This is an archive of the discontinued LLVM Phabricator instance.

Differential D154603

[analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker
AbandonedPublic

Authored by gamesh411 on Jul 6 2023, 6:01 AM.

Details

Reviewers
Szelethus
NoQ
donat.nagy
balazske
steakhal
Summary

The invalidation of pointer pointers returned by subsequent calls to genenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also pecified as a third parameter is also considered now.

Diff Detail

Event Timeline

gamesh411 created this revision.Jul 6 2023, 6:01 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJul 6 2023, 6:01 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 9 others. · View Herald Transcript
gamesh411 requested review of this revision.Jul 6 2023, 6:01 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 6 2023, 6:01 AM
Herald added subscribers: cfe-commits, wangpc. · View Herald Transcript
gamesh411 added reviewers: donat.nagy, balazske.Jul 6 2023, 6:11 AM
gamesh411 added inline comments.Jul 6 2023, 6:21 AM
clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
99–102

The state modelling is refined to model the env region coming from the main function and the getenv calls.

clang/test/Analysis/cert/env34-c.c
6

This test file is incomplete.
I would welcome suggestions here as to how to test this.
Should a new file be created for the config option with different test cases, or is this file to be extended?

Harbormaster completed remote builds in B243447: Diff 537687.Jul 6 2023, 6:43 AM
donat.nagy added a comment.Jul 7 2023, 1:40 AM

The commit looks good in general, I have a few minor suggestions and a serious question about the state transition bureaucracy.

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
74–75

Nitpick: "practical false positives" sounds strange for me, consider writing
[...but] "in practice does not cause problems (in the commonly used environments)"
or something similar.

131–136

Perhaps add a comment that clarifies that passing a nullptr as the ExplodedNode to addTransition is equivalent to specifying the current node. I remember this because I was studying its implementation recently, but I would've been surprised and suspicious otherwise.

223

I fear that this state transition will go "sideways" and the later state transitions (which add the note tags) will branch off instead of building onto this. IIUC calling CheckerContext::addTransition registers the transition without updating the "current ExplodedNode" field of CheckerContext, so you need to explicitly store and pass around the ExplodedNode returned by it if you want to build on it.

This is an ugly and counter-intuitive API, and I also ran into a very similar issue a few weeks ago (@Szelethus helped me).

clang/test/Analysis/cert/env34-c.c
6

Personally I'd prefer putting those cases into a separate files, because this test file is already 340 lines long and it'd be difficult to understand if it was filled with conditional checks.

steakhal added a comment.Aug 11 2023, 9:33 AM

I'm sorry starting the review of this one only now, but I'm quite booked.
Is it still relevant? If so, I'll continue.

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
120–121

FunctionName and Message will dangle inside the NoteTag.

131–136

If nullptr is equivalent with C.getPredecessor() inside addTransition(), why not simply initialize it to that value instead of to nullptr?

219

We should hoist this into a field, to only construct it once.

221–222

What ensures that Call.getReturnValue().getAsRegion() is not null?

223

I think the usage here is correct.

gamesh411 updated this revision to Diff 552670.Aug 23 2023, 5:24 AM

Add tests for checker option
Remove unnecessary const_cast
Only model a getenv call if there is a value to model
Use getPredecessor to better indicate what happens during EG building
Hoist GetEnvCall variable
Fix dangling strings in note generation

Harbormaster completed remote builds in B254310: Diff 552670.Aug 23 2023, 5:25 AM
gamesh411 updated this revision to Diff 552676.Aug 23 2023, 5:30 AM
gamesh411 marked an inline comment as done.

rebased and squashed

gamesh411 marked 8 inline comments as done.Aug 23 2023, 5:47 AM
gamesh411 added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
44

Reworded the message here

48

Hoisted here

120–121

Good catch, thanks! Fixed this with a lambda capture initializer.

131–136

I ended up using C.getPredecessor() instead of explaining; this seems a bit more intuitive (if such a thing even exists in CSA).

223

(the line number of this comment desync-ed)
I agree, that the addTransition API is easy to misuse, and I would welcome a more streamlined approach.
I tried to pay attention to "build" the state and the Exploded Graph by always providing the Exploded Node (second parameter), and this seems fine.

clang/test/Analysis/invalid-ptr-checker.c
52

This gives 2 warnings. One for subexpression envp, and one for the whole statement *envp. This is the current behaviour ( check clang/test/Analysis/cert/env31-c.c ), and this patch does not change it.
However, I would like to devise a solution for this in a different patch.
One option would be to make the error of this checker Fatal, so only one would appear, or refine the checkLocation callback to only consider one of these 2 cases for reporting.

gamesh411 edited the summary of this revision. (Show Details)Aug 23 2023, 5:49 AM
gamesh411 marked 2 inline comments as done.
gamesh411 added a comment.Aug 23 2023, 6:04 AM
This comment was removed by gamesh411.
gamesh411 added a comment.Aug 23 2023, 6:23 AM
In D154603#4609809, @gamesh411 wrote:
In D154603#4580609, @steakhal wrote:

I'm sorry starting the review of this one only now, but I'm quite booked.
Is it still relevant? If so, I'll continue.

