Hi!

I've started trying to learn coccinelle, but I keep running into stuff I'm
not sure how to accomplish. I'm hoping someone might be able to direct me
towards a sane way to do what I'm trying currently.

I'd like to find all the occurrences of copy_from_user() where the target
is a pointer, but the length is not strictly a sizeof() for the pointer's
type.

For example, I'd want to find these:

    copy_from_user(&thing, buf, 1024);
    copy_from_user(thingptr, buf, 1024);

but not these:

    copy_from_user(&thing, buf, sizeof(thing));
    copy_from_user(thingptr, buf, sizeof(*thingptr));

My first glitch was being unsure how to handle both "sizeof(N)" and "sizeof
N". What I did feels sloppy. :)

Secondly, I'm not sure how to express types in a more dynamic fashion.
Presently this will skip "&e, ..., sizeof(e)" but not "ptr, ...,
sizeof(*ptr)". What is the best way to approach this without just repeating
another chunk and using "p, ..., \(sizeof(*p)\|sizeof *p\)" ?

Thanks!

-Kees
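
// Rule 1: record the position of every copy_from_user() call.
@cfu exists@
position p1;
@@
copy_from_user@p1(...)

// Rule 2: match the calls whose length is sizeof the addressed object.
@cfuso depends on cfu@
identifier e;
position cfu.p1;
@@
copy_from_user@p1(&e, ..., \(sizeof(e)\|sizeof e\))

// Report when rule 1 matched and rule 2 did not.
@script:python depends on (cfu && !cfuso) @
p1 << cfu.p1;
@@
print("* file: %s copy_from_user to pointer without sizeof %s" % (p1[0].file, p1[0].line))
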
--
Kees Cook
Ubuntu Security Team
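
One way to cover both the "&e, ..., sizeof(e)" and "ptr, ..., sizeof(*ptr)" forms from the message above in a single rule, as an added example that is not part of the original post or of the Coccinelle project: a disjunction collects every accepted form, and a negative position constraint reports whatever is left. The rule names "sized" and "unsized", the two sizeof(T) branches and the report text are assumptions of this example.

```cocci
// Added example; rule names "sized" and "unsized" are hypothetical.
// Rule 1: calls whose length is sizeof the destination object or its type.
@sized@
position p;
expression e, src;
type T;
T obj;
T *ptr;
@@
(
copy_from_user@p(&e, src, \(sizeof(e)\|sizeof e\))
|
copy_from_user@p(e, src, \(sizeof(*e)\|sizeof *e\))
|
copy_from_user@p(&obj, src, sizeof(T))
|
copy_from_user@p(ptr, src, sizeof(T))
)

// Rule 2: every other call; the position constraint excludes rule 1's matches.
@unsized@
position p != sized.p;
expression dst, src, len;
@@
copy_from_user@p(dst, src, len)

// Report each call that rule 2 kept.
@script:python@
p << unsized.p;
@@
print("* file: %s copy_from_user length is not sizeof the target, line %s" % (p[0].file, p[0].line))
```

The two sizeof(T) branches only match where Coccinelle can determine the type of the destination expression, so calls whose declarations it cannot see are reported by rule 2.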