The ARM64 ABI allows tagged memory addresses to be passed through the user-kernel syscall ABI boundary. Tagged memory addresses are those which contain a non-zero top byte - the hardware will always ignore this top byte, however software does not. This series provides Smatch detection for code that erroneously compares tagged memory addresses with untagged memory addresses.

The current approach will produce a Smatch warning when it detects a comparison being made between user-originated 64-bit data, where the top byte may be non-zero, and any variable which may contain an 'untagged address'. 'Untagged addresses' are detected by looking for hard-coded known struct members (such as vm_start, vm_end and addr_limit) and hard-coded known macros (such as PAGE_SIZE, PAGE_MASK and TASK_SIZE). This check is also able to detect comparisons against variables that have been assigned from these known untagged variables, though this tracking is limited to the scope of the function.

The warnings produced indicate the point of comparison, yet it is more helpful to walk up the call tree to find where the data originated. This series also updates the smdb.py script to assist with this.

To avoid false warnings, we also introduce the concept of a __untagged (address space) annotation - when this is applied to a function argument we tell Smatch not to treat it as a tagged user-originated address. We don't use this annotation to suppress warnings; however, the smdb.py script will filter out call trees where none of the parents contain tagged user-originated addresses.

There are limitations with this approach; however, I'm keen to understand if there are solutions for them. I'll reply to the individual patches with my thoughts.
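As an added illustration (not part of this cover letter or of the Smatch series), the following C program shows the comparison pattern the checker flags: a user-supplied 64-bit value with a non-zero top byte compared directly against untagged bounds such as TASK_SIZE or a VMA's vm_start/vm_end. The naive functions show the bug; the untagged variants strip the top byte first, which is the fix the warning points at. DEMO_TASK_SIZE, DEMO_PAGE_SIZE and the demo_vma struct are constructed assumptions for the demo (a 48-bit user VA space), and demo_untag() is a demo helper that only clears bits 63:56, not the kernel's untagged_addr() macro.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed constants for the demo (assumption: a 48-bit user VA space,
 * not values taken from the kernel or the patch series). */
#define DEMO_TASK_SIZE  (1ULL << 48)
#define DEMO_PAGE_SIZE  4096ULL

/* Minimal stand-in for the vm_start / vm_end members the checker treats as
 * known untagged addresses. */
struct demo_vma {
    uint64_t vm_start;
    uint64_t vm_end;
};

/* Return the tag byte (bits 63:56) of an address. */
static inline uint64_t demo_addr_tag(uint64_t addr)
{
    return addr >> 56;
}

/* Demo helper: clear the top byte so the value compares like the address the
 * hardware actually uses. For user-space addresses this is the effect of
 * untagging; it is NOT the kernel's untagged_addr() implementation. */
static inline uint64_t demo_untag(uint64_t addr)
{
    return addr & ((1ULL << 56) - 1);
}

/* BUGGY PATTERN: user data compared straight against TASK_SIZE. A tagged
 * address is numerically enormous, so a valid range is rejected. */
static bool naive_user_range_ok(uint64_t addr, uint64_t len)
{
    uint64_t end = addr + len;
    return end >= addr && end <= DEMO_TASK_SIZE;
}

/* FIXED PATTERN: untag before comparing against an untagged bound. */
static bool untagged_user_range_ok(uint64_t addr, uint64_t len)
{
    uint64_t a = demo_untag(addr);
    uint64_t end = a + len;
    return end >= a && end <= DEMO_TASK_SIZE;
}

/* BUGGY PATTERN: user data compared against vm_start / vm_end. */
static bool naive_addr_in_vma(const struct demo_vma *vma, uint64_t addr)
{
    return addr >= vma->vm_start && addr < vma->vm_end;
}

/* FIXED PATTERN: the same check on the untagged address. */
static bool untagged_addr_in_vma(const struct demo_vma *vma, uint64_t addr)
{
    uint64_t a = demo_untag(addr);
    return a >= vma->vm_start && a < vma->vm_end;
}

int main(void)
{
    /* Constructed sample: page-aligned user address 0x1000 carrying tag 0x3f. */
    uint64_t tagged = 0x3f00000000001000ULL;
    struct demo_vma vma = { .vm_start = 0x1000, .vm_end = 0x1000 + 2 * DEMO_PAGE_SIZE };

    printf("tag=0x%02llx untagged=0x%llx\n",
           (unsigned long long)demo_addr_tag(tagged),
           (unsigned long long)demo_untag(tagged));
    printf("range: naive=%d untagged=%d\n",
           naive_user_range_ok(tagged, 16), untagged_user_range_ok(tagged, 16));
    printf("vma:   naive=%d untagged=%d\n",
           naive_addr_in_vma(&vma, tagged), untagged_addr_in_vma(&vma, tagged));
    return 0;
}
```

Run on any 64-bit host (nothing is dereferenced, so it does not need arm64): both naive checks reject the tagged address that the untagged checks accept, which is exactly the divergence between hardware and software behaviour that makes these comparisons worth flagging.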
Andrew Murray (7):
  build: Add '-lm' build flag
  smdb.py: remove undocumented test command
  arm64: add check for comparison against tagged address
  smdb.py: add find_tagged and parse_warns_tagged commands
  kernel_user_data: track parameter __untagged annotations
  smdb.py: filter out __untagged from find_tagged results
  Documentation: add guide for tagged addresses

 .../arm64-detecting-tagged-addresses.txt | 207 ++++++++++++++
 Makefile                                 |   2 +-
 check_arm64_tagged.c                     | 255 ++++++++++++++++++
 check_list.h                             |   2 +
 smatch_data/db/smdb.py                   | 115 +++++++-
 smatch_estate.c                          |  22 ++
 smatch_extra.h                           |   3 +
 smatch_kernel_user_data.c                |  71 ++++-
 8 files changed, 662 insertions(+), 15 deletions(-)
 create mode 100644 Documentation/arm64-detecting-tagged-addresses.txt
 create mode 100644 check_arm64_tagged.c

-- 
2.21.0