This is an archive of the discontinued LLVM Phabricator instance.

Differential D107804

[analyzer] MallocOverflow should consider comparisons only preceding malloc
ClosedPublic

Authored by steakhal on Aug 10 2021, 2:03 AM.

Details

Reviewers
NoQ
vsavchenko
Szelethus
martong
balazske
Commits
rG68088563fbad: [analyzer] MallocOverflow should consider comparisons only preceding malloc
Summary

MallocOverflow works in two phases:

  1. Collects suspicious malloc calls, whose argument is a multiplication
  2. Filters the aggregated list of suspicious malloc calls by iterating over the BasicBlocks of the CFG looking for comparison binary operators over the variable constituting in any suspicious malloc.

Consequently, it suppressed true-positive cases when the comparison check was after the malloc call.
In this patch, the checker will consider the relative position of the relation check to the malloc call.

E.g.:

void *check_after_malloc(int n, int x) {
  int *p = NULL;
  if (x == 42)
    p = malloc(n * sizeof(int)); // Previously **no** warning, now it
                                 // warns about this.

  // The check is after the allocation!
  if (n > 10) {
    // Do something conditionally.
  }
  return p;
}

Diff Detail

Event Timeline

steakhal created this revision.Aug 10 2021, 2:03 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 8 others. · View Herald TranscriptAug 10 2021, 2:03 AM
steakhal requested review of this revision.Aug 10 2021, 2:03 AM
steakhal mentioned this in D107756: [analyzer] Extend the documentation of MallocOverflow.
Harbormaster completed remote builds in B118823: Diff 365386.Aug 10 2021, 3:13 AM
balazske added inline comments.Aug 11 2021, 8:00 AM
clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163

Is it safe to check for position in source code, instead of the execution path?

165

This is not a PredTrue any more.

steakhal added inline comments.Aug 11 2021, 8:16 AM
clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163

I don't think so. But it's already better than outright suppressing any finding.

165

Oh sure, I'm gonna fix it!

steakhal updated this revision to Diff 365921.Aug 12 2021, 12:05 AM
steakhal marked 2 inline comments as done.

PredTrue -> PrecedesMalloc

Harbormaster completed remote builds in B119200: Diff 365921.Aug 12 2021, 1:41 AM
martong added a comment.Aug 17 2021, 12:46 PM

Okay, I think this change is aligned with the checker's original logic. I.e. we have a heuristic, so we do not warn if we see a check of the involved variable...
I was digging a bit and found a related SEI CERT rule. MEM35-C Perhaps this checker could warn on the second code example?

On the other hand, on the long term I'd like to see this checker completely removed without any trace. I mean, generally, we should be able to warn if the result of any binary operation may not be represented in the underlying type. I think, this should be handled with an orchestration of a clever constraint solver and the engine.

steakhal added a comment.Aug 18 2021, 6:27 AM
In D107804#2950274, @martong wrote:

Okay, I think this change is aligned with the checker's original logic. I.e. we have a heuristic, so we do not warn if we see a check of the involved variable...
I was digging a bit and found a related SEI CERT rule. MEM35-C Perhaps this checker could warn on the second code example?

The checker in it's current form, would warn for the very first example, and only for that example:

void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0)
    return NULL;
  unsigned long long alloc = num_blocks * BLOCKSIZE ;
  return (alloc < UINT_MAX) ? malloc(num_blocks * BLOCKSIZE ) : NULL;
  // expected-warning@-1 {{the computation of the size of the memory allocation may overflow}}
}

It wouldn't warn for the rest of the examples because those have some sort of comparison checks on the variable.

On the other hand, on the long term I'd like to see this checker completely removed without any trace. I mean, generally, we should be able to warn if the result of any binary operation may not be represented in the underlying type. I think this should be handled with an orchestration of a clever constraint solver and the engine.

We cannot have a witness for overflow if we calculate on unknown symbolic values, like top-level function parameters, etc. In that sense, the checker relaxes the bug condition to look for potential overflowing multiplications in a specific context, in malloc parameters. That being said, a smarter constraint solver wouldn't help much.

martong added inline comments.Aug 18 2021, 9:39 AM
clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163

Do we somehow assure that the two locations are inside the same stack frame? I mean @balazske has a point and I think this solution is okay if we compare two locations inside the same function.

clang/test/Analysis/malloc-overflow.c
115–124

What happens if the check happens in an inlined function? The location is above the malloc in the TU, isn't it?

int check(int n) 
  return (n > 10);
}

void *check_before_malloc(int n, int x) {
  int *p = NULL;
  if (x == 42)
    p = malloc(n * sizeof(int)); // no-warning?

  if (check(n))
    return NULL;

  // Do some other stuff, e.g. initialize the memory.
  return p;
}
steakhal updated this revision to Diff 368603.Aug 25 2021, 4:10 AM
steakhal marked an inline comment as done.

