Hi Dan,
On 04/10/2018 05:19 AM, Dan Carpenter wrote:
> On Mon, Apr 09, 2018 at 11:25:48AM -0500, Gustavo A. R. Silva wrote:
> > Hi all,
> >
> > I wonder if smatch can be used to trace back a particular variable in order
> > to determine if such variable is directly or indirectly controlled from any
> > syscall?
>
> Of course, you *could* build something like that...
>
> There is the get_implied_rl() function. You give it a variable and it
> tells you if the variable can be controlled by the user. So it could
> be from a syscall, kstrtol() or from skb->data etc.
>
> So say you have something like:
>
> 	u8 foo = *(char *)skb->data;
>
> 	if (foo > 8)
> 		return;
>
> Then get_implied_rl() will say foo is 0-8 range.
>
> In theory there is enough information in the database so you could trace
> function parameters to find out where they come from, but no one has
> tested that so it probably doesn't work.
>
> What are you working on? Perhaps there is a different way to get the
> information you want.

I'm analyzing code patterns that could be potentially vulnerable to
variant 1 of Spectre.
So I want to determine if the variable x in the sample below can somehow
be controlled by the user:
	if (x < array1_size) {
		v = array2[array1[x] * 256];
	}

Thanks
--
Gustavo
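An added C illustration of the mitigation side of the pattern Gustavo quotes; it is not code from the thread or from smatch. The mask is the generic C form of the Linux kernel's array_index_mask_nospec() as I remember it (treat the exact expression as an assumption), and ARRAY1_SIZE, array1, array2 and lookup_nospec() are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16UL   /* constructed: size of the bounds-checked array */

/* Generic C form of the kernel's array_index_mask_nospec(): returns ~0UL when
 * index < size and 0 otherwise, using arithmetic only (no branch), so the
 * result holds even on a mis-speculated path where the CPU assumed the bounds
 * check passed. Relies on the arithmetic right shift of a negative long that
 * gcc and clang provide. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* Stop the compiler from proving the mask redundant and dropping it. */
    __asm__ __volatile__("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Clamp index to 0 unless it is in [0, size). */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

static uint8_t array1[ARRAY1_SIZE];   /* constructed sample data */
static uint8_t array2[256 * 256];

/* The pattern from the thread with the user-controlled index clamped after
 * the bounds check, so an out-of-range x is never used as an offset, not
 * even transiently. */
uint8_t lookup_nospec(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x = array_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 256];
    }
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < ARRAY1_SIZE; i++)
        array1[i] = (uint8_t)i;
    printf("mask(3,16)=%lx mask(16,16)=%lx clamped(17)=%lu\n",
           array_index_mask_nospec(3, ARRAY1_SIZE),
           array_index_mask_nospec(16, ARRAY1_SIZE),
           array_index_nospec(17, ARRAY1_SIZE));
    return 0;
}
```

The point for the analysis in this thread is that the check `x < array1_size` alone is not what makes the access safe; a user-controlled x still needs the clamp (or an equivalent barrier) between the check and the use.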