Yes, thanks for the effort!

I would like to go through with this option, and then I would like to fix the following issues with this checker as well:

  • the previous function call notes could be more streamlined
  • the notes of this checker are also shown when another checker hits those nodes with its report
    • for example taint checker giving a warning to getenv usage would also trigger the display of the 'previous function call was here' note here), this I would like to filter with bug category filters
    • code examples for this filtering are below
  • try to consolidate the multiple warnings coming from this checker's checkLocation callback

category based filtering ( example from lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:167 ):

If (!BR.isInteresting(CallLocation) ||
  BR.getBugType().getCategory() != categories::TaintedData) { //but this would be InvalidPtr BugType's category, namely memory_error
  return "";
}

or checker based filtering ( example from lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp:397 )

if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || // this is a comparison of the address of a static bugtype
    !BR.isInteresting(ThisRegion))

This second one gives a more precise filtering, but the implementation-specific detail of storing the bugtype by reference is what seems to make this work, which I find hacky.

Harbormaster completed remote builds in B254316: Diff 552676.Aug 23 2023, 6:35 AM
steakhal added a comment.Aug 23 2023, 6:37 AM
In D154603#4609872, @gamesh411 wrote:
  • try to consolidate the multiple warnings coming from this checker's checkLocation callback

category based filtering ( example from lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp:167 ):

If (!BR.isInteresting(CallLocation) ||
  BR.getBugType().getCategory() != categories::TaintedData) { //but this would be InvalidPtr BugType's category, namely memory_error
  return "";
}

or checker based filtering ( example from lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp:397 )

if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || // this is a comparison of the address of a static bugtype
    !BR.isInteresting(ThisRegion))

This second one gives a more precise filtering, but the implementation-specific detail of storing the bugtype by reference is what seems to make this work, which I find hacky.

If the checker issues a NoteTag, it makes sense in certain situations to make sure that it acts on only reports issued by that checker. The standard way of achieving that is by comparing the tags, as you do in the second example.
There is nothing wrong with this, if that particular checker issued that NoteTag in the first place. It's marginally debatable, if it was not issued by the given checker but rather something else. That would suggest to me some logic flaw, or coupling issue. For cross-checker cases, I think the bug category would be the better option, but I would still need to think about that, so not set in stone :D

FYI I haven't looked at the patch yet, but I wanted to answer your question.

donat.nagy added a comment.Aug 23 2023, 7:09 AM

The change looks promising, I only have minor remarks.

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
121–122

Minor nitpick: in situations like this, when we want to save an already composed string, std::string is better than SmallString because it doesn't occupy more memory than the actual length of the string. (OTOH SmallString is better for buffer variables, I've seen code that creates a SmallString, composes the message in it, then converts it to a std::string for longer-term storage.)

Of course these are all just inconsequential micro-optimization details...

131–136

if such a thing even exists in CSA

😆

clang/test/Analysis/invalid-ptr-checker.c
11

Use -verify=expected,pedantic here and then you can eliminate the pedantic-warning lines that duplicate the messages of expected-warnings.

gamesh411 updated this revision to Diff 556510.Sep 11 2023, 5:31 PM
  • use std::string
  • simplify tests
gamesh411 marked 2 inline comments as done.Sep 11 2023, 5:32 PM

@steakhal gentle ping

Harbormaster completed remote builds in B257030: Diff 556510.Sep 11 2023, 5:56 PM
steakhal requested changes to this revision.Sep 12 2023, 7:43 AM

Thanks for the ping. I have some concerns inline.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
1000–1008

I think we should mention this flag in the docs, and an example.

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
115

I'd prefer an explicit out parameter instead of capturing &State here.
This way we only capture "immutable" stuff.

120–121

On second thought, I'm wrong. It won't dangle, because the StringRef(FunctionName) is owned by the identifier of the function, and thus lives as long as the ASTContext.
But Message would dangle :D

124

To me, it feels like all the messages we emit from this NoteTag, are specific to this particular checker.
if that's true, checking interestingness is not enough, and we should also make sure that the BugType is from this checker.
Otherwise, this note could appear for any other reason when the region is marked as interesting.

I also have the feeling that it should mark uninteresting the region once it puts a message there - which should stop other notes placed for the same reason for other - basically unrelated env invalidations.
Could you verify this with a test?

138–141

I'd prefer if we wouldn't put N separate NoteTags, but rather iterate over this set of regions inside the NoteTag.
That way here you don't need the loop and play with Pred nodes.

