This is an archive of the discontinued LLVM Phabricator instance.

Differential D111296

[analyzer] Introduce the assume-controlled-environment config option
ClosedPublic

Authored by steakhal on Oct 7 2021, 3:30 AM.

Details

Reviewers
NoQ
martong
Szelethus
Commits
rGedde4efc66df: [analyzer] Introduce the assume-controlled-environment config option
Summary

If the assume-controlled-environment is true, we should expect getenv() to succeed, and the result should not be considered tainted.
By default, the option will be false.

Diff Detail

Event Timeline

steakhal created this revision.Oct 7 2021, 3:30 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 8 others. · View Herald TranscriptOct 7 2021, 3:30 AM
steakhal requested review of this revision.Oct 7 2021, 3:30 AM
Harbormaster completed remote builds in B127482: Diff 377794.Oct 7 2021, 3:31 AM
steakhal added a parent revision: D111245: [analyzer] Bifurcate on getenv() calls.Oct 7 2021, 3:31 AM
steakhal mentioned this in D111245: [analyzer] Bifurcate on getenv() calls.
steakhal added inline comments.Oct 7 2021, 3:47 AM
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
438

I'm checking this separately.

martong accepted this revision.Oct 12 2021, 8:23 AM

LGTM!

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
331–337

I think we should explicitly mention getenv here.

This revision is now accepted and ready to land.Oct 12 2021, 8:23 AM
steakhal updated this revision to Diff 379121.Oct 12 2021, 11:22 AM

Mention getenv() in the config help.

steakhal marked an inline comment as done.Oct 12 2021, 11:22 AM
Harbormaster completed remote builds in B128427: Diff 379121.Oct 12 2021, 12:44 PM
NoQ accepted this revision.Oct 12 2021, 5:03 PM

Aha, yeah, something like that.

Closed by commit rGedde4efc66df: [analyzer] Introduce the assume-controlled-environment config option (authored by steakhal). · Explain WhyOct 13 2021, 1:51 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rGedde4efc66df: [analyzer] Introduce the assume-controlled-environment config option.
Herald added a project: Restricted Project. · View Herald TranscriptOct 13 2021, 1:51 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
8 lines
lib/
StaticAnalyzer/
Checkers/
11 lines
30 lines
test/
Analysis/
1 line
22 lines

Diff 379307

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def

Show First 20 LinesShow All 322 Lines▼ Show 20 Lines
ANALYZER_OPTION( ANALYZER_OPTION(
bool, ShouldConsiderSingleElementArraysAsFlexibleArrayMembers, bool, ShouldConsiderSingleElementArraysAsFlexibleArrayMembers,
"consider-single-element-arrays-as-flexible-array-members", "consider-single-element-arrays-as-flexible-array-members",
"Consider single element arrays as flexible array member candidates. " "Consider single element arrays as flexible array member candidates. "
"This will prevent the analyzer from assuming that a single element array " "This will prevent the analyzer from assuming that a single element array "
"holds a single element.", "holds a single element.",
false) false)
ANALYZER_OPTION(
bool, ShouldAssumeControlledEnvironment, "assume-controlled-environment",
"Whether the analyzed application runs in a controlled environment. "
"We will assume that environment variables exist in queries and they hold "
"no malicious data. For instance, if this option is enabled, 'getenv()' "
"might be modeled by the analyzer to never return NULL.",
false)
martongUnsubmitted
Done
ReplyInline Actions

I think we should explicitly mention getenv here.

martong: I think we should explicitly mention `getenv` here.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Unsigned analyzer options. // Unsigned analyzer options.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold", ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold",
"The maximal amount of translation units that is considered " "The maximal amount of translation units that is considered "
"for import when inlining functions during CTU analysis. " "for import when inlining functions during CTU analysis. "
"Lowering this threshold can alleviate the memory burden of " "Lowering this threshold can alleviate the memory burden of "
▲ Show 20 LinesShow All 115 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 429 Lines▼ Show 20 Lines TaintPropagationRule Rule =
// Source functions // Source functions
// TODO: Add support for vfscanf & family. // TODO: Add support for vfscanf & family.
.Case("fdopen", {{}, {ReturnValueIndex}}) .Case("fdopen", {{}, {ReturnValueIndex}})
.Case("fopen", {{}, {ReturnValueIndex}}) .Case("fopen", {{}, {ReturnValueIndex}})
.Case("freopen", {{}, {ReturnValueIndex}}) .Case("freopen", {{}, {ReturnValueIndex}})
.Case("getch", {{}, {ReturnValueIndex}}) .Case("getch", {{}, {ReturnValueIndex}})
.Case("getchar", {{}, {ReturnValueIndex}}) .Case("getchar", {{}, {ReturnValueIndex}})
.Case("getchar_unlocked", {{}, {ReturnValueIndex}}) .Case("getchar_unlocked", {{}, {ReturnValueIndex}})
.Case("getenv", {{}, {ReturnValueIndex}})
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I'm checking this separately.

