12013 fix GCC4 as primary compiler
1 /*
2 * Copyright (C) 2011 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There are a couple checks that try to see if a variable
20 * comes from the user. It would be better to unify them
21 * into one place. Also it we should follow the data down
22 * the call paths. Hence this file.
23 */
24
25 #include "smatch.h"
26 #include "smatch_slist.h"
27 #include "smatch_extra.h"
28
29 static int my_id;
30 static int my_call_id;
31
32 STATE(called);
33 static bool func_gets_user_data;
34
35 static const char *kstr_funcs[] = {
36 "kstrtoull", "kstrtoll", "kstrtoul", "kstrtol", "kstrtouint",
37 "kstrtoint", "kstrtou64", "kstrtos64", "kstrtou32", "kstrtos32",
38 "kstrtou16", "kstrtos16", "kstrtou8", "kstrtos8", "kstrtoull_from_user"
39 "kstrtoll_from_user", "kstrtoul_from_user", "kstrtol_from_user",
40 "kstrtouint_from_user", "kstrtoint_from_user", "kstrtou16_from_user",
41 "kstrtos16_from_user", "kstrtou8_from_user", "kstrtos8_from_user",
42 "kstrtou64_from_user", "kstrtos64_from_user", "kstrtou32_from_user",
43 "kstrtos32_from_user",
44 };
45
46 static const char *returns_user_data[] = {
47 "simple_strtol", "simple_strtoll", "simple_strtoul", "simple_strtoull",
48 "kvm_register_read",
49 };
50
51 static const char *returns_pointer_to_user_data[] = {
52 "nlmsg_data", "nla_data", "memdup_user", "kmap_atomic", "skb_network_header",
53 };
54
55 static void set_points_to_user_data(struct expression *expr);
56
57 static struct stree *start_states;
58 static struct stree_stack *saved_stack;
59 static void save_start_states(struct statement *stmt)
60 {
61 start_states = clone_stree(__get_cur_stree());
62 }
63
64 static void free_start_states(void)
65 {
66 free_stree(&start_states);
67 }
68
69 static void match_save_states(struct expression *expr)
70 {
71 push_stree(&saved_stack, start_states);
72 start_states = NULL;
73 }
74
75 static void match_restore_states(struct expression *expr)
76 {
77 free_stree(&start_states);
78 start_states = pop_stree(&saved_stack);
79 }
80
81 static struct smatch_state *empty_state(struct sm_state *sm)
82 {
83 return alloc_estate_empty();
84 }
85
86 static void pre_merge_hook(struct sm_state *cur, struct sm_state *other)
87 {
88 struct smatch_state *user = cur->state;
89 struct smatch_state *extra;
90 struct smatch_state *state;
91 struct range_list *rl;
92
93 extra = __get_state(SMATCH_EXTRA, cur->name, cur->sym);
94 if (!extra)
95 return;
96 rl = rl_intersection(estate_rl(user), estate_rl(extra));
97 state = alloc_estate_rl(clone_rl(rl));
98 if (estate_capped(user) || is_capped_var_sym(cur->name, cur->sym))
99 estate_set_capped(state);
100 if (estate_treat_untagged(user))
101 estate_set_treat_untagged(state);
102 set_state(my_id, cur->name, cur->sym, state);
103 }
104
105 static void extra_nomod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
106 {
107 struct smatch_state *user, *new;
108 struct range_list *rl;
109
110 user = __get_state(my_id, name, sym);
111 if (!user)
112 return;
113 rl = rl_intersection(estate_rl(user), estate_rl(state));
114 if (rl_equiv(rl, estate_rl(user)))
115 return;
116 new = alloc_estate_rl(rl);
117 if (estate_capped(user))
118 estate_set_capped(new);
119 if (estate_treat_untagged(user))
120 estate_set_treat_untagged(new);
121 set_state(my_id, name, sym, new);
122 }
123
124 static bool binop_capped(struct expression *expr)
125 {
126 struct range_list *left_rl;
127 int comparison;
128
129 if (expr->op == '-' && get_user_rl(expr->left, &left_rl)) {
130 if (user_rl_capped(expr->left))
131 return true;
132 comparison = get_comparison(expr->left, expr->right);
133 if (comparison && show_special(comparison)[0] == '>')
134 return true;
135 return false;
136 }
137
138 if (expr->op == '&' || expr->op == '%') {
139 if (is_capped(expr->left) || is_capped(expr->right))
140 return true;
141 if (user_rl_capped(expr->left) || user_rl_capped(expr->right))
142 return true;
143 return false;
144 }
145
146 if (user_rl_capped(expr->left) &&
147 user_rl_capped(expr->right))
148 return true;
149 return false;
150 }
151
152 bool user_rl_capped(struct expression *expr)
153 {
154 struct smatch_state *state;
155 struct range_list *rl;
156 sval_t sval;
157
158 expr = strip_expr(expr);
159 if (!expr)
160 return false;
161 if (get_value(expr, &sval))
162 return true;
163 if (expr->type == EXPR_BINOP)
164 return binop_capped(expr);
165 if ((expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) &&
166 (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT))
167 return user_rl_capped(expr->unop);
168 state = get_state_expr(my_id, expr);
169 if (state)
170 return estate_capped(state);
171
172 if (get_user_rl(expr, &rl))
173 return false; /* uncapped user data */
174
175 return true; /* not actually user data */
176 }
177
178 bool user_rl_treat_untagged(struct expression *expr)
179 {
180 struct smatch_state *state;
181 struct range_list *rl;
