Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] DDG ERROR when parse vma->vm_file->private_data #5051

Open
hac425xxx opened this issue Nov 3, 2024 · 3 comments
Open

[Bug] DDG ERROR when parse vma->vm_file->private_data #5051

hac425xxx opened this issue Nov 3, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@hac425xxx
Copy link

code

https://github.com/torvalds/linux/blob/master/drivers/hwtracing/intel_th/msu.c#L1585

static void msc_mmap_open(struct vm_area_struct *vma)
{
	struct msc_iter *iter = vma->vm_file->private_data;
	struct msc *msc = iter->msc;

	atomic_inc(&msc->mmap_count);
}

the ddg
image

the dataflow from vma->vm_file to vma->vm_file->private_data is missed.

example sc

var src = m.parameter
var sink = cpg.call.argument
sink.reachableByFlows(src).p

result

  """
┌─────────────────┬─────────────────────────────────────────┬────┬─────────────┬─────┐
│nodeType         │tracked                                  │line│method       │file │
├─────────────────┼─────────────────────────────────────────┼────┼─────────────┼─────┤
│MethodParameterIn│msc_mmap_open(struct vm_area_struct *vma)│1583│msc_mmap_open│msu.c│
│Call             │*iter = vma->vm_file->private_data       │1585│msc_mmap_open│msu.c│
└─────────────────┴─────────────────────────────────────────┴────┴─────────────┴─────┘""",
  """
┌─────────────────┬─────────────────────────────────────────┬────┬─────────────┬─────┐
│nodeType         │tracked                                  │line│method       │file │
├─────────────────┼─────────────────────────────────────────┼────┼─────────────┼─────┤
│MethodParameterIn│msc_mmap_open(struct vm_area_struct *vma)│1583│msc_mmap_open│msu.c│
│Identifier       │*iter = vma->vm_file->private_data       │1585│msc_mmap_open│msu.c│
└─────────────────┴─────────────────────────────────────────┴────┴─────────────┴─────┘"""
@hac425xxx hac425xxx added the bug Something isn't working label Nov 3, 2024
@hac425xxx hac425xxx changed the title [Bug] DDG ERROR when parse [Bug] DDG ERROR when parse vma->vm_file->private_data Nov 3, 2024
@hac425xxx
Copy link
Author

path from vma->vm_file->private_data is work

var m = cpg.method.name("msc_mmap_open").next()
var src = cpg.call.filter(_.method.name == "msc_mmap_open").filter(_.name == "<operator>.indirectFieldAccess").code(".*vma.*")
var sink = cpg.call.filter(_.method.name == "msc_mmap_open").filter(_.name == "atomic_inc")
sink.reachableByFlows(src).p

result

  """
┌──────────┬──────────────────────────────────┬────┬─────────────┬─────┐
│nodeType  │tracked                           │line│method       │file │
├──────────┼──────────────────────────────────┼────┼─────────────┼─────┤
│Call      │*iter = vma->vm_file->private_data│1585│msc_mmap_open│msu.c│
│Identifier│*iter = vma->vm_file->private_data│1585│msc_mmap_open│msu.c│
│Call      │*msc = iter->msc                  │1586│msc_mmap_open│msu.c│
│Identifier│*msc = iter->msc                  │1586│msc_mmap_open│msu.c│
│Call      │atomic_inc(&msc->mmap_count)      │1588│msc_mmap_open│msu.c│
│Call      │atomic_inc(&msc->mmap_count)      │1588│msc_mmap_open│msu.c│
└──────────┴──────────────────────────────────┴────┴─────────────┴─────┘"""

@hac425xxx
Copy link
Author

it seems is the bug when process indirectFieldAccess, I try to make it generate to call custom_xxxx

      case IASTBinaryExpression.op_pmdot            => "custom_xxxx"
      case IASTBinaryExpression.op_pmarrow          => "custom_xxxx"

the dataflow seems fine.

  """_________________________________________________________________________________________
| nodeType          | tracked                        | lineNumber| method        | file  |
|========================================================================================|
| MethodParameterIn | msc_mmap_open(struct vm_are... | 1583      | msc_mmap_open | msu.c |
| Identifier        | vma->vm_file                   | 1585      | msc_mmap_open | msu.c |
| Call              | vma->vm_file                   | 1585      | msc_mmap_open | msu.c |
| Call              | vma->vm_file->private_data     | 1585      | msc_mmap_open | msu.c |
| Identifier        | *iter = vma->vm_file->priva... | 1585      | msc_mmap_open | msu.c |
| Identifier        | iter->msc                      | 1586      | msc_mmap_open | msu.c |
| Call              | iter->msc                      | 1586      | msc_mmap_open | msu.c |
| Identifier        | *msc = iter->msc               | 1586      | msc_mmap_open | msu.c |
| Identifier        | msc->mmap_count                | 1588      | msc_mmap_open | msu.c |
| Call              | atomic_inc(&msc->mmap_count)   | 1588      | msc_mmap_open | msu.c |
""",

the ast graph
image

@hac425xxx
Copy link
Author

make isGenericMemberAccessName always return false, the dataflow works.

diff --git a/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/utils/MemberAccess.scala b/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/utils/MemberAccess.scala
index d27f04c81..ff57bfd9d 100644
--- a/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/utils/MemberAccess.scala
+++ b/semanticcpg/src/main/scala/io/shiftleft/semanticcpg/utils/MemberAccess.scala
@@ -20,6 +20,8 @@ object MemberAccess {
     (name == Operators.indirectIndexAccess) ||
     (name == Operators.pointerShift) ||
     (name == Operators.getElementPtr)
+    return false
+
   }


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant