1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
23 */
24
25 #include "smatch.h"
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
28
29 static int my_id;
30 static int my_call_id;
31
32 STATE(called);
33 static bool func_gets_user_data;
34
35 static const char *kstr_funcs[] = {
36 "kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
37 "kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
38 "kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user"
39 "kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
40 "kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
41 "kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
42 "kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
43 "kstrtos32_from_user",
44 };
45
46 static const char *returns_user_data[] = {
47 "simple_strtol", "simple_strtoll", "simple_strtoul", "simple_strtoull",
48 "kvm_register_read",
49 };
50
51 static const char *returns_pointer_to_user_data[] = {
52 "nlmsg_data", "nla_data", "memdup_user", "kmap_atomic", "skb_network_header",
53 };
54
55 static void set_points_to_user_data(struct expression *expr);
56
57 static struct stree *start_states;
58 static struct stree_stack *saved_stack;
59 static void save_start_states(struct statement *stmt)
60 {
61 start_states = clone_stree(__get_cur_stree());
62 }
63
64 static void free_start_states(void)
65 {
66 free_stree(&start_states);
67 }
68
69 static void match_save_states(struct expression *expr)
70 {
71 push_stree(&saved_stack, start_states);
72 start_states = NULL;
73 }
74
75 static void match_restore_states(struct expression *expr)
76 {
77 free_stree(&start_states);
78 start_states = pop_stree(&saved_stack);
79 }
80
81 static struct smatch_state *empty_state(struct sm_state *sm)
82 {
83 return alloc_estate_empty();
84 }
85
86 static void pre_merge_hook(struct sm_state *cur, struct sm_state *other)
87 {
88 struct smatch_state *user = cur->state;
89 struct smatch_state *extra;
90 struct smatch_state *state;
91 struct range_list *rl;
92
93 extra = __get_state(SMATCH_EXTRA, cur->name, cur->sym);
94 if (!extra)
95 return;
96 rl = rl_intersection(estate_rl(user), estate_rl(extra));
97 state = alloc_estate_rl(clone_rl(rl));
98 if (estate_capped(user) || is_capped_var_sym(cur->name, cur->sym))
99 estate_set_capped(state);
100 if (estate_treat_untagged(user))
101 estate_set_treat_untagged(state);
102 set_state(my_id, cur->name, cur->sym, state);
103 }
104
105 static void extra_nomod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
106 {
107 struct smatch_state *user, *new;
108 struct range_list *rl;
109
110 user = __get_state(my_id, name, sym);
111 if (!user)
112 return;
113 rl = rl_intersection(estate_rl(user), estate_rl(state));
114 if (rl_equiv(rl, estate_rl(user)))
115 return;
116 new = alloc_estate_rl(rl);
117 if (estate_capped(user))
118 estate_set_capped(new);
119 if (estate_treat_untagged(user))
120 estate_set_treat_untagged(new);
121 set_state(my_id, name, sym, new);
122 }
123
124 static bool binop_capped(struct expression *expr)
125 {
126 struct range_list *left_rl;
127 int comparison;
128
129 if (expr->op == '-' && get_user_rl(expr->left, &left_rl)) {
130 if (user_rl_capped(expr->left))
131 return true;
132 comparison = get_comparison(expr->left, expr->right);
133 if (comparison && show_special(comparison)[0] == '>')
134 return true;
135 return false;
136 }
137
138 if (expr->op == '&' || expr->op == '%') {
139 if (is_capped(expr->left) || is_capped(expr->right))
140 return true;
141 if (user_rl_capped(expr->left) || user_rl_capped(expr->right))
142 return true;
143 return false;
144 }
145
146 if (user_rl_capped(expr->left) &&
147 user_rl_capped(expr->right))
148 return true;
149 return false;
150 }
151
152 bool user_rl_capped(struct expression *expr)
153 {
154 struct smatch_state *state;
155 struct range_list *rl;
156 sval_t sval;
157
158 expr = strip_expr(expr);
159 if (!expr)
160 return false;
161 if (get_value(expr, &sval))
162 return true;
163 if (expr->type == EXPR_BINOP)
164 return binop_capped(expr);
165 if ((expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) &&
166 (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT))
167 return user_rl_capped(expr->unop);
168 state = get_state_expr(my_id, expr);
169 if (state)
170 return estate_capped(state);
171
172 if (get_user_rl(expr, &rl))
173 return false; /* uncapped user data */
174
175 return true; /* not actually user data */
176 }
177
178 bool user_rl_treat_untagged(struct expression *expr)
179 {
180 struct smatch_state *state;
181 struct range_list *rl;
182 sval_t sval;
183
184 expr = strip_expr(expr);
185 if (!expr)
186 return false;
187 if (get_value(expr, &sval))
188 return true;
189
190 state = get_state_expr(my_id, expr);
191 if (state)
192 return estate_treat_untagged(state);
193
194 if (get_user_rl(expr, &rl))
195 return false; /* uncapped user data */
196
197 return true; /* not actually user data */
198 }
199
200 static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
201 {
202 struct expression *edge_member;
203 struct symbol *base = get_real_base_type(member);
204 struct symbol *tmp;
205
206 if (member->ident)
207 expr = member_expression(expr, '.', member->ident);
208
209 FOR_EACH_PTR(base->symbol_list, tmp) {
210 struct symbol *type;
211
212 type = get_real_base_type(tmp);
213 if (!type)
214 continue;
215
216 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
217 tag_inner_struct_members(expr, tmp);
218 continue;
219 }
220
221 if (!tmp->ident)
222 continue;
223
224 edge_member = member_expression(expr, '.', tmp->ident);
