This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
2
GenericTaintChecker.cpp
-
test/Analysis/
-
Analysis/
-
taint-generic.c

Differential D114706

[analyzer] Fix sensitive argument logic in GenericTaintChecker
AbandonedPublic

Authored by gamesh411 on Nov 29 2021, 6:18 AM.

Download Raw Diff

Details

Reviewers

steakhal
Szelethus
NoQ

Summary

The semantics of taint sinks is that if ANY of the arguments is tainted, a
warning should be emmitted. Before this change, if there were multiple
arguments that are sensitive, and if the first arg is not tainted, but any of
the noninitial are tainted, a warning is not emitted. After this change the
correct semantics is reflected in code.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

gamesh411 created this revision.Nov 29 2021, 6:18 AM

Herald added subscribers: manas, ASDenysPetrov, martong and 7 others. · View Herald TranscriptNov 29 2021, 6:18 AM

gamesh411 requested review of this revision.Nov 29 2021, 6:18 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 29 2021, 6:18 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B136431: Diff 390330.Nov 29 2021, 7:51 AM

E.g. execl() and execlp functions are actually variadic. You should also account for them.
I would rather map directly to a full-fledged Propagation rule instead of to a sensitive arg index list. That way you could express this property.
Demonstrate this in a test.

Actually, the CallDescriptionFlags::CDF_MaybeBuiltin CallDescriptions will use the CCtx::isCLibraryFunction() for matching the call.
By using that the code would get significantly shorter and more readable as well.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
951–957	These algorithms are not supposed to have side-effects. Even though we technically could have side-effects, I would still apply it separately. That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time.

This revision now requires changes to proceed.Nov 29 2021, 10:50 AM

The semantics of taint sinks is that if ANY of the arguments is tainted, a
warning should be emmitted. Before this change, if there were multiple
arguments that are sensitive, and if the first arg is not tainted, but any of
the noninitial are tainted, a warning is not emitted. After this change the
correct semantics is reflected in code.

It worked well with custom sinks, didn't it? So, as I see, this patch is about system calls and subscript indices. Could you please update the description to have this information?

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
951–957	That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time. +1, to put it into a named function

This is superseded by D116025.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

GenericTaintChecker.cpp

86 lines

test/

Analysis/

taint-generic.c

9 lines

Diff 390330

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 Lines • Show All 863 Lines • ▼ Show 20 Lines	return generateReportIfTainted(Call.getArgExpr(ArgNum),
MsgUncontrolledFormatString, C);		MsgUncontrolledFormatString, C);
}		}

bool GenericTaintChecker::checkSystemCall(const CallEvent &Call, StringRef Name,		bool GenericTaintChecker::checkSystemCall(const CallEvent &Call, StringRef Name,
CheckerContext &C) const {		CheckerContext &C) const {
// TODO: It might make sense to run this check on demand. In some cases,		// TODO: It might make sense to run this check on demand. In some cases,
// we should check if the environment has been cleansed here. We also might		// we should check if the environment has been cleansed here. We also might
// need to know if the user was reset before these calls(seteuid).		// need to know if the user was reset before these calls(seteuid).
unsigned ArgNum = llvm::StringSwitch<unsigned>(Name)		const ArgVector SensitiveArgs = llvm::StringSwitch<ArgVector>(Name)
.Case("system", 0)		.Case("system", {0})
.Case("popen", 0)		.Case("popen", {0})
.Case("execl", 0)		.Case("execl", {0, 1})
.Case("execle", 0)		.Case("execle", {0, 1})
.Case("execlp", 0)		.Case("execlp", {0, 1})
.Case("execv", 0)		.Case("execv", {0, 1})
.Case("execvp", 0)		.Case("execvp", {0, 1})
.Case("execvP", 0)		.Case("execvP", {0})
.Case("execve", 0)		.Case("execve", {0, 1, 2})
.Case("dlopen", 0)		.Case("dlopen", {0})
.Default(InvalidArgIndex);		.Default({});

if (ArgNum == InvalidArgIndex \|\| Call.getNumArgs() < (ArgNum + 1))
return false;

return generateReportIfTainted(Call.getArgExpr(ArgNum), MsgSanitizeSystemArgs,		// Find the first argument that receives a tainted value.
C);		// The report is emitted as a side-effect.
		return llvm::find_if(SensitiveArgs, [this, &C, &Call](unsigned Idx) {
		return Idx < Call.getNumArgs() &&
		generateReportIfTainted(Call.getArgExpr(Idx),
		MsgSanitizeSystemArgs, C);
		}) != SensitiveArgs.end();
}		}

