This is an archive of the discontinued LLVM Phabricator instance.

Differential D119128

[analyzer] Fix taint propagation by remembering to the location context
ClosedPublic

Authored by steakhal on Feb 7 2022, 4:18 AM.

Details

Reviewers
NoQ
martong
ASDenysPetrov
Szelethus
gamesh411
Commits
rGb099e1e56255: [analyzer] Fix taint propagation by remembering to the location context
Summary

Fixes the issue D118987 by mapping the propagation to the callsite's
LocationContext.
This way we can keep track of the in-flight propagations.

Note that empty propagation sets won't be inserted.

Diff Detail

Event Timeline

steakhal created this revision.Feb 7 2022, 4:18 AM
Herald added subscribers: manas, dkrupp, donat.nagy and 6 others. · View Herald TranscriptFeb 7 2022, 4:18 AM
steakhal requested review of this revision.Feb 7 2022, 4:18 AM
steakhal added a parent revision: D118987: [analyzer] Add failing test case demonstrating buggy taint propagation.
Harbormaster completed remote builds in B147927: Diff 406390.Feb 7 2022, 4:18 AM
steakhal added a child revision: D119129: [analyzer] Fix taint rule of fgets and setproctitle_init.Feb 7 2022, 4:31 AM
Szelethus added a comment.Feb 7 2022, 5:27 AM

Sounds about right! Just a nit, otherwise LGTM.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
441

Are there any comfortable ways of making this non-global?
https://llvm.org/docs/CodingStandards.html#do-not-use-static-constructors

Also, I wonder how efficient immutable data structures are against something like std::vector, when the element type is small and the number of elements are expected to be very low. Just a thought, I don't have particularly strong views on this.

steakhal marked an inline comment as done.Feb 7 2022, 6:21 AM
steakhal added inline comments.
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
441

Thanks for catching it.
I grepped for a similar code and it seems like there is the REGISTER_SET_FACTORY_WITH_PROGRAMSTATE for exactly this.
Now I know about this :)

steakhal updated this revision to Diff 406426.Feb 7 2022, 6:21 AM
steakhal marked an inline comment as done.

using REGISTER_SET_FACTORY_WITH_PROGRAMSTATE

Harbormaster completed remote builds in B147957: Diff 406426.Feb 7 2022, 6:22 AM
steakhal updated this revision to Diff 406429.Feb 7 2022, 6:26 AM

upload the right diff

Harbormaster completed remote builds in B147959: Diff 406429.Feb 7 2022, 7:10 AM
NoQ added inline comments.Feb 7 2022, 9:55 AM
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
441

ImmutableList is another good candidate. I prefer these data structures to be immutable because that's a much stronger guarantee that they won't actually ever be updated while stored in the state.

clang/test/Analysis/taint-checker-callback-order-has-definition.c
3

This test will be annoying to update when more debug prints are added. It might be better to test this through debug.TaintTest or a new ExprInspection function.

NoQ accepted this revision.Feb 7 2022, 9:55 AM

Looks correct, thanks for fixing this!

This revision is now accepted and ready to land.Feb 7 2022, 9:55 AM
Szelethus accepted this revision.Feb 8 2022, 12:55 AM

LGTM!

Closed by commit rGb099e1e56255: [analyzer] Fix taint propagation by remembering to the location context (authored by steakhal). · Explain WhyFeb 14 2022, 7:57 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rGb099e1e56255: [analyzer] Fix taint propagation by remembering to the location context.
Herald added a project: Restricted Project. · View Herald TranscriptFeb 14 2022, 7:57 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a reverting change: rGd16c5f4192c3: Revert "[analyzer] Fix taint propagation by remembering to the location context".Feb 14 2022, 9:46 AM
Szelethus added a comment.Feb 22 2022, 7:54 AM

Can we reopen this if the code is not upstream at this time?

steakhal added a comment.Feb 22 2022, 10:36 AM

I'll re-land the whole stack tomorrow, by adding the asserts requirement for the tests to make the tests pass on all bots.