182 sval_t sval;
183
184 expr = strip_expr(expr);
185 if (!expr)
186 return false;
187 if (get_value(expr, &sval))
188 return true;
189
190 state = get_state_expr(my_id, expr);
191 if (state)
192 return estate_treat_untagged(state);
193
194 if (get_user_rl(expr, &rl))
195 return false; /* uncapped user data */
196
197 return true; /* not actually user data */
198 }
199
200 static void tag_inner_struct_members(struct expression *expr, struct symbol *member)
201 {
202 struct expression *edge_member;
203 struct symbol *base = get_real_base_type(member);
204 struct symbol *tmp;
205
206 if (member->ident)
207 expr = member_expression(expr, '.', member->ident);
208
209 FOR_EACH_PTR(base->symbol_list, tmp) {
210 struct symbol *type;
211
212 type = get_real_base_type(tmp);
213 if (!type)
214 continue;
215
216 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
217 tag_inner_struct_members(expr, tmp);
218 continue;
219 }
220
221 if (!tmp->ident)
222 continue;
223
224 edge_member = member_expression(expr, '.', tmp->ident);
225 set_state_expr(my_id, edge_member, alloc_estate_whole(type));
226 } END_FOR_EACH_PTR(tmp);
227 }
228
229 static void tag_struct_members(struct symbol *type, struct expression *expr)
230 {
231 struct symbol *tmp;
232 struct expression *member;
233 int op = '*';
234
235 if (expr->type == EXPR_PREOP && expr->op == '&') {
236 expr = strip_expr(expr->unop);
237 op = '.';
238 }
239
240 FOR_EACH_PTR(type->symbol_list, tmp) {
241 type = get_real_base_type(tmp);
242 if (!type)
243 continue;
244
245 if (type->type == SYM_UNION || type->type == SYM_STRUCT) {
246 tag_inner_struct_members(expr, tmp);
247 continue;
248 }
249
250 if (!tmp->ident)
251 continue;
252
253 member = member_expression(expr, op, tmp->ident);
254 set_state_expr(my_id, member, alloc_estate_whole(get_type(member)));
255
256 if (type->type == SYM_ARRAY)
257 set_points_to_user_data(member);
258 } END_FOR_EACH_PTR(tmp);
259 }
260
261 static void tag_base_type(struct expression *expr)
262 {
263 if (expr->type == EXPR_PREOP && expr->op == '&')
264 expr = strip_expr(expr->unop);
265 else
266 expr = deref_expression(expr);
267 set_state_expr(my_id, expr, alloc_estate_whole(get_type(expr)));
268 }
269
270 static void tag_as_user_data(struct expression *expr)
271 {
272 struct symbol *type;
273
274 expr = strip_expr(expr);
275
276 type = get_type(expr);
277 if (!type || type->type != SYM_PTR)
278 return;
279 type = get_real_base_type(type);
280 if (!type)
281 return;
282 if (type == &void_ctype) {
283 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
284 return;
285 }
286 if (type->type == SYM_BASETYPE)
287 tag_base_type(expr);
288 if (type->type == SYM_STRUCT || type->type == SYM_UNION) {
289 if (expr->type != EXPR_PREOP || expr->op != '&')
290 expr = deref_expression(expr);
291 else
292 set_state_expr(my_id, deref_expression(expr), alloc_estate_whole(&ulong_ctype));
293 tag_struct_members(type, expr);
294 }
295 }
296
297 static void match_user_copy(const char *fn, struct expression *expr, void *_param)
298 {
299 int param = PTR_INT(_param);
300 struct expression *dest;
301
302 func_gets_user_data = true;
303
304 dest = get_argument_from_call_expr(expr->args, param);
305 dest = strip_expr(dest);
306 if (!dest)
307 return;
308 tag_as_user_data(dest);
309 }
310
311 static int is_dev_attr_name(struct expression *expr)
312 {
313 char *name;
314 int ret = 0;
315
316 name = expr_to_str(expr);
317 if (!name)
318 return 0;
319 if (strstr(name, "->attr.name"))
320 ret = 1;
321 free_string(name);
322 return ret;
323 }
324
325 static int ends_in_n(struct expression *expr)
326 {
327 struct string *str;
328
329 if (!expr)
330 return 0;
331 if (expr->type != EXPR_STRING || !expr->string)
332 return 0;
333
334 str = expr->string;
335 if (str->length < 3)
336 return 0;
337
338 if (str->data[str->length - 3] == '%' &&
339 str->data[str->length - 2] == 'n')
340 return 1;
341 return 0;
342 }
343
344 static void match_sscanf(const char *fn, struct expression *expr, void *unused)
345 {
346 struct expression *str, *format, *arg;
347 int i, last;
348
349 func_gets_user_data = true;
350
351 str = get_argument_from_call_expr(expr->args, 0);
352 if (is_dev_attr_name(str))
353 return;
354
355 format = get_argument_from_call_expr(expr->args, 1);
356 if (is_dev_attr_name(format))
357 return;
358
359 last = ptr_list_size((struct ptr_list *)expr->args) - 1;
360
361 i = -1;
362 FOR_EACH_PTR(expr->args, arg) {
363 i++;
364 if (i < 2)
365 continue;
366 if (i == last && ends_in_n(format))
367 continue;
368 tag_as_user_data(arg);
369 } END_FOR_EACH_PTR(arg);
370 }
371
372 static int is_skb_data(struct expression *expr)
373 {
374 struct symbol *sym;
375
376 if (!expr)
377 return 0;
378
379 if (expr->type == EXPR_BINOP && expr->op == '+')
380 return is_skb_data(expr->left);
381
382 expr = strip_expr(expr);
383 if (!expr)
384 return 0;
385 if (expr->type != EXPR_DEREF || expr->op != '.')