219–225
This revision now requires changes to proceed.Sep 12 2023, 7:43 AM
gamesh411 abandoned this revision.Sep 29 2023, 2:20 AM

Moving this to GitHub as Phabricator is shutting down. Relevant PR here: https://github.com/llvm/llvm-project/pull/67663

GitHub <noreply@github.com> mentioned this in rGf7a46d700f64: [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker….Oct 24 2023, 5:00 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
9 lines
lib/
StaticAnalyzer/
Checkers/
cert/
86 lines
test/
Analysis/
1 line
cert/
40 lines
1 line
50 lines

Diff 556510

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 991 Lines▼ Show 20 Lineslet ParentPackage = POS in {
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
} // end "alpha.cert.pos" } // end "alpha.cert.pos"
let ParentPackage = ENV in { let ParentPackage = ENV in {
def InvalidPtrChecker : Checker<"InvalidPtr">, def InvalidPtrChecker : Checker<"InvalidPtr">,
HelpText<"Finds usages of possibly invalidated pointers">, HelpText<"Finds usages of possibly invalidated pointers">,
CheckerOptions<[
CmdLineOption<Boolean,
"InvalidatingGetEnv",
"Regard getenv as an invalidating call (as per POSIX "
"standard), which can lead to false positives depending on "
"implementation.",
"false",
InAlpha>,
]>,
steakhalUnsubmitted
Not Done
ReplyInline Actions

I think we should mention this flag in the docs, and an example.

steakhal: I think we should mention this flag in the docs, and an example.
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
} // end "alpha.cert.env" } // end "alpha.cert.env"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
▲ Show 20 LinesShow All 736 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp

//== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=// //== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=//
Lint: Lint
Inline Actions

clang-format not found in user’s local PATH; not linting file.

Lint: Lint: clang-format not found in user’s local PATH; not linting file.
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
Show All 24 Linesprivate:
BugType BT{this, "Use of invalidated pointer", categories::MemoryError}; BugType BT{this, "Use of invalidated pointer", categories::MemoryError};
void EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const; void EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const;
using HandlerFn = void (InvalidPtrChecker::*)(const CallEvent &Call, using HandlerFn = void (InvalidPtrChecker::*)(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
// SEI CERT ENV31-C // SEI CERT ENV31-C
// If set to true, consider getenv calls as invalidating operations on the
// environment variable buffer. This is implied in the standard, but in
// practice does not cause problems (in the commonly used environments).
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

Reworded the message here

gamesh411: Reworded the message here
bool InvalidatingGetEnv = false;
// GetEnv can be treated invalidating and non-invalidating as well.
const CallDescription GetEnvCall{{"getenv"}, 1};
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

Hoisted here

gamesh411: Hoisted here
const CallDescriptionMap<HandlerFn> EnvpInvalidatingFunctions = { const CallDescriptionMap<HandlerFn> EnvpInvalidatingFunctions = {
{{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall}, {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall}, {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{{"putenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall}, {{{"putenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{{"_putenv_s"}, 2}, &InvalidPtrChecker::EnvpInvalidatingCall}, {{{"_putenv_s"}, 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{{"_wputenv_s"}, 2}, &InvalidPtrChecker::EnvpInvalidatingCall}, {{{"_wputenv_s"}, 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
}; };
void postPreviousReturnInvalidatingCall(const CallEvent &Call, void postPreviousReturnInvalidatingCall(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
// SEI CERT ENV34-C // SEI CERT ENV34-C
const CallDescriptionMap<HandlerFn> PreviousCallInvalidatingFunctions = { const CallDescriptionMap<HandlerFn> PreviousCallInvalidatingFunctions = {
{{{"getenv"}, 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{{"setlocale"}, 2}, {{{"setlocale"}, 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{{"strerror"}, 1}, {{{"strerror"}, 1},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{{"localeconv"}, 0}, {{{"localeconv"}, 0},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{{"asctime"}, 1}, {{{"asctime"}, 1},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
}; };
// The private members of this checker corresponding to commandline options
// are set in this function.
friend void ento::registerInvalidPtrChecker(CheckerManager &);
donat.nagyUnsubmitted
Done
ReplyInline Actions

Nitpick: "practical false positives" sounds strange for me, consider writing
[...but] "in practice does not cause problems (in the commonly used environments)"
or something similar.

donat.nagy: Nitpick: "practical false positives" sounds strange for me, consider writing [...but] "in…
public: public:
// Obtain the environment pointer from 'main()' (if present). // Obtain the environment pointer from 'main()' (if present).
void checkBeginFunction(CheckerContext &C) const; void checkBeginFunction(CheckerContext &C) const;
// Handle functions in EnvpInvalidatingFunctions, that invalidate environment // Handle functions in EnvpInvalidatingFunctions, that invalidate environment
// pointer from 'main()' // pointer from 'main()'
// Handle functions in PreviousCallInvalidatingFunctions. // Handle functions in PreviousCallInvalidatingFunctions.
// Also, check if invalidated region is passed to a // Also, check if invalidated region is passed to a
// conservatively evaluated function call as an argument. // conservatively evaluated function call as an argument.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
// Check if invalidated region is being dereferenced. // Check if invalidated region is being dereferenced.
void checkLocation(SVal l, bool isLoad, const Stmt *S, void checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &C) const; CheckerContext &C) const;
}; };
} // namespace } // namespace
// Set of memory regions that were invalidated // Set of memory regions that were invalidated
REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *) REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
// Stores the region of the environment pointer of 'main' (if present). // Stores the region of the environment pointer of 'main' (if present).
REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *) REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
// Stores the regions of environments returned by getenv calls.
REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

The state modelling is refined to model the env region coming from the main function and the getenv calls.

gamesh411: The state modelling is refined to model the env region coming from the main function and the…
// Stores key-value pairs, where key is function declaration and value is // Stores key-value pairs, where key is function declaration and value is
// pointer to memory region returned by previous call of this function // pointer to memory region returned by previous call of this function
REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *, REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *,
const MemRegion *) const MemRegion *)
void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call, void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
StringRef FunctionName = Call.getCalleeIdentifier()->getName(); StringRef FunctionName = Call.getCalleeIdentifier()->getName();
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const MemRegion *SymbolicEnvPtrRegion = State->get<EnvPtrRegion>();
if (!SymbolicEnvPtrRegion)
return;
State = State->add<InvalidMemoryRegions>(SymbolicEnvPtrRegion); auto PlaceInvalidationNote = [&C, FunctionName,
&State](const MemRegion *Region,
steakhalUnsubmitted
Not Done
ReplyInline Actions

I'd prefer an explicit out parameter instead of capturing &State here.
This way we only capture "immutable" stuff.

steakhal: I'd prefer an explicit out parameter instead of capturing `&State` here. This way we only…
StringRef Message, ExplodedNode *Pred) {
State = State->add<InvalidMemoryRegions>(Region);
// Make copy of string data for the time when notes are *actually* created.
const NoteTag *Note = const NoteTag *Note =
C.getNoteTag([SymbolicEnvPtrRegion, FunctionName]( C.getNoteTag([Region, FunctionName = std::string{FunctionName},
steakhalUnsubmitted
Done
ReplyInline Actions

FunctionName and Message will dangle inside the NoteTag.

steakhal: `FunctionName` and `Message` will dangle inside the NoteTag.
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

Good catch, thanks! Fixed this with a lambda capture initializer.

gamesh411: Good catch, thanks! Fixed this with a lambda capture initializer.
steakhalUnsubmitted
Not Done
ReplyInline Actions

On second thought, I'm wrong. It won't dangle, because the StringRef(FunctionName) is owned by the identifier of the function, and thus lives as long as the ASTContext.
But Message would dangle :D

steakhal: On second thought, I'm wrong. It won't dangle, because the StringRef(FunctionName) is owned by…
Message = std::string{Message}](
donat.nagyUnsubmitted
Done
ReplyInline Actions

Minor nitpick: in situations like this, when we want to save an already composed string, std::string is better than SmallString because it doesn't occupy more memory than the actual length of the string. (OTOH SmallString is better for buffer variables, I've seen code that creates a SmallString, composes the message in it, then converts it to a std::string for longer-term storage.)

Of course these are all just inconsequential micro-optimization details...

donat.nagy: Minor nitpick: in situations like this, when we want to save an already composed string, `std…
PathSensitiveBugReport &BR, llvm::raw_ostream &Out) { PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
if (!BR.isInteresting(SymbolicEnvPtrRegion)) if (!BR.isInteresting(Region))
steakhalUnsubmitted
Not Done
ReplyInline Actions

To me, it feels like all the messages we emit from this NoteTag, are specific to this particular checker.
if that's true, checking interestingness is not enough, and we should also make sure that the BugType is from this checker.
Otherwise, this note could appear for any other reason when the region is marked as interesting.

I also have the feeling that it should mark uninteresting the region once it puts a message there - which should stop other notes placed for the same reason for other - basically unrelated env invalidations.
Could you verify this with a test?

steakhal: To me, it feels like all the messages we emit from this NoteTag, are specific to this…
return; return;
Out << '\'' << FunctionName Out << '\'' << FunctionName << "' " << Message;
<< "' call may invalidate the environment parameter of 'main'";
}); });
return C.addTransition(State, Pred, Note);
};
C.addTransition(State, Note); ExplodedNode *CurrentChainEnd = C.getPredecessor();
if (const MemRegion *MainEnvPtr = State->get<MainEnvPtrRegion>())
CurrentChainEnd = PlaceInvalidationNote(
MainEnvPtr, "call may invalidate the environment parameter of 'main'",
CurrentChainEnd);
donat.nagyUnsubmitted
Done
ReplyInline Actions

Perhaps add a comment that clarifies that passing a nullptr as the ExplodedNode to addTransition is equivalent to specifying the current node. I remember this because I was studying its implementation recently, but I would've been surprised and suspicious otherwise.

donat.nagy: Perhaps add a comment that clarifies that passing a `nullptr` as the ExplodedNode to…
steakhalUnsubmitted
Done
ReplyInline Actions

If nullptr is equivalent with C.getPredecessor() inside addTransition(), why not simply initialize it to that value instead of to nullptr?

steakhal: If `nullptr` is equivalent with `C.getPredecessor()` inside `addTransition()`, why not simply…
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

I ended up using C.getPredecessor() instead of explaining; this seems a bit more intuitive (if such a thing even exists in CSA).

gamesh411: I ended up using C.getPredecessor() instead of explaining; this seems a bit more intuitive (if…
donat.nagyUnsubmitted
Done
ReplyInline Actions

if such a thing even exists in CSA

😆

donat.nagy: > if such a thing even exists in CSA 😆
for (const MemRegion *EnvPtr : State->get<GetenvEnvPtrRegions>())
CurrentChainEnd = PlaceInvalidationNote(
EnvPtr, "call may invalidate the environment returned by getenv",
CurrentChainEnd);
steakhalUnsubmitted
Not Done
ReplyInline Actions

I'd prefer if we wouldn't put N separate NoteTags, but rather iterate over this set of regions inside the NoteTag.
That way here you don't need the loop and play with Pred nodes.

steakhal: I'd prefer if we wouldn't put N separate NoteTags, but rather iterate over this set of regions…
} }
void InvalidPtrChecker::postPreviousReturnInvalidatingCall( void InvalidPtrChecker::postPreviousReturnInvalidatingCall(
const CallEvent &Call, CheckerContext &C) const { const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const NoteTag *Note = nullptr; const NoteTag *Note = nullptr;
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
Show All 19 Linesvoid InvalidPtrChecker::postPreviousReturnInvalidatingCall(
// Function call will return a pointer to the new symbolic region. // Function call will return a pointer to the new symbolic region.
DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal( DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal(
CE, LCtx, CE->getType(), C.blockCount()); CE, LCtx, CE->getType(), C.blockCount());
State = State->BindExpr(CE, LCtx, RetVal); State = State->BindExpr(CE, LCtx, RetVal);
// Remember to this region. // Remember to this region.
const auto *SymRegOfRetVal = cast<SymbolicRegion>(RetVal.getAsRegion()); const auto *SymRegOfRetVal = cast<SymbolicRegion>(RetVal.getAsRegion());
const MemRegion *MR = const MemRegion *MR = SymRegOfRetVal->getBaseRegion();
const_cast<MemRegion *>(SymRegOfRetVal->getBaseRegion());
State = State->set<PreviousCallResultMap>(FD, MR); State = State->set<PreviousCallResultMap>(FD, MR);
ExplodedNode *Node = C.addTransition(State, Note); ExplodedNode *Node = C.addTransition(State, Note);
const NoteTag *PreviousCallNote = const NoteTag *PreviousCallNote =
C.getNoteTag([MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) { C.getNoteTag([MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
if (!BR.isInteresting(MR)) if (!BR.isInteresting(MR))
return; return;
Out << '\'' << "'previous function call was here" << '\''; Out << '\'' << "'previous function call was here" << '\'';
Show All 21 Linesstatic const MemRegion *findInvalidatedSymbolicBase(ProgramStateRef State,
return nullptr; return nullptr;
} }
// Handle functions in EnvpInvalidatingFunctions, that invalidate environment // Handle functions in EnvpInvalidatingFunctions, that invalidate environment
// pointer from 'main()' Also, check if invalidated region is passed to a // pointer from 'main()' Also, check if invalidated region is passed to a
// function call as an argument. // function call as an argument.
void InvalidPtrChecker::checkPostCall(const CallEvent &Call, void InvalidPtrChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
// Model 'getenv' calls
if (GetEnvCall.matches(Call)) {
steakhalUnsubmitted
Done
ReplyInline Actions

We should hoist this into a field, to only construct it once.

steakhal: We should hoist this into a field, to only construct it once.
const MemRegion *Region = Call.getReturnValue().getAsRegion();
if (Region) {
State = State->add<GetenvEnvPtrRegions>(Region);
steakhalUnsubmitted
Done
ReplyInline Actions

What ensures that Call.getReturnValue().getAsRegion() is not null?

steakhal: What ensures that `Call.getReturnValue().getAsRegion()` is not null?
C.addTransition(State);
donat.nagyUnsubmitted
Done
ReplyInline Actions

I fear that this state transition will go "sideways" and the later state transitions (which add the note tags) will branch off instead of building onto this. IIUC calling CheckerContext::addTransition registers the transition without updating the "current ExplodedNode" field of CheckerContext, so you need to explicitly store and pass around the ExplodedNode returned by it if you want to build on it.