Add a test using macros. It demonstrates that the source locations are properly resolved.
@martong Let me know if you have anything.

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp
163

I would assert this fact, but I'm not exactly sure how to acquire the enclosing function of a SourceLocation.

clang/test/Analysis/malloc-overflow.c
115–124

The checker conducts a simple AST-matching, thus it wouldn't resolve the check(n) call. So, the checker will fire regardless of where you put the check(n) call, before or after the malloc().

Even in case of macros, it still works. Check the updated test file.

Harbormaster completed remote builds in B121142: Diff 368603.Aug 25 2021, 4:44 AM
steakhal updated this revision to Diff 368679.Aug 25 2021, 10:37 AM

Pin the -triple to x86_64

Harbormaster completed remote builds in B121192: Diff 368679.Aug 25 2021, 11:48 AM
martong requested changes to this revision.Aug 26 2021, 6:37 AM

Upsz-upsz, something went terribly off here! Flexible array members related changes come in with the last diff. For example, the file flexible-array-members.c came in. It might be perhaps a rebase issue if the FAM related change had been commited already, could you please rebase this patch?

This revision now requires changes to proceed.Aug 26 2021, 6:37 AM
steakhal updated this revision to Diff 368864.Aug 26 2021, 6:51 AM

The right diff this time :D

Harbormaster completed remote builds in B121335: Diff 368864.Aug 26 2021, 7:38 AM
martong accepted this revision.Aug 26 2021, 8:26 AM

Thanks, LGTM!

This revision is now accepted and ready to land.Aug 26 2021, 8:26 AM
steakhal updated this revision to Diff 369031.Aug 26 2021, 11:39 PM
steakhal marked an inline comment as done.

Rebased. Removed the given limitation from the user-facing documentation, that this patch fixes.

Harbormaster completed remote builds in B121446: Diff 369031.Aug 27 2021, 12:14 AM
Closed by commit rG68088563fbad: [analyzer] MallocOverflow should consider comparisons only preceding malloc (authored by steakhal). · Explain WhyAug 27 2021, 5:41 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG68088563fbad: [analyzer] MallocOverflow should consider comparisons only preceding malloc.
Herald added a project: Restricted Project. · View Herald TranscriptAug 27 2021, 5:41 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added a comment.Aug 27 2021, 6:27 AM

Probably it is too late, but the title of this change is misleading. I think is should be either MallocOverflow should consider comparisons AFTER malloc or MallocOverflow should NOT consider comparisons only preceding malloc.

Revision Contents

PathSize
clang/
docs/
analyzer/
4 lines
lib/
StaticAnalyzer/
Checkers/
33 lines
test/
Analysis/
37 lines

Diff 369078

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 2,184 Lines▼ Show 20 Lines
- The checker won't warn for variables involved in explicit casts, - The checker won't warn for variables involved in explicit casts,
since that might limit the variable's domain. since that might limit the variable's domain.
E.g.: ``(unsigned char)int x`` would limit the domain to ``[0,255]``. E.g.: ``(unsigned char)int x`` would limit the domain to ``[0,255]``.
The checker will miss the true-positive cases when the explicit cast would The checker will miss the true-positive cases when the explicit cast would
not tighten the domain to prevent the overflow in the subsequent not tighten the domain to prevent the overflow in the subsequent
multiplication operation. multiplication operation.
- If the variable ``n`` participates in a comparison anywhere in the enclosing
function's scope, even after the ``malloc()``, the report will be still
suppressed.
- It is an AST-based checker, thus it does not make use of the - It is an AST-based checker, thus it does not make use of the
path-sensitive taint-analysis. path-sensitive taint-analysis.
.. _alpha-security-MmapWriteExec: .. _alpha-security-MmapWriteExec:
alpha.security.MmapWriteExec (C) alpha.security.MmapWriteExec (C)
"""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""
Warn on mmap() calls that are both writable and executable. Warn on mmap() calls that are both writable and executable.
▲ Show 20 LinesShow All 510 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp

