Re: [Cocci] [PATCH v4] coccinelle: misc: add array_size_dup script to detect missed overflow checks
On Tue, 23 Jun 2020, Denis Efremov wrote: > Detect an opencoded expression that is used before or after > array_size()/array3_size()/struct_size() to compute the same size. > > Signed-off-by: Denis Efremov Applied, thanks. julia > --- > Changes in v2: > - python rules moved next to SmPL patterns > - assignment operator used > - struct_size patterns fixed to check only E3, since >E1, E2 are sizeofs of a structure and a member >of a structure > Changes in v3: > - s/overlow/overflow/ typo fixed (thanks, Markus) > - \(\|\) changed to &\(E1\|E2\) > - print strings breaks removed > Changes in v4: > - duplicates warning removed > - python2 compatability in report& modes added > - s/down the code/later/ warning changed > - \(E1\|E2\|subE1\|subE2\) patterns simplified to \(subE1\|subE2\) > > scripts/coccinelle/misc/array_size_dup.cocci | 209 +++ > 1 file changed, 209 insertions(+) > create mode 100644 scripts/coccinelle/misc/array_size_dup.cocci > > diff --git a/scripts/coccinelle/misc/array_size_dup.cocci > b/scripts/coccinelle/misc/array_size_dup.cocci > new file mode 100644 > index ..d3d635b2d4fc > --- /dev/null > +++ b/scripts/coccinelle/misc/array_size_dup.cocci > @@ -0,0 +1,209 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/// > +/// Check for array_size(), array3_size(), struct_size() duplicates. > +/// Three types of patterns for these functions: > +/// 1. An opencoded expression is used before array_size() to compute the > same size > +/// 2. An opencoded expression is used after array_size() to compute the > same size > +/// From security point of view only first case is relevant. These functions > +/// perform arithmetic overflow check. Thus, if we use an opencoded > expression > +/// before a call to the *_size() function we can miss an overflow. > +/// > +// Confidence: High > +// Copyright: (C) 2020 Denis Efremov ISPRAS > +// Options: --no-includes --include-headers --no-loops > + > +virtual context > +virtual report > +virtual org > + > +@as@ > +expression E1, E2; > +@@ > + > +array_size(E1, E2) > + > +@as_next@ > +expression subE1 <= as.E1; > +expression subE2 <= as.E2; > +expression as.E1, as.E2, E3; > +assignment operator aop; > +position p1, p2; > +@@ > + > +* E1 * E2@p1 > + ... when != \(subE1\|subE2\) aop E3 > + when != &\(subE1\|subE2\) > +* array_size(E1, E2)@p2 > + > +@script:python depends on report@ > +p1 << as_next.p1; > +p2 << as_next.p2; > +@@ > + > +msg = "WARNING: array_size is used later (line %s) to compute the same size" > % (p2[0].line) > +coccilib.report.print_report(p1[0], msg) > + > +@script:python depends on org@ > +p1 << as_next.p1; > +p2 << as_next.p2; > +@@ > + > +msg = "WARNING: array_size is used later (line %s) to compute the same size" > % (p2[0].line) > +coccilib.org.print_todo(p1[0], msg) > + > +@as_prev@ > +expression subE1 <= as.E1; > +expression subE2 <= as.E2; > +expression as.E1, as.E2, E3; > +assignment operator aop; > +position p1, p2; > +@@ > + > +* array_size(E1, E2)@p1 > + ... when != \(subE1\|subE2\) aop E3 > + when != &\(subE1\|subE2\) > +* E1 * E2@p2 > + > +@script:python depends on report@ > +p1 << as_prev.p1; > +p2 << as_prev.p2; > +@@ > + > +msg = "WARNING: array_size is already used (line %s) to compute the same > size" % (p1[0].line) > +coccilib.report.print_report(p2[0], msg) > + > +@script:python depends on org@ > +p1 << as_prev.p1; > +p2 << as_prev.p2; > +@@ > + > +msg = "WARNING: array_size is already used (line %s) to compute the same > size" % (p1[0].line) > +coccilib.org.print_todo(p2[0], msg) > + > +@as3@ > +expression E1, E2, E3; > +@@ > + > +array3_size(E1, E2, E3) > + > +@as3_next@ > +expression subE1 <= as3.E1; > +expression subE2 <= as3.E2; > +expression subE3 <= as3.E3; > +expression