This is an archive of the discontinued LLVM Phabricator instance.

Differential D119129

[analyzer] Fix taint rule of fgets and setproctitle_init
ClosedPublic

Authored by steakhal on Feb 7 2022, 4:20 AM.

Details

Reviewers
NoQ
martong
ASDenysPetrov
Szelethus
gamesh411
Commits
rGbf5963bf1967: [analyzer] Fix taint rule of fgets and setproctitle_init
Summary

There was a typo in the rule.
{{0}, ReturnValueIndex} meant that the discrete index is 0 and the
variadic index is -1.
What we wanted instead is that both 0 and -1 are in the discrete index
list.

Instead of this, we wanted to express that both 0 and the
ReturnValueIndex is in the discrete arg list.

The manual inspection revealed that setproctitle_init also suffered a
probably incomplete propagation rule.

Diff Detail

Event Timeline

steakhal created this revision.Feb 7 2022, 4:20 AM
Herald added subscribers: manas, dkrupp, donat.nagy and 6 others. · View Herald TranscriptFeb 7 2022, 4:20 AM
steakhal requested review of this revision.Feb 7 2022, 4:20 AM
Harbormaster completed remote builds in B147928: Diff 406392.Feb 7 2022, 4:20 AM
steakhal added a parent revision: D119128: [analyzer] Fix taint propagation by remembering to the location context.Feb 7 2022, 4:31 AM
steakhal updated this revision to Diff 406430.Feb 7 2022, 6:28 AM

rebase

Harbormaster completed remote builds in B147960: Diff 406430.Feb 7 2022, 7:15 AM
Szelethus accepted this revision.EditedFeb 8 2022, 1:31 AM

LGTM! Unrelated to this review, I don't think the term 'sink' is good in a warning message, are users expected to know what that is?

Choked on my coffee reading this:

AUTHORS
Peter Wemm ⟨peter@FreeBSD.org⟩ stole the idea from the Sendmail 8.7.3 source code by Eric Allman ⟨eric@sendmail.org⟩.

This revision is now accepted and ready to land.Feb 8 2022, 1:31 AM
gamesh411 accepted this revision.Feb 8 2022, 1:37 AM
Closed by commit rGbf5963bf1967: [analyzer] Fix taint rule of fgets and setproctitle_init (authored by steakhal). · Explain WhyFeb 14 2022, 7:57 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rGbf5963bf1967: [analyzer] Fix taint rule of fgets and setproctitle_init.
Herald added a project: Restricted Project. · View Herald TranscriptFeb 14 2022, 7:57 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a reverting change: rG2acead35c128: Revert "[analyzer] Fix taint rule of fgets and setproctitle_init".Feb 14 2022, 9:45 AM
steakhal added a comment.Feb 23 2022, 4:18 AM

Committed as 7036413dc21254c8bf2f4ac62a3b087bc4b94ce8.

Revision Contents

Diff 408425

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 553 Lines▼ Show 20 Lines RulesConstructionTy GlobalCRules{
{{"wgetch"}, TR::Source({{}, ReturnValueIndex})}, {{"wgetch"}, TR::Source({{}, ReturnValueIndex})},
// Props // Props
{{"atoi"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"atoi"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"atol"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"atol"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"atoll"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"atoll"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fgetc"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"fgetc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fgetln"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"fgetln"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fgets"}, TR::Prop({{2}}, {{0}, ReturnValueIndex})}, {{"fgets"}, TR::Prop({{2}}, {{0, ReturnValueIndex}})},
{{"fscanf"}, TR::Prop({{0}}, {{}, 2})}, {{"fscanf"}, TR::Prop({{0}}, {{}, 2})},
{{"sscanf"}, TR::Prop({{0}}, {{}, 2})}, {{"sscanf"}, TR::Prop({{0}}, {{}, 2})},
{{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"getc_unlocked"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"getc_unlocked"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"getdelim"}, TR::Prop({{3}}, {{0}})}, {{"getdelim"}, TR::Prop({{3}}, {{0}})},
{{"getline"}, TR::Prop({{2}}, {{0}})}, {{"getline"}, TR::Prop({{2}}, {{0}})},
{{"getw"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"getw"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"pread"}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})}, {{"pread"}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})},
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines RulesConstructionTy GlobalCRules{
MsgTaintedBufferSize)}, MsgTaintedBufferSize)},
{{CDF_MaybeBuiltin, {"bcopy"}}, {{CDF_MaybeBuiltin, {"bcopy"}},
TR::SinkProp({{2}}, {{0, 2}}, {{1}}, MsgTaintedBufferSize)}}; TR::SinkProp({{2}}, {{0, 2}}, {{1}}, MsgTaintedBufferSize)}};
// `getenv` returns taint only in untrusted environments. // `getenv` returns taint only in untrusted environments.
if (TR::UntrustedEnv(C)) { if (TR::UntrustedEnv(C)) {
// void setproctitle_init(int argc, char *argv[], char *envp[]) // void setproctitle_init(int argc, char *argv[], char *envp[])
GlobalCRules.push_back( GlobalCRules.push_back(
{{{"setproctitle_init"}}, TR::Sink({{2}}, MsgCustomSink)}); {{{"setproctitle_init"}}, TR::Sink({{1, 2}}, MsgCustomSink)});
GlobalCRules.push_back({{"getenv"}, TR::Source({{ReturnValueIndex}})}); GlobalCRules.push_back({{"getenv"}, TR::Source({{ReturnValueIndex}})});
} }
StaticTaintRules.emplace(std::make_move_iterator(GlobalCRules.begin()), StaticTaintRules.emplace(std::make_move_iterator(GlobalCRules.begin()),
std::make_move_iterator(GlobalCRules.end())); std::make_move_iterator(GlobalCRules.end()));
// User-provided taint configuration. // User-provided taint configuration.
CheckerManager *Mgr = C.getAnalysisManager().getCheckerManager(); CheckerManager *Mgr = C.getAnalysisManager().getCheckerManager();
▲ Show 20 LinesShow All 276 LinesShow Last 20 Lines