225 set_state_expr(my_id, edge_member, alloc_estate_whole(type));
226 } END_FOR_EACH_PTR(tmp);
227 }
228
229 static void tag_struct_members(struct symbol *type, struct expression *expr)
230 {
231 struct symbol *tmp;
232 struct expression *member;
233 int op = '*';
234
235 if (expr->type == EXPR_PREOP && expr->op == '&') {
236 expr = strip_expr(expr->unop);
237 op = '.';
238 }
239
240 FOR_EACH_PTR(type->symbol_list, tmp) {
241 type = get_real_base_type(tmp);
242 if (!type)
243 continue;
244
245 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
246 tag_inner_struct_members(expr, tmp);
247 continue;
248 }
249
250 if (!tmp->ident)
251 continue;
252
253 member = member_expression(expr, op, tmp->ident);
254 set_state_expr(my_id, member, alloc_estate_whole(get_type(member)));
255
256 if (type->type == SYM_ARRAY)
257 set_points_to_user_data(member);
258 } END_FOR_EACH_PTR(tmp);
259 }
260
261 static void tag_base_type(struct expression *expr)
262 {
263 if (expr->type == EXPR_PREOP && expr->op == '&')
264 expr = strip_expr(expr->unop);
265 else
266 expr = deref_expression(expr);
267 set_state_expr(my_id, expr, alloc_estate_whole(get_type(expr)));
268 }
269
270 static void tag_as_user_data(struct expression *expr)
271 {
272 struct symbol *type;
273
274 expr = strip_expr(expr);
275
276 type = get_type(expr);
277 if (!type || type->type != SYM_PTR)
278 return;
279 type = get_real_base_type(type);
280 if (!type)
281 return;
282 if (type == &void_ctype) {
283 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
284 return;
285 }
286 if (type->type == SYM_BASETYPE)
287 tag_base_type(expr);
288 if (type->type == SYM_STRUCT || type->type == SYM_UNION) {
289 if (expr->type != EXPR_PREOP || expr->op != '&')
290 expr = deref_expression(expr);
291 else
292 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
293 tag_struct_members(type, expr);
294 }
295 }
296
297 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
298 {
299 int param = PTR_INT(_param);
300 struct expression *dest;
301
302 func_gets_user_data = true;
303
304 dest = get_argument_from_call_expr(expr->args, param);
305 dest = strip_expr(dest);
306 if (!dest)
307 return;
308 tag_as_user_data(dest);
309 }
310
311 static int is_dev_attr_name(struct expression *expr)
312 {
313 char *name;
314 int ret = 0;
315
316 name = expr_to_str(expr);
317 if (!name)
318 return 0;
319 if (strstr(name, "->attr.name"))
320 ret = 1;
321 free_string(name);
322 return ret;
323 }
324
325 static int ends_in_n(struct expression *expr)
326 {
327 struct string *str;
328
329 if (!expr)
330 return 0;
331 if (expr->type != EXPR_STRING || !expr->string)
332 return 0;
333
334 str = expr->string;
335 if (str->length < 3)
336 return 0;
337
338 if (str->data[str->length - 3] == '%' &&
339 str->data[str->length - 2] == 'n')
340 return 1;
341 return 0;
342 }
343
344 static void match_sscanf(const char *fn, struct expression *expr, void *unused)
345 {
346 struct expression *str, *format, *arg;
347 int i, last;
348
349 func_gets_user_data = true;
350
351 str = get_argument_from_call_expr(expr->args, 0);
352 if (is_dev_attr_name(str))
353 return;
354
355 format = get_argument_from_call_expr(expr->args, 1);
356 if (is_dev_attr_name(format))
357 return;
358
359 last = ptr_list_size((struct ptr_list *)expr->args) - 1;
360
361 i = -1;
362 FOR_EACH_PTR(expr->args, arg) {
363 i++;
364 if (i < 2)
365 continue;
366 if (i == last && ends_in_n(format))
367 continue;
368 tag_as_user_data(arg);
369 } END_FOR_EACH_PTR(arg);
370 }
371
372 static int is_skb_data(struct expression *expr)
373 {
374 struct symbol *sym;
375
376 if (!expr)
377 return 0;
378
379 if (expr->type == EXPR_BINOP && expr->op == '+')
380 return is_skb_data(expr->left);
381
382 expr = strip_expr(expr);
383 if (!expr)
384 return 0;
385 if (expr->type != EXPR_DEREF || expr->op != '.')
386 return 0;
387
388 if (!expr->member)
389 return 0;
390 if (strcmp(expr->member->name, "data") != 0)
391 return 0;
392
393 sym = expr_to_sym(expr->deref);
394 if (!sym)
395 return 0;
396 sym = get_real_base_type(sym);
397 if (!sym || sym->type != SYM_PTR)
398 return 0;
399 sym = get_real_base_type(sym);
400 if (!sym || sym->type != SYM_STRUCT || !sym->ident)
401 return 0;
402 if (strcmp(sym->ident->name, "sk_buff") != 0)
403 return 0;
404
405 return 1;
406 }
407
408 static bool is_points_to_user_data_fn(struct expression *expr)
409 {
410 int i;
411
412 expr = strip_expr(expr);
413 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
414 !expr->fn->symbol)
415 return false;
416 expr = expr->fn;
417 for (i = 0; i < ARRAY_SIZE(returns_pointer_to_user_data); i++) {
418 if (sym_name_is(returns_pointer_to_user_data[i], expr))
419 return true;
420 }
421 return false;
422 }
423
424 static int get_rl_from_function(struct expression *expr, struct range_list **rl)
425 {
426 int i;
427
428 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
429 !expr->fn->symbol_name || !expr->fn->symbol_name->name)
430 return 0;
431
432 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
433 if (strcmp(expr->fn->symbol_name->name, returns_user_data[i]) == 0) {
434 *rl = alloc_whole_rl(get_type(expr));
435 return 1;
436 }
437 }
438 return 0;
439 }
440
441 int points_to_user_data(struct expression *expr)
442 {
443 struct smatch_state *state;
444 struct range_list *rl;
445 char buf[256];
446 struct symbol *sym;
447 char *name;
448 int ret = 0;
449
450 expr = strip_expr(expr);
451 if (!expr)
452 return 0;
453 if (is_skb_data(expr))
454 return 1;
455 if (is_points_to_user_data_fn(expr))