// TODO: Should this check be a part of the CString checker?		// TODO: Should this check be a part of the CString checker?
// If yes, should taint be a global setting?		// If yes, should taint be a global setting?
bool GenericTaintChecker::checkTaintedBufferSize(const CallEvent &Call,		bool GenericTaintChecker::checkTaintedBufferSize(const CallEvent &Call,
CheckerContext &C) const {		CheckerContext &C) const {
const auto *FDecl = Call.getDecl()->getAsFunction();		const auto *FDecl = Call.getDecl()->getAsFunction();
// If the function has a buffer size argument, set ArgNum.		// If the function has a buffer size argument, set ArgNum.
unsigned ArgNum = InvalidArgIndex;		ArgVector SensitiveArgs = {};
unsigned BId = 0;		unsigned BId = 0;
if ((BId = FDecl->getMemoryFunctionKind())) {		if ((BId = FDecl->getMemoryFunctionKind())) {
switch (BId) {		switch (BId) {
case Builtin::BImemcpy:		case Builtin::BImemcpy:
case Builtin::BImemmove:		case Builtin::BImemmove:
case Builtin::BIstrncpy:		case Builtin::BIstrncpy:
ArgNum = 2;		SensitiveArgs = {2};
break;		break;
case Builtin::BIstrndup:		case Builtin::BIstrndup:
ArgNum = 1;		SensitiveArgs = {1};
break;		break;
default:		default:
break;		break;
}		}
}		}

if (ArgNum == InvalidArgIndex) {		if (SensitiveArgs.empty()) {
using CCtx = CheckerContext;		using CCtx = CheckerContext;
if (CCtx::isCLibraryFunction(FDecl, "malloc") \|\|		if (CCtx::isCLibraryFunction(FDecl, "malloc") \|\|
CCtx::isCLibraryFunction(FDecl, "calloc") \|\|
CCtx::isCLibraryFunction(FDecl, "alloca"))		CCtx::isCLibraryFunction(FDecl, "alloca"))
ArgNum = 0;		SensitiveArgs = {0};
		else if (CCtx::isCLibraryFunction(FDecl, "calloc"))
		SensitiveArgs = {0, 1};
else if (CCtx::isCLibraryFunction(FDecl, "memccpy"))		else if (CCtx::isCLibraryFunction(FDecl, "memccpy"))
ArgNum = 3;		SensitiveArgs = {3};
else if (CCtx::isCLibraryFunction(FDecl, "realloc"))		else if (CCtx::isCLibraryFunction(FDecl, "realloc"))
ArgNum = 1;		SensitiveArgs = {1};
else if (CCtx::isCLibraryFunction(FDecl, "bcopy"))		else if (CCtx::isCLibraryFunction(FDecl, "bcopy"))
ArgNum = 2;		SensitiveArgs = {2};
}		}

return ArgNum != InvalidArgIndex && Call.getNumArgs() > ArgNum &&		// Find the first argument that receives a tainted value.
generateReportIfTainted(Call.getArgExpr(ArgNum), MsgTaintedBufferSize,		// The report is emitted as a side-effect.
C);		return llvm::find_if(SensitiveArgs, [this, &C, &Call](unsigned Idx) {
		return Idx < Call.getNumArgs() &&
		generateReportIfTainted(Call.getArgExpr(Idx),
		MsgTaintedBufferSize, C);
		}) != SensitiveArgs.end();
}		}

