET : USER_DATA, 1409 -1, "*$", "s64min-s64max"); 1410 } 1411 1412 free_string(return_str); 1413 } 1414 1415 static void returns_param_capped(struct expression *expr, int param, char *key, char *value) 1416 { 1417 struct smatch_state *state, *new; 1418 struct symbol *sym; 1419 char *name; 1420 1421 name = return_state_to_var_sym(expr, param, key, &sym); 1422 if (!name || !sym) 1423 goto free; 1424 1425 state = get_state(my_id, name, sym); 1426 if (!state || estate_capped(state)) 1427 goto free; 1428 1429 new = clone_estate(state); 1430 estate_set_capped(new); 1431 1432 set_state(my_id, name, sym, new); 1433 free: 1434 free_string(name); 1435 } 1436 1437 static struct int_stack *gets_data_stack; 1438 static void match_function_def(struct symbol *sym) 1439 { 1440 func_gets_user_data = false; 1441 } 1442 1443 static void match_inline_start(struct expression *expr) 1444 { 1445 push_int(&gets_data_stack, func_gets_user_data); 1446 } 1447 1448 static void match_inline_end(struct expression *expr) 1449 { 1450 func_gets_user_data = pop_int(&gets_data_stack); 1451 } 1452 1453 void register_kernel_user_data(int id) 1454 { 1455 int i; 1456 1457 my_id = id; 1458 1459 if (option_project != PROJ_KERNEL) 1460 return; 1461 1462 set_dynamic_states(my_id); 1463 1464 add_hook(&match_function_def, FUNC_DEF_HOOK); 1465 add_hook(&match_inline_start, INLINE_FN_START); 1466 add_hook(&match_inline_end, INLINE_FN_END); 1467 1468 add_hook(&save_start_states, AFTER_DEF_HOOK); 1469 add_hook(&free_start_states, AFTER_FUNC_HOOK); 1470 add_hook(&match_save_states, INLINE_FN_START); 1471 add_hook(&match_restore_states, INLINE_FN_END); 1472 1473 add_unmatched_state_hook(my_id, &empty_state); 1474 add_extra_nomod_hook(&extra_nomod_hook); 1475 add_pre_merge_hook(my_id, &pre_merge_hook); 1476 add_merge_hook(my_id, &merge_estates); 1477 1478 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0)); 1479 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0)); 1480 
add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0)); 1481 for (i = 0; i < ARRAY_SIZE(kstr_funcs); i++) 1482 add_function_hook(kstr_funcs[i], &match_user_copy, INT_PTR(2)); 1483 add_function_hook("usb_control_msg", &match_user_copy, INT_PTR(6)); 1484 1485 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) { 1486 add_function_assign_hook(returns_user_data[i], &match_user_assign_function, NULL); 1487 add_function_hook(returns_user_data[i], &match_returns_user_rl, NULL); 1488 } 1489 1490 add_function_hook("sscanf", &match_sscanf, NULL); 1491 1492 add_hook(&match_syscall_definition, AFTER_DEF_HOOK); 1493 1494 add_hook(&match_assign, ASSIGNMENT_HOOK); 1495 select_return_states_hook(PARAM_SET, &db_param_set); 1496 add_hook(&match_condition, CONDITION_HOOK); 1497 1498 add_hook(&match_call_info, FUNCTION_CALL_HOOK); 1499 add_member_info_callback(my_id, struct_member_callback); 1500 select_caller_info_hook(set_param_user_data, USER_DATA); 1501 select_return_states_hook(USER_DATA, &returns_param_user_data); 1502 select_return_states_hook(USER_DATA_SET, &returns_param_user_data_set); 1503 select_return_states_hook(CAPPED_DATA, &returns_param_capped); 1504 add_split_return_callback(¶m_set_to_user_data); 1505 } 1506 1507 void register_kernel_user_data2(int id) 1508 { 1509 my_call_id = id; 1510 1511 if (option_project != PROJ_KERNEL) 1512 return; 1513 select_caller_info_hook(set_called, INTERNAL); 1514 } 1515