-
-Wsign-compare is garbage

The -Wsign-compare warning is bad. It is a waste of time and will only make your code worse and more buggy.
-
Debugfs functions are not supposed to be checked

Debugfs functions are not supposed to have error handling: callers are meant to ignore the return values of the debugfs_create_*() functions, so a checker that warns about the unchecked return is reporting a false positive.
-
Writing a double fget() warning

Recently we were looking at CVE-2023-1838, fixed in commit fb4554c2232e (“Fix double fget() in vhost_net_set_backend()”). It’s a form of double fetch bug, where you get data from the user, run all kinds of checks on it to verify that the data is good, and then get the data from the user again.…
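The shape of the bug, as an added illustration that is not the vhost_net code or the commit's fix: the fd table, sim_fget()/sim_fput() and the "racing thread" below are constructed stand-ins for the kernel's fget()/fput() and for a second thread calling dup2() or close() on the same descriptor in the middle of the ioctl. The vulnerable backend validates the file from its first lookup and then looks the fd up again; the fixed shape keeps the struct file it validated.

```c
/*
 * Added example: double fget() on a user-supplied fd, modelled in userspace.
 * Not the kernel's code; every name here is invented for the illustration.
 */
#include <stdio.h>

enum file_kind { KIND_NONE = 0, KIND_SOCKET, KIND_REGULAR };

struct sim_file {
    enum file_kind kind;
    int refcount;           /* what fget()/fput() bump in the real kernel */
};

#define FD_SLOTS 8

struct sim_fd_table {
    struct sim_file *slots[FD_SLOTS];
    struct sim_file *racing_replacement; /* swapped into the slot after the first lookup */
    int lookups;
};

/* Stand-in for fget(): resolve fd -> file and take a reference. After the
 * first lookup the racing thread (if any) repoints the fd; that is exactly
 * the window a second fget() on the same fd exposes. */
struct sim_file *sim_fget(struct sim_fd_table *t, int fd)
{
    if (fd < 0 || fd >= FD_SLOTS || !t->slots[fd])
        return NULL;
    struct sim_file *f = t->slots[fd];
    f->refcount++;
    t->lookups++;
    if (t->racing_replacement) {
        t->slots[fd] = t->racing_replacement;
        t->racing_replacement = NULL;
    }
    return f;
}

void sim_fput(struct sim_file *f)
{
    f->refcount--;
}

/* Vulnerable shape: the file from the first fget() is used only for the
 * check; the backend then does a second fget() on the same fd and trusts
 * that it still refers to the file it validated. */
enum file_kind backend_double_fget(struct sim_fd_table *t, int fd)
{
    struct sim_file *f = sim_fget(t, fd);
    if (!f)
        return KIND_NONE;
    int is_socket = (f->kind == KIND_SOCKET);
    sim_fput(f);
    if (!is_socket)
        return KIND_NONE;                     /* rejected by the check */

    struct sim_file *again = sim_fget(t, fd); /* second fetch of the same fd */
    if (!again)
        return KIND_NONE;
    enum file_kind used = again->kind;        /* what the backend actually consumes */
    sim_fput(again);
    return used;
}

/* Fixed shape: one fget(), validate that struct file, keep using it. */
enum file_kind backend_single_fget(struct sim_fd_table *t, int fd)
{
    struct sim_file *f = sim_fget(t, fd);
    if (!f)
        return KIND_NONE;
    enum file_kind used = (f->kind == KIND_SOCKET) ? f->kind : KIND_NONE;
    sim_fput(f);
    return used;
}

/* Constructed scenario: fd 3 is a socket, and a racing thread swaps a
 * regular file into slot 3 right after the first lookup. Returns the kind
 * of file that reached the backend, or -1 if a reference was leaked. */
int run_scenario(int use_double_fget)
{
    struct sim_file sock = { KIND_SOCKET, 0 };
    struct sim_file reg = { KIND_REGULAR, 0 };
    struct sim_fd_table t = { { 0 }, &reg, 0 };
    t.slots[3] = &sock;

    enum file_kind got = use_double_fget ? backend_double_fget(&t, 3)
                                         : backend_single_fget(&t, 3);
    if (sock.refcount != 0 || reg.refcount != 0)
        return -1;
    return (int)got;
}

int main(void)
{
    printf("double fget(): backend got kind %d (2 = regular file slipped past the socket check)\n",
           run_scenario(1));
    printf("single fget(): backend got kind %d (1 = the socket that was validated)\n",
           run_scenario(0));
    return 0;
}
```

The point a checker has to catch is the second sim_fget() on a value that was already fetched and validated; the refcount bookkeeping is balanced in both versions, so a leak detector would not flag this, only a double-fetch rule does.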
-
Debugging Smatch Checks

When you write your first Smatch check it is, unfortunately, unlikely that it will work on the first try. Here are some hints to figure out what is wrong. The first thing is to remember that Smatch works on pre-processed code. If you’re checking kernel code then you can view the pre-processed code using the…
-
Smatch hooks and modules

There are two kinds of Smatch files. smatch_*.c files are core files which provide functionality and check_*.c files are checks. The other files in the directory are Sparse files. The most interesting smatch_*.c file is smatch_flow.c, which describes how the code flows and how Smatch hooks are called. Search for __pass_to_client(expr, WHATEVER_HOOK); The smatch_function_hooks.c file…
-
The Param/Key API

These days the param/key API is the preferred way to write Smatch checks. In my First Smatch Check post I wrote about how to implement match_kfree() the old way, which hardcoded that the freed variable was argument 0. With the param/key API we would instead say the freed variable was param 0 and the…
-
The Cross Function DB

Smatch saves a variety of information in the cross function DB. For example, it saves that ‘(struct foo)->bar’ is in units of type byte or that it holds the values 32,48. But the most interesting data is in the caller_info and return_states tables, which hold information about how functions are called and what they return.…
-
Merging States

When you’re learning programming, they teach about branch statements like if(), but in Smatch how paths merge back together is much more interesting than branching. That’s where the history is saved, so a lot of internal magic happens here. Smatch states are saved in a group called a stree. The current states are called the cur…
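A toy model of what happens at a join point, added here as an illustration and not Smatch's implementation: Smatch's real stree is not a flat array and a check can register its own merge callback, whereas this model uses one fixed rule. All names below are invented for the example. Two paths arrive at the join with their own strees; identical states survive the merge, and any disagreement, including a variable tracked on only one side, collapses to a "merged" state that records that the histories differ.

```c
/*
 * Added example: merging per-path states where an if/else rejoins.
 * Not Smatch code; the struct stree and merge rule here are a simplification.
 */
#include <stdio.h>
#include <string.h>

enum state {
    ST_NONE = 0,    /* variable not tracked on this path */
    ST_FREED,
    ST_NOT_FREED,
    ST_MERGED       /* the two paths disagree */
};

#define MAX_VARS 8

/* One path's worth of (variable, state) pairs. */
struct stree {
    const char *names[MAX_VARS];
    enum state states[MAX_VARS];
    int n;
};

static int find_var(const struct stree *s, const char *name)
{
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->names[i], name) == 0)
            return i;
    return -1;
}

void set_state(struct stree *s, const char *name, enum state st)
{
    int i = find_var(s, name);
    if (i < 0) {
        if (s->n == MAX_VARS)
            return;                 /* toy capacity limit */
        i = s->n++;
        s->names[i] = name;
    }
    s->states[i] = st;
}

enum state get_state(const struct stree *s, const char *name)
{
    int i = find_var(s, name);
    return i < 0 ? ST_NONE : s->states[i];
}

/* Fixed merge rule: equal states survive, anything else becomes ST_MERGED. */
enum state merge_pair(enum state a, enum state b)
{
    return a == b ? a : ST_MERGED;
}

/* Merge the strees of two paths that rejoin. This is where the history is
 * kept: the result says "freed on one path, not on the other" instead of
 * forgetting one side. */
void merge_strees(const struct stree *a, const struct stree *b, struct stree *out)
{
    out->n = 0;
    for (int i = 0; i < a->n; i++)
        set_state(out, a->names[i], merge_pair(a->states[i], get_state(b, a->names[i])));
    for (int i = 0; i < b->n; i++)
        if (find_var(a, b->names[i]) < 0)
            set_state(out, b->names[i], merge_pair(ST_NONE, b->states[i]));
}

/* A dereference is a definite bug only when the pointer is ST_FREED on every
 * path; ST_MERGED means "freed on some path", which a check treats separately. */
int deref_is_definite_bug(const struct stree *s, const char *name)
{
    return get_state(s, name) == ST_FREED;
}

/* Constructed program:  p = q = kmalloc(..);  if (err) { kfree(p); tmp = p; }
 * else { }  use(p);   The if side frees p and introduces tmp; the else side
 * changes nothing, so at the join p and tmp are merged and q is unchanged. */
static void build_join(struct stree *joined)
{
    struct stree if_path = { { 0 }, { 0 }, 0 }, else_path = { { 0 }, { 0 }, 0 };
    set_state(&if_path, "p", ST_FREED);
    set_state(&if_path, "q", ST_NOT_FREED);
    set_state(&if_path, "tmp", ST_FREED);
    set_state(&else_path, "p", ST_NOT_FREED);
    set_state(&else_path, "q", ST_NOT_FREED);
    merge_strees(&if_path, &else_path, joined);
}

enum state state_at_join(const char *name)
{
    struct stree joined;
    build_join(&joined);
    return get_state(&joined, name);
}

int definite_bug_at_join(const char *name)
{
    struct stree joined;
    build_join(&joined);
    return deref_is_definite_bug(&joined, name);
}

int main(void)
{
    const char *names[] = { "p", "q", "tmp" };
    for (int i = 0; i < 3; i++)
        printf("%s at join: state %d, definite bug: %d\n", names[i],
               state_at_join(names[i]), definite_bug_at_join(names[i]));
    return 0;
}
```

The interesting design question, which Smatch answers per check, is what "merged" should mean for a given property: for a freed-pointer check it is safer to stay quiet on ST_MERGED than to warn on every path that might have freed the pointer.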
-
First Smatch Check

This is a small guide to writing a first Smatch check. Read about Smatch Data Types first. This blog will explain how to create a simple Smatch check for dereferencing freed variables. There is already a better but quite complicated Smatch check for dereferencing freed variables, so a simple check like this is not very useful…
-
Smatch Data Types

A good place to start learning how to program Smatch is to learn the data types. Some of the data types come from Sparse and some are from Smatch. Sparse types: struct symbol: A symbol is basically something which has a name. Functions have names, types have names, variables have names. struct statement: This is a C…