On Fri, Sep 16, 2022 at 06:31:45AM -0700, Kees Cook wrote:
> On Fri, Sep 16, 2022 at 11:23:25AM +0300, Dan Carpenter wrote:
> > [...]
> > net/ipv6/mcast.c:450 ip6_mc_source() saving 'size_add' to type 'int'
>
> Interesting! Are you able to report the consumer? e.g. I think a bunch
> of these would be fixed by:
>

Are you asking if I can add "passed to sock_kmalloc()" to the report?
It's possible but it's kind of a headache the way this code is written.

When you pass a function to another function in Smatch:

	frob(size_add());

Then Smatch creates a fake assignment: "frob(fake_assign = size_add());"
and parses that instead.  So this check only looks at the
"fake_assign = size_add();" assignment.

Attached.

regards,
dan carpenter

/*
 * Copyright (C) 2022 Oracle.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

#include "smatch.h"
#include "smatch_extra.h"
#include "smatch_slist.h"

static int my_id;

/*
 * Called for every assignment whose right-hand side is one of the hooked
 * size helpers, including the fake assignments Smatch creates when the
 * helper's result is passed directly as a function argument.
 */
static void check_size_t(const char *fn, struct expression *expr, void *unused)
{
	struct symbol *type;

	type = get_type(expr->left);
	/* Only long and unsigned long destinations are accepted silently. */
	if (types_equiv(type, &long_ctype) ||
	    types_equiv(type, &ulong_ctype))
		return;

	sm_msg("saving '%s' to type '%s'", fn, type_to_str(type));
}

void check_overflow_truncated(int id)
{
	my_id = id;

	/* These helpers only exist in the kernel tree. */
	if (option_project != PROJ_KERNEL)
		return;

	add_function_assign_hook("size_mul", &check_size_t, NULL);
	add_function_assign_hook("size_add", &check_size_t, NULL);
	add_function_assign_hook("size_sub", &check_size_t, NULL);
	add_function_assign_hook("__ab_c_size", &check_size_t, NULL);
	add_function_assign_hook("array_size", &check_size_t, NULL);
	add_function_assign_hook("array3_size", &check_size_t, NULL);
}
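
Added example, not part of the original mail, Smatch, or the kernel: a userspace C sketch of why the reported "saving 'size_add' to type 'int'" pattern matters. `demo_size_add()` is a stand-in for the kernel's saturating `size_add()`; `DEMO_LIMIT` and the `demo_*` consumers are hypothetical names, and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DEMO_LIMIT = 4096 };	/* hypothetical per-request byte limit */

/* Userspace stand-in for size_add(): saturate at SIZE_MAX on overflow. */
static size_t demo_size_add(size_t a, size_t b)
{
	size_t sum;

	if (__builtin_add_overflow(a, b, &sum))
		return SIZE_MAX;
	return sum;
}

/* Hypothetical consumer taking size_t: a saturated request is over the limit. */
static int demo_accepts_size_t(size_t len)
{
	return len <= DEMO_LIMIT;
}

/* Hypothetical consumer taking int with a signed bound check. */
static int demo_accepts_int(int len)
{
	return len <= DEMO_LIMIT;
}

/* The reported pattern: saving the helper's result to type 'int'. */
static int demo_total_as_int(size_t hdr, size_t payload)
{
	/* Out-of-range conversion is implementation-defined; GCC/Clang wrap. */
	int total = (int)demo_size_add(hdr, payload);

	return total;
}

int main(void)
{
	size_t hdr = SIZE_MAX - 8, payload = 64;	/* constructed overflowing input */
	size_t wide = demo_size_add(hdr, payload);
	int narrow = demo_total_as_int(hdr, payload);

	printf("size_t: %zu accepted=%d\n", wide, demo_accepts_size_t(wide));
	printf("int:    %d accepted=%d\n", narrow, demo_accepts_int(narrow));
	return 0;
}
```

Kept as `size_t`, the saturated `SIZE_MAX` is rejected by the limit check; once stored in an `int` it reads as -1 and passes the signed bound check.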