This is an archive of the discontinued LLVM Phabricator instance.

[clang][analyzer]Fix non-effective taint sanitation
ClosedPublic

Authored by dkrupp on Jul 20 2023, 8:12 AM.

Download Raw Diff

Details

Reviewers

donat.nagy
gamesh411
Szelethus
NoQ
steakhal

Commits

rG26b19a67e5c3: [clang][analyzer]Fix non-effective taint sanitation

Summary

There was a bug in alpha.security.taint.TaintPropagation checker in Clang Static Analyzer.
Taint filtering could only sanitize const arguments.
After this patch, taint filtering is effective also on non-const parameters.

Diff Detail

Event Timeline

dkrupp created this revision.Jul 20 2023, 8:12 AM

Herald added a reviewer: NoQ. · View Herald TranscriptJul 20 2023, 8:12 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 6 others. · View Herald Transcript

dkrupp requested review of this revision.Jul 20 2023, 8:12 AM

Herald added a subscriber: wangpc. · View Herald TranscriptJul 20 2023, 8:12 AM

steakhal added inline comments.Jul 20 2023, 9:35 AM

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
970	Is it only a formatting hunk? I cannot really tell from my phone xd
996	"a a" -> "a"
1001	Why do we need this extra condition?
clang/test/Analysis/taint-generic.c
1014	Can you add a case where the parameter points to const?
1057	Wouldn't it make more sense if depending on the return value of this filter we early return like in the previous examples?

Harbormaster completed remote builds in B246928: Diff 542536.Jul 20 2023, 11:32 AM

-typo fixed in comment

@steakhal thanks for the review. I addressed/answered your comments.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
970	yeap. formatting only.
970	Yes. Only formatting.
1001	That's the heart of the fix. In case we are processing a filter rule, tthe PropDstArgs is empty. Then this part this part without the extra condition put the taintedness back to every pointed to non-const parameter. This is clearly an unwanted behaviour. See also the extra comment.
clang/test/Analysis/taint-generic.c
1014	The previous isOutOfRange(const int*) case is testing the sanitizing when we have a pointer to const.
1057	This test case simulates the case when the buffer is passed by reference and the sanitize command actually changes the contents of the buffer. For example removes shell escapes etc.

dkrupp marked 3 inline comments as not done.Jul 20 2023, 12:40 PM

Approved, modulo formatting hunks.
Unless you have really good reasons for having them as well.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
970	I would suggest not mixing formatting changes with semantic changes in a single revision. Consider not doing the formatting, or at least format in a different revision. Adding and updating comments are fine.
1001	Makes sense. It actually closely follows how we deal with sinks.
clang/test/Analysis/taint-generic.c
1014	Thanks. Good.
1057	Then have a void return type for it please.

This revision is now accepted and ready to land.Jul 20 2023, 12:40 PM

This revision was landed with ongoing or failed builds.Jul 21 2023, 6:11 AM

Closed by commit rG26b19a67e5c3: [clang][analyzer]Fix non-effective taint sanitation (authored by dkrupp). · Explain Why

This revision was automatically updated to reflect the committed changes.

dkrupp marked an inline comment as done.

dkrupp added a commit: rG26b19a67e5c3: [clang][analyzer]Fix non-effective taint sanitation.

Herald added a project: Restricted Project. · View Herald TranscriptJul 21 2023, 6:11 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

-formatting issues fixed
-sanitizecCmd changed to void

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
970	Yes. I realized. I reverted the formatting change.

Harbormaster completed remote builds in B247200: Diff 542903.Jul 21 2023, 7:12 AM

Thanks, all good!

dkrupp mentioned this in D145229: [analyzer] Improve the documentation of the alpha.security.taint.TaintPropagation checker.Jul 24 2023, 9:24 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

GenericTaintChecker.cpp

11 lines

test/

Analysis/

Inputs/

taint-generic-config.yaml

5 lines

taint-generic.c

16 lines

Diff 542903

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 Lines • Show All 920 Lines • ▼ Show 20 Lines	ForEachCallArg([this, &State](ArgIdxTy I, const Expr *E, SVal S) {
if (FilterArgs.contains(I)) {		if (FilterArgs.contains(I)) {
State = removeTaint(State, S);		State = removeTaint(State, S);
if (auto P = getPointeeOf(State, S))		if (auto P = getPointeeOf(State, S))
State = removeTaint(State, *P);		State = removeTaint(State, *P);
}		}
});		});