steakhal added a comment.Feb 23 2022, 4:17 AM

Committed as a848a5cf2f2f2f8a621bdc5a12e0fe49dc743176.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
39 lines
test/
Analysis/
15 lines

Diff 408424

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show All 32 Lines
#include <utility> #include <utility>
#define DEBUG_TYPE "taint-checker" #define DEBUG_TYPE "taint-checker"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
using llvm::ImmutableSet;
namespace { namespace {
class GenericTaintChecker; class GenericTaintChecker;
/// Check for CWE-134: Uncontrolled Format String. /// Check for CWE-134: Uncontrolled Format String.
constexpr llvm::StringLiteral MsgUncontrolledFormatString = constexpr llvm::StringLiteral MsgUncontrolledFormatString =
"Untrusted data is used as a format string " "Untrusted data is used as a format string "
"(CWE-134: Uncontrolled Format String)"; "(CWE-134: Uncontrolled Format String)";
▲ Show 20 LinesShow All 380 Lines▼ Show 20 Lines
}; };
} // namespace yaml } // namespace yaml
} // namespace llvm } // namespace llvm
/// A set which is used to pass information from call pre-visit instruction /// A set which is used to pass information from call pre-visit instruction
/// to the call post-visit. The values are signed integers, which are either /// to the call post-visit. The values are signed integers, which are either
/// ReturnValueIndex, or indexes of the pointer/reference argument, which /// ReturnValueIndex, or indexes of the pointer/reference argument, which
/// points to data, which should be tainted on return. /// points to data, which should be tainted on return.
REGISTER_SET_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, ArgIdxTy) REGISTER_MAP_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, const LocationContext *,
ImmutableSet<ArgIdxTy>)
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(ArgIdxFactory, ArgIdxTy)
SzelethusUnsubmitted
Done
ReplyInline Actions

Are there any comfortable ways of making this non-global?
https://llvm.org/docs/CodingStandards.html#do-not-use-static-constructors

Also, I wonder how efficient immutable data structures are against something like std::vector, when the element type is small and the number of elements are expected to be very low. Just a thought, I don't have particularly strong views on this.

Szelethus: Are there any comfortable ways of making this non-global? https://llvm.org/docs/CodingStandards.
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for catching it.
I grepped for a similar code and it seems like there is the REGISTER_SET_FACTORY_WITH_PROGRAMSTATE for exactly this.
Now I know about this :)

steakhal: Thanks for catching it. I grepped for a similar code and it seems like there is the…
NoQUnsubmitted
Not Done
ReplyInline Actions

ImmutableList is another good candidate. I prefer these data structures to be immutable because that's a much stronger guarantee that they won't actually ever be updated while stored in the state.

