This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
CheckSecuritySyntaxOnly.cpp
-
test/Analysis/
-
Analysis/
-
security-syntax-checks.m

Differential D55226

[Fix][StaticAnalyzer] Bug 39792 - False positive on strcpy targeting struct member
ClosedPublic

Authored by Pierre-vh on Dec 3 2018, 10:19 AM.

Download Raw Diff

Details

Reviewers

dcoughlin
MaskRay
george.karpenkov
MTC

Commits

rGe2a8eec45738: [analyzer] [PR39792] false positive on strcpy targeting struct members
rC351097: [analyzer] [PR39792] false positive on strcpy targeting struct members
rL351097: [analyzer] [PR39792] false positive on strcpy targeting struct members

Summary

Fix for the bug n°39792: False positive on strcpy targeting struct member
Bugzilla: https://bugs.llvm.org/show_bug.cgi?id=39792

I fixed it by replacing the use of dyn_cast by two isas to check if Target is a DeclRefExpr or a MemberExpr.
The removal of the DeclRef variable seems to be meaningless because the only place where the DeclRef variable was used is one line below, and it was used to call a method which is inherited from Expr.
Thus, replacing the only use of DeclRef by Target should have no effect.

I also added a small test for this bugfix in test/Analysis/security-syntax-checks.m

Note: I think we can completely remove the outer if (isa<DeclRefExpr>(Target) || isa<MemberExpr>(Target)), no? Why should we only allow DeclRefExprs to pass this check?

PS: This is my first contribution ever to CLang (or any other open source project), so I'm totally open to feedback, even if it's harsh.

Thank you for your attention!

Diff Detail

Repository: rL LLVM

Event Timeline

Pierre-vh created this revision.Dec 3 2018, 10:19 AM

Herald added a reviewer: george.karpenkov. · View Herald TranscriptDec 3 2018, 10:19 AM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 4 others. · View Herald Transcript

Thank you for the fix, but how far can the pattern matching go? Seems easy enough to think of cases not covered by the above.
In any case, the fix looks good.

This revision is now accepted and ready to land.Dec 3 2018, 10:52 AM

In D55226#1317083, @george.karpenkov wrote:

Thank you for the fix, but how far can the pattern matching go? Seems easy enough to think of cases not covered by the above.
In any case, the fix looks good.

Hey,

Sadly I'm not experienced enough to think of every case that should pass this check, so I limited myself to just fixing the bug.
Can't we totally remove the outer if so we allow every Target expression that has a ConstantArrayType to pass this check?

Thank you for your time!

Please add more context using the -U option, like git diff -U99999 ....

In D55226#1317119, @Pierre-vh wrote:

Sadly I'm not experienced enough to think of every case that should pass this check, so I limited myself to just fixing the bug.
Can't we totally remove the outer if so we allow every Target expression that has a ConstantArrayType to pass this check?

IMHO, it's fine to remove the outer check!

MTC accepted this revision.Dec 4 2018, 4:11 AM

Hello again! I updated the diff and completely removed the outer if. Please let me know what you think!

Thanks for the fix! :)

*deleted rest of the comment after re-reading the code*

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
662 ↗	(On Diff #176661)	No need for this newline.

Here's the diff without the extra newline :)

Hi again!

As I'm quite new to this, I don't know what the next step is. Do we need to wait for more people to review this diff?
What happens when it's considered "ready"? How is it committed? (I don't have commit access)

Thank you for your help!

I like what I'm seeing.

In D55226#1320281, @Pierre-vh wrote:

Hi again!

As I'm quite new to this, I don't know what the next step is. Do we need to wait for more people to review this diff?
What happens when it's considered "ready"? How is it committed? (I don't have commit access)

Welcome! :) Always great to see new people around.

Once the revision is accepted (and, preferably accepted by someone knowledgeable in the analyzer) you may commit. When you start contributing to the project, and you don't have commit access just yet, you should ask someone who does to commit the patch on your behalf. Once you have "enough" patches under your belt, you may ask for a commit access.

