Mercurial > illumos > git > illumos-gate

view usr/src/tools/smatch/src/check_get_user_overflow.c @ 19241:79022555a4a9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
11972 resync smatch Reviewed by: Robert Mustacchi <rm@fingolfin.org> Approved by: Dan McDonald <danmcd@joyent.com>
author John Levon <john.levon@joyent.com>
date Mon, 11 Nov 2019 16:23:50 +0000
parents b73b4fe381d3
children
line wrap: on
line source

/*
 * Copyright (C) 2010 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

/*
 * Looks for integers that we get from the user which can be attacked
 * with an integer overflow.
 *
 */

#include "smatch.h"
#include "smatch_slist.h"

static int my_max_id;
static int my_min_id;

STATE(capped);
STATE(user_data);

static void match_condition(struct expression *expr)
{
	struct smatch_state *left_max_true = NULL;
	struct smatch_state *left_max_false = NULL;
	struct smatch_state *right_max_true = NULL;
	struct smatch_state *right_max_false = NULL;

	struct smatch_state *left_min_true = NULL;
	struct smatch_state *left_min_false = NULL;
	struct smatch_state *right_min_true = NULL;
	struct smatch_state *right_min_false = NULL;

	if (expr->type != EXPR_COMPARE)
		return;

	switch (expr->op) {
	case '<':
	case SPECIAL_LTE:
	case SPECIAL_UNSIGNED_LT:
	case SPECIAL_UNSIGNED_LTE:
		left_max_true = &capped;
		right_max_false = &capped;
		right_min_true = &capped;
		left_min_false = &capped;
		break;
	case '>':
	case SPECIAL_GTE:
	case SPECIAL_UNSIGNED_GT:
	case SPECIAL_UNSIGNED_GTE:
		left_max_false = &capped;
		right_max_true = &capped;
		left_min_true = &capped;
		right_min_false = &capped;
		break;
	case SPECIAL_EQUAL:
		left_max_true = &capped;
		right_max_true = &capped;
		left_min_true = &capped;
		right_min_true = &capped;
		break;
	case SPECIAL_NOTEQUAL:
		left_max_false = &capped;
		right_max_false = &capped;
		left_min_false = &capped;
		right_min_false = &capped;
		break;
	default:
		return;
	}

	if (get_state_expr(my_max_id, expr->left)) {
		set_true_false_states_expr(my_max_id, expr->left, left_max_true, left_max_false);
		set_true_false_states_expr(my_min_id, expr->left, left_min_true, left_min_false);
	}
	if (get_state_expr(my_max_id, expr->right)) {
		set_true_false_states_expr(my_max_id, expr->right, right_max_true, right_max_false);
		set_true_false_states_expr(my_min_id, expr->right, right_min_true, right_min_false);
	}
}

static void match_normal_assign(struct expression *expr)
{
	if (get_state_expr(my_max_id, expr->left)) {
		set_state_expr(my_max_id, expr->left, &capped);
		set_state_expr(my_min_id, expr->left, &capped);
	}
}

static void match_assign(struct expression *expr)
{
	char *name;

	name = get_macro_name(expr->pos);
	if (!name || strcmp(name, "get_user") != 0) {
		match_normal_assign(expr);
		return;
	}
	name = expr_to_var(expr->right);
	if (!name || (strcmp(name, "__val_gu") != 0 && strcmp(name, "__gu_val")))
		goto free;
	set_state_expr(my_max_id, expr->left, &user_data);
	set_state_expr(my_min_id, expr->left, &user_data);
free:
	free_string(name);
}

static void check_expr(struct expression *expr)
{
	struct sm_state *sm;
	sval_t max;
	sval_t sval;
	char *name;
	int overflow = 0;
	int underflow = 0;

	sm = get_sm_state_expr(my_max_id, expr);
	if (sm && slist_has_state(sm->possible, &user_data)) {
		get_absolute_max(expr, &max);
		if (sval_cmp_val(max, 20000) > 0)
			overflow = 1;
	}

	sm = get_sm_state_expr(my_min_id, expr);
	if (sm && slist_has_state(sm->possible, &user_data)) {
		get_absolute_min(expr, &sval);
		if (sval_is_negative(sval) && sval_cmp_val(sval, -20000) < 0)
			underflow = 1;
	}

	if (!overflow && !underflow)
		return;

	name = expr_to_var_sym(expr, NULL);
	if (overflow && underflow)
		sm_warning("check for integer over/underflow '%s'", name);
	else if (underflow)
		sm_warning("check for integer underflow '%s'", name);
	else
		sm_warning("check for integer overflow '%s'", name);
	free_string(name);

	set_state_expr(my_max_id, expr, &capped);
	set_state_expr(my_min_id, expr, &capped);
}

static void match_binop(struct expression *expr)
{
	if (expr->op == '^')
		return;
	if (expr->op == '&')
		return;
	if (expr->op == '|')
		return;
	if (expr->op == SPECIAL_RIGHTSHIFT)
		return;
	if (expr->op == SPECIAL_LEFTSHIFT)
		return;

	check_expr(expr->left);
	check_expr(expr->right);
}

void check_get_user_overflow(int id)
{
	if (option_project != PROJ_KERNEL)
		return;
	my_max_id = id;
	add_hook(&match_condition, CONDITION_HOOK);
	add_hook(&match_assign, ASSIGNMENT_HOOK);
	add_hook(&match_binop, BINOP_HOOK);
}

void check_get_user_overflow2(int id)
{
	my_min_id = id;
}