steakhal: I'm checking this separately.
.Case("gets", {{}, {0, ReturnValueIndex}}) .Case("gets", {{}, {0, ReturnValueIndex}})
.Case("scanf", {{}, {}, VariadicType::Dst, 1}) .Case("scanf", {{}, {}, VariadicType::Dst, 1})
.Case("socket", {{}, .Case("socket", {{},
{ReturnValueIndex}, {ReturnValueIndex},
VariadicType::None, VariadicType::None,
InvalidArgIndex, InvalidArgIndex,
&TaintPropagationRule::postSocket}) &TaintPropagationRule::postSocket})
.Case("wgetch", {{}, {ReturnValueIndex}}) .Case("wgetch", {{}, {ReturnValueIndex}})
Show All 16 Lines TaintPropagationRule Rule =
.Case("strchr", {{0}, {ReturnValueIndex}}) .Case("strchr", {{0}, {ReturnValueIndex}})
.Case("strrchr", {{0}, {ReturnValueIndex}}) .Case("strrchr", {{0}, {ReturnValueIndex}})
.Case("tolower", {{0}, {ReturnValueIndex}}) .Case("tolower", {{0}, {ReturnValueIndex}})
.Case("toupper", {{0}, {ReturnValueIndex}}) .Case("toupper", {{0}, {ReturnValueIndex}})
.Default({}); .Default({});
if (!Rule.isNull()) if (!Rule.isNull())
return Rule; return Rule;
// `getenv` returns taint only in untrusted environments.
if (FData.FullName == "getenv") {
if (C.getAnalysisManager()
.getAnalyzerOptions()
.ShouldAssumeControlledEnvironment)
return {};
return {{}, {ReturnValueIndex}};
}
assert(FData.FDecl); assert(FData.FDecl);
// Check if it's one of the memory setting/copying functions. // Check if it's one of the memory setting/copying functions.
// This check is specialized but faster then calling isCLibraryFunction. // This check is specialized but faster then calling isCLibraryFunction.
const FunctionDecl *FDecl = FData.FDecl; const FunctionDecl *FDecl = FData.FDecl;
unsigned BId = 0; unsigned BId = 0;
if ((BId = FDecl->getMemoryFunctionKind())) { if ((BId = FDecl->getMemoryFunctionKind())) {
switch (BId) { switch (BId) {
▲ Show 20 LinesShow All 480 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 562 Lines▼ Show 20 Lines enum CheckKind {
CK_StdCLibraryFunctionsTesterChecker, CK_StdCLibraryFunctionsTesterChecker,
CK_NumCheckKinds CK_NumCheckKinds
}; };
DefaultBool ChecksEnabled[CK_NumCheckKinds]; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckerNameRef CheckNames[CK_NumCheckKinds]; CheckerNameRef CheckNames[CK_NumCheckKinds];
bool DisplayLoadedSummaries = false; bool DisplayLoadedSummaries = false;
bool ModelPOSIX = false; bool ModelPOSIX = false;
bool ShouldAssumeControlledEnvironment = false;
private: private:
Optional<Summary> findFunctionSummary(const FunctionDecl *FD, Optional<Summary> findFunctionSummary(const FunctionDecl *FD,
CheckerContext &C) const; CheckerContext &C) const;
Optional<Summary> findFunctionSummary(const CallEvent &Call, Optional<Summary> findFunctionSummary(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void initFunctionSummaries(CheckerContext &C) const; void initFunctionSummaries(CheckerContext &C) const;
▲ Show 20 LinesShow All 849 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
// int delimiter, FILE *restrict stream); // int delimiter, FILE *restrict stream);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"getdelim", "getdelim",
Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy, Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy,
FilePtrRestrictTy}, FilePtrRestrictTy},
RetType{Ssize_tTy}), RetType{Ssize_tTy}),
GetLineSummary); GetLineSummary);
{
Summary GetenvSummary = Summary(NoEvalCall)
.ArgConstraint(NotNull(ArgNo(0)))
.Case({NotNull(Ret)});
// In untrusted environments the envvar might not exist.
if (!ShouldAssumeControlledEnvironment)
GetenvSummary.Case({NotNull(Ret)->negate()});
// char *getenv(const char *name); // char *getenv(const char *name);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}), "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
Summary(NoEvalCall) std::move(GetenvSummary));
.Case({NotNull(Ret)}) }
.Case({NotNull(Ret)->negate()})
.ArgConstraint(NotNull(ArgNo(0))));
if (ModelPOSIX) { if (ModelPOSIX) {
// long a64l(const char *str64); // long a64l(const char *str64);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}), "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
▲ Show 20 LinesShow All 1,197 Lines▼ Show 20 Lines addToFunctionSummaryMap(
Summary(EvalCallAsPure)); Summary(EvalCallAsPure));
} }
SummariesInitialized = true; SummariesInitialized = true;
} }
void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) { void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>(); auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();
const AnalyzerOptions &Opts = mgr.getAnalyzerOptions();
Checker->DisplayLoadedSummaries = Checker->DisplayLoadedSummaries =
mgr.getAnalyzerOptions().getCheckerBooleanOption( Opts.getCheckerBooleanOption(Checker, "DisplayLoadedSummaries");
Checker, "DisplayLoadedSummaries"); Checker->ModelPOSIX = Opts.getCheckerBooleanOption(Checker, "ModelPOSIX");
Checker->ModelPOSIX = Checker->ShouldAssumeControlledEnvironment =
mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker, "ModelPOSIX"); Opts.ShouldAssumeControlledEnvironment;
} }
bool ento::shouldRegisterStdCLibraryFunctionsChecker( bool ento::shouldRegisterStdCLibraryFunctionsChecker(
const CheckerManager &mgr) { const CheckerManager &mgr) {
return true; return true;
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
Show All 12 Lines