386 return 0;
387
388 if (!expr->member)
389 return 0;
390 if (strcmp(expr->member->name, "data") != 0)
391 return 0;
392
393 sym = expr_to_sym(expr->deref);
394 if (!sym)
395 return 0;
396 sym = get_real_base_type(sym);
397 if (!sym || sym->type != SYM_PTR)
398 return 0;
399 sym = get_real_base_type(sym);
400 if (!sym || sym->type != SYM_STRUCT || !sym->ident)
401 return 0;
402 if (strcmp(sym->ident->name, "sk_buff") != 0)
403 return 0;
404
405 return 1;
406 }
407
408 static bool is_points_to_user_data_fn(struct expression *expr)
409 {
410 int i;
411
412 expr = strip_expr(expr);
413 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
414 !expr->fn->symbol)
415 return false;
416 expr = expr->fn;
417 for (i = 0; i < ARRAY_SIZE(returns_pointer_to_user_data); i++) {
418 if (sym_name_is(returns_pointer_to_user_data[i], expr))
419 return true;
420 }
421 return false;
422 }
423
424 static int get_rl_from_function(struct expression *expr, struct range_list **rl)
425 {
426 int i;
427
428 if (expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL ||
429 !expr->fn->symbol_name || !expr->fn->symbol_name->name)
430 return 0;
431
432 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
433 if (strcmp(expr->fn->symbol_name->name, returns_user_data[i]) == 0) {
434 *rl = alloc_whole_rl(get_type(expr));
435 return 1;
436 }
437 }
438 return 0;
439 }
440
441 int points_to_user_data(struct expression *expr)
442 {
443 struct smatch_state *state;
444 struct range_list *rl;
445 char buf[256];
446 struct symbol *sym;
447 char *name;
448 int ret = 0;
449
450 expr = strip_expr(expr);
451 if (!expr)
452 return 0;
453 if (is_skb_data(expr))
454 return 1;
455 if (is_points_to_user_data_fn(expr))
456 return 1;
457 if (get_rl_from_function(expr, &rl))
458 return 1;
459
460 if (expr->type == EXPR_BINOP && expr->op == '+') {
461 if (points_to_user_data(expr->left))
462 return 1;
463 if (points_to_user_data(expr->right))
464 return 1;
465 return 0;
466 }
467
468 name = expr_to_var_sym(expr, &sym);
469 if (!name || !sym)
470 goto free;
471 snprintf(buf, sizeof(buf), "*%s", name);
472 state = __get_state(my_id, buf, sym);
473 if (state && estate_rl(state))
474 ret = 1;
475 free:
476 free_string(name);
477 return ret;
478 }
479
480 static void set_points_to_user_data(struct expression *expr)
481 {
482 char *name;
483 struct symbol *sym;
484 char buf[256];
485 struct symbol *type;
486
487 name = expr_to_var_sym(expr, &sym);
488 if (!name || !sym)
489 goto free;
490 snprintf(buf, sizeof(buf), "*%s", name);
491 type = get_type(expr);
492 if (type && type->type == SYM_PTR)
493 type = get_real_base_type(type);
494 if (!type || type->type != SYM_BASETYPE)
495 type = &llong_ctype;
496 set_state(my_id, buf, sym, alloc_estate_whole(type));
497 free:
498 free_string(name);
499 }
500
501 static int comes_from_skb_data(struct expression *expr)
502 {
503 expr = strip_expr(expr);
504 if (!expr || expr->type != EXPR_PREOP || expr->op != '*')
505 return 0;
506
507 expr = strip_expr(expr->unop);
508 if (!expr)
509 return 0;
510 if (expr->type == EXPR_BINOP && expr->op == '+')
511 expr = strip_expr(expr->left);
512
513 return is_skb_data(expr);
514 }
515
516 static int handle_struct_assignment(struct expression *expr)
517 {
518 struct expression *right;
519 struct symbol *left_type, *right_type;
520
521 left_type = get_type(expr->left);
522 if (!left_type || left_type->type != SYM_PTR)
523 return 0;
524 left_type = get_real_base_type(left_type);
525 if (!left_type)
526 return 0;
527 if (left_type->type != SYM_STRUCT &&
528 left_type->type != SYM_UNION)
529 return 0;
530
531 /*
532 * Ignore struct to struct assignments because for those we look at the
533 * individual members.
534 */
535 right = strip_expr(expr->right);
536 right_type = get_type(right);
537 if (!right_type || right_type->type != SYM_PTR)
538 return 0;
539
540 /* If we are assigning struct members then normally that is handled
541 * by fake assignments, however if we cast one struct to a different
542 * of struct then we handle that here.
543 */
544 right_type = get_real_base_type(right_type);
545 if (right_type == left_type)
546 return 0;
547
548 if (!points_to_user_data(right))
549 return 0;
550
551 tag_as_user_data(expr->left);
552 return 1;
553 }
554
555 static int handle_get_user(struct expression *expr)
556 {
557 char *name;
558 int ret = 0;
559
560 name = get_macro_name(expr->pos);
561 if (!name || strcmp(name, "get_user") != 0)
562 return 0;
563
564 name = expr_to_var(expr->right);
565 if (!name || (strcmp(name, "__val_gu") != 0 && strcmp(name, "__gu_val") != 0))
566 goto free;
567 set_state_expr(my_id, expr->left, alloc_estate_whole(get_type(expr->left)));
568 ret = 1;
569 free:
570 free_string(name);
571 return ret;
572 }
573
574 static bool handle_op_assign(struct expression *expr)
575 {
576 struct expression *binop_expr;
577 struct smatch_state *state;
578 struct range_list *rl;
579
580 switch (expr->op) {
581 case SPECIAL_ADD_ASSIGN:
582 case SPECIAL_SUB_ASSIGN:
583 case SPECIAL_AND_ASSIGN:
584 case SPECIAL_MOD_ASSIGN:
585 case SPECIAL_SHL_ASSIGN:
586 case SPECIAL_SHR_ASSIGN:
587 case SPECIAL_OR_ASSIGN:
588 case SPECIAL_XOR_ASSIGN:
589 case SPECIAL_MUL_ASSIGN:
590 case SPECIAL_DIV_ASSIGN:
591 binop_expr = binop_expression(expr->left,