/// Check for taint propagation sources.		/// Check for taint propagation sources.
/// A rule is relevant if PropSrcArgs is empty, or if any of its signified		/// A rule will make the destination variables tainted if PropSrcArgs
		/// is empty (taints the destination
		/// arguments unconditionally), or if any of its signified
/// args are tainted in context of the current CallEvent.		/// args are tainted in context of the current CallEvent.
bool IsMatching = PropSrcArgs.isEmpty();		bool IsMatching = PropSrcArgs.isEmpty();
std::vector<SymbolRef> TaintedSymbols;		std::vector<SymbolRef> TaintedSymbols;
std::vector<ArgIdxTy> TaintedIndexes;		std::vector<ArgIdxTy> TaintedIndexes;
ForEachCallArg([this, &C, &IsMatching, &State, &TaintedSymbols,		ForEachCallArg([this, &C, &IsMatching, &State, &TaintedSymbols,
&TaintedIndexes](ArgIdxTy I, const Expr *E, SVal) {		&TaintedIndexes](ArgIdxTy I, const Expr *E, SVal) {
std::optional<SVal> TaintedSVal =		std::optional<SVal> TaintedSVal =
getTaintedPointeeOrPointer(State, C.getSVal(E));		getTaintedPointeeOrPointer(State, C.getSVal(E));
IsMatching =		IsMatching =
IsMatching \|\| (PropSrcArgs.contains(I) && TaintedSVal.has_value());		IsMatching \|\| (PropSrcArgs.contains(I) && TaintedSVal.has_value());

// We track back tainted arguments except for stdin		// We track back tainted arguments except for stdin
if (TaintedSVal && !isStdin(*TaintedSVal, C.getASTContext())) {		if (TaintedSVal && !isStdin(*TaintedSVal, C.getASTContext())) {
std::vector<SymbolRef> TaintedArgSyms =		std::vector<SymbolRef> TaintedArgSyms =
getTaintedSymbols(State, *TaintedSVal);		getTaintedSymbols(State, *TaintedSVal);
if (!TaintedArgSyms.empty()) {		if (!TaintedArgSyms.empty()) {
llvm::append_range(TaintedSymbols, TaintedArgSyms);		llvm::append_range(TaintedSymbols, TaintedArgSyms);
TaintedIndexes.push_back(I);		TaintedIndexes.push_back(I);
}		}
}		}
});		});

		// Early return for propagation rules which dont match.
		// Matching propagations, Sinks and Filters will pass this point.
if (!IsMatching)		if (!IsMatching)
return;		return;

const auto WouldEscape = [](SVal V, QualType Ty) -> bool {		const auto WouldEscape = [](SVal V, QualType Ty) -> bool {
if (!isa<Loc>(V))		if (!isa<Loc>(V))
return false;		return false;

const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified();		const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified();
const bool IsNonConstPtr =		const bool IsNonConstPtr =
Ty->isPointerType() && !Ty->getPointeeType().isConstQualified();		Ty->isPointerType() && !Ty->getPointeeType().isConstQualified();

return IsNonConstRef \|\| IsNonConstPtr;		return IsNonConstRef \|\| IsNonConstPtr;
};		};

