This is an archive of the discontinued LLVM Phabricator instance.

Differential D112558

[analyzer] sprintf is a taint propagator not a source
ClosedPublic

Authored by steakhal on Oct 26 2021, 10:06 AM.

Details

Reviewers
martong
NoQ
Szelethus
ASDenysPetrov
gamesh411
balazske
Commits
rG49285f43e5ed: [analyzer] sprintf is a taint propagator not a source
Summary

Due to a typo, sprintf() was recognized as a taint source instead of a
taint propagator. It was because an empty taint source list - which is
the first parameter of the TaintPropagationRule - encoded the
unconditional taint sources.
This typo effectively turned the sprintf() into an unconditional taint
source.

This patch fixes that typo and demonstrated the correct behavior with
tests.

Diff Detail

Event Timeline

steakhal created this revision.Oct 26 2021, 10:06 AM
Herald added subscribers: manas, dkrupp, donat.nagy and 7 others. · View Herald TranscriptOct 26 2021, 10:06 AM
steakhal requested review of this revision.Oct 26 2021, 10:06 AM
Harbormaster completed remote builds in B130751: Diff 382379.Oct 26 2021, 10:55 AM
balazske added a comment.Oct 27 2021, 12:13 AM

Probably it is a bit more correct but it can be better to remove the sprintf like functions from taint propagation. These functions return the number of bytes written to buf. This is in some extent dependent on the input parameters but maybe more no than yes. If there are fixed characters in the format string the return value is never zero only if error occurs. (But a more taint-likely case is if the %s format is used.)

martong accepted this revision.Oct 27 2021, 3:09 AM
In D112558#3089443, @balazske wrote:

Probably it is a bit more correct but it can be better to remove the sprintf like functions from taint propagation. These functions return the number of bytes written to buf. This is in some extent dependent on the input parameters but maybe more no than yes. If there are fixed characters in the format string the return value is never zero only if error occurs. (But a more taint-likely case is if the %s format is used.)

Yeah, it is worth thinking about it, but there are no decisive arguments beside each option. So, we could just keep as is.

clang/test/Analysis/taint-generic.c
345

C'mon, no covid please.
I know it's everywhere, but people die in this sh*t and it might offend any reader of this code who has been affected in anyway.

This revision is now accepted and ready to land.Oct 27 2021, 3:09 AM
steakhal updated this revision to Diff 382600.Oct 27 2021, 4:06 AM
steakhal marked an inline comment as done.
In D112558#3089861, @martong wrote:
In D112558#3089443, @balazske wrote:

Probably it is a bit more correct but it can be better to remove the sprintf like functions from taint propagation. These functions return the number of bytes written to buf. This is in some extent dependent on the input parameters but maybe more no than yes. If there are fixed characters in the format string the return value is never zero only if error occurs. (But a more taint-likely case is if the %s format is used.)

Yeah, it is worth thinking about it, but there are no decisive arguments beside each option. So, we could just keep as is.

Okay, I see now. I think the "%d" format string is probably more reasonable. In that case, not sprintf() can actually return 0.

clang/test/Analysis/taint-generic.c
345

Okay.

Harbormaster completed remote builds in B130912: Diff 382600.Oct 27 2021, 5:10 AM
Closed by commit rG49285f43e5ed: [analyzer] sprintf is a taint propagator not a source (authored by steakhal). · Explain WhyOct 28 2021, 2:03 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG49285f43e5ed: [analyzer] sprintf is a taint propagator not a source.
Herald added a project: Restricted Project. · View Herald TranscriptOct 28 2021, 2:03 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
2 lines
test/
Analysis/
10 lines

Diff 382953

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 508 Lines▼ Show 20 Lines const auto OneOf = [FDecl](const auto &... Name) {
bool ret = false; bool ret = false;
static_cast<void>(unused{ static_cast<void>(unused{
0, (ret |= CheckerContext::isCLibraryFunction(FDecl, Name), 0)...}); 0, (ret |= CheckerContext::isCLibraryFunction(FDecl, Name), 0)...});
return ret; return ret;
}; };
if (OneOf("snprintf")) if (OneOf("snprintf"))
return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3}; return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
if (OneOf("sprintf")) if (OneOf("sprintf"))
return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2}; return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2};
if (OneOf("strcpy", "stpcpy", "strcat")) if (OneOf("strcpy", "stpcpy", "strcat"))
return {{1}, {0, ReturnValueIndex}}; return {{1}, {0, ReturnValueIndex}};
if (OneOf("bcopy")) if (OneOf("bcopy"))
return {{0, 2}, {1}}; return {{0, 2}, {1}};
if (OneOf("strdup", "strdupa", "wcsdup")) if (OneOf("strdup", "strdupa", "wcsdup"))
return {{0}, {ReturnValueIndex}}; return {{0}, {ReturnValueIndex}};
} }
▲ Show 20 LinesShow All 442 LinesShow Last 20 Lines

clang/test/Analysis/taint-generic.c

Show First 20 LinesShow All 335 Lines▼ Show 20 Linesvoid constraintManagerShouldTreatAsOpaque(int rhs) {
// This comparison used to hit an assertion in the constraint manager, // This comparison used to hit an assertion in the constraint manager,
// which didn't handle NonLoc sym-sym comparisons. // which didn't handle NonLoc sym-sym comparisons.
if (i < rhs) if (i < rhs)
return; return;
if (i < rhs) if (i < rhs)
*(volatile int *) 0; // no-warning *(volatile int *) 0; // no-warning
} }
int sprintf_is_not_a_source(char *buf, char *msg) {
int x = sprintf(buf, "%s", msg); // no-warning
martongUnsubmitted
Done
ReplyInline Actions

C'mon, no covid please.
I know it's everywhere, but people die in this sh*t and it might offend any reader of this code who has been affected in anyway.

martong: C'mon, no covid please. I know it's everywhere, but people die in this sh*t and it might offend…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Okay.

steakhal: Okay.
return 1 / x; // no-warning: 'sprintf' is not a taint source
}
int sprintf_propagates_taint(char *buf, char *msg) {
scanf("%s", msg);
int x = sprintf(buf, "%s", msg); // propagate taint!
return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
}
// Test configuration // Test configuration
int mySource1(); int mySource1();
void mySource2(int*); void mySource2(int*);
void myScanf(const char*, ...); void myScanf(const char*, ...);
int myPropagator(int, int*); int myPropagator(int, int*);
int mySnprintf(char*, size_t, const char*, ...); int mySnprintf(char*, size_t, const char*, ...);
bool isOutOfRange(const int*); bool isOutOfRange(const int*);
▲ Show 20 LinesShow All 45 LinesShow Last 20 Lines