bool GenericTaintChecker::checkCustomSinks(const CallEvent &Call,		bool GenericTaintChecker::checkCustomSinks(const CallEvent &Call,
const FunctionData &FData,		const FunctionData &FData,
CheckerContext &C) const {		CheckerContext &C) const {
auto It = findFunctionInConfig(CustomSinks, FData);		auto It = findFunctionInConfig(CustomSinks, FData);
if (It == CustomSinks.end())		if (It == CustomSinks.end())
return false;		return false;

const auto &Value = It->second;		const auto &Value = It->second;
const GenericTaintChecker::ArgVector &Args = Value.second;		const ArgVector &SensitiveArgs = Value.second;
for (unsigned ArgNum : Args) {
if (ArgNum >= Call.getNumArgs())
continue;

if (generateReportIfTainted(Call.getArgExpr(ArgNum), MsgCustomSink, C))		// Find the first argument that receives a tainted value.
return true;		// The report is emitted as a side-effect.
}		return llvm::find_if(SensitiveArgs, [this, &C, &Call](unsigned Idx) {
		return Idx < Call.getNumArgs() &&
return false;		generateReportIfTainted(Call.getArgExpr(Idx), MsgCustomSink,
		C);
		}) != SensitiveArgs.end();
		steakhalUnsubmitted Not Done Reply Inline Actions These algorithms are not supposed to have side-effects. Even though we technically could have side-effects, I would still apply it separately. That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time. steakhal: These algorithms are not supposed to have side-effects. Even though we technically could have…
		martongUnsubmitted Not Done Reply Inline Actions That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time. +1, to put it into a named function martong: > That being said, this seems to be a copy-paste version of the previous hunk, like 3rd time.
}		}

void ento::registerGenericTaintChecker(CheckerManager &Mgr) {		void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<GenericTaintChecker>();		auto *Checker = Mgr.registerChecker<GenericTaintChecker>();
std::string Option{"Config"};		std::string Option{"Config"};
StringRef ConfigFile =		StringRef ConfigFile =
Mgr.getAnalyzerOptions().getCheckerStringOption(Checker, Option);		Mgr.getAnalyzerOptions().getCheckerStringOption(Checker, Option);
llvm::Optional<TaintConfig> Config =		llvm::Optional<TaintConfig> Config =
getConfiguration<TaintConfig>(Mgr, Checker, Option, ConfigFile);		getConfiguration<TaintConfig>(Mgr, Checker, Option, ConfigFile);
if (Config)		if (Config)
Checker->parseConfiguration(Mgr, Option, std::move(Config.getValue()));		Checker->parseConfiguration(Mgr, Option, std::move(Config.getValue()));
}		}

bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {		bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {
return true;		return true;
}		}

clang/test/Analysis/taint-generic.c

Show First 20 Lines • Show All 203 Lines • ▼ Show 20 Lines	void testTaintedBufferSize() {
bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}		bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
__builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}		__builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}

// If both buffers are trusted, do not issue a warning.		// If both buffers are trusted, do not issue a warning.
char dst2 = (char)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}		char dst2 = (char)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
strncat(dst2, dst, ts); // no-warning		strncat(dst2, dst, ts); // no-warning
}		}

		void testTaintedBufferSizeNoninitialTaintedArg() {
		size_t ts;
		scanf("%zd", &ts);

		const int nontainted_num = 1;

		(void)calloc(nontainted_num, ts); //expected-warning {{Untrusted data is used to specify the buffer size}}
		}

#define AF_UNIX 1 /* local to host (pipes) */		#define AF_UNIX 1 /* local to host (pipes) */
#define AF_INET 2 /* internetwork: UDP, TCP, etc. */		#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
#define AF_LOCAL AF_UNIX /* backward compatibility */		#define AF_LOCAL AF_UNIX /* backward compatibility */
#define SOCK_STREAM 1		#define SOCK_STREAM 1
int socket(int, int, int);		int socket(int, int, int);
size_t read(int, void *, size_t);		size_t read(int, void *, size_t);
int execl(const char , const char , ...);		int execl(const char , const char , ...);

▲ Show 20 Lines • Show All 187 Lines • Show Last 20 Lines