/// Propagate taint where it is necessary.		/// Propagate taint where it is necessary.
auto &F = State->getStateManager().get_context<ArgIdxFactory>();		auto &F = State->getStateManager().get_context<ArgIdxFactory>();
ImmutableSet<ArgIdxTy> Result = F.getEmptySet();		ImmutableSet<ArgIdxTy> Result = F.getEmptySet();
ForEachCallArg(		ForEachCallArg(
[&](ArgIdxTy I, const Expr *E, SVal V) {		[&](ArgIdxTy I, const Expr *E, SVal V) {
steakhalUnsubmitted Not Done Reply Inline Actions Is it only a formatting hunk? I cannot really tell from my phone xd steakhal: Is it only a formatting hunk? I cannot really tell from my phone xd
dkruppAuthorUnsubmitted Done Reply Inline Actions yeap. formatting only. dkrupp: yeap. formatting only.
dkruppAuthorUnsubmitted Done Reply Inline Actions Yes. Only formatting. dkrupp: Yes. Only formatting.
steakhalUnsubmitted Done Reply Inline Actions I would suggest not mixing formatting changes with semantic changes in a single revision. Consider not doing the formatting, or at least format in a different revision. Adding and updating comments are fine. steakhal: I would suggest not mixing formatting changes with semantic changes in a single revision.
dkruppAuthorUnsubmitted Done Reply Inline Actions Yes. I realized. I reverted the formatting change. dkrupp: Yes. I realized. I reverted the formatting change.
if (PropDstArgs.contains(I)) {		if (PropDstArgs.contains(I)) {
LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());		LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
llvm::dbgs()		llvm::dbgs()
<< "> prepares tainting arg index: " << I << '\n';);		<< "> prepares tainting arg index: " << I << '\n';);
Result = F.add(Result, I);		Result = F.add(Result, I);
}		}

		// Taint property gets lost if the variable is passed as a
		// non-const pointer or reference to a function which is
		// not inlined. For matching rules we want to preserve the taintedness.
// TODO: We should traverse all reachable memory regions via the		// TODO: We should traverse all reachable memory regions via the
// escaping parameter. Instead of doing that we simply mark only the		// escaping parameter. Instead of doing that we simply mark only the
// referred memory region as tainted.		// referred memory region as tainted.
if (WouldEscape(V, E->getType())) {		if (WouldEscape(V, E->getType()) && getTaintedPointeeOrPointer(State, V)) {
LLVM_DEBUG(if (!Result.contains(I)) {		LLVM_DEBUG(if (!Result.contains(I)) {
llvm::dbgs() << "PreCall<";		llvm::dbgs() << "PreCall<";
Call.dump(llvm::dbgs());		Call.dump(llvm::dbgs());
llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';		llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
});		});
Result = F.add(Result, I);		Result = F.add(Result, I);
}		}
});		});
		steakhalUnsubmitted Done Reply Inline Actions "a a" -> "a" steakhal: "a a" -> "a"

if (!Result.isEmpty())		if (!Result.isEmpty())
State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);		State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
const NoteTag *InjectionTag = taintOriginTrackerTag(		const NoteTag *InjectionTag = taintOriginTrackerTag(
C, std::move(TaintedSymbols), std::move(TaintedIndexes),		C, std::move(TaintedSymbols), std::move(TaintedIndexes),
		steakhalUnsubmitted Done Reply Inline Actions Why do we need this extra condition? steakhal: Why do we need this extra condition?
		dkruppAuthorUnsubmitted Done Reply Inline Actions That's the heart of the fix. In case we are processing a filter rule, tthe PropDstArgs is empty. Then this part this part without the extra condition put the taintedness back to every pointed to non-const parameter. This is clearly an unwanted behaviour. See also the extra comment. dkrupp: That's the heart of the fix. In case we are processing a filter rule, tthe PropDstArgs is…
		steakhalUnsubmitted Not Done Reply Inline Actions Makes sense. It actually closely follows how we deal with sinks. steakhal: Makes sense. It actually closely follows how we deal with sinks.
Call.getCalleeStackFrame(0));		Call.getCalleeStackFrame(0));
C.addTransition(State, InjectionTag);		C.addTransition(State, InjectionTag);
}		}

bool GenericTaintRule::UntrustedEnv(CheckerContext &C) {		bool GenericTaintRule::UntrustedEnv(CheckerContext &C) {
return !C.getAnalysisManager()		return !C.getAnalysisManager()
.getAnalyzerOptions()		.getAnalyzerOptions()
.ShouldAssumeControlledEnvironment;		.ShouldAssumeControlledEnvironment;
▲ Show 20 Lines • Show All 102 Lines • Show Last 20 Lines

clang/test/Analysis/Inputs/taint-generic-config.yaml

Show First 20 Lines • Show All 63 Lines • ▼ Show 20 Lines	- Name: isOutOfRange2
Args: [0]		Args: [0]

# int x; // x is tainted		# int x; // x is tainted
# myAnotherNamespace::isOutOfRange(&x); // x is not tainted anymore		# myAnotherNamespace::isOutOfRange(&x); // x is not tainted anymore
- Name: isOutOfRange2		- Name: isOutOfRange2
Scope: "myAnotherNamespace::"		Scope: "myAnotherNamespace::"
Args: [0]		Args: [0]