This is an ugly and counter-intuitive API, and I also ran into a very similar issue a few weeks ago (@Szelethus helped me).

donat.nagy: I fear that this state transition will go "sideways" and the later state transitions (which add…
steakhalUnsubmitted
Done
ReplyInline Actions

I think the usage here is correct.

steakhal: I think the usage here is correct.
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

(the line number of this comment desync-ed)
I agree, that the addTransition API is easy to misuse, and I would welcome a more streamlined approach.
I tried to pay attention to "build" the state and the Exploded Graph by always providing the Exploded Node (second parameter), and this seems fine.

gamesh411: (the line number of this comment desync-ed) I agree, that the addTransition API is easy to…
}
}
steakhalUnsubmitted
Not Done
ReplyInline Actions
// Model 'getenv' calls
if (GetEnvCall.matches(Call)) {
- const MemRegion *Region = Call.getReturnValue().getAsRegion();
- if (Region) {
- State = State->add<GetenvEnvPtrRegions>(Region);
- C.addTransition(State);
+ if (const MemRegion *Region = Call.getReturnValue().getAsRegion()) {
+ C.addTransition(State->add<GetenvEnvPtrRegions>(Region));
+ return;
}
}
// Check if function invalidates 'envp' argument of 'main'
steakhal:
// Check if function invalidates 'envp' argument of 'main' // Check if function invalidates 'envp' argument of 'main'
if (const auto *Handler = EnvpInvalidatingFunctions.lookup(Call)) if (const auto *Handler = EnvpInvalidatingFunctions.lookup(Call))
(this->**Handler)(Call, C); (this->**Handler)(Call, C);
// Check if function invalidates the result of previous call // Check if function invalidates the result of previous call
if (const auto *Handler = PreviousCallInvalidatingFunctions.lookup(Call)) if (const auto *Handler = PreviousCallInvalidatingFunctions.lookup(Call))
(this->**Handler)(Call, C); (this->**Handler)(Call, C);
// If pedantic mode is on, regard 'getenv' calls invalidating as well
if (InvalidatingGetEnv && GetEnvCall.matches(Call))
postPreviousReturnInvalidatingCall(Call, C);
// Check if one of the arguments of the function call is invalidated // Check if one of the arguments of the function call is invalidated
// If call was inlined, don't report invalidated argument // If call was inlined, don't report invalidated argument
if (C.wasInlined) if (C.wasInlined)
return; return;
ProgramStateRef State = C.getState();
for (unsigned I = 0, NumArgs = Call.getNumArgs(); I < NumArgs; ++I) { for (unsigned I = 0, NumArgs = Call.getNumArgs(); I < NumArgs; ++I) {
if (const auto *SR = dyn_cast_or_null<SymbolicRegion>( if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(
Call.getArgSVal(I).getAsRegion())) { Call.getArgSVal(I).getAsRegion())) {
if (const MemRegion *InvalidatedSymbolicBase = if (const MemRegion *InvalidatedSymbolicBase =
findInvalidatedSymbolicBase(State, SR)) { findInvalidatedSymbolicBase(State, SR)) {
ExplodedNode *ErrorNode = C.generateNonFatalErrorNode(); ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
if (!ErrorNode) if (!ErrorNode)
Show All 26 Lines if (!FD || FD->param_size() != 3 || !FD->isMain())
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const MemRegion *EnvpReg = const MemRegion *EnvpReg =
State->getRegion(FD->parameters()[2], C.getLocationContext()); State->getRegion(FD->parameters()[2], C.getLocationContext());
// Save the memory region pointed by the environment pointer parameter of // Save the memory region pointed by the environment pointer parameter of
// 'main'. // 'main'.
C.addTransition(State->set<EnvPtrRegion>(EnvpReg)); C.addTransition(State->set<MainEnvPtrRegion>(EnvpReg));
} }
// Check if invalidated region is being dereferenced. // Check if invalidated region is being dereferenced.
void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S, void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Ignore memory operations involving 'non-invalidated' locations. // Ignore memory operations involving 'non-invalidated' locations.
const MemRegion *InvalidatedSymbolicBase = const MemRegion *InvalidatedSymbolicBase =
findInvalidatedSymbolicBase(State, Loc.getAsRegion()); findInvalidatedSymbolicBase(State, Loc.getAsRegion());
if (!InvalidatedSymbolicBase) if (!InvalidatedSymbolicBase)
return; return;
ExplodedNode *ErrorNode = C.generateNonFatalErrorNode(); ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
if (!ErrorNode) if (!ErrorNode)
return; return;
auto Report = std::make_unique<PathSensitiveBugReport>( auto Report = std::make_unique<PathSensitiveBugReport>(
BT, "dereferencing an invalid pointer", ErrorNode); BT, "dereferencing an invalid pointer", ErrorNode);
Report->markInteresting(InvalidatedSymbolicBase); Report->markInteresting(InvalidatedSymbolicBase);
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
void ento::registerInvalidPtrChecker(CheckerManager &Mgr) { void ento::registerInvalidPtrChecker(CheckerManager &Mgr) {
Mgr.registerChecker<InvalidPtrChecker>(); auto *Checker = Mgr.registerChecker<InvalidPtrChecker>();
Checker->InvalidatingGetEnv =
Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker,
"InvalidatingGetEnv");
} }
bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) { bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) {
return true; return true;
} }

clang/test/Analysis/analyzer-config.c

// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ConfigDumper > %t 2>&1 // RUN: %clang_analyze_cc1 -analyzer-checker=debug.ConfigDumper > %t 2>&1
// RUN: FileCheck --input-file=%t %s --match-full-lines // RUN: FileCheck --input-file=%t %s --match-full-lines
// CHECK: [config] // CHECK: [config]
// CHECK-NEXT: add-pop-up-notes = true // CHECK-NEXT: add-pop-up-notes = true
// CHECK-NEXT: aggressive-binary-operation-simplification = false // CHECK-NEXT: aggressive-binary-operation-simplification = false
// CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = "" // CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = ""
// CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50 // CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50
// CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true // CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true
// CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false // CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false
// CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false // CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01
// CHECK-NEXT: alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv = false
// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = "" // CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = ""
// CHECK-NEXT: alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions = true // CHECK-NEXT: alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions = true
// CHECK-NEXT: alpha.unix.StdCLibraryFunctions:DisplayLoadedSummaries = false // CHECK-NEXT: alpha.unix.StdCLibraryFunctions:DisplayLoadedSummaries = false
// CHECK-NEXT: alpha.unix.StdCLibraryFunctions:ModelPOSIX = false // CHECK-NEXT: alpha.unix.StdCLibraryFunctions:ModelPOSIX = false
// CHECK-NEXT: apply-fixits = false // CHECK-NEXT: apply-fixits = false
// CHECK-NEXT: assume-controlled-environment = false // CHECK-NEXT: assume-controlled-environment = false
// CHECK-NEXT: avoid-suppressing-null-argument-paths = false // CHECK-NEXT: avoid-suppressing-null-argument-paths = false
// CHECK-NEXT: c++-allocator-inlining = true // CHECK-NEXT: c++-allocator-inlining = true
▲ Show 20 LinesShow All 113 LinesShow Last 20 Lines

clang/test/Analysis/cert/env34-c-cert-examples.c

// Default options.
// RUN: %clang_analyze_cc1 \ // RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \ // RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify -Wno-unused %s // RUN: -verify -Wno-unused %s
//
// Test the laxer handling of getenv function (this is the default).
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -analyzer-config alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=false \
// RUN: -verify -Wno-unused %s
//
// Test the stricter handling of getenv function.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -analyzer-config alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=true \
// RUN: -verify=pedantic -Wno-unused %s
#include "../Inputs/system-header-simulator.h" #include "../Inputs/system-header-simulator.h"
char *getenv(const char *name); char *getenv(const char *name);
int setenv(const char *name, const char *value, int overwrite);
int strcmp(const char*, const char*); int strcmp(const char*, const char*);
char *strdup(const char*); char *strdup(const char*);
void free(void *memblock); void free(void *memblock);
void *malloc(size_t size); void *malloc(size_t size);
void incorrect_usage(void) { void incorrect_usage_setenv_getenv_invalidation(void) {
char *tmpvar;
char *tempvar;
tmpvar = getenv("TMP");
if (!tmpvar)
return;
setenv("TEMP", "", 1); //setenv can invalidate env
if (!tmpvar)
return;
if (strcmp(tmpvar, "") == 0) { // body of strcmp is unknown
// expected-warning@-1{{use of invalidated pointer 'tmpvar' in a function call}}
// pedantic-warning@-2{{use of invalidated pointer 'tmpvar' in a function call}}
}
}
void incorrect_usage_double_getenv_invalidation(void) {
char *tmpvar; char *tmpvar;
char *tempvar; char *tempvar;
tmpvar = getenv("TMP"); tmpvar = getenv("TMP");
if (!tmpvar) if (!tmpvar)
return; return;
tempvar = getenv("TEMP"); tempvar = getenv("TEMP"); //getenv should not invalidate env in non-pedantic mode
if (!tempvar) if (!tempvar)
return; return;
if (strcmp(tmpvar, tempvar) == 0) { // body of strcmp is unknown if (strcmp(tmpvar, tempvar) == 0) { // body of strcmp is unknown
// expected-warning@-1{{use of invalidated pointer 'tmpvar' in a function call}} // pedantic-warning@-1{{use of invalidated pointer 'tmpvar' in a function call}}
} }
} }
void correct_usage_1(void) { void correct_usage_1(void) {
char *tmpvar; char *tmpvar;
char *tempvar; char *tempvar;
const char *temp = getenv("TMP"); const char *temp = getenv("TMP");
▲ Show 20 LinesShow All 66 LinesShow Last 20 Lines