Here are some links with more info on patch reviews, commiting, and the like:

https://llvm.org/docs/Contributing.html
https://llvm.org/docs/DeveloperPolicy.html ("Making and Submitting a Patch" seems outdated, but the following sections are worth a read: "Code Reviews", "Obtaining Commit Access" (and the rest, if you have the time))
https://llvm.org/docs/Phabricator.html

Sadly, I won't be around my working PC for a while, so I can't commit on your behalf just yet. If you asked for someone to commit but no one did, it's perfectly fine to ping it once a week (or, more frequently if it's urgent).

Hello!

I'm pinging since it's been a week. If someone can commit this patch on my behalf, that would be great.

Thank you :)

Hello!

I'm trying one last ping since it's been a month and it hasn't been commited (I think).

Whoops, sorry. There were holidays, and then I did forget about this patch. I'll commit this now.

@Pierre-vh The patch does not compile due to unmatched braces. Please do test and compile before submitting!

Closed by commit rL351097: [analyzer] [PR39792] false positive on strcpy targeting struct members (authored by george.karpenkov). · Explain WhyJan 14 2019, 10:58 AM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptJan 14 2019, 10:58 AM

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

CheckSecuritySyntaxOnly.cpp

14 lines

test/

Analysis/

security-syntax-checks.m

5 lines

Diff 181603

cfe/trunk/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

Show First 20 Lines • Show All 645 Lines • ▼ Show 20 Lines	void WalkAST::checkCall_strcpy(const CallExpr CE, const FunctionDecl FD) {
if (!filter.check_strcpy)		if (!filter.check_strcpy)
return;		return;

if (!checkCall_strCommon(CE, FD))		if (!checkCall_strCommon(CE, FD))
return;		return;

const auto *Target = CE->getArg(0)->IgnoreImpCasts(),		const auto *Target = CE->getArg(0)->IgnoreImpCasts(),
*Source = CE->getArg(1)->IgnoreImpCasts();		*Source = CE->getArg(1)->IgnoreImpCasts();
if (const auto *DeclRef = dyn_cast<DeclRefExpr>(Target))
if (const auto *Array = dyn_cast<ConstantArrayType>(DeclRef->getType())) {		if (const auto *Array = dyn_cast<ConstantArrayType>(Target->getType())) {
uint64_t ArraySize = BR.getContext().getTypeSize(Array) / 8;		uint64_t ArraySize = BR.getContext().getTypeSize(Array) / 8;
if (const auto *String = dyn_cast<StringLiteral>(Source)) {		if (const auto *String = dyn_cast<StringLiteral>(Source)) {
if (ArraySize >= String->getLength() + 1)		if (ArraySize >= String->getLength() + 1)
return;		return;
}		}
}		}

// Issue a warning.		// Issue a warning.
PathDiagnosticLocation CELoc =		PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);		PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,		BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
"Potential insecure memory buffer bounds restriction in "		"Potential insecure memory buffer bounds restriction in "
"call 'strcpy'",		"call 'strcpy'",
"Security",		"Security",
▲ Show 20 Lines • Show All 261 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/security-syntax-checks.m

Show First 20 Lines • Show All 171 Lines • ▼ Show 20 Lines	void test_strcpy_2() {
strcpy(x, "abcd"); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}		strcpy(x, "abcd"); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
}		}

void test_strcpy_safe() {		void test_strcpy_safe() {
char x[5];		char x[5];
strcpy(x, "abcd");		strcpy(x, "abcd");
}		}

		void test_strcpy_safe_2() {
		struct {char s1[100];} s;
		strcpy(s.s1, "hello");
		}

//===----------------------------------------------------------------------===		//===----------------------------------------------------------------------===
// strcat()		// strcat()
//===----------------------------------------------------------------------===		//===----------------------------------------------------------------------===
#ifdef VARIANT		#ifdef VARIANT

#define __strcat_chk BUILTIN(__strcat_chk)		#define __strcat_chk BUILTIN(__strcat_chk)
char __strcat_chk(char restrict s1, const char *restrict s2, size_t destlen);		char __strcat_chk(char restrict s1, const char *restrict s2, size_t destlen);

▲ Show 20 Lines • Show All 48 Lines • Show Last 20 Lines