456 return 1;
457 if (get_rl_from_function(expr, &rl))
458 return 1;
459
460 if (expr->type == EXPR_BINOP && expr->op == '+') {
461 if (points_to_user_data(expr->left))
462 return 1;
463 if (points_to_user_data(expr->right))
464 return 1;
465 return 0;
466 }
467
468 name = expr_to_var_sym(expr, &sym);
469 if (!name || !sym)
470 goto free;
471 snprintf(buf, sizeof(buf), "*%s", name);
472 state = __get_state(my_id, buf, sym);
473 if (state && estate_rl(state))
474 ret = 1;
475 free:
476 free_string(name);
477 return ret;
478 }
479
480 static void set_points_to_user_data(struct expression *expr)
481 {
482 char *name;
483 struct symbol *sym;
484 char buf[256];
485 struct symbol *type;
486
487 name = expr_to_var_sym(expr, &sym);
488 if (!name || !sym)
489 goto free;
490 snprintf(buf, sizeof(buf), "*%s", name);
491 type = get_type(expr);
492 if (type && type->type == SYM_PTR)
493 type = get_real_base_type(type);
494 if (!type || type->type != SYM_BASETYPE)
495 type = &llong_ctype;
496 set_state(my_id, buf, sym, alloc_estate_whole(type));
497 free:
498 free_string(name);
499 }
500
501 static int comes_from_skb_data(struct expression *expr)
502 {
503 expr = strip_expr(expr);
504 if (!expr || expr->type != EXPR_PREOP || expr->op != '*')
505 return 0;
506
507 expr = strip_expr(expr->unop);
508 if (!expr)
509 return 0;
510 if (expr->type == EXPR_BINOP && expr->op == '+')
511 expr = strip_expr(expr->left);
512
513 return is_skb_data(expr);
514 }
515
516 static int handle_struct_assignment(struct expression *expr)
517 {
518 struct expression *right;
519 struct symbol *left_type, *right_type;
520
521 left_type = get_type(expr->left);
522 if (!left_type || left_type->type != SYM_PTR)
523 return 0;
524 left_type = get_real_base_type(left_type);
525 if (!left_type)
526 return 0;
527 if (left_type->type != SYM_STRUCT &&
528 left_type->type != SYM_UNION)
529 return 0;
530
531 /*
532 * Ignore struct to struct assignments because for those we look at the
533 * individual members.
534 */
535 right = strip_expr(expr->right);
536 right_type = get_type(right);
537 if (!right_type || right_type->type != SYM_PTR)
538 return 0;
539
540 /* If we are assigning struct members then normally that is handled
541 * by fake assignments, however if we cast one struct to a different
542 * of struct then we handle that here.
543 */
544 right_type = get_real_base_type(right_type);
545 if (right_type == left_type)
546 return 0;
547
548 if (!points_to_user_data(right))
549 return 0;
550
551 tag_as_user_data(expr->left);
552 return 1;
553 }
554
555 static int handle_get_user(struct expression *expr)
556 {
557 char *name;
558 int ret = 0;
559
560 name = get_macro_name(expr->pos);
561 if (!name || strcmp(name, "get_user") != 0)
562 return 0;
563
564 name = expr_to_var(expr->right);
565 if (!name || (strcmp(name, "__val_gu") != 0 && strcmp(name, "__gu_val") != 0))
566 goto free;
567 set_state_expr(my_id, expr->left, alloc_estate_whole(get_type(expr->left)));
568 ret = 1;
569 free:
570 free_string(name);
571 return ret;
572 }
573
574 static bool handle_op_assign(struct expression *expr)
575 {
576 struct expression *binop_expr;
577 struct smatch_state *state;
578 struct range_list *rl;
579
580 switch (expr->op) {
581 case SPECIAL_ADD_ASSIGN:
582 case SPECIAL_SUB_ASSIGN:
583 case SPECIAL_AND_ASSIGN:
584 case SPECIAL_MOD_ASSIGN:
585 case SPECIAL_SHL_ASSIGN:
586 case SPECIAL_SHR_ASSIGN:
587 case SPECIAL_OR_ASSIGN:
588 case SPECIAL_XOR_ASSIGN:
589 case SPECIAL_MUL_ASSIGN:
590 case SPECIAL_DIV_ASSIGN:
591 binop_expr = binop_expression(expr->left,
592 op_remove_assign(expr->op),
593 expr->right);
594 if (!get_user_rl(binop_expr, &rl))
595 return true;
596
597 rl = cast_rl(get_type(expr->left), rl);
598 state = alloc_estate_rl(rl);
599 if (user_rl_capped(binop_expr))
600 estate_set_capped(state);
601 if (user_rl_treat_untagged(expr->left))
602 estate_set_treat_untagged(state);
603 set_state_expr(my_id, expr->left, state);
604 return true;
605 }
606 return false;
607 }
608
609 static void match_assign(struct expression *expr)
610 {
611 struct range_list *rl;
612 static struct expression *handled;
613 struct smatch_state *state;
614 struct expression *faked;
615
616 faked = get_faked_expression();
617 if (faked && faked == handled)
618 return;
619 if (is_fake_call(expr->right))
620 goto clear_old_state;
621 if (handle_get_user(expr))
622 return;
623 if (points_to_user_data(expr->right)) {
624 handled = expr;
625 set_points_to_user_data(expr->left);
626 }
627 if (handle_struct_assignment(expr))
628 return;
629
630 if (handle_op_assign(expr))
631 return;
632 if (expr->op != '=')
633 goto clear_old_state;
634
635 /* Handled by DB code */
636 if (expr->right->type == EXPR_CALL || __in_fake_parameter_assign)
637 return;
638
639 if (!get_user_rl(expr->right, &rl))
640 goto clear_old_state;
641
642 rl = cast_rl(get_type(expr->left), rl);
643 state = alloc_estate_rl(rl);
644
645 if (user_rl_capped(expr->right))
646 estate_set_capped(state);
647 if (user_rl_treat_untagged(expr->right))
648 estate_set_treat_untagged(state);
649 set_state_expr(my_id, expr->left, state);
650
651 return;
652
653 clear_old_state:
654 if (get_state_expr(my_id, expr->left))
655 set_state_expr(my_id, expr->left, alloc_estate_empty());
656 }
657
658 static void handle_eq_noteq(struct expression *expr)
659 {
660 struct smatch_state *left_orig, *right_orig;
661
662 left_orig = get_state_expr(my_id, expr->left);
663 right_orig = get_state_expr(my_id, expr->right);
664
665 if (!left_orig && !right_orig)
666 return;