as3.E1, as3.E2, as3.E3, E4; > +assignment operator aop; > +position p1, p2; > +@@ > + > +* E1 * E2 * E3@p1 > + ... when != \(subE1\|subE2\|subE3\) aop E4 > + when != &\(subE1\|subE2\|subE3\) > +* array3_size(E1, E2, E3)@p2 > + > +@script:python depends on report@ > +p1 << as3_next.p1; > +p2 << as3_next.p2; > +@@ > + > +msg = "WARNING: array3_size is used later (line %s) to compute the same > size" % (p2[0].line) > +coccilib.report.print_report(p1[0], msg) > + > +@script:python depends on org@ > +p1 << as3_next.p1; > +p2 << as3_next.p2; > +@@ > + > +msg = "WARNING: array3_size is used later (line %s) to compute the same > size" % (p2[0].line) > +coccilib.org.print_todo(p1[0], msg) > + > +@as3_prev@ > +expression subE1 <= as3.E1; > +expression subE2 <= as3.E2; > +expression subE3 <= as3.E3; > +expression as3.E1, as3.E2, as3.E3, E4; > +assignment operator aop; > +position p1, p2; > +@@ > + > +* array3_size(E1, E2, E3)@p1 > + ... when != \(subE1\|subE2\|subE3\) aop E4 > + when != &\(subE1\|subE2\|subE3\) > +* E1 * E2 * E3@p2 > + > +@script:python depends on report@ > +p1 << as3_prev.p1; > +p2 << as3_prev.p2; > +@@ > + > +msg = "WARNING: array3_size is already used
Re: [Cocci] [PATCH v4] coccinelle: misc: add array_size_dup script to detect missed overflow checks
I don't agree with any of these comments. julia On Tue, 23 Jun 2020, Markus Elfring wrote: > > Changes in v2: > … > > - assignment operator used > > I prefer the distinction for the application of corresponding metavariables. > > > > Changes in v3: > … > > - \(\|\) changed to &\(E1\|E2\) > > Would it be more helpful to mention the movement of the ampersand > before SmPL disjunctions? > > > … > >+/// Three types of patterns for these functions: > > Will another adjustment be needed according to your information “duplicates > warning removed”? > > > … > > +virtual context > > +virtual report > > +virtual org > > Can the following SmPL code variant ever become more attractive? > > +virtual context, report, org > > > … > > +expression subE1 <= as.E1; > > +expression subE2 <= as.E2; > > +expression as.E1, as.E2, E3; > > How do you think about the following SmPL code variant? > > +expression subE1 <= as.E1, > + subE2 <= as.E2, > + as.E1, as.E2, E3; > > > … > > +msg = "WARNING: array_size is used later (line %s) to compute the same > > size" % (p2[0].line) > > +coccilib.report.print_report(p1[0], msg) > > Please omit the extra Python variable “msg” for the passing of such simple > message objects. > > What does hinder you to take the proposed script variants better into account? > > Regards, > Markus >___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v4] coccinelle: misc: add array_size_dup script to detect missed overflow checks
Detect an opencoded expression that is used before or after array_size()/array3_size()/struct_size() to compute the same size. Signed-off-by: Denis Efremov --- Changes in v2: - python rules moved next to SmPL patterns - assignment operator used - struct_size patterns fixed to check only E3, since E1, E2 are sizeofs of a structure and a member of a structure Changes in v3: - s/overlow/overflow/ typo fixed (thanks, Markus) - \(\|\) changed to &\(E1\|E2\) - print strings breaks removed Changes in v4: - duplicates warning removed - python2 compatability in report& modes added - s/down the code/later/ warning changed - \(E1\|E2\|subE1\|subE2\) patterns simplified to \(subE1\|subE2\) scripts/coccinelle/misc/array_size_dup.cocci | 209 +++ 1 file changed, 209 insertions(+) create mode 100644 scripts/coccinelle/misc/array_size_dup.cocci diff --git a/scripts/coccinelle/misc/array_size_dup.cocci b/scripts/coccinelle/misc/array_size_dup.cocci new file mode 100644 index ..d3d635b2d4fc --- /dev/null +++ b/scripts/coccinelle/misc/array_size_dup.cocci @@ -0,0 +1,209 @@ +// SPDX-License-Identifier: GPL-2.0-only +/// +/// Check for array_size(), array3_size(), struct_size() duplicates. +/// Three types of patterns for these functions: +/// 1. An opencoded expression is used before array_size() to compute the same size +/// 2. An opencoded expression is used after array_size() to compute the same size +/// From security point of view only first case is relevant. These functions +/// perform arithmetic overflow check. Thus, if we use an opencoded expression +/// before a call to the *_size() function we can miss an overflow. +/// +// Confidence: High +// Copyright: (C) 2020 Denis Efremov ISPRAS +// Options: --no-includes --include-headers --no-loops + +virtual context +virtual report +virtual org + +@as@ +expression E1, E2; +@@ + +array_size(E1, E2) + +@as_next@ +expression subE1 <= as.E1; +expression subE2 <= as.E2; +expression as.E1, as.E2, E3; +assignment operator aop; +position p1, p2; +@@ + +* E1 * E2@p1 + ... when != \(subE1\|subE2\) aop E3 + when != &\(subE1\|subE2\) +* array_size(E1, E2)@p2 + +@script:python depends on report@ +p1 << as_next.p1; +p2 << as_next.p2; +@@ + +msg = "WARNING: array_size is used later (line %s) to compute the same size" % (p2[0].line) +coccilib.report.print_report(p1[0], msg) + +@script:python depends on org@ +p1 << as_next.p1; +p2 << as_next.p2; +@@ + +msg = "WARNING: array_size is used later (line %s) to compute the same size" % (p2[0].line) +coccilib.org.print_todo(p1[0], msg) + +@as_prev@ +expression subE1 <= as.E1; +expression subE2 <= as.E2; +expression as.E1, as.E2, E3; +assignment operator aop; +position p1, p2; +@@ + +* array_size(E1, E2)@p1 + ... when != \(subE1\|subE2\) aop E3 + when != &\(subE1\|subE2\) +* E1 * E2@p2 + +@script:python depends on report@ +p1 << as_prev.p1; +p2 << as_prev.p2; +@@ + +msg = "WARNING: array_size is already used (line %s) to compute the same size" % (p1[0].line) +coccilib.report.print_report(p2[0], msg) + +@script:python depends on org@ +p1 << as_prev.p1; +p2 << as_prev.p2; +@@ + +msg = "WARNING: array_size is already used (line %s) to compute the same size" % (p1[0].line) +coccilib.org.print_todo(p2[0], msg) + +@as3@ +expression E1, E2, E3; +@@ + +array3_size(E1, E2, E3) + +@as3_next@ +expression subE1 <= as3.E1; +expression subE2 <= as3.E2; +expression subE3 <= as3.E3; +expression as3.E1, as3.E2, as3.E3, E4; +assignment operator aop; +position p1, p2; +@@ + +* E1 * E2 * E3@p1 + ... when != \(subE1\|subE2\|subE3\) aop E4 + when != &\(subE1\|subE2\|subE3\) +* array3_size(E1, E2, E3)@p2 + +@script:python depends on report@ +p1 << as3_next.p1; +p2 << as3_next.p2; +@@ + +msg = "WARNING: array3_size is used later (line %s) to compute the same size" % (p2[0].line) +coccilib.report.print_report(p1[0], msg) + +@script:python depends on org@ +p1 << as3_next.p1; +p2 << as3_next.p2; +@@ + +msg = "WARNING: array3_size is used later (line %s) to compute the same size" % (p2[0].line) +coccilib.org.print_todo(p1[0], msg) + +@as3_prev@ +expression subE1 <= as3.E1; +expression subE2 <= as3.E2; +expression subE3 <= as3.E3; +expression as3.E1, as3.E2, as3.E3, E4; +assignment operator aop; +position p1, p2; +@@ + +* array3_size(E1, E2, E3)@p1 + ... when != \(subE1\|subE2\|subE3\) aop E4 + when != &\(subE1\|subE2\|subE3\) +* E1 * E2 * E3@p2 + +@script:python depends on report@ +p1 << as3_prev.p1; +p2 << as3_prev.p2; +@@ + +msg = "WARNING: array3_size is already used (line %s) to compute the same size" % (p1[0].line) +coccilib.report.print_report(p2[0], msg) + +@script:python depends on org@ +p1 << as3_prev.p1; +p2 << as3_prev.p2; +@@ + +msg = "WARNING: array3_size is already used (line %s) to compute the same size" % (p1[0].line) +coccilib.org.print_todo(p2[0], msg) + +@ss@ +expression E1, E2, E3; +@@ + +struct_size(E1, E2, E3) + +@ss_next@ +expression subE3 <= ss.E3; +expression