NoQ: `ImmutableList` is another good candidate. I prefer these data structures to be immutable…
void GenericTaintRuleParser::validateArgVector(const std::string &Option, void GenericTaintRuleParser::validateArgVector(const std::string &Option,
const ArgVecTy &Args) const { const ArgVecTy &Args) const {
for (ArgIdxTy Arg : Args) { for (ArgIdxTy Arg : Args) {
if (Arg < ReturnValueIndex) { if (Arg < ReturnValueIndex) {
Mgr.reportInvalidCheckerOptionValue( Mgr.reportInvalidCheckerOptionValue(
Mgr.getChecker<GenericTaintChecker>(), Option, Mgr.getChecker<GenericTaintChecker>(), Option,
"an argument number for propagation rules greater or equal to -1"); "an argument number for propagation rules greater or equal to -1");
▲ Show 20 LinesShow All 234 Lines▼ Show 20 Linesvoid GenericTaintChecker::checkPreCall(const CallEvent &Call,
taintUnsafeSocketProtocol(Call, C); taintUnsafeSocketProtocol(Call, C);
} }
void GenericTaintChecker::checkPostCall(const CallEvent &Call, void GenericTaintChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// Set the marked values as tainted. The return value only accessible from // Set the marked values as tainted. The return value only accessible from
// checkPostStmt. // checkPostStmt.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const StackFrameContext *CurrentFrame = C.getStackFrame();
// Depending on what was tainted at pre-visit, we determined a set of // Depending on what was tainted at pre-visit, we determined a set of
// arguments which should be tainted after the function returns. These are // arguments which should be tainted after the function returns. These are
// stored in the state as TaintArgsOnPostVisit set. // stored in the state as TaintArgsOnPostVisit set.
TaintArgsOnPostVisitTy TaintArgs = State->get<TaintArgsOnPostVisit>(); TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>();
if (TaintArgs.isEmpty())
const ImmutableSet<ArgIdxTy> *TaintArgs = TaintArgsMap.lookup(CurrentFrame);
if (!TaintArgs)
return; return;
assert(!TaintArgs->isEmpty());
LLVM_DEBUG(for (ArgIdxTy I LLVM_DEBUG(for (ArgIdxTy I
: TaintArgs) { : *TaintArgs) {
llvm::dbgs() << "PostCall<"; llvm::dbgs() << "PostCall<";
Call.dump(llvm::dbgs()); Call.dump(llvm::dbgs());
llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n'; llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n';
}); });
for (ArgIdxTy ArgNum : TaintArgs) { for (ArgIdxTy ArgNum : *TaintArgs) {
// Special handling for the tainted return value. // Special handling for the tainted return value.
if (ArgNum == ReturnValueIndex) { if (ArgNum == ReturnValueIndex) {
State = addTaint(State, Call.getReturnValue()); State = addTaint(State, Call.getReturnValue());
continue; continue;
} }
// The arguments are pointer arguments. The data they are pointing at is // The arguments are pointer arguments. The data they are pointing at is
// tainted after the call. // tainted after the call.
if (auto V = getPointeeOf(C, Call.getArgSVal(ArgNum))) if (auto V = getPointeeOf(C, Call.getArgSVal(ArgNum)))
State = addTaint(State, *V); State = addTaint(State, *V);
} }
// Clear up the taint info from the state. // Clear up the taint info from the state.
State = State->remove<TaintArgsOnPostVisit>(); State = State->remove<TaintArgsOnPostVisit>(CurrentFrame);
C.addTransition(State); C.addTransition(State);
} }
void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State, void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const { const char *NL, const char *Sep) const {
printTaint(State, Out, NL, Sep); printTaint(State, Out, NL, Sep);
} }
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Lines const auto WouldEscape = [](SVal V, QualType Ty) -> bool {
const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified(); const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified();
const bool IsNonConstPtr = const bool IsNonConstPtr =
Ty->isPointerType() && !Ty->getPointeeType().isConstQualified(); Ty->isPointerType() && !Ty->getPointeeType().isConstQualified();
return IsNonConstRef || IsNonConstPtr; return IsNonConstRef || IsNonConstPtr;
}; };
/// Propagate taint where it is necessary. /// Propagate taint where it is necessary.
auto &F = State->getStateManager().get_context<ArgIdxFactory>();
ImmutableSet<ArgIdxTy> Result = F.getEmptySet();
ForEachCallArg( ForEachCallArg(
[this, &State, WouldEscape, &Call](ArgIdxTy I, const Expr *E, SVal V) { [this, WouldEscape, &Call, &Result, &F](ArgIdxTy I, const Expr *E,
SVal V) {
if (PropDstArgs.contains(I)) { if (PropDstArgs.contains(I)) {
LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs()); LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
llvm::dbgs() llvm::dbgs()
<< "> prepares tainting arg index: " << I << '\n';); << "> prepares tainting arg index: " << I << '\n';);
State = State->add<TaintArgsOnPostVisit>(I); Result = F.add(Result, I);
} }
// TODO: We should traverse all reachable memory regions via the // TODO: We should traverse all reachable memory regions via the
// escaping parameter. Instead of doing that we simply mark only the // escaping parameter. Instead of doing that we simply mark only the
// referred memory region as tainted. // referred memory region as tainted.
if (WouldEscape(V, E->getType())) { if (WouldEscape(V, E->getType())) {
LLVM_DEBUG(if (!State->contains<TaintArgsOnPostVisit>(I)) { LLVM_DEBUG(if (!Result.contains(I)) {
llvm::dbgs() << "PreCall<"; llvm::dbgs() << "PreCall<";
Call.dump(llvm::dbgs()); Call.dump(llvm::dbgs());
llvm::dbgs() << "> prepares tainting arg index: " << I << '\n'; llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
}); });
State = State->add<TaintArgsOnPostVisit>(I); Result = F.add(Result, I);
} }
}); });
if (!Result.isEmpty())
State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
C.addTransition(State); C.addTransition(State);
} }
bool GenericTaintRule::UntrustedEnv(CheckerContext &C) { bool GenericTaintRule::UntrustedEnv(CheckerContext &C) {
return !C.getAnalysisManager() return !C.getAnalysisManager()
.getAnalyzerOptions() .getAnalyzerOptions()
.ShouldAssumeControlledEnvironment; .ShouldAssumeControlledEnvironment;
} }
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Linesvoid GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call,
StringRef DomName = C.getMacroNameOrSpelling(DomLoc); StringRef DomName = C.getMacroNameOrSpelling(DomLoc);
// Allow internal communication protocols. // Allow internal communication protocols.
bool SafeProtocol = DomName.equals("AF_SYSTEM") || bool SafeProtocol = DomName.equals("AF_SYSTEM") ||
DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") || DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") ||
DomName.equals("AF_RESERVED_36"); DomName.equals("AF_RESERVED_36");
if (SafeProtocol) if (SafeProtocol)
return; return;
C.addTransition(C.getState()->add<TaintArgsOnPostVisit>(ReturnValueIndex)); ProgramStateRef State = C.getState();
auto &F = State->getStateManager().get_context<ArgIdxFactory>();
ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex);
State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
C.addTransition(State);
} }
/// Checker registration /// Checker registration
void ento::registerGenericTaintChecker(CheckerManager &Mgr) { void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
Mgr.registerChecker<GenericTaintChecker>(); Mgr.registerChecker<GenericTaintChecker>();
} }
bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) { bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {
return true; return true;
} }

