Add functions that access guest data, and teach smatch about the parameter that points to the user data. As there are multiple flavors, try to be exhaustive.
Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>
---
 check_user_data2.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/check_user_data2.c b/check_user_data2.c
index a556bb8..5d5606c 100644
--- a/check_user_data2.c
+++ b/check_user_data2.c
@@ -49,6 +49,15 @@ static const char *returns_user_data[] = {
 "kmap_atomic", "skb_network_header",
 };
+// in Xen, these functions are called "copy_from_guest"
+static const char * xen_from_guest_funcs[] = {
+"copy_from_guest", "__copy_from_guest", "copy_from_guest_offset",
+"copy_from_user_hvm", "__raw_copy_from_guest", "__copy_from_user",
+"__hvm_copy", "hvm_copy_from_guest_phys", "hvm_copy_from_guest_virt",
+"hvm_fetch_from_guest_virt", "hvm_copy_from_guest_virt_nofault",
+"hvm_fetch_from_guest_virt_nofault",
+};
+
 static void set_points_to_user_data(struct expression *expr);
 static struct stree *start_states;
@@ -1224,6 +1233,11 @@ void check_user_data2(int id)
 add_function_hook("copy_from_user", &match_user_copy, INT_PTR(0));
 add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));
 add_function_hook("memcpy_fromiovec", &match_user_copy, INT_PTR(0));
+
+ // in Xen, these functions are called "copy_from_guest"
+ for (i = 0; i < ARRAY_SIZE(xen_from_guest_funcs); i++)
+ add_function_hook(xen_from_guest_funcs[i], &match_user_copy, INT_PTR(0));
+
 for (i = 0; i < ARRAY_SIZE(kstr_funcs); i++)
 add_function_hook(kstr_funcs[i], &match_user_copy, INT_PTR(2));
 add_function_hook("usb_control_msg", &match_user_copy, INT_PTR(6));
--
2.7.4
Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
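Review bot: `"__copy_from_user"` in `xen_from_guest_funcs` is already hooked by the explicit `add_function_hook("__copy_from_user", &match_user_copy, INT_PTR(0));` visible in the second hunk's context, so `match_user_copy` ends up registered twice for that name; it should be dropped from the array. `"__hvm_copy"` carries no direction in its name, and if it also serves copies to the guest, tainting argument 0 on every call would mark hypervisor-owned source buffers as guest-controlled, so it is worth confirming and, if so, listing only the `_from_guest` wrappers. As a style point, the added entries start in column 0 and the declaration is spelled `const char * xen_from_guest_funcs[]`; `static const char *xen_from_guest_funcs[] = {` with indented entries would match `returns_user_data` above.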
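Review bot: The loop passes `INT_PTR(0)` for every name in `xen_from_guest_funcs`, so the taint lands on the right parameter only for helpers whose destination buffer is argument 0, and neither copy of the comment says so. I would replace the comment, which also no longer fits names such as `hvm_fetch_from_guest_virt`, with `/* Xen helpers that copy guest memory into the buffer passed as argument 0 */`. It is also worth confirming with a small test file that each name reaches smatch as a real call: if any of them is a function-like macro in the Xen headers, the hook presumably never fires for it and guest data copied through it stays untracked. The body of `check_user_data2` starts and ends outside the hunk.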