Show All 26 Lines
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using llvm::APSInt; using llvm::APSInt;
namespace { namespace {
struct MallocOverflowCheck { struct MallocOverflowCheck {
const CallExpr *call;
const BinaryOperator *mulop; const BinaryOperator *mulop;
const Expr *variable; const Expr *variable;
APSInt maxVal; APSInt maxVal;
MallocOverflowCheck(const BinaryOperator *m, const Expr *v, APSInt val) MallocOverflowCheck(const CallExpr *call, const BinaryOperator *m,
: mulop(m), variable(v), maxVal(std::move(val)) {} const Expr *v, APSInt val)
: call(call), mulop(m), variable(v), maxVal(std::move(val)) {}
}; };
class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> { class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> {
public: public:
void checkASTCodeBody(const Decl *D, AnalysisManager &mgr, void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
BugReporter &BR) const; BugReporter &BR) const;
void CheckMallocArgument( void CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Expr *TheArgument, ASTContext &Context) const; const CallExpr *TheCall, ASTContext &Context) const;
void OutputPossibleOverflows( void OutputPossibleOverflows(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Decl *D, BugReporter &BR, AnalysisManager &mgr) const; const Decl *D, BugReporter &BR, AnalysisManager &mgr) const;
}; };
} // end anonymous namespace } // end anonymous namespace
// Return true for computations which evaluate to zero: e.g., mult by 0. // Return true for computations which evaluate to zero: e.g., mult by 0.
static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) { static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) {
return (op == BO_Mul) && (Val == 0); return (op == BO_Mul) && (Val == 0);
} }
void MallocOverflowSecurityChecker::CheckMallocArgument( void MallocOverflowSecurityChecker::CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Expr *TheArgument, const CallExpr *TheCall, ASTContext &Context) const {
ASTContext &Context) const {
/* Look for a linear combination with a single variable, and at least /* Look for a linear combination with a single variable, and at least
one multiplication. one multiplication.
Reject anything that applies to the variable: an explicit cast, Reject anything that applies to the variable: an explicit cast,
conditional expression, an operation that could reduce the range conditional expression, an operation that could reduce the range
of the result, or anything too complicated :-). */ of the result, or anything too complicated :-). */
const Expr *e = TheArgument; const Expr *e = TheCall->getArg(0);
const BinaryOperator * mulop = nullptr; const BinaryOperator * mulop = nullptr;
APSInt maxVal; APSInt maxVal;
for (;;) { for (;;) {
maxVal = 0; maxVal = 0;
e = e->IgnoreParenImpCasts(); e = e->IgnoreParenImpCasts();
if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) { if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) {
BinaryOperatorKind opc = binop->getOpcode(); BinaryOperatorKind opc = binop->getOpcode();
Show All 27 Linesvoid MallocOverflowSecurityChecker::CheckMallocArgument(
if (mulop == nullptr) if (mulop == nullptr)
return; return;
// We've found the right structure of malloc argument, now save // We've found the right structure of malloc argument, now save
// the data so when the body of the function is completely available // the data so when the body of the function is completely available
// we can check for comparisons. // we can check for comparisons.
// TODO: Could push this into the innermost scope where 'e' is PossibleMallocOverflows.push_back(
// defined, rather than the whole function. MallocOverflowCheck(TheCall, mulop, e, maxVal));
PossibleMallocOverflows.push_back(MallocOverflowCheck(mulop, e, maxVal));
} }
namespace { namespace {
// A worker class for OutputPossibleOverflows. // A worker class for OutputPossibleOverflows.
class CheckOverflowOps : class CheckOverflowOps :
public EvaluatedExprVisitor<CheckOverflowOps> { public EvaluatedExprVisitor<CheckOverflowOps> {
public: public:
typedef SmallVectorImpl<MallocOverflowCheck> theVecType; typedef SmallVectorImpl<MallocOverflowCheck> theVecType;
Show All 24 Lines void Erase(const T1 *DR,
return getDecl(CheckDR) == getDecl(DR) && Pred(Check); return getDecl(CheckDR) == getDecl(DR) && Pred(Check);
return false; return false;
}; };
toScanFor.erase(std::remove_if(toScanFor.begin(), toScanFor.end(), P), toScanFor.erase(std::remove_if(toScanFor.begin(), toScanFor.end(), P),
toScanFor.end()); toScanFor.end());
} }
void CheckExpr(const Expr *E_p) { void CheckExpr(const Expr *E_p) {
auto PredTrue = [](const MallocOverflowCheck &) { return true; };
const Expr *E = E_p->IgnoreParenImpCasts(); const Expr *E = E_p->IgnoreParenImpCasts();
const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) {
return Context.getSourceManager().isBeforeInTranslationUnit(
balazskeUnsubmitted
Done
ReplyInline Actions

Is it safe to check for position in source code, instead of the execution path?

balazske: Is it safe to check for position in source code, instead of the execution path?
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I don't think so. But it's already better than outright suppressing any finding.

