Re: tracing back a variable — Semantic Matching Tool

Hi Dan,

On 04/10/2018 05:19 AM, Dan Carpenter wrote:
> On Mon, Apr 09, 2018 at 11:25:48AM -0500, Gustavo A. R. Silva wrote:
>> Hi all,
>>
>> I wonder if smatch can be used to trace back a particular variable in order
>> to determine if such variable is directly or indirectly controlled from any
>> syscall?
>
> Of course, you *could* build something like that...
>
> There is the get_implied_rl() function.  You give it a variable and it
> tells you if the variable can be controlled by the user.  So it could
> be from a syscall, kstrtol() or from skb->data etc.
>
> So say you have something like:
>
> 	u8 foo = *(char *)skb->data;
>
> 	if (foo > 8)
> 		return;
>
> Then get_implied_rl() will say foo is 0-8 range.
>
> In theory there is enough information in the database so you could trace
> function parameters to find out where they come from, but no one has
> tested that so it probably doesn't work.
>
> What are you working on?  Perhaps there is a different way to get the
> information you want.


I'm analyzing code patterns that could be potentially vulnerable to variant 1 of Spectre.

So I want to determine if the variable x in the sample below can somehow be controlled by the user:

	if (x < array1_size) {
		v = array2[array1[x] * 256];
	}

Thanks
--
Gustavo
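As an added example (not code from this thread or from smatch): the Spectre v1 pattern Gustavo quotes, with constructed array1/array2 tables, beside a hardened form that masks the index using a branchless bounds mask modelled on the kernel's generic array_index_mask_nospec(). The table sizes and contents are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * 8)
#define ARRAY1_SIZE 8
/* Constructed tables standing in for the thread's array1/array2;
 * array2[i] == i / 256 once init_tables() has run. */
static const uint8_t array1[ARRAY1_SIZE] = { 0, 1, 2, 3, 3, 2, 1, 0 };
static uint8_t array2[4 * 256];

static void init_tables(void)
{
	static int done;
	for (size_t i = 0; !done && i < sizeof(array2); i++)
		array2[i] = (uint8_t)(i / 256);
	done = 1;
}

/* Branchless bounds mask in the style of the kernel's generic
 * array_index_mask_nospec(): ~0UL when index < size, 0 otherwise.
 * Relies on gcc/clang making >> on a negative long an arithmetic shift. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* The thread's pattern as written: the branch is the only guard, so a
 * mispredicted branch can speculatively read array1[x] out of bounds. */
static int lookup_unhardened(unsigned long x)
{
	init_tables();
	return x < ARRAY1_SIZE ? array2[array1[x] * 256] : -1;
}

/* Hardened form: x is forced to 0 when out of bounds, so even a speculative
 * execution of the body only ever touches array1[0]. */
static int lookup_hardened(unsigned long x)
{
	init_tables();
	if (x >= ARRAY1_SIZE)
		return -1;
	x &= array_index_mask_nospec(x, ARRAY1_SIZE);
	return array2[array1[x] * 256];
}

int main(void)
{
	printf("unhardened(2)=%d hardened(3)=%d hardened(100)=%d\n",
	       lookup_unhardened(2), lookup_hardened(3), lookup_hardened(100));
	return 0;
}
```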