clang/test/Analysis/analyzer-config.c

Show All 9 Lines
// CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false // CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false
// CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false // CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01
// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = "" // CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = ""
// CHECK-NEXT: apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries = false // CHECK-NEXT: apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries = false
// CHECK-NEXT: apiModeling.StdCLibraryFunctions:ModelPOSIX = false // CHECK-NEXT: apiModeling.StdCLibraryFunctions:ModelPOSIX = false
// CHECK-NEXT: apply-fixits = false // CHECK-NEXT: apply-fixits = false
// CHECK-NEXT: assume-controlled-environment = false
// CHECK-NEXT: avoid-suppressing-null-argument-paths = false // CHECK-NEXT: avoid-suppressing-null-argument-paths = false
// CHECK-NEXT: c++-allocator-inlining = true // CHECK-NEXT: c++-allocator-inlining = true
// CHECK-NEXT: c++-container-inlining = false // CHECK-NEXT: c++-container-inlining = false
// CHECK-NEXT: c++-inlining = destructors // CHECK-NEXT: c++-inlining = destructors
// CHECK-NEXT: c++-shared_ptr-inlining = false // CHECK-NEXT: c++-shared_ptr-inlining = false
// CHECK-NEXT: c++-stdlib-inlining = true // CHECK-NEXT: c++-stdlib-inlining = true
// CHECK-NEXT: c++-temp-dtor-inlining = true // CHECK-NEXT: c++-temp-dtor-inlining = true
// CHECK-NEXT: c++-template-inlining = true // CHECK-NEXT: c++-template-inlining = true
▲ Show 20 LinesShow All 99 LinesShow Last 20 Lines

clang/test/Analysis/assume-controlled-environment.c

  • This file was added.
// RUN: %clang_analyze_cc1 -verify=untrusted-env %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=debug.TaintTest
// RUN: %clang_analyze_cc1 -verify %s -DEXPECT_NO_WARNINGS \
// RUN: -analyzer-config assume-controlled-environment=true \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=debug.TaintTest
#ifdef EXPECT_NO_WARNINGS
// expected-no-diagnostics
#endif
char *getenv(const char *name);
void foo() {
char *p = getenv("FOO"); // untrusted-env-warning {{tainted}}
(void)p; // untrusted-env-warning {{tainted}}
}