592 op_remove_assign(expr->op),
593 expr->right);
594 if (!get_user_rl(binop_expr, &rl))
595 return true;
596
597 rl = cast_rl(get_type(expr->left), rl);
598 state = alloc_estate_rl(rl);
599 if (user_rl_capped(binop_expr))
600 estate_set_capped(state);
601 if (user_rl_treat_untagged(expr->left))
602 estate_set_treat_untagged(state);
603 set_state_expr(my_id, expr->left, state);
604 return true;
605 }
606 return false;
607 }
608
609 static void match_assign(struct expression *expr)
610 {
611 struct range_list *rl;
612 static struct expression *handled;
613 struct smatch_state *state;
614 struct expression *faked;
615
616 faked = get_faked_expression();
617 if (faked && faked == handled)
618 return;
619 if (is_fake_call(expr->right))
620 goto clear_old_state;
621 if (handle_get_user(expr))
622 return;
623 if (points_to_user_data(expr->right)) {
624 handled = expr;
625 set_points_to_user_data(expr->left);
626 }
627 if (handle_struct_assignment(expr))
628 return;
629
630 if (handle_op_assign(expr))
631 return;
632 if (expr->op != '=')
633 goto clear_old_state;
634
635 /* Handled by DB code */
636 if (expr->right->type == EXPR_CALL || __in_fake_parameter_assign)
637 return;
638
639 if (!get_user_rl(expr->right, &rl))
640 goto clear_old_state;
641
642 rl = cast_rl(get_type(expr->left), rl);
643 state = alloc_estate_rl(rl);
644
645 if (user_rl_capped(expr->right))
646 estate_set_capped(state);
647 if (user_rl_treat_untagged(expr->right))
648 estate_set_treat_untagged(state);
649 set_state_expr(my_id, expr->left, state);
650
651 return;
652
653 clear_old_state:
654 if (get_state_expr(my_id, expr->left))
655 set_state_expr(my_id, expr->left, alloc_estate_empty());
656 }
657
658 static void handle_eq_noteq(struct expression *expr)
659 {
660 struct smatch_state *left_orig, *right_orig;
661
662 left_orig = get_state_expr(my_id, expr->left);
663 right_orig = get_state_expr(my_id, expr->right);
664
665 if (!left_orig && !right_orig)
666 return;
667 if (left_orig && right_orig)
668 return;
669
670 if (left_orig) {
671 set_true_false_states_expr(my_id, expr->left,
672 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
673 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
674 } else {
675 set_true_false_states_expr(my_id, expr->right,
676 expr->op == SPECIAL_EQUAL ? alloc_estate_empty() : NULL,
677 expr->op == SPECIAL_EQUAL ? NULL : alloc_estate_empty());
678 }
679 }
680
681 static struct range_list *strip_negatives(struct range_list *rl)
682 {
683 sval_t min = rl_min(rl);
684 sval_t minus_one = { .type = rl_type(rl), .value = -1 };
685 sval_t over = { .type = rl_type(rl), .value = INT_MAX + 1ULL };
686 sval_t max = sval_type_max(rl_type(rl));
687
688 if (!rl)
689 return NULL;
690
691 if (type_unsigned(rl_type(rl)) && type_bits(rl_type(rl)) > 31)
692 return remove_range(rl, over, max);
693
694 return remove_range(rl, min, minus_one);
695 }
696
697 static void handle_compare(struct expression *expr)
698 {
699 struct expression *left, *right;
700 struct range_list *left_rl = NULL;
701 struct range_list *right_rl = NULL;
702 struct range_list *user_rl;
703 struct smatch_state *capped_state;
704 struct smatch_state *left_true = NULL;
705 struct smatch_state *left_false = NULL;
706 struct smatch_state *right_true = NULL;
707 struct smatch_state *right_false = NULL;
708 struct symbol *type;
709 sval_t sval;
710
711 left = strip_expr(expr->left);
712 right = strip_expr(expr->right);
713
714 while (left->type == EXPR_ASSIGNMENT)
715 left = strip_expr(left->left);
716
717 /*
718 * Conditions are mostly handled by smatch_extra.c, but there are some
719 * times where the exact values are not known so we can't do that.
720 *
721 * Normally, we might consider using smatch_capped.c to supliment smatch
722 * extra but that doesn't work when we merge unknown uncapped kernel
723 * data with unknown capped user data. The result is uncapped user
724 * data. We need to keep it separate and say that the user data is
725 * capped. In the past, I would have marked this as just regular
726 * kernel data (not user data) but we can't do that these days because
727 * we need to track user data for Spectre.
728 *
729 * The other situation which we have to handle is when we do have an
730 * int and we compare against an unknown unsigned kernel variable. In
731 * that situation we assume that the kernel data is less than INT_MAX.
732 * Otherwise then we get all sorts of array underflow false positives.
733 *
734 */
735
736 /* Handled in smatch_extra.c */
737 if (get_implied_value(left, &sval) ||
738 get_implied_value(right, &sval))
739 return;
740
741 get_user_rl(left, &left_rl);
742 get_user_rl(right, &right_rl);
743
744 /* nothing to do */
745 if (!left_rl && !right_rl)
746 return;
747 /* if both sides are user data that's not a good limit */
748 if (left_rl && right_rl)
749 return;
750
751 if (left_rl)
752 user_rl = left_rl;
753 else
754 user_rl = right_rl;
755
756 type = get_type(expr);
757 if (type_unsigned(type))
758 user_rl = strip_negatives(user_rl);
759 capped_state = alloc_estate_rl(user_rl);
760 estate_set_capped(capped_state);
761
762 switch (expr->op) {
763 case '<':
764 case SPECIAL_UNSIGNED_LT:
765 case SPECIAL_LTE:
766 case SPECIAL_UNSIGNED_LTE:
767 if (left_rl)
768 left_true = capped_state;
