1/*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18/*
19 * Looks for integers that we get from the user which can be attacked
20 * with an integer overflow.
21 *
22 */
23
24#include "smatch.h"
25#include "smatch_slist.h"
26
27static int my_max_id;
28static int my_min_id;
29
30STATE(capped);
31STATE(user_data);
32
33static void match_condition(struct expression *expr)
34{
35	struct smatch_state *left_max_true = NULL;
36	struct smatch_state *left_max_false = NULL;
37	struct smatch_state *right_max_true = NULL;
38	struct smatch_state *right_max_false = NULL;
39
40	struct smatch_state *left_min_true = NULL;
41	struct smatch_state *left_min_false = NULL;
42	struct smatch_state *right_min_true = NULL;
43	struct smatch_state *right_min_false = NULL;
44
45	if (expr->type != EXPR_COMPARE)
46		return;
47
48	switch (expr->op) {
49	case '<':
50	case SPECIAL_LTE:
51	case SPECIAL_UNSIGNED_LT:
52	case SPECIAL_UNSIGNED_LTE:
53		left_max_true = &capped;
54		right_max_false = &capped;
55		right_min_true = &capped;
56		left_min_false = &capped;
57		break;
58	case '>':
59	case SPECIAL_GTE:
60	case SPECIAL_UNSIGNED_GT:
61	case SPECIAL_UNSIGNED_GTE:
62		left_max_false = &capped;
63		right_max_true = &capped;
64		left_min_true = &capped;
65		right_min_false = &capped;
66		break;
67	case SPECIAL_EQUAL:
68		left_max_true = &capped;
69		right_max_true = &capped;
70		left_min_true = &capped;
71		right_min_true = &capped;
72		break;
73	case SPECIAL_NOTEQUAL:
74		left_max_false = &capped;
75		right_max_false = &capped;
76		left_min_false = &capped;
77		right_min_false = &capped;
78		break;
79	default:
80		return;
81	}
82
83	if (get_state_expr(my_max_id, expr->left)) {
84		set_true_false_states_expr(my_max_id, expr->left, left_max_true, left_max_false);
85		set_true_false_states_expr(my_min_id, expr->left, left_min_true, left_min_false);
86	}
87	if (get_state_expr(my_max_id, expr->right)) {
88		set_true_false_states_expr(my_max_id, expr->right, right_max_true, right_max_false);
89		set_true_false_states_expr(my_min_id, expr->right, right_min_true, right_min_false);
90	}
91}
92
93static void match_normal_assign(struct expression *expr)
94{
95	if (get_state_expr(my_max_id, expr->left)) {
96		set_state_expr(my_max_id, expr->left, &capped);
97		set_state_expr(my_min_id, expr->left, &capped);
98	}
99}
100
101static void match_assign(struct expression *expr)
102{
103	char *name;
104
105	name = get_macro_name(expr->pos);
106	if (!name || strcmp(name, "get_user") != 0) {
107		match_normal_assign(expr);
108		return;
109	}
110	name = expr_to_var(expr->right);
111	if (!name || (strcmp(name, "__val_gu") != 0 && strcmp(name, "__gu_val")))
112		goto free;
113	set_state_expr(my_max_id, expr->left, &user_data);
114	set_state_expr(my_min_id, expr->left, &user_data);
115free:
116	free_string(name);
117}
118
119static void check_expr(struct expression *expr)
120{
121	struct sm_state *sm;
122	sval_t max;
123	sval_t sval;
124	char *name;
125	int overflow = 0;
126	int underflow = 0;
127
128	sm = get_sm_state_expr(my_max_id, expr);
129	if (sm && slist_has_state(sm->possible, &user_data)) {
130		get_absolute_max(expr, &max);
131		if (sval_cmp_val(max, 20000) > 0)
132			overflow = 1;
133	}
134
135	sm = get_sm_state_expr(my_min_id, expr);
136	if (sm && slist_has_state(sm->possible, &user_data)) {
137		get_absolute_min(expr, &sval);
138		if (sval_is_negative(sval) && sval_cmp_val(sval, -20000) < 0)
139			underflow = 1;
140	}
141
142	if (!overflow && !underflow)
143		return;
144
145	name = expr_to_var_sym(expr, NULL);
146	if (overflow && underflow)
147		sm_warning("check for integer over/underflow '%s'", name);
148	else if (underflow)
149		sm_warning("check for integer underflow '%s'", name);
150	else
151		sm_warning("check for integer overflow '%s'", name);
152	free_string(name);
153
154	set_state_expr(my_max_id, expr, &capped);
155	set_state_expr(my_min_id, expr, &capped);
156}
157
158static void match_binop(struct expression *expr)
159{
160	if (expr->op == '^')
161		return;
162	if (expr->op == '&')
163		return;
164	if (expr->op == '|')
165		return;
166	if (expr->op == SPECIAL_RIGHTSHIFT)
167		return;
168	if (expr->op == SPECIAL_LEFTSHIFT)
169		return;
170
171	check_expr(expr->left);
172	check_expr(expr->right);
173}
174
175void check_get_user_overflow(int id)
176{
177	if (option_project != PROJ_KERNEL)
178		return;
179	my_max_id = id;
180	add_hook(&match_condition, CONDITION_HOOK);
181	add_hook(&match_assign, ASSIGNMENT_HOOK);
182	add_hook(&match_binop, BINOP_HOOK);
183}
184
185void check_get_user_overflow2(int id)
186{
187	my_min_id = id;
188}
189