clang/test/Analysis/taint-checker-callback-order-has-definition.c

// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core,alpha.security.taint \ // RUN: -analyzer-checker=core,alpha.security.taint \
// RUN: -mllvm -debug-only=taint-checker \ // RUN: -mllvm -debug-only=taint-checker \
NoQUnsubmitted
Not Done
ReplyInline Actions

This test will be annoying to update when more debug prints are added. It might be better to test this through debug.TaintTest or a new ExprInspection function.

NoQ: This test will be annoying to update when more debug prints are added. It might be better to…
// RUN: 2>&1 | FileCheck %s // RUN: 2>&1 | FileCheck %s
// FIXME: We should not crash.
// XFAIL: *
struct _IO_FILE; struct _IO_FILE;
typedef struct _IO_FILE FILE; typedef struct _IO_FILE FILE;
FILE *fopen(const char *fname, const char *mode); FILE *fopen(const char *fname, const char *mode);
void nested_call(void) {} void nested_call(void) {}
char *fgets(char *s, int n, FILE *fp) { char *fgets(char *s, int n, FILE *fp) {
nested_call(); // no-crash: we should not try adding taint to a non-existent argument. nested_call(); // no-crash: we should not try adding taint to a non-existent argument.
Show All 9 Lines if (!fp)
return; return;
(void)fgets(buf, 42, fp); // Trigger taint propagation. (void)fgets(buf, 42, fp); // Trigger taint propagation.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
// FIXME: We should propagate taint from PreCall<fgets> -> PostCall<fgets>. // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: -1 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 0 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 1 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2
// CHECK-NEXT: PostCall<nested_call()> actually wants to taint arg index: 2
// FIXME: We should not crash.
// CHECK: PLEASE submit a bug report
} }