steakhal: I don't think so. But it's already better than outright suppressing any finding.
martongUnsubmitted
Done
ReplyInline Actions

Do we somehow assure that the two locations are inside the same stack frame? I mean @balazske has a point and I think this solution is okay if we compare two locations inside the same function.

martong: Do we somehow assure that the two locations are inside the same stack frame? I mean @balazske…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I would assert this fact, but I'm not exactly sure how to acquire the enclosing function of a SourceLocation.

steakhal: I would assert this fact, but I'm not exactly sure how to acquire the enclosing function of a…
E->getExprLoc(), c.call->getExprLoc());
};
balazskeUnsubmitted
Done
ReplyInline Actions

This is not a PredTrue any more.

balazske: This is not a `PredTrue` any more.
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Oh sure, I'm gonna fix it!

steakhal: Oh sure, I'm gonna fix it!
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
Erase<DeclRefExpr>(DR, PredTrue); Erase<DeclRefExpr>(DR, PrecedesMalloc);
else if (const auto *ME = dyn_cast<MemberExpr>(E)) { else if (const auto *ME = dyn_cast<MemberExpr>(E)) {
Erase<MemberExpr>(ME, PredTrue); Erase<MemberExpr>(ME, PrecedesMalloc);
} }
} }
// Check if the argument to malloc is assigned a value // Check if the argument to malloc is assigned a value
// which cannot cause an overflow. // which cannot cause an overflow.
// e.g., malloc (mul * x) and, // e.g., malloc (mul * x) and,
// case 1: mul = <constant value> // case 1: mul = <constant value>
// case 2: mul = a/b, where b > x // case 2: mul = a/b, where b > x
▲ Show 20 LinesShow All 142 Lines▼ Show 20 Lines for (CFGBlock::iterator bi = block->begin(), be = block->end();
// Get the name of the callee. If it's a builtin, strip off the prefix. // Get the name of the callee. If it's a builtin, strip off the prefix.
IdentifierInfo *FnInfo = FD->getIdentifier(); IdentifierInfo *FnInfo = FD->getIdentifier();
if (!FnInfo) if (!FnInfo)
continue; continue;
if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) { if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) {
if (TheCall->getNumArgs() == 1) if (TheCall->getNumArgs() == 1)
CheckMallocArgument(PossibleMallocOverflows, TheCall->getArg(0), CheckMallocArgument(PossibleMallocOverflows, TheCall,
mgr.getASTContext()); mgr.getASTContext());
} }
} }
} }
} }
} }
OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr); OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr);
Show All 9 Lines

clang/test/Analysis/malloc-overflow.c

Show First 20 LinesShow All 105 Lines▼ Show 20 Lines
} }
void * f14(int n) void * f14(int n)
{ {
if (n < 0) if (n < 0)
return NULL; return NULL;
return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}} return malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
} }
void *check_before_malloc(int n, int x) {
int *p = NULL;
if (n > 10)
return NULL;
if (x == 42)
p = malloc(n * sizeof(int)); // no-warning, the check precedes the allocation
// Do some other stuff, e.g. initialize the memory.
return p;
}
martongUnsubmitted
Done
ReplyInline Actions

What happens if the check happens in an inlined function? The location is above the malloc in the TU, isn't it?

int check(int n) 
  return (n > 10);
}

void *check_before_malloc(int n, int x) {
  int *p = NULL;
  if (x == 42)
    p = malloc(n * sizeof(int)); // no-warning?

  if (check(n))
    return NULL;

  // Do some other stuff, e.g. initialize the memory.
  return p;
}
martong: What happens if the check happens in an inlined function? The location is above the malloc in…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

The checker conducts a simple AST-matching, thus it wouldn't resolve the check(n) call. So, the checker will fire regardless of where you put the check(n) call, before or after the malloc().

Even in case of macros, it still works. Check the updated test file.

steakhal: The checker conducts a simple AST-matching, thus it wouldn't resolve the `check(n)` call. So…
void *check_after_malloc(int n, int x) {
int *p = NULL;
if (x == 42)
p = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
// The check is after the allocation!
if (n > 10) {
// Do something conditionally.
}
return p;
}
#define GREATER_THAN(lhs, rhs) (lhs > rhs)
void *check_after_malloc_using_macros(int n, int x) {
int *p = NULL;
if (x == 42)
p = malloc(n * sizeof(int)); // expected-warning {{the computation of the size of the memory allocation may overflow}}
if (GREATER_THAN(n, 10))
return NULL;
// Do some other stuff, e.g. initialize the memory.
return p;
}
#undef GREATER_THAN