1 /*
2 * Copyright (C) 2018 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "smatch.h"
19 #include "smatch_extra.h"
20
21 static int my_id;
22
23 static int suppress_multiple = 1;
24
25 static int is_write(struct expression *expr)
26 {
27 return 0;
28 }
29
30 static int is_read(struct expression *expr)
31 {
32 struct expression *parent, *last_parent;
33 struct statement *stmt;
34
35 if (is_write(expr))
36 return 0;
37
38 last_parent = expr;
39 while ((parent = expr_get_parent_expr(expr))){
40
41 last_parent = parent;
42
43 /* If we pass a value as a parameter that's a read, probably? */
44 // if (parent->type == EXPR_CALL)
45 // return 1;
46
47 if (parent->type == EXPR_ASSIGNMENT) {
48 if (parent->right == expr)
49 return 1;
50 if (parent->left == expr)
51 return 0;
52 }
53 expr = parent;
54 }
55
56 stmt = expr_get_parent_stmt(last_parent);
57 if (stmt && stmt->type == STMT_RETURN)
58 return 1;
59
60 return 0;
61 }
62
63 static int is_harmless(struct expression *expr)
64 {
65 struct expression *tmp, *parent;
66 struct statement *stmt;
67 int count = 0;
68
69 parent = expr;
70 while ((tmp = expr_get_parent_expr(parent))) {
71 if (tmp->type == EXPR_ASSIGNMENT || tmp->type == EXPR_CALL)
72 return 0;
73 parent = tmp;
74 if (count++ > 4)
75 break;
76 }
77
78 stmt = expr_get_parent_stmt(parent);
79 if (!stmt)
80 return 0;
81 if (stmt->type == STMT_IF && stmt->if_conditional == parent)
82 return 1;
83 if (stmt->type == STMT_ITERATOR &&
84 (stmt->iterator_pre_condition == parent ||
85 stmt->iterator_post_condition == parent))
86 return 1;
87
88 return 0;
89 }
90
91 static unsigned long long get_max_by_type(struct expression *expr)
92 {
93 struct symbol *type;
94 int cnt = 0;
95 sval_t max;
96
97 max.type = &ullong_ctype;
98 max.uvalue = -1ULL;
99
100 while (true) {
101 expr = strip_parens(expr);
102 type = get_type(expr);
103 if (type && sval_type_max(type).uvalue < max.uvalue)
104 max = sval_type_max(type);
105 if (expr->type == EXPR_PREOP) {
106 expr = expr->unop;
107 } else if (expr->type == EXPR_BINOP) {
108 if (expr->op == '%' || expr->op == '&')
109 expr = expr->right;
110 else
111 return max.uvalue;
112 } else {
113 expr = get_assigned_expr(expr);
114 if (!expr)
115 return max.uvalue;
116 }
117 if (cnt++ > 5)
118 return max.uvalue;
119 }
120
121 return max.uvalue;
122 }
123
124 static unsigned long long get_mask(struct expression *expr)
125 {
126 struct expression *tmp;
127 sval_t mask;
128 int cnt = 0;
129
130 expr = strip_expr(expr);
131
132 tmp = get_assigned_expr(expr);
133 while (tmp) {
134 expr = tmp;
135 if (++cnt > 3)
136 break;
137 tmp = get_assigned_expr(expr);
138 }
139
140 if (expr->type == EXPR_BINOP && expr->op == '&') {
141 if (get_value(expr->right, &mask)) /* right is the common case */
142 return mask.uvalue;
143 if (get_value(expr->left, &mask))
144 return mask.uvalue;
145 }
146
147 return ULLONG_MAX;
148 }
149
150 static void array_check(struct expression *expr)
151 {
152 struct expression_list *conditions;
153 struct expression *array_expr, *offset;
154 unsigned long long mask;
155 int array_size;
156 char *name;
157
158 expr = strip_expr(expr);
159 if (!is_array(expr))
160 return;
161
162 if (is_impossible_path())
163 return;
164 if (is_harmless(expr))
165 return;
166
167 array_expr = get_array_base(expr);
168 if (suppress_multiple && is_ignored_expr(my_id, array_expr))
169 return;
170
171 offset = get_array_offset(expr);
172 if (!is_user_rl(offset))
173 return;
174 if (is_nospec(offset))
175 return;
176
177 array_size = get_array_size(array_expr);
178 if (array_size > 0 && get_max_by_type(offset) < array_size)
179 return;
180 // binfo = get_bit_info(offset);
181 // if (array_size > 0 && binfo && binfo->possible < array_size)
182 // return;
183
184 mask = get_mask(offset);
185 if (mask <= array_size)
186 return;
187
188 conditions = get_conditions(offset);
189
190 name = expr_to_str(array_expr);
191 sm_warning("potential spectre issue '%s' [%s]%s",
192 name,
193 is_read(expr) ? "r" : "w",
194 conditions ? " (local cap)" : "");
195 if (suppress_multiple)
196 add_ignore_expr(my_id, array_expr);
197 free_string(name);
198 }
199
200 void check_spectre(int id)
201 {
202 my_id = id;
203
204 suppress_multiple = getenv("FULL_SPECTRE") == NULL;
205
206 if (option_project != PROJ_KERNEL)
207 return;
208
209 add_hook(&array_check, OP_HOOK);
210 }