769 else
770 right_false = capped_state;
771 break;
772 case '>':
773 case SPECIAL_UNSIGNED_GT:
774 case SPECIAL_GTE:
775 case SPECIAL_UNSIGNED_GTE:
776 if (left_rl)
777 left_false = capped_state;
778 else
779 right_true = capped_state;
780 break;
781 }
782
783 set_true_false_states_expr(my_id, left, left_true, left_false);
784 set_true_false_states_expr(my_id, right, right_true, right_false);
785 }
786
787 static void match_condition(struct expression *expr)
788 {
789 if (expr->type != EXPR_COMPARE)
790 return;
791
792 if (expr->op == SPECIAL_EQUAL ||
793 expr->op == SPECIAL_NOTEQUAL) {
794 handle_eq_noteq(expr);
795 return;
796 }
797
798 handle_compare(expr);
799 }
800
801 static void match_user_assign_function(const char *fn, struct expression *expr, void *unused)
802 {
803 tag_as_user_data(expr->left);
804 set_points_to_user_data(expr->left);
805 }
806
807 static void match_returns_user_rl(const char *fn, struct expression *expr, void *unused)
808 {
809 func_gets_user_data = true;
810 }
811
812 static int get_user_macro_rl(struct expression *expr, struct range_list **rl)
813 {
814 struct expression *parent;
815 char *macro;
816
817 if (!expr)
818 return 0;
819
820 macro = get_macro_name(expr->pos);
821 if (!macro)
822 return 0;
823
824 /* handle ntohl(foo[i]) where "i" is trusted */
825 parent = expr_get_parent_expr(expr);
826 while (parent && parent->type != EXPR_BINOP)
827 parent = expr_get_parent_expr(parent);
828 if (parent && parent->type == EXPR_BINOP) {
829 char *parent_macro = get_macro_name(parent->pos);
830
831 if (parent_macro && strcmp(macro, parent_macro) == 0)
832 return 0;
833 }
834
835 if (strcmp(macro, "ntohl") == 0) {
836 *rl = alloc_whole_rl(&uint_ctype);
837 return 1;
838 }
839 if (strcmp(macro, "ntohs") == 0) {
840 *rl = alloc_whole_rl(&ushort_ctype);
841 return 1;
842 }
843 return 0;
844 }
845
846 static int has_user_data(struct symbol *sym)
847 {
848 struct sm_state *tmp;
849
850 FOR_EACH_MY_SM(my_id, __get_cur_stree(), tmp) {
851 if (tmp->sym == sym)
852 return 1;
853 } END_FOR_EACH_SM(tmp);
854 return 0;
855 }
856
857 static int we_pass_user_data(struct expression *call)
858 {
859 struct expression *arg;
860 struct symbol *sym;
861
862 FOR_EACH_PTR(call->args, arg) {
863 sym = expr_to_sym(arg);
864 if (!sym)
865 continue;
866 if (has_user_data(sym))
867 return 1;
868 } END_FOR_EACH_PTR(arg);
869
870 return 0;
871 }
872
873 static int db_returned_user_rl(struct expression *call, struct range_list **rl)
874 {
875 struct smatch_state *state;
876 char buf[48];
877
878 if (is_fake_call(call))
879 return 0;
880 snprintf(buf, sizeof(buf), "return %p", call);
881 state = get_state(my_id, buf, NULL);
882 if (!state || !estate_rl(state))
883 return 0;
884 *rl = estate_rl(state);
885 return 1;
886 }
887
888 struct stree *get_user_stree(void)
889 {
890 return get_all_states_stree(my_id);
891 }
892
893 static int user_data_flag;
894 static int no_user_data_flag;
895 struct range_list *var_user_rl(struct expression *expr)
896 {
897 struct smatch_state *state;
898 struct range_list *rl;
899 struct range_list *absolute_rl;
900
901 if (expr->type == EXPR_PREOP && expr->op == '&') {
902 no_user_data_flag = 1;
903 return NULL;
904 }
905
906 if (expr->type == EXPR_BINOP && expr->op == '%') {
907 struct range_list *left, *right;
908
909 if (!get_user_rl(expr->right, &right))
910 return NULL;
911 get_absolute_rl(expr->left, &left);
912 rl = rl_binop(left, '%', right);
913 goto found;
914 }
915
916 if (expr->type == EXPR_BINOP && expr->op == '/') {
917 struct range_list *left = NULL;
918 struct range_list *right = NULL;
919 struct range_list *abs_right;
920
921 /*
922 * The specific bug I'm dealing with is:
923 *
924 * foo = capped_user / unknown;
925 *
926 * Instead of just saying foo is now entirely user_rl we should
927 * probably say instead that it is not at all user data.
928 *
929 */
930
931 get_user_rl(expr->left, &left);
932 get_user_rl(expr->right, &right);
933 get_absolute_rl(expr->right, &abs_right);
934
935 if (left && !right) {
936 rl = rl_binop(left, '/', abs_right);
937 if (sval_cmp(rl_max(left), rl_max(rl)) < 0)
938 no_user_data_flag = 1;
939 }
940
941 return NULL;
942 }
943
944 if (get_rl_from_function(expr, &rl))
945 goto found;
946
947 if (get_user_macro_rl(expr, &rl))
948 goto found;
949
950 if (comes_from_skb_data(expr)) {
951 rl = alloc_whole_rl(get_type(expr));
952 goto found;
953 }
954
955 state = get_state_expr(my_id, expr);
956 if (state && estate_rl(state)) {
957 rl = estate_rl(state);
958 goto found;
959 }
960
961 if (expr->type == EXPR_CALL && db_returned_user_rl(expr, &rl))
962 goto found;
963
964 if (is_array(expr)) {
965 struct expression *array = get_array_base(expr);
966
967 if (!get_state_expr(my_id, array)) {
968 no_user_data_flag = 1;
969 return NULL;
970 }
971 }
972
973 if (expr->type == EXPR_PREOP && expr->op == '*' &&
974 is_user_rl(expr->unop)) {
975 rl = var_to_absolute_rl(expr);
976 goto found;
977 }
978
979 return NULL;
980 found:
981 user_data_flag = 1;
982 absolute_rl = var_to_absolute_rl(expr);
983 return clone_rl(rl_intersection(rl, absolute_rl));
984 }
985
986 static bool is_ptr_subtract(struct expression *expr)
987 {
988 expr = strip_expr(expr);
989 if (!expr)
990 return false;