		# char *str; // str is tainted
		# sanitizeCmd(str) // str is not tainted anymore
		- Name: sanitizeCmd
		Args: [0]

# A list of sink functions		# A list of sink functions
Sinks:		Sinks:
# int x, y; // x and y are tainted		# int x, y; // x and y are tainted
# mySink(x, 0, 1); // It will warn		# mySink(x, 0, 1); // It will warn
# mySink(0, 1, y); // It will warn		# mySink(0, 1, y); // It will warn
# mySink(0, x, 1); // It won't warn		# mySink(0, x, 1); // It won't warn
- Name: mySink		- Name: mySink
Args: [0, 2]		Args: [0, 2]
Show All 12 Lines

clang/test/Analysis/taint-generic.c

	Show First 20 Lines • Show All 1,004 Lines • ▼ Show 20 Lines
	}			}

	// Test configuration			// Test configuration
	int mySource1(void);			int mySource1(void);
	void mySource2(int*);			void mySource2(int*);
	void myScanf(const char*, ...);			void myScanf(const char*, ...);
	int myPropagator(int, int*);			int myPropagator(int, int*);
	int mySnprintf(char, size_t, const char, ...);			int mySnprintf(char, size_t, const char, ...);
	bool isOutOfRange(const int*);			bool isOutOfRange(const int*); // const filter function
				void sanitizeCmd(char*); // non-const filter function
				steakhalUnsubmitted Not Done Reply Inline Actions Can you add a case where the parameter points to const? steakhal: Can you add a case where the parameter points to const?
				dkruppAuthorUnsubmitted Not Done Reply Inline Actions The previous isOutOfRange(const int) case is testing the sanitizing when we have a pointer to const. dkrupp:* The previous isOutOfRange(const int*) case is testing the sanitizing when we have a pointer to…
				steakhalUnsubmitted Done Reply Inline Actions Thanks. Good. steakhal: Thanks. Good.
	void mySink(int, int, int);			void mySink(int, int, int);

	void testConfigurationSources1(void) {			void testConfigurationSources1(void) {
	int x = mySource1();			int x = mySource1();
	Buffer[x] = 1; // expected-warning {{Out of bound memory access }}			Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
	}			}

	void testConfigurationSources2(void) {			void testConfigurationSources2(void) {
	Show All 17 Lines

	void testConfigurationFilter(void) {			void testConfigurationFilter(void) {
	int x = mySource1();			int x = mySource1();
	if (isOutOfRange(&x)) // the filter function			if (isOutOfRange(&x)) // the filter function
	return;			return;
	Buffer[x] = 1; // no-warning			Buffer[x] = 1; // no-warning
	}			}

				void testConfigurationFilterNonConst(void) {
				char buffer[1000];
				myScanf("%s", buffer); // makes buffer tainted
				system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
				}

				void testConfigurationFilterNonConst2(void) {
				char buffer[1000];
				myScanf("%s", buffer); // makes buffer tainted
				sanitizeCmd(buffer); // removes taintedness
				steakhalUnsubmitted Not Done Reply Inline Actions Wouldn't it make more sense if depending on the return value of this filter we early return like in the previous examples? steakhal: Wouldn't it make more sense if depending on the return value of this filter we early return…
				dkruppAuthorUnsubmitted Not Done Reply Inline Actions This test case simulates the case when the buffer is passed by reference and the sanitize command actually changes the contents of the buffer. For example removes shell escapes etc. dkrupp: This test case simulates the case when the buffer is passed by reference and the sanitize…
				steakhalUnsubmitted Not Done Reply Inline Actions Then have a void return type for it please. steakhal: Then have a void return type for it please.
				system(buffer); // no-warning
				}

	void testConfigurationSinks(void) {			void testConfigurationSinks(void) {
	int x = mySource1();			int x = mySource1();
	mySink(x, 1, 2);			mySink(x, 1, 2);
	// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}			// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
	mySink(1, x, 2); // no-warning			mySink(1, x, 2); // no-warning
	mySink(1, 2, x);			mySink(1, 2, x);
	// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}			// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
	}			}
	Show All 21 Lines