clang/test/Analysis/taint-checker-callback-order-has-definition.c

Show All 19 Linesvoid top(const char *fname, char *buf) {
// CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1 // CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1
if (!fp) if (!fp)
return; return;
(void)fgets(buf, 42, fp); // Trigger taint propagation. (void)fgets(buf, 42, fp); // Trigger taint propagation.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
//
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2
} }

clang/test/Analysis/taint-checker-callback-order-without-definition.c

Show All 13 Linesvoid top(const char *fname, char *buf) {
// CHECK: PreCall<fopen(fname, "r")> prepares tainting arg index: -1 // CHECK: PreCall<fopen(fname, "r")> prepares tainting arg index: -1
// CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1 // CHECK-NEXT: PostCall<fopen(fname, "r")> actually wants to taint arg index: -1
if (!fp) if (!fp)
return; return;
(void)fgets(buf, 42, fp); // Trigger taint propagation. (void)fgets(buf, 42, fp); // Trigger taint propagation.
// FIXME: Why is the arg index 1 prepared for taint?
// Before the call it wasn't tainted, and it also shouldn't be tainted after the call.
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: -1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 0
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 1
// CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2 // CHECK-NEXT: PreCall<fgets(buf, 42, fp)> prepares tainting arg index: 2
// //
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: -1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 0
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 1
// CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2 // CHECK-NEXT: PostCall<fgets(buf, 42, fp)> actually wants to taint arg index: 2
} }

clang/test/Analysis/taint-generic.c

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines
#ifdef FILE_IS_STRUCT #ifdef FILE_IS_STRUCT
extern struct _FILE *stdin; extern struct _FILE *stdin;
#else #else
extern FILE *stdin; extern FILE *stdin;
#endif #endif
#define bool _Bool #define bool _Bool
char *getenv(const char *name);
int fscanf(FILE *restrict stream, const char *restrict format, ...); int fscanf(FILE *restrict stream, const char *restrict format, ...);
int sprintf(char *str, const char *format, ...); int sprintf(char *str, const char *format, ...);
void setproctitle(const char *fmt, ...); void setproctitle(const char *fmt, ...);
void setproctitle_init(int argc, char *argv[], char *envp[]);
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
// Define string functions. Use builtin for some of them. They all default to // Define string functions. Use builtin for some of them. They all default to
// the processing in the taint checker. // the processing in the taint checker.
#define strcpy(dest, src) \ #define strcpy(dest, src) \
((__builtin_object_size(dest, 0) != -1ULL) \ ((__builtin_object_size(dest, 0) != -1ULL) \
? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \ ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
: __inline_strcpy_chk(dest, src)) : __inline_strcpy_chk(dest, src))
▲ Show 20 LinesShow All 327 Lines▼ Show 20 Linesvoid testConfigurationSinks(void) {
mySink(1, x, 2); // no-warning mySink(1, x, 2); // no-warning
mySink(1, 2, x); mySink(1, 2, x);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
} }
void testUnknownFunction(void (*foo)(void)) { void testUnknownFunction(void (*foo)(void)) {
foo(); // no-crash foo(); // no-crash
} }
void testProctitleFalseNegative() {
char flag[80];
fscanf(stdin, "%79s", flag);
char *argv[] = {"myapp", flag};
// FIXME: We should have a warning below: Untrusted data passed to sink.
setproctitle_init(1, argv, 0);
}
void testProctitle2(char *real_argv[]) {
char *app = getenv("APP_NAME");
if (!app)
return;
char *argv[] = {app, "--foobar"};
setproctitle_init(1, argv, 0); // expected-warning {{Untrusted data is passed to a user-defined sink}}
setproctitle_init(1, real_argv, argv); // expected-warning {{Untrusted data is passed to a user-defined sink}}
}