667 if (left_orig && right_orig)
668 return;
669
670 if (left_orig) {
671 set_true_false_states_expr(my_id, expr->left,
672 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
673 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
674 } else {
675 set_true_false_states_expr(my_id, expr->right,
676 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
677 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
678 }
679 }
680
681 static struct range_list *strip_negatives(struct range_list *rl)
682 {
683 sval_t min = rl_min(rl);
684 sval_t minus_one;
685 sval_t over;
686 sval_t max = sval_type_max(rl_type(rl));
687
688 minus_one.type = rl_type(rl);
689 minus_one.value = -1;
690 over.type = rl_type(rl);
691 over.value = INT_MAX + 1ULL;
692
693 if (!rl)
694 return NULL;
695
696 if (type_unsigned(rl_type(rl)) && type_bits(rl_type(rl)) > 31)
697 return remove_range(rl, over, max);
698
699 return remove_range(rl, min, minus_one);
700 }
701
702 static void handle_compare(struct expression *expr)
703 {
704 struct expression *left, *right;
705 struct range_list *left_rl = NULL;
706 struct range_list *right_rl = NULL;
707 struct range_list *user_rl;
708 struct smatch_state *capped_state;
709 struct smatch_state *left_true = NULL;
710 struct smatch_state *left_false = NULL;
711 struct smatch_state *right_true = NULL;
712 struct smatch_state *right_false = NULL;
713 struct symbol *type;
714 sval_t sval;
715
716 left = strip_expr(expr->left);
717 right = strip_expr(expr->right);
718
719 while (left->type == EXPR_ASSIGNMENT)
720 left = strip_expr(left->left);
721
722 /*
723 * Conditions are mostly handled by smatch_extra.c, but there are some
724 * times where the exact values are not known so we can't do that.
725 *
726 * Normally, we might consider using smatch_capped.c to supliment smatch
727 * extra but that doesn't work when we merge unknown uncapped kernel
728 * data with unknown capped user data. The result is uncapped user
729 * data. We need to keep it separate and say that the user data is
730 * capped. In the past, I would have marked this as just regular
731 * kernel data (not user data) but we can't do that these days because
732 * we need to track user data for Spectre.
733 *
734 * The other situation which we have to handle is when we do have an
735 * int and we compare against an unknown unsigned kernel variable. In
736 * that situation we assume that the kernel data is less than INT_MAX.
737 * Otherwise then we get all sorts of array underflow false positives.
738 *
739 */
740
741 /* Handled in smatch_extra.c */
742 if (get_implied_value(left, &sval) ||
743 get_implied_value(right, &sval))
744 return;
745
746 get_user_rl(left, &left_rl);
747 get_user_rl(right, &right_rl);
748
749 /* nothing to do */
750 if (!left_rl && !right_rl)
751 return;
752 /* if both sides are user data that's not a good limit */
753 if (left_rl && right_rl)
754 return;
755
756 if (left_rl)
757 user_rl = left_rl;
758 else
759 user_rl = right_rl;
760
761 type = get_type(expr);
762 if (type_unsigned(type))
763 user_rl = strip_negatives(user_rl);
764 capped_state = alloc_estate_rl(user_rl);
765 estate_set_capped(capped_state);
766
767 switch (expr->op) {
768 case '<':
769 case SPECIAL_UNSIGNED_LT:
770 case SPECIAL_LTE:
771 case SPECIAL_UNSIGNED_LTE:
772 if (left_rl)
773 left_true = capped_state;
774 else
775 right_false = capped_state;
776 break;
777 case '>':
778 case SPECIAL_UNSIGNED_GT:
779 case SPECIAL_GTE:
780 case SPECIAL_UNSIGNED_GTE:
781 if (left_rl)
782 left_false = capped_state;
783 else
784 right_true = capped_state;
785 break;
786 }
787
788 set_true_false_states_expr(my_id, left, left_true, left_false);
789 set_true_false_states_expr(my_id, right, right_true, right_false);
790 }
791
792 static void match_condition(struct expression *expr)
793 {
794 if (expr->type != EXPR_COMPARE)
795 return;
796
797 if (expr->op == SPECIAL_EQUAL ||
798 expr->op == SPECIAL_NOTEQUAL) {
799 handle_eq_noteq(expr);
800 return;
801 }
802
803 handle_compare(expr);
804 }
805
806 static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
807 {
808 tag_as_user_data(expr->left);
809 set_points_to_user_data(expr->left);
810 }
811
812 static void match_returns_user_rl(const char *fn, struct expression *expr, void *unused)
813 {
814 func_gets_user_data = true;
815 }
816
817 static int get_user_macro_rl(struct expression *expr, struct range_list **rl)
818 {
819 struct expression *parent;
820 char *macro;
821
822 if (!expr)
823 return 0;
824
825 macro = get_macro_name(expr->pos);
826 if (!macro)
827 return 0;
828
829 /* handle ntohl(foo[i]) where "i" is trusted */
830 parent = expr_get_parent_expr(expr);
831 while (parent && parent->type != EXPR_BINOP)
832 parent = expr_get_parent_expr(parent);
833 if (parent && parent->type == EXPR_BINOP) {
834 char *parent_macro = get_macro_name(parent->pos);
835
836 if (parent_macro && strcmp(macro, parent_macro) == 0)
837 return 0;
838 }
839
840 if (strcmp(macro, "ntohl") == 0) {
841 *rl = alloc_whole_rl(&uint_ctype);
842 return 1;
843 }
844 if (strcmp(macro, "ntohs") == 0) {
845 *rl = alloc_whole_rl(&ushort_ctype);
846 return 1;
847 }
848 return 0;
849 }
850
851 static int has_user_data(struct symbol *sym)
852 {
853 struct sm_state *tmp;
854
855 FOR_EACH_MY_SM(my_id, __get_cur_stree(), tmp) {
856 if (tmp->sym == sym)
857 return 1;
858 } END_FOR_EACH_SM(tmp);
859 return 0;
860 }
861
862 static int we_pass_user_data(struct expression *call)
863 {
864 struct expression *arg;
865 struct symbol *sym;
866
867 FOR_EACH_PTR(call->args, arg) {
868 sym = expr_to_sym(arg);
869 if (!sym)
870 continue;
871 if (has_user_data(sym))
872 return 1;
873 } END_FOR_EACH_PTR(arg);
874
875 return 0;
876 }
877
878 static int db_returned_user_rl(struct expression *call, struct range_list **rl)
879 {
880 struct smatch_state *state;
881 char buf[48];
882
883 if (is_fake_call(call))
884 return 0;
885 snprintf(buf, sizeof(buf), "return %p", call);
886 state = get_state(my_id, buf, NULL);
887 if (!state || !estate_rl(state))
888 return 0;
889 *rl = estate_rl(state);
890 return 1;
891 }
892
893 struct stree *get_user_stree(void)
894 {
895 return get_all_states_stree(my_id);
896 }
897
898 static int user_data_flag;
899 static int no_user_data_flag;
900 struct range_list *var_user_rl(struct expression *expr)
901 {
902 struct smatch_state *state;
903 struct range_list *rl;
904 struct range_list *absolute_rl;
905
906 if (expr->type == EXPR_PREOP && expr->op == '&') {
907 no_user_data_flag = 1;
908 return NULL;
909 }
910
911 if (expr->type == EXPR_BINOP && expr->op == '%') {
912 struct range_list *left, *right;
913
914 if (!get_user_rl(expr->right, &right))
915 return NULL;
916 get_absolute_rl(expr->left, &left);
917 rl = rl_binop(left, '%', right);
918 goto found;
919 }
920
921 if (expr->type == EXPR_BINOP && expr->op == '/') {
922 struct range_list *left = NULL;
923 struct range_list *right = NULL;
924 struct range_list *abs_right;
925
926 /*
927 * The specific bug I'm dealing with is:
928 *
929 * foo = capped_user / unknown;
930 *
931 * Instead of just saying foo is now entirely user_rl we should
932 * probably say instead that it is not at all user data.
933 *
934 */
935
936 get_user_rl(expr->left, &left);
937 get_user_rl(expr->right, &right);
938 get_absolute_rl(expr->right, &abs_right);
939
940 if (left && !right) {
941 rl = rl_binop(left, '/', abs_right);
942 if (sval_cmp(rl_max(left), rl_max(rl)) < 0)
943 no_user_data_flag = 1;
944 }
945
946 return NULL;
947 }
948
949 if (get_rl_from_function(expr, &rl))
950 goto found;
951
952 if (get_user_macro_rl(expr, &rl))
953 goto found;
954
955 if (comes_from_skb_data(expr)) {
956 rl = alloc_whole_rl(get_type(expr));
957 goto found;
958 }
959
960 state = get_state_expr(my_id, expr);
961 if (state && estate_rl(state)) {
962 rl = estate_rl(state);
963 goto found;
964 }
965
966 if (expr->type == EXPR_CALL && db_returned_user_rl(expr, &rl))
967 goto found;
968
969 if (is_array(expr)) {
970 struct expression *array = get_array_base(expr);
971
972 if (!get_state_expr(my_id, array)) {
973 no_user_data_flag = 1;
974 return NULL;
975 }
976 }
977
978 if (expr->type == EXPR_PREOP && expr->op == '*' &&
979 is_user_rl(expr->unop)) {
980 rl = var_to_absolute_rl(expr);
981 goto found;
982 }
983
984 return NULL;
985 found:
986 user_data_flag = 1;
987 absolute_rl = var_to_absolute_rl(expr);
988 return clone_rl(rl_intersection(rl, absolute_rl));
989 }
990
991 static bool is_ptr_subtract(struct expression *expr)
992 {
993 expr = strip_expr(expr);
994 if (!expr)
995 return false;
996 if (expr->type == EXPR_BINOP && expr->op == '-' &&
997 type_is_ptr(get_type(expr->left))) {
998 return true;
999 }
1000 return false;
1001 }
1002
1003 int get_user_rl(struct expression *expr, struct range_list **rl)
1004 {
1005 if (is_ptr_subtract(expr))
1006 return 0;
1007
1008 user_data_flag = 0;
1009 no_user_data_flag = 0;
1010 custom_get_absolute_rl(expr, &var_user_rl, rl);
1011 if (!user_data_flag || no_user_data_flag)
1012 *rl = NULL;
1013
1014 return !!*rl;
1015 }
1016
1017 int is_user_rl(struct expression *expr)
1018 {
1019 struct range_list *tmp;
1020
1021 return !!get_user_rl(expr, &tmp);
1022 }
1023
1024 int get_user_rl_var_sym(const char *name, struct symbol *sym, struct range_list **rl)
1025 {
1026 struct smatch_state *state;
1027
1028 state = get_state(my_id, name, sym);
1029 if (state && estate_rl(state)) {
1030 *rl = estate_rl(state);
1031 return 1;
1032 }
1033 return 0;
1034 }
1035
1036 static char *get_user_rl_str(struct expression *expr, struct symbol *type)
1037 {
1038 struct range_list *rl;
1039 static char buf[64];
1040
1041 if (!get_user_rl(expr, &rl))
1042 return NULL;
1043 rl = cast_rl(type, rl);
1044 snprintf(buf, sizeof(buf), "%s%s%s",
1045 show_rl(rl),
1046 user_rl_capped(expr) ? "[c]" : "",
1047 user_rl_treat_untagged(expr) ? "[u]" : "");
1048 return buf;
1049 }
1050
1051 static void match_call_info(struct expression *expr)
1052 {
1053 struct expression *arg;
1054 struct symbol *type;
1055 char *str;
1056 int i;
1057
1058 i = -1;
1059 FOR_EACH_PTR(expr->args, arg) {
1060 i++;
1061 type = get_arg_type(expr->fn, i);
1062 str = get_user_rl_str(arg, type);
1063 if (!str)
1064 continue;
1065
1066 sql_insert_caller_info(expr, USER_DATA, i, "$", str);
1067 } END_FOR_EACH_PTR(arg);
1068 }
1069
1070 static int is_struct_ptr(struct symbol *sym)
1071 {
1072 struct symbol *type;
1073
1074 if (!sym)
1075 return 0;
1076 type = get_real_base_type(sym);
1077 if (!type || type->type != SYM_PTR)
1078 return 0;
1079 type = get_real_base_type(type);
1080 if (!type || type->type != SYM_STRUCT)
1081 return 0;
1082 return 1;
1083 }
1084
1085 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
1086 {
1087 struct smatch_state *state;
1088 struct range_list *rl;
1089 struct symbol *type;
1090 char buf[64];
1091
1092 /*
1093 * Smatch uses a hack where if we get an unsigned long we say it's
1094 * both user data and it points to user data. But if we pass it to a
1095 * function which takes an int, then it's just user data. There's not
1096 * enough bytes for it to be a pointer.
