This is an archive of the discontinued LLVM Phabricator instance.

Differential D125524

[BoundV2] ArrayBoundV2 checks if the extent is tainted
Needs ReviewPublic

Authored by gamesh411 on May 13 2022, 1:03 AM.

Details

Reviewers
steakhal
Szelethus
Summary

Use upperbound instead of offset to check if the extent of memory region
being accessed is tainted or not.

Original author: steakhal

Diff Detail

Event Timeline

gamesh411 created this revision.May 13 2022, 1:03 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMay 13 2022, 1:03 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, Szelethus, dkrupp. · View Herald Transcript
gamesh411 requested review of this revision.May 13 2022, 1:03 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 13 2022, 1:03 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
gamesh411 updated this revision to Diff 429159.May 13 2022, 1:10 AM

add analyzer tag

Harbormaster completed remote builds in B164258: Diff 429159.May 13 2022, 2:21 AM
martong added inline comments.May 13 2022, 5:51 AM
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
208

Could you please explain why we change rawOffset to *upperBoundToCheck? And perhaps the same explanation could infiltrate into the checker's code itself as a comment to upperbound.

clang/test/Analysis/taint-diagnostic-visitor.c
46–48

Could we get rid of the seemingly unrelated malloc taint report by using an array on the stack?

steakhal added inline comments.May 13 2022, 6:13 AM
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
208

In the test attached you can see that the extent is tainted, not the offset.
Thus checking the offset for taint won't suffice.
The bug condition should depend on the calculation itself, which is basically what is done here.

clang/test/Analysis/taint-diagnostic-visitor.c
46–48

No, we need the extent to be tainted.

martong added inline comments.May 13 2022, 7:20 AM
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
208

Okay makes sense, but then please update the comment

// If we are under constrained and the index variables are tainted, report.

to mention the extent as well.

gamesh411 added a child revision: D132915: [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory.Aug 30 2022, 1:05 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
5 lines
test/
Analysis/
20 lines

Diff 429159

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show First 20 LinesShow All 199 Lines▼ Show 20 Lines if (!upperboundToCheck)
break; break;
ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; ProgramStateRef state_exceedsUpperBound, state_withinUpperBound;
std::tie(state_exceedsUpperBound, state_withinUpperBound) = std::tie(state_exceedsUpperBound, state_withinUpperBound) =
state->assume(*upperboundToCheck); state->assume(*upperboundToCheck);
// If we are under constrained and the index variables are tainted, report. // If we are under constrained and the index variables are tainted, report.
if (state_exceedsUpperBound && state_withinUpperBound) { if (state_exceedsUpperBound && state_withinUpperBound) {
SVal ByteOffset = rawOffset.getByteOffset(); if (isTainted(state, *upperboundToCheck)) {
martongUnsubmitted
Not Done
ReplyInline Actions

Could you please explain why we change rawOffset to *upperBoundToCheck? And perhaps the same explanation could infiltrate into the checker's code itself as a comment to upperbound.

martong: Could you please explain why we change `rawOffset` to `*upperBoundToCheck`? And perhaps the…
steakhalUnsubmitted
Not Done
ReplyInline Actions

In the test attached you can see that the extent is tainted, not the offset.
Thus checking the offset for taint won't suffice.
The bug condition should depend on the calculation itself, which is basically what is done here.

steakhal: In the test attached you can see that the extent is tainted, not the offset. Thus checking the…
martongUnsubmitted
Not Done
ReplyInline Actions

Okay makes sense, but then please update the comment

// If we are under constrained and the index variables are tainted, report.

to mention the extent as well.

martong: Okay makes sense, but then please update the comment ``` // If we are under constrained and the…
if (isTainted(state, ByteOffset)) {
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted,
std::make_unique<TaintBugVisitor>(ByteOffset)); std::make_unique<TaintBugVisitor>(*upperboundToCheck));
return; return;
} }
} else if (state_exceedsUpperBound) { } else if (state_exceedsUpperBound) {
// If we are constrained enough to definitely exceed the upper bound, // If we are constrained enough to definitely exceed the upper bound,
// report. // report.
assert(!state_withinUpperBound); assert(!state_withinUpperBound);
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
return; return;
▲ Show 20 LinesShow All 142 LinesShow Last 20 Lines

clang/test/Analysis/taint-diagnostic-visitor.c

// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,unix.Malloc,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker // This file is for testing enhanced diagnostics produced by the GenericTaintChecker
int scanf(const char *restrict format, ...); int scanf(const char *restrict format, ...);
int system(const char *command); int system(const char *command);
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t size);
void free(void *ptr);
void taintDiagnostic(void) void taintDiagnostic(void)
{ {
char buf[128]; char buf[128];
scanf("%s", buf); // expected-note {{Taint originated here}} scanf("%s", buf); // expected-note {{Taint originated here}}
system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}} system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
} }
Show All 14 Lines
void taintDiagnosticVLA(void) { void taintDiagnosticVLA(void) {
int x; int x;
scanf("%d", &x); // expected-note {{Value assigned to 'x'}} scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
// expected-note@-1 {{Taint originated here}} // expected-note@-1 {{Taint originated here}}
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}} int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
// expected-note@-1 {{Declared variable-length array (VLA) has tainted size}} // expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
} }
void taintDiagnosticMalloc(int conj) {
int x;
scanf("%d", &x);
// expected-note@-1 2 {{Taint originated here}} Once for malloc(tainted), once for BoundsV2.
int *p = (int *)malloc(x + conj); // Generic taint checker forbids tainted allocation.
// expected-warning@-1 {{Untrusted data is used to specify the buffer size}}
// expected-note@-2 {{Untrusted data is used to specify the buffer size}}
martongUnsubmitted
Not Done
ReplyInline Actions

Could we get rid of the seemingly unrelated malloc taint report by using an array on the stack?

martong: Could we get rid of the seemingly unrelated malloc taint report by using an array on the stack?
steakhalUnsubmitted
Not Done
ReplyInline Actions

No, we need the extent to be tainted.

steakhal: No, we need the extent to be tainted.
p[1] = 1; // BoundsV2 checker can not prove that the access is safe.
// expected-warning@-1 {{Out of bound memory access (index is tainted)}}
// expected-note@-2 {{Out of bound memory access (index is tainted)}}
free(p);
}