991 if (expr->type == EXPR_BINOP && expr->op == '-' &&
992 type_is_ptr(get_type(expr->left))) {
993 return true;
994 }
995 return false;
996 }
997
998 int get_user_rl(struct expression *expr, struct range_list **rl)
999 {
1000 if (is_ptr_subtract(expr))
1001 return 0;
1002
1003 user_data_flag = 0;
1004 no_user_data_flag = 0;
1005 custom_get_absolute_rl(expr, &var_user_rl, rl);
1006 if (!user_data_flag || no_user_data_flag)
1007 *rl = NULL;
1008
1009 return !!*rl;
1010 }
1011
1012 int is_user_rl(struct expression *expr)
1013 {
1014 struct range_list *tmp;
1015
1016 return !!get_user_rl(expr, &tmp);
1017 }
1018
1019 int get_user_rl_var_sym(const char *name, struct symbol *sym, struct range_list **rl)
1020 {
1021 struct smatch_state *state;
1022
1023 state = get_state(my_id, name, sym);
1024 if (state && estate_rl(state)) {
1025 *rl = estate_rl(state);
1026 return 1;
1027 }
1028 return 0;
1029 }
1030
1031 static char *get_user_rl_str(struct expression *expr, struct symbol *type)
1032 {
1033 struct range_list *rl;
1034 static char buf[64];
1035
1036 if (!get_user_rl(expr, &rl))
1037 return NULL;
1038 rl = cast_rl(type, rl);
1039 snprintf(buf, sizeof(buf), "%s%s%s",
1040 show_rl(rl),
1041 user_rl_capped(expr) ? "[c]" : "",
1042 user_rl_treat_untagged(expr) ? "[u]" : "");
1043 return buf;
1044 }
1045
1046 static void match_call_info(struct expression *expr)
1047 {
1048 struct expression *arg;
1049 struct symbol *type;
1050 char *str;
1051 int i;
1052
1053 i = -1;
1054 FOR_EACH_PTR(expr->args, arg) {
1055 i++;
1056 type = get_arg_type(expr->fn, i);
1057 str = get_user_rl_str(arg, type);
1058 if (!str)
1059 continue;
1060
1061 sql_insert_caller_info(expr, USER_DATA, i, "$", str);
1062 } END_FOR_EACH_PTR(arg);
1063 }
1064
1065 static int is_struct_ptr(struct symbol *sym)
1066 {
1067 struct symbol *type;
1068
1069 if (!sym)
1070 return 0;
1071 type = get_real_base_type(sym);
1072 if (!type || type->type != SYM_PTR)
1073 return 0;
1074 type = get_real_base_type(type);
1075 if (!type || type->type != SYM_STRUCT)
1076 return 0;
1077 return 1;
1078 }
1079
1080 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
1081 {
1082 struct smatch_state *state;
1083 struct range_list *rl;
1084 struct symbol *type;
1085 char buf[64];
1086
1087 /*
1088 * Smatch uses a hack where if we get an unsigned long we say it's
1089 * both user data and it points to user data. But if we pass it to a
1090 * function which takes an int, then it's just user data. There's not
1091 * enough bytes for it to be a pointer.
1092 *
1093 */
1094 type = get_arg_type(call->fn, param);
1095 if (type && type_bits(type) < type_bits(&ptr_ctype))
1096 return;
1097
1098 if (strcmp(sm->state->name, "") == 0)
1099 return;
1100
1101 if (strcmp(printed_name, "*$") == 0 &&
1102 is_struct_ptr(sm->sym))
1103 return;
1104
1105 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
1106 if (!state || !estate_rl(state))
1107 rl = estate_rl(sm->state);
1108 else
1109 rl = rl_intersection(estate_rl(sm->state), estate_rl(state));
1110
1111 if (!rl)
1112 return;
1113
1114 snprintf(buf, sizeof(buf), "%s%s%s", show_rl(rl),
1115 estate_capped(sm->state) ? "[c]" : "",
1116 estate_treat_untagged(sm->state) ? "[u]" : "");
1117 sql_insert_caller_info(call, USER_DATA, param, printed_name, buf);
1118 }
1119
1120 static void db_param_set(struct expression *expr, int param, char *key, char *value)
1121 {
1122 struct expression *arg;
1123 char *name;
1124 struct symbol *sym;
1125 struct smatch_state *state;
1126
1127 while (expr->type == EXPR_ASSIGNMENT)
1128 expr = strip_expr(expr->right);
1129 if (expr->type != EXPR_CALL)
1130 return;
1131
1132 arg = get_argument_from_call_expr(expr->args, param);
1133 if (!arg)
1134 return;
1135 name = get_variable_from_key(arg, key, &sym);
1136 if (!name || !sym)
1137 goto free;
1138
1139 state = get_state(my_id, name, sym);
1140 if (!state)
1141 goto free;
1142
1143 set_state(my_id, name, sym, alloc_estate_empty());
1144 free:
1145 free_string(name);
1146 }
1147
1148 static bool param_data_capped(const char *value)
1149 {
1150 if (strstr(value, ",c") || strstr(value, "[c"))
1151 return true;
1152 return false;
1153 }
1154
1155 static bool param_data_treat_untagged(const char *value)
1156 {
1157 if (strstr(value, ",u") || strstr(value, "[u"))
1158 return true;
1159 return false;
1160 }
1161
1162 static void set_param_user_data(const char *name, struct symbol *sym, char *key, char *value)
1163 {
1164 struct range_list *rl = NULL;
1165 struct smatch_state *state;
1166 struct expression *expr;
1167 struct symbol *type;
1168 char fullname[256];
1169 char *key_orig = key;
1170 bool add_star = false;
1171
1172 if (strcmp(key, "**$") == 0) {
1173 snprintf(fullname, sizeof(fullname), "**%s", name);
1174 } else {
1175 if (key[0] == '*') {
1176 add_star = true;
1177 key++;
1178 }
1179
1180 snprintf(fullname, 256, "%s%s%s", add_star ? "*" : "", name, key + 1);
1181 }
1182
1183 expr = symbol_expression(sym);
1184 type = get_member_type_from_key(expr, key_orig);
1185
1186 /*
1187 * Say this function takes a struct ponter but the caller passes
1188 * this_function(skb->data). We have two options, we could pass *$
1189 * as user data or we could pass foo->bar, foo->baz as user data.
1190 * The second option is easier to implement so we do that.