1097 *
1098 */
1099 type = get_arg_type(call->fn, param);
1100 if (type && type_bits(type) < type_bits(&ptr_ctype))
1101 return;
1102
1103 if (strcmp(sm->state->name, "") == 0)
1104 return;
1105
1106 if (strcmp(printed_name, "*$") == 0 &&
1107 is_struct_ptr(sm->sym))
1108 return;
1109
1110 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
1111 if (!state || !estate_rl(state))
1112 rl = estate_rl(sm->state);
1113 else
1114 rl = rl_intersection(estate_rl(sm->state), estate_rl(state));
1115
1116 if (!rl)
1117 return;
1118
1119 snprintf(buf, sizeof(buf), "%s%s%s", show_rl(rl),
1120 estate_capped(sm->state) ? "[c]" : "",
1121 estate_treat_untagged(sm->state) ? "[u]" : "");
1122 sql_insert_caller_info(call, USER_DATA, param, printed_name, buf);
1123 }
1124
1125 static void db_param_set(struct expression *expr, int param, char *key, char *value)
1126 {
1127 struct expression *arg;
1128 char *name;
1129 struct symbol *sym;
1130 struct smatch_state *state;
1131
1132 while (expr->type == EXPR_ASSIGNMENT)
1133 expr = strip_expr(expr->right);
1134 if (expr->type != EXPR_CALL)
1135 return;
1136
1137 arg = get_argument_from_call_expr(expr->args, param);
1138 if (!arg)
1139 return;
1140 name = get_variable_from_key(arg, key, &sym);
1141 if (!name || !sym)
1142 goto free;
1143
1144 state = get_state(my_id, name, sym);
1145 if (!state)
1146 goto free;
1147
1148 set_state(my_id, name, sym, alloc_estate_empty());
1149 free:
1150 free_string(name);
1151 }
1152
1153 static bool param_data_capped(const char *value)
1154 {
1155 if (strstr(value, ",c") || strstr(value, "[c"))
1156 return true;
1157 return false;
1158 }
1159
1160 static bool param_data_treat_untagged(const char *value)
1161 {
1162 if (strstr(value, ",u") || strstr(value, "[u"))
1163 return true;
1164 return false;
1165 }
1166
1167 static void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
1168 {
1169 struct range_list *rl = NULL;
1170 struct smatch_state *state;
1171 struct expression *expr;
1172 struct symbol *type;
1173 char fullname[256];
1174 char *key_orig = key;
1175 bool add_star = false;
1176
1177 if (strcmp(key, "**$") == 0) {
1178 snprintf(fullname, sizeof(fullname), "**%s", name);
1179 } else {
1180 if (key[0] == '*') {
1181 add_star = true;
1182 key++;
1183 }
1184
1185 snprintf(fullname, 256, "%s%s%s", add_star ? "*" : "", name, key + 1);
1186 }
1187
1188 expr = symbol_expression(sym);
1189 type = get_member_type_from_key(expr, key_orig);
1190
1191 /*
1192 * Say this function takes a struct ponter but the caller passes
1193 * this_function(skb->data). We have two options, we could pass *$
1194 * as user data or we could pass foo->bar, foo->baz as user data.
1195 * The second option is easier to implement so we do that.
