1 /*
2  * Copyright (C) 2010 Dan Carpenter.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License
6  * as published by the Free Software Foundation; either version 2
7  * of the License, or (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16  */
17 
18 /*
19  * Looks for integers that we get from the user which can be attacked
20  * with an integer overflow.
21  *
22  */
23 
24 #include "smatch.h"
25 #include "smatch_slist.h"
26 
/*
 * State ids handed to us at registration time: my_max_id is set by
 * check_get_user_overflow() and tracks the upper-bound ("max") state of a
 * value, my_min_id is set by check_get_user_overflow2() and tracks the
 * lower-bound ("min") state.
 */
static int my_max_id;
static int my_min_id;

/*
 * Per-expression states used under both ids: "user_data" once a value has
 * been read through get_user() and not yet bounded; "capped" after a
 * comparison, an ordinary assignment, or an already-issued warning.
 */
STATE(capped);
STATE(user_data);
32 
/*
 * Condition hook: a comparison against a tracked value bounds it on one of
 * the two branches.  For "a < b" (and <=) the true branch caps a's maximum
 * and b's minimum, while the false branch caps b's maximum and a's minimum;
 * ">" mirrors that, "==" caps everything on the true branch and "!=" caps
 * everything on the false branch.  Only operands that already carry a max
 * state are updated; the min state is always updated alongside the max one.
 * Anything that is not one of these comparisons leaves the states untouched.
 */
static void match_condition(struct expression *expr)
{
	struct smatch_state *lmax_t = NULL, *lmax_f = NULL;
	struct smatch_state *rmax_t = NULL, *rmax_f = NULL;
	struct smatch_state *lmin_t = NULL, *lmin_f = NULL;
	struct smatch_state *rmin_t = NULL, *rmin_f = NULL;
	int less = 0, greater = 0, equal = 0, not_equal = 0;

	if (expr->type != EXPR_COMPARE)
		return;

	switch (expr->op) {
	case '<':
	case SPECIAL_LTE:
	case SPECIAL_UNSIGNED_LT:
	case SPECIAL_UNSIGNED_LTE:
		less = 1;
		break;
	case '>':
	case SPECIAL_GTE:
	case SPECIAL_UNSIGNED_GT:
	case SPECIAL_UNSIGNED_GTE:
		greater = 1;
		break;
	case SPECIAL_EQUAL:
		equal = 1;
		break;
	case SPECIAL_NOTEQUAL:
		not_equal = 1;
		break;
	default:
		return;
	}

	/* "left < right" true, or equality: left's max and right's min are bounded */
	if (less || equal) {
		lmax_t = &capped;
		rmin_t = &capped;
	}
	/* "left < right" false, or inequality: right's max and left's min are bounded */
	if (less || not_equal) {
		rmax_f = &capped;
		lmin_f = &capped;
	}
	/* "left > right" true, or equality: right's max and left's min are bounded */
	if (greater || equal) {
		rmax_t = &capped;
		lmin_t = &capped;
	}
	/* "left > right" false, or inequality: left's max and right's min are bounded */
	if (greater || not_equal) {
		lmax_f = &capped;
		rmin_f = &capped;
	}

	if (get_state_expr(my_max_id, expr->left)) {
		set_true_false_states_expr(my_max_id, expr->left, lmax_t, lmax_f);
		set_true_false_states_expr(my_min_id, expr->left, lmin_t, lmin_f);
	}
	if (get_state_expr(my_max_id, expr->right)) {
		set_true_false_states_expr(my_max_id, expr->right, rmax_t, rmax_f);
		set_true_false_states_expr(my_min_id, expr->right, rmin_t, rmin_f);
	}
}
92 
/*
 * An ordinary assignment overwrites whatever get_user() value the target
 * held, so both of its states are reset to capped.  Targets that carry no
 * max state are ignored.
 */
static void match_normal_assign(struct expression *expr)
{
	struct expression *target = expr->left;

	if (!get_state_expr(my_max_id, target))
		return;
	set_state_expr(my_max_id, target, &capped);
	set_state_expr(my_min_id, target, &capped);
}
100 
/*
 * Assignment hook.  Assignments that do not come from the get_user() macro
 * are handed to match_normal_assign().  Inside get_user() the interesting
 * assignment is the one whose right-hand side is the macro's "__val_gu"
 * temporary: its target now holds raw user data under both ids.
 *
 * The macro name from get_macro_name() is not owned by us; the variable
 * name from expr_to_var() is, and is released with free_string(), which
 * must tolerate NULL.
 */
static void match_assign(struct expression *expr)
{
	char *macro = get_macro_name(expr->pos);
	char *var;

	if (!macro || strcmp(macro, "get_user") != 0) {
		match_normal_assign(expr);
		return;
	}

	var = expr_to_var(expr->right);
	if (var && strcmp(var, "__val_gu") == 0) {
		set_state_expr(my_max_id, expr->left, &user_data);
		set_state_expr(my_min_id, expr->left, &user_data);
	}
	free_string(var);
}
118 
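/*
 * Largest magnitude a user-controlled value may have before its use in
 * arithmetic is reported.  Heuristic bound kept from the original check;
 * presumably chosen so that ordinary arithmetic on two values within it
 * cannot overflow a 32-bit int — TODO confirm the rationale.
 */
enum { USER_VALUE_LIMIT = 20000 };

/*
 * Returns non-zero when the state tracked under @id for @expr may still be
 * unbounded user data, i.e. &user_data is among its possible states.
 */
static int may_be_user_data(int id, struct expression *expr)
{
	struct sm_state *sm = get_sm_state_expr(id, expr);

	return sm && slist_has_state(sm->possible, &user_data);
}

/*
 * Warn when @expr, used as an arithmetic operand, may still be an unchecked
 * get_user() value.  Overflow is reported when no absolute maximum is known
 * or it exceeds USER_VALUE_LIMIT; underflow when no absolute minimum is
 * known or it is below -USER_VALUE_LIMIT.  After a warning the expression is
 * marked capped under both ids so each value is reported only once.
 */
static void check_expr(struct expression *expr)
{
	sval_t max;
	sval_t min;
	char *name;
	const char *shown;
	int overflow = 0;
	int underflow = 0;

	if (may_be_user_data(my_max_id, expr)) {
		if (!get_absolute_max(expr, &max) ||
		    sval_cmp_val(max, USER_VALUE_LIMIT) > 0)
			overflow = 1;
	}

	if (may_be_user_data(my_min_id, expr)) {
		/*
		 * sval_is_negative() is checked first; presumably so an
		 * unsigned minimum is never treated as below the limit —
		 * confirm against sval_cmp_val()'s handling of unsigned types.
		 */
		if (!get_absolute_min(expr, &min) ||
		    (sval_is_negative(min) &&
		     sval_cmp_val(min, -USER_VALUE_LIMIT) < 0))
			underflow = 1;
	}

	if (!overflow && !underflow)
		return;

	/*
	 * expr_to_var_sym() may return NULL for an expression that is not a
	 * plain variable; passing NULL to a %s conversion is undefined
	 * behaviour, so substitute a placeholder for the message only.
	 */
	name = expr_to_var_sym(expr, NULL);
	shown = name ? name : "(unknown)";
	if (overflow && underflow)
		sm_warning("check for integer over/underflow '%s'", shown);
	else if (underflow)
		sm_warning("check for integer underflow '%s'", shown);
	else
		sm_warning("check for integer overflow '%s'", shown);
	free_string(name);

	/* Report once: from here on the value is treated as bounded. */
	set_state_expr(my_max_id, expr, &capped);
	set_state_expr(my_min_id, expr, &capped);
}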
156 
/*
 * Binary-operator hook: both operands of an arithmetic operator are checked
 * for unbounded user data.  Bitwise and/or/xor and the shifts are skipped,
 * since they are the usual idioms for masking a value rather than a way to
 * overflow it.
 */
static void match_binop(struct expression *expr)
{
	switch (expr->op) {
	case '^':
	case '&':
	case '|':
	case SPECIAL_RIGHTSHIFT:
	case SPECIAL_LEFTSHIFT:
		return;
	default:
		break;
	}

	check_expr(expr->left);
	check_expr(expr->right);
}
173 
/*
 * Registration entry point.  @id becomes the state id for upper-bound
 * ("max") tracking; the lower-bound id arrives separately through
 * check_get_user_overflow2().  The check keys on the kernel's get_user()
 * macro and its "__val_gu" temporary, so nothing is registered for any
 * other project.
 */
void check_get_user_overflow(int id)
{
	if (option_project == PROJ_KERNEL) {
		my_max_id = id;
		add_hook(&match_condition, CONDITION_HOOK);
		add_hook(&match_assign, ASSIGNMENT_HOOK);
		add_hook(&match_binop, BINOP_HOOK);
	}
}
183 
/*
 * Second registration entry point: records the state id used for
 * lower-bound ("min") tracking.  It is not gated on the project like
 * check_get_user_overflow() is, but the hooks that read my_min_id are only
 * installed there, so the id is simply unused outside the kernel.
 */
void check_get_user_overflow2(int id)
{
	my_min_id = id;
}
188