1191 *
1192 */
1193 if (strcmp(key_orig, "*$") == 0) {
1194 struct symbol *tmp = type;
1195
1196 while (tmp && tmp->type == SYM_PTR)
1197 tmp = get_real_base_type(tmp);
1198
1199 if (tmp && (tmp->type == SYM_STRUCT || tmp->type == SYM_UNION)) {
1200 tag_as_user_data(symbol_expression(sym));
1201 return;
1202 }
1203 }
1204
1205 str_to_rl(type, value, &rl);
1206 state = alloc_estate_rl(rl);
1207 if (param_data_capped(value) || is_capped(expr))
1208 estate_set_capped(state);
1209 if (param_data_treat_untagged(value) || sym->ctype.as == 5)
1210 estate_set_treat_untagged(state);
1211 set_state(my_id, fullname, sym, state);
1212 }
1213
1214 static void set_called(const char *name, struct symbol *sym, char *key, char *value)
1215 {
1216 set_state(my_call_id, "this_function", NULL, &called);
1217 }
1218
1219 static void match_syscall_definition(struct symbol *sym)
1220 {
1221 struct symbol *arg;
1222 char *macro;
1223 char *name;
1224 int is_syscall = 0;
1225
1226 macro = get_macro_name(sym->pos);
1227 if (macro &&
1228 (strncmp("SYSCALL_DEFINE", macro, strlen("SYSCALL_DEFINE")) == 0 ||
1229 strncmp("COMPAT_SYSCALL_DEFINE", macro, strlen("COMPAT_SYSCALL_DEFINE")) == 0))
1230 is_syscall = 1;
1231
1232 name = get_function();
1233 if (!option_no_db && get_state(my_call_id, "this_function", NULL) != &called) {
1234 if (name && strncmp(name, "sys_", 4) == 0)
1235 is_syscall = 1;
1236 }
1237
1238 if (name && strncmp(name, "compat_sys_", 11) == 0)
1239 is_syscall = 1;
1240
1241 if (!is_syscall)
1242 return;
1243
1244 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
1245 set_state(my_id, arg->ident->name, arg, alloc_estate_whole(get_real_base_type(arg)));
1246 } END_FOR_EACH_PTR(arg);
1247 }
1248
1249 static void store_user_data_return(struct expression *expr, char *key, char *value)
1250 {
1251 struct range_list *rl;
1252 struct symbol *type;
1253 char buf[48];
1254
1255 if (strcmp(key, "$") != 0)
1256 return;
1257
1258 type = get_type(expr);
1259 snprintf(buf, sizeof(buf), "return %p", expr);
1260 call_results_to_rl(expr, type, value, &rl);
1261
1262 set_state(my_id, buf, NULL, alloc_estate_rl(rl));
1263 }
1264
1265 static void set_to_user_data(struct expression *expr, char *key, char *value)
1266 {
1267 struct smatch_state *state;
1268 char *name;
1269 struct symbol *sym;
1270 struct symbol *type;
1271 struct range_list *rl = NULL;
1272
1273 type = get_member_type_from_key(expr, key);
1274 name = get_variable_from_key(expr, key, &sym);
1275 if (!name || !sym)
1276 goto free;
1277
1278 call_results_to_rl(expr, type, value, &rl);
1279
1280 state = alloc_estate_rl(rl);
1281 if (param_data_capped(value))
1282 estate_set_capped(state);
1283 if (param_data_treat_untagged(value))
1284 estate_set_treat_untagged(state);
1285 set_state(my_id, name, sym, state);
1286 free:
1287 free_string(name);
1288 }
1289
1290 static void returns_param_user_data(struct expression *expr, int param, char *key, char *value)
1291 {
1292 struct expression *arg;
1293 struct expression *call;
1294
1295 call = expr;
1296 while (call->type == EXPR_ASSIGNMENT)
1297 call = strip_expr(call->right);
1298 if (call->type != EXPR_CALL)
1299 return;
1300
1301 if (!we_pass_user_data(call))
1302 return;
1303
1304 if (param == -1) {
1305 if (expr->type != EXPR_ASSIGNMENT) {
1306 store_user_data_return(expr, key, value);
1307 return;
1308 }
1309 set_to_user_data(expr->left, key, value);
1310 return;
1311 }
1312
1313 arg = get_argument_from_call_expr(call->args, param);
1314 if (!arg)
1315 return;
1316 set_to_user_data(arg, key, value);
1317 }
1318
1319 static void returns_param_user_data_set(struct expression *expr, int param, char *key, char *value)
1320 {
1321 struct expression *arg;
1322
1323 func_gets_user_data = true;
1324
1325 if (param == -1) {
1326 if (expr->type != EXPR_ASSIGNMENT) {
1327 store_user_data_return(expr, key, value);
1328 return;
1329 }
1330 if (strcmp(key, "*$") == 0) {
1331 set_points_to_user_data(expr->left);
1332 tag_as_user_data(expr->left);
1333 } else {
1334 set_to_user_data(expr->left, key, value);
1335 }
1336 return;
1337 }
1338
1339 while (expr->type == EXPR_ASSIGNMENT)
1340 expr = strip_expr(expr->right);
1341 if (expr->type != EXPR_CALL)
1342 return;
1343
1344 arg = get_argument_from_call_expr(expr->args, param);
1345 if (!arg)
1346 return;
1347 set_to_user_data(arg, key, value);
1348 }
1349
1350 static void param_set_to_user_data(int return_id, char *return_ranges, struct expression *expr)
1351 {
1352 struct sm_state *sm;
1353 struct smatch_state *start_state;
1354 struct range_list *rl;
1355 int param;
1356 char *return_str;
1357 const char *param_name;
1358 struct symbol *ret_sym;
1359 bool return_found = false;
1360 bool pointed_at_found = false;
1361 char buf[64];
1362
1363 expr = strip_expr(expr);
1364 return_str = expr_to_str(expr);
1365 ret_sym = expr_to_sym(expr);
1366
1367 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
1368 param = get_param_num_from_sym(sm->sym);
1369 if (param < 0)
1370 continue;
1371
1372 if (!param_was_set_var_sym(sm->name, sm->sym))
1373 continue;
1374
1375 /* The logic here was that if we were passed in a user data then
1376 * we don't record that. It's like the difference between
1377 * param_filter and param_set. When I think about it, I'm not
1378 * sure it actually works. It's probably harmless because we
1379 * checked earlier that we're not returning a parameter...
1380 * Let's mark this as a TODO.