1196 *
1197 */
1198 if (strcmp(key_orig, "*$") == 0) {
1199 struct symbol *tmp = type;
1200
1201 while (tmp && tmp->type == SYM_PTR)
1202 tmp = get_real_base_type(tmp);
1203
1204 if (tmp && (tmp->type == SYM_STRUCT || tmp->type == SYM_UNION)) {
1205 tag_as_user_data(symbol_expression(sym));
1206 return;
1207 }
1208 }
1209
1210 str_to_rl(type, value, &rl);
1211 state = alloc_estate_rl(rl);
1212 if (param_data_capped(value) || is_capped(expr))
1213 estate_set_capped(state);
1214 if (param_data_treat_untagged(value) || sym->ctype.as == 5)
1215 estate_set_treat_untagged(state);
1216 set_state(my_id, fullname, sym, state);
1217 }
1218
1219 static void set_called(const char *name, struct symbol *sym, char *key, char *value)
1220 {
1221 set_state(my_call_id, "this_function", NULL, &called);
1222 }
1223
1224 static void match_syscall_definition(struct symbol *sym)
1225 {
1226 struct symbol *arg;
1227 char *macro;
1228 char *name;
1229 int is_syscall = 0;
1230
1231 macro = get_macro_name(sym->pos);
1232 if (macro &&
1233 (strncmp("SYSCALL_DEFINE", macro, strlen("SYSCALL_DEFINE")) == 0 ||
1234 strncmp("COMPAT_SYSCALL_DEFINE", macro, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
1235 is_syscall = 1;
1236
1237 name = get_function();
1238 if (!option_no_db && get_state(my_call_id, "this_function", NULL) != &called) {
1239 if (name && strncmp(name, "sys_", 4) == 0)
1240 is_syscall = 1;
1241 }
1242
1243 if (name && strncmp(name, "compat_sys_", 11) == 0)
1244 is_syscall = 1;
1245
1246 if (!is_syscall)
1247 return;
1248
1249 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
1250 set_state(my_id, arg->ident->name, arg, alloc_estate_whole(get_real_base_type(arg)));
1251 } END_FOR_EACH_PTR(arg);
1252 }
1253
1254 static void store_user_data_return(struct expression *expr, char *key, char *value)
1255 {
1256 struct range_list *rl;
1257 struct symbol *type;
1258 char buf[48];
1259
1260 if (strcmp(key, "$") != 0)
1261 return;
1262
1263 type = get_type(expr);
1264 snprintf(buf, sizeof(buf), "return %p", expr);
1265 call_results_to_rl(expr, type, value, &rl);
1266
1267 set_state(my_id, buf, NULL, alloc_estate_rl(rl));
1268 }
1269
1270 static void set_to_user_data(struct expression *expr, char *key, char *value)
1271 {
1272 struct smatch_state *state;
1273 char *name;
1274 struct symbol *sym;
1275 struct symbol *type;
1276 struct range_list *rl = NULL;
1277
1278 type = get_member_type_from_key(expr, key);
1279 name = get_variable_from_key(expr, key, &sym);
1280 if (!name || !sym)
1281 goto free;
1282
1283 call_results_to_rl(expr, type, value, &rl);
1284
1285 state = alloc_estate_rl(rl);
1286 if (param_data_capped(value))
1287 estate_set_capped(state);
1288 if (param_data_treat_untagged(value))
1289 estate_set_treat_untagged(state);
1290 set_state(my_id, name, sym, state);
1291 free:
1292 free_string(name);
1293 }
1294
1295 static void returns_param_user_data(struct expression *expr, int param, char *key, char *value)
1296 {
1297 struct expression *arg;
1298 struct expression *call;
1299
1300 call = expr;
1301 while (call->type == EXPR_ASSIGNMENT)
1302 call = strip_expr(call->right);
1303 if (call->type != EXPR_CALL)
1304 return;
1305
1306 if (!we_pass_user_data(call))
1307 return;
1308
1309 if (param == -1) {
1310 if (expr->type != EXPR_ASSIGNMENT) {
1311 store_user_data_return(expr, key, value);
1312 return;
1313 }
1314 set_to_user_data(expr->left, key, value);
1315 return;
1316 }
1317
1318 arg = get_argument_from_call_expr(call->args, param);
1319 if (!arg)
1320 return;
1321 set_to_user_data(arg, key, value);
1322 }
1323
1324 static void returns_param_user_data_set(struct expression *expr, int param, char *key, char *value)
1325 {
1326 struct expression *arg;
1327
1328 func_gets_user_data = true;
1329
1330 if (param == -1) {
1331 if (expr->type != EXPR_ASSIGNMENT) {
1332 store_user_data_return(expr, key, value);
1333 return;
1334 }
1335 if (strcmp(key, "*$") == 0) {
1336 set_points_to_user_data(expr->left);
1337 tag_as_user_data(expr->left);
1338 } else {
1339 set_to_user_data(expr->left, key, value);
1340 }
1341 return;
1342 }
1343
1344 while (expr->type == EXPR_ASSIGNMENT)
1345 expr = strip_expr(expr->right);
1346 if (expr->type != EXPR_CALL)
1347 return;
1348
1349 arg = get_argument_from_call_expr(expr->args, param);
1350 if (!arg)
1351 return;
1352 set_to_user_data(arg, key, value);
1353 }
1354
1355 static void param_set_to_user_data(int return_id, char *return_ranges, struct expression *expr)
1356 {
1357 struct sm_state *sm;
1358 struct smatch_state *start_state;
1359 struct range_list *rl;
1360 int param;
1361 char *return_str;
1362 const char *param_name;
1363 struct symbol *ret_sym;
1364 bool return_found = false;
1365 bool pointed_at_found = false;
1366 char buf[64];
1367
1368 expr = strip_expr(expr);
1369 return_str = expr_to_str(expr);
1370 ret_sym = expr_to_sym(expr);
1371
1372 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
1373 param = get_param_num_from_sym(sm->sym);
1374 if (param < 0)
1375 continue;
1376
1377 if (!param_was_set_var_sym(sm->name, sm->sym))
1378 continue;
1379
1380 /* The logic here was that if we were passed in a user data then
1381 * we don't record that. It's like the difference between
1382 * param_filter and param_set. When I think about it, I'm not
1383 * sure it actually works. It's probably harmless because we
1384 * checked earlier that we're not returning a parameter...
1385 * Let's mark this as a TODO.