clang/test/Analysis/cert/env34-c.c

// RUN: %clang_analyze_cc1 \ // RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=alpha.security.cert.env.InvalidPtr\ // RUN: -analyzer-checker=alpha.security.cert.env.InvalidPtr\
// RUN: -analyzer-config alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=true \
// RUN: -analyzer-output=text -verify -Wno-unused %s // RUN: -analyzer-output=text -verify -Wno-unused %s
#include "../Inputs/system-header-simulator.h" #include "../Inputs/system-header-simulator.h"
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

This test file is incomplete.
I would welcome suggestions here as to how to test this.
Should a new file be created for the config option with different test cases, or is this file to be extended?

gamesh411: This test file is incomplete. I would welcome suggestions here as to how to test this. Should a…
donat.nagyUnsubmitted
Done
ReplyInline Actions

Personally I'd prefer putting those cases into a separate files, because this test file is already 340 lines long and it'd be difficult to understand if it was filled with conditional checks.

donat.nagy: Personally I'd prefer putting those cases into a separate files, because this test file is…
char *getenv(const char *name); char *getenv(const char *name);
char *setlocale(int category, const char *locale); char *setlocale(int category, const char *locale);
char *strerror(int errnum); char *strerror(int errnum);
typedef struct { typedef struct {
char * field; char * field;
} lconv; } lconv;
lconv *localeconv(void); lconv *localeconv(void);
▲ Show 20 LinesShow All 318 LinesShow Last 20 Lines

clang/test/Analysis/invalid-ptr-checker.c

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=alpha.security.cert.env.InvalidPtr \
// RUN: -analyzer-config alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=false \
// RUN: -analyzer-output=text -verify -Wno-unused %s
//
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=alpha.security.cert.env.InvalidPtr \
// RUN: -analyzer-config \
// RUN: alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=true \
// RUN: -analyzer-output=text -verify=expected,pedantic -Wno-unused %s
donat.nagyUnsubmitted
Done
ReplyInline Actions

Use -verify=expected,pedantic here and then you can eliminate the pedantic-warning lines that duplicate the messages of expected-warnings.

donat.nagy: Use `-verify=expected,pedantic` here and then you can eliminate the `pedantic-warning` lines…
#include "Inputs/system-header-simulator.h"
char *getenv(const char *name);
int setenv(const char *name, const char *value, int overwrite);
int strcmp(const char *, const char *);
int custom_env_handler(const char **envp);
void getenv_after_getenv(void) {
char *v1 = getenv("V1");
// pedantic-note@-1{{previous function call was here}}
char *v2 = getenv("V2");
// pedantic-note@-1{{'getenv' call may invalidate the result of the previous 'getenv'}}
strcmp(v1, v2);
// pedantic-warning@-1{{use of invalidated pointer 'v1' in a function call}}
// pedantic-note@-2{{use of invalidated pointer 'v1' in a function call}}
}
void setenv_after_getenv(void) {
char *v1 = getenv("VAR1");
setenv("VAR2", "...", 1);
// expected-note@-1{{'setenv' call may invalidate the environment returned by getenv}}
strcmp(v1, "");
// expected-warning@-1{{use of invalidated pointer 'v1' in a function call}}
// expected-note@-2{{use of invalidated pointer 'v1' in a function call}}
}
int main(int argc, const char *argv[], const char *envp[]) {
setenv("VAR", "...", 0);
// expected-note@-1 2 {{'setenv' call may invalidate the environment parameter of 'main'}}
*envp;
// expected-warning@-1 2 {{dereferencing an invalid pointer}}
// expected-note@-2 2 {{dereferencing an invalid pointer}}
}
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

This gives 2 warnings. One for subexpression envp, and one for the whole statement *envp. This is the current behaviour ( check clang/test/Analysis/cert/env31-c.c ), and this patch does not change it.
However, I would like to devise a solution for this in a different patch.
One option would be to make the error of this checker Fatal, so only one would appear, or refine the checkLocation callback to only consider one of these 2 cases for reporting.

gamesh411: This gives 2 warnings. One for subexpression `envp`, and one for the whole statement `*envp`.