1381 */
1382 start_state = get_state_stree(start_states, my_id, sm->name, sm->sym);
1383 if (start_state && rl_equiv(estate_rl(sm->state), estate_rl(start_state)))
1384 continue;
1385
1386 param_name = get_param_name(sm);
1387 if (!param_name)
1388 continue;
1389 if (strcmp(param_name, "$") == 0) /* The -1 param is handled after the loop */
1390 continue;
1391
1392 snprintf(buf, sizeof(buf), "%s%s%s",
1393 show_rl(estate_rl(sm->state)),
1394 estate_capped(sm->state) ? "[c]" : "",
1395 estate_treat_untagged(sm->state) ? "[u]" : "");
1396 sql_insert_return_states(return_id, return_ranges,
1397 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1398 param, param_name, buf);
1399 } END_FOR_EACH_SM(sm);
1400
1401 /* This if for "return foo;" where "foo->bar" is user data. */
1402 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
1403 if (!ret_sym)
1404 break;
1405 if (ret_sym != sm->sym)
1406 continue;
1407
1408 param_name = state_name_to_param_name(sm->name, return_str);
1409 if (!param_name)
1410 continue;
1411 if (strcmp(param_name, "$") == 0)
1412 return_found = true;
1413 if (strcmp(param_name, "*$") == 0)
1414 pointed_at_found = true;
1415 snprintf(buf, sizeof(buf), "%s%s%s",
1416 show_rl(estate_rl(sm->state)),
1417 estate_capped(sm->state) ? "[c]" : "",
1418 estate_treat_untagged(sm->state) ? "[u]" : "");
1419 sql_insert_return_states(return_id, return_ranges,
1420 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1421 -1, param_name, buf);
1422 } END_FOR_EACH_SM(sm);
1423
1424 /* This if for "return ntohl(foo);" */
1425 if (!return_found && get_user_rl(expr, &rl)) {
1426 snprintf(buf, sizeof(buf), "%s%s%s",
1427 show_rl(rl),
1428 user_rl_capped(expr) ? "[c]" : "",
1429 user_rl_treat_untagged(expr) ? "[u]" : "");
1430 sql_insert_return_states(return_id, return_ranges,
1431 func_gets_user_data ? USER_DATA_SET : USER_DATA,
1432 -1, "$", buf);
1433 }
1434
1435 /*
1436 * This is to handle things like return skb->data where we don't set a
1437 * state for that.
1438 */
1439 if (!pointed_at_found && points_to_user_data(expr)) {
1440 sql_insert_return_states(return_id, return_ranges,
1441 (is_skb_data(expr) || func_gets_user_data) ?
1442 USER_DATA_SET : USER_DATA,
1443 -1, "*$", "s64min-s64max");
1444 }
1445
1446 free_string(return_str);
1447 }
1448
1449 static void returns_param_capped(struct expression *expr, int param, char *key, char *value)
1450 {
1451 struct smatch_state *state, *new;
1452 struct symbol *sym;
1453 char *name;
1454
1455 name = return_state_to_var_sym(expr, param, key, &sym);
1456 if (!name || !sym)
1457 goto free;
1458
1459 state = get_state(my_id, name, sym);
1460 if (!state || estate_capped(state))
1461 goto free;
1462
1463 new = clone_estate(state);
1464 estate_set_capped(new);
1465
1466 set_state(my_id, name, sym, new);
1467 free:
1468 free_string(name);
1469 }
1470
1471 static struct int_stack *gets_data_stack;
1472 static void match_function_def(struct symbol *sym)
1473 {
1474 func_gets_user_data = false;
1475 }
1476
1477 static void match_inline_start(struct expression *expr)
1478 {
1479 push_int(&gets_data_stack, func_gets_user_data);
1480 }
1481
1482 static void match_inline_end(struct expression *expr)
1483 {
1484 func_gets_user_data = pop_int(&gets_data_stack);
1485 }
1486
1487 void register_kernel_user_data(int id)
1488 {
1489 int i;
1490
1491 my_id = id;
1492
1493 if (option_project != PROJ_KERNEL)
1494 return;
1495
1496 set_dynamic_states(my_id);
1497
1498 add_hook(&match_function_def, FUNC_DEF_HOOK);
1499 add_hook(&match_inline_start, INLINE_FN_START);
1500 add_hook(&match_inline_end, INLINE_FN_END);
1501
1502 add_hook(&save_start_states, AFTER_DEF_HOOK);
1503 add_hook(&free_start_states, AFTER_FUNC_HOOK);
1504 add_hook(&match_save_states, INLINE_FN_START);
1505 add_hook(&match_restore_states, INLINE_FN_END);
1506
1507 add_unmatched_state_hook(my_id, &empty_state);
1508 add_extra_nomod_hook(&extra_nomod_hook);
1509 add_pre_merge_hook(my_id, &pre_merge_hook);
1510 add_merge_hook(my_id, &merge_estates);
1511
1512 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
1513 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
1514 add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
1515 for (i = 0; i < ARRAY_SIZE(kstr_funcs); i++)
1516 add_function_hook(kstr_funcs[i], &match_user_copy, INT_PTR(2));
1517 add_function_hook("usb_control_msg", &match_user_copy, INT_PTR(6));
1518
1519 for (i = 0; i < ARRAY_SIZE(returns_user_data); i++) {
1520 add_function_assign_hook(returns_user_data[i], &match_user_assign_function, NULL);
1521 add_function_hook(returns_user_data[i], &match_returns_user_rl, NULL);
1522 }
1523
1524 add_function_hook("sscanf", &match_sscanf, NULL);
1525
1526 add_hook(&match_syscall_definition, AFTER_DEF_HOOK);
1527
1528 add_hook(&match_assign, ASSIGNMENT_HOOK);
1529 select_return_states_hook(PARAM_SET, &db_param_set);
1530 add_hook(&match_condition, CONDITION_HOOK);
1531
1532 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
1533 add_member_info_callback(my_id, struct_member_callback);
1534 select_caller_info_hook(set_param_user_data, USER_DATA);
1535 select_return_states_hook(USER_DATA, &returns_param_user_data);
1536 select_return_states_hook(USER_DATA_SET, &returns_param_user_data_set);
1537 select_return_states_hook(CAPPED_DATA, &returns_param_capped);
1538 add_split_return_callback(¶m_set_to_user_data);
1539 }
1540
1541 void register_kernel_user_data2(int id)
1542 {
1543 my_call_id = id;
1544
1545 if (option_project != PROJ_KERNEL)
1546 return;
1547 select_caller_info_hook(set_called, INTERNAL);
1548 }
1549
--- EOF ---