1386 */
1387 start_state = get_state_stree(start_states, my_id, sm->name, sm->sym);
1388 if (start_state && rl_equiv(estate_rl(sm->state), estate_rl(start_state)))
1389 continue;
1390
1391 param_name = get_param_name(sm);
1392 if (!param_name)
1393 continue;
1394 if (strcmp(param_name, "$") == 0) /* The -1 param is handled after the loop */
1395 continue;
1396
1397 snprintf(buf, sizeof(buf), "%s%s%s",
1398 show_rl(estate_rl(sm->state)),
1399 estate_capped(sm->state) ? "[c]" : "",
1400 estate_treat_untagged(sm->state) ? "[u]" : "");
1401 sql_insert_return_states(return_id, return_ranges,
1402 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1403 param, param_name, buf);
1404 } END_FOR_EACH_SM(sm);
1405
1406 /* This if for "return foo;" where "foo->bar" is user data. */
1407 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
1408 if (!ret_sym)
1409 break;
1410 if (ret_sym != sm->sym)
1411 continue;
1412
1413 param_name = state_name_to_param_name(sm->name, return_str);
1414 if (!param_name)
1415 continue;
1416 if (strcmp(param_name, "$") == 0)
1417 return_found = true;
1418 if (strcmp(param_name, "*$") == 0)
1419 pointed_at_found = true;
1420 snprintf(buf, sizeof(buf), "%s%s%s",
1421 show_rl(estate_rl(sm->state)),
1422 estate_capped(sm->state) ? "[c]" : "",
1423 estate_treat_untagged(sm->state) ? "[u]" : "");
1424 sql_insert_return_states(return_id, return_ranges,
1425 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1426 -1, param_name, buf);
1427 } END_FOR_EACH_SM(sm);
1428
1429 /* This if for "return ntohl(foo);" */
1430 if (!return_found && get_user_rl(expr, &rl)) {
1431 snprintf(buf, sizeof(buf), "%s%s%s",
1432 show_rl(rl),
1433 user_rl_capped(expr) ? "[c]" : "",
1434 user_rl_treat_untagged(expr) ? "[u]" : "");
1435 sql_insert_return_states(return_id, return_ranges,
1436 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1437 -1, "$", buf);
1438 }
1439
1440 /*
1441 * This is to handle things like return skb->data where we don't set a
1442 * state for that.
1443 */
1444 if (!pointed_at_found && points_to_user_data(expr)) {
1445 sql_insert_return_states(return_id, return_ranges,
1446 (is_skb_data(expr) || func_gets_user_data) ?
1447 USER_DATA_SET : USER_DATA,
1448 -1, "*$", "s64min-s64max");
1449 }
1450
1451 free_string(return_str);
1452 }
1453
1454 static void returns_param_capped(struct expression *expr, int param, char *key, char *value)
1455 {
1456 struct smatch_state *state, *new;
1457 struct symbol *sym;
1458 char *name;
1459
1460 name = return_state_to_var_sym(expr, param, key, &sym);
1461 if (!name || !sym)
1462 goto free;
1463
1464 state = get_state(my_id, name, sym);
1465 if (!state || estate_capped(state))
1466 goto free;
1467
1468 new = clone_estate(state);
1469 estate_set_capped(new);
1470
1471 set_state(my_id, name, sym, new);
1472 free:
1473 free_string(name);
1474 }
1475
1476 static struct int_stack *gets_data_stack;
1477 static void match_function_def(struct symbol *sym)
1478 {
1479 func_gets_user_data = false;
1480 }
1481
1482 static void match_inline_start(struct expression *expr)
1483 {
1484 push_int(&gets_data_stack, func_gets_user_data);
1485 }
1486
1487 static void match_inline_end(struct expression *expr)
1488 {
1489 func_gets_user_data = pop_int(&gets_data_stack);
1490 }
1491
1492 void register_kernel_user_data(int id)
1493 {
1494 int i;
1495
1496 my_id = id;
1497
1498 if (option_project != PROJ_KERNEL)
1499 return;
1500
1501 set_dynamic_states(my_id);
1502
1503 add_hook(&match_function_def, FUNC_DEF_HOOK);
1504 add_hook(&match_inline_start, INLINE_FN_START);
1505 add_hook(&match_inline_end, INLINE_FN_END);
1506
1507 add_hook(&save_start_states, AFTER_DEF_HOOK);
1508 add_hook(&free_start_states, AFTER_FUNC_HOOK);
1509 add_hook(&match_save_states, INLINE_FN_START);
1510 add_hook(&match_restore_states, INLINE_FN_END);
1511
1512 add_unmatched_state_hook(my_id, &empty_state);
1513 add_extra_nomod_hook(&extra_nomod_hook);
1514 add_pre_merge_hook(my_id, &pre_merge_hook);
1515 add_merge_hook(my_id, &merge_estates);
1516
1517 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
1518 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
1519 add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
1520 for (i = 0; i < ARRAY_SIZE(kstr_funcs); i++)
1521 add_function_hook(kstr_funcs[i], &match_user_copy, INT_PTR(2));
1522 add_function_hook("usb_control_msg", &match_user_copy, INT_PTR(6));
1523
1524 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
1525 add_function_assign_hook(returns_user_data[i], &match_user_assign_function, NULL);
1526 add_function_hook(returns_user_data[i], &match_returns_user_rl, NULL);
1527 }
1528
1529 add_function_hook("sscanf", &match_sscanf, NULL);
1530
1531 add_hook(&match_syscall_definition, AFTER_DEF_HOOK);
1532
1533 add_hook(&match_assign, ASSIGNMENT_HOOK);
1534 select_return_states_hook(PARAM_SET, &db_param_set);
1535 add_hook(&match_condition, CONDITION_HOOK);
1536
1537 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
1538 add_member_info_callback(my_id, struct_member_callback);
1539 select_caller_info_hook(set_param_user_data, USER_DATA);
1540 select_return_states_hook(USER_DATA, &returns_param_user_data);
1541 select_return_states_hook(USER_DATA_SET, &returns_param_user_data_set);
1542 select_return_states_hook(CAPPED_DATA, &returns_param_capped);
1543 add_split_return_callback(¶m_set_to_user_data);
1544 }
1545
1546 void register_kernel_user_data2(int id)
1547 {
1548 my_call_id = id;
1549
1550 if (option_project != PROJ_KERNEL)
1551 return;
1552 select_caller_info_hook(set_called, INTERNAL);
1553 }
1554