This is an archive of the discontinued LLVM Phabricator instance.

Differential D159108

[analyzer] CStringChecker should check the first byte of the destination of strcpy, strncpy
ClosedPublic

Authored by steakhal on Aug 29 2023, 8:21 AM.

Details

Reviewers
NoQ
xazax.hun
donat.nagy
Szelethus
Commits
rGc3a87ddad62a: [analyzer] CStringChecker should check the first byte of the destination of…
Summary

By not checking if the first byte of the destination of strcpy and
strncpy is writable, we missed some reports in the Juliet benchmark.

(Juliet CWE-124 Buffer Underwrite: strcpy, strncpy)

Diff Detail

Event Timeline

steakhal created this revision.Aug 29 2023, 8:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 8:21 AM
Herald added subscribers: manas, ASDenysPetrov, martong and 5 others. · View Herald Transcript
steakhal requested review of this revision.Aug 29 2023, 8:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 8:21 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a child revision: D159109: [analyzer] CStringChecker buffer access checks should check the first bytes.Aug 29 2023, 8:21 AM
Harbormaster completed remote builds in B255543: Diff 554354.Aug 29 2023, 11:53 AM
donat.nagy accepted this revision.Aug 30 2023, 3:38 AM

LGTM if the test results are good.

This revision is now accepted and ready to land.Aug 30 2023, 3:38 AM
steakhal mentioned this in D159105: [analyzer] ArrayBoundCheckerV2 should check the region for taint as well.Sep 1 2023, 5:12 AM
xazax.hun accepted this revision.Sep 1 2023, 5:05 PM

LG!

steakhal edited the summary of this revision. (Show Details)Sep 11 2023, 5:13 AM
steakhal removed a parent revision: D159107: [analyzer] ArrayBoundCheckerV2 should disallow forming lvalues to out-of-bounds locations.
Closed by commit rGc3a87ddad62a: [analyzer] CStringChecker should check the first byte of the destination of… (authored by steakhal). · Explain WhySep 11 2023, 5:21 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rGc3a87ddad62a: [analyzer] CStringChecker should check the first byte of the destination of….

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
10 lines
test/
Analysis/
46 lines

Diff 556420

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 2,003 Lines▼ Show 20 Lines if (std::optional<loc::MemRegionVal> dstRegVal =
QualType ptrTy = Dst.Expression->getType(); QualType ptrTy = Dst.Expression->getType();
// If we have an exact value on a bounded copy, use that to check for // If we have an exact value on a bounded copy, use that to check for
// overflows, rather than our estimate about how much is actually copied. // overflows, rather than our estimate about how much is actually copied.
if (std::optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) { if (std::optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
SVal maxLastElement = SVal maxLastElement =
svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy); svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);
// Check if the first byte of the destination is writable.
state = CheckLocation(C, state, Dst, DstVal, AccessKind::write);
if (!state)
return;
// Check if the last byte of the destination is writable.
state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write); state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
if (!state) if (!state)
return; return;
} }
// Then, if the final length is known... // Then, if the final length is known...
if (std::optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) { if (std::optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
*knownStrLength, ptrTy); *knownStrLength, ptrTy);
// ...and we haven't checked the bound, we'll check the actual copy. // ...and we haven't checked the bound, we'll check the actual copy.
if (!boundWarning) { if (!boundWarning) {
// Check if the first byte of the destination is writable.
state = CheckLocation(C, state, Dst, DstVal, AccessKind::write);
if (!state)
return;
// Check if the last byte of the destination is writable.
state = CheckLocation(C, state, Dst, lastElement, AccessKind::write); state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
if (!state) if (!state)
return; return;
} }
// If this is a stpcpy-style copy, the last element is the return value. // If this is a stpcpy-style copy, the last element is the return value.
if (returnPtr && ReturnEnd) if (returnPtr && ReturnEnd)
Result = lastElement; Result = lastElement;
▲ Show 20 LinesShow All 625 LinesShow Last 20 Lines

clang/test/Analysis/string.c

Show First 20 LinesShow All 1,661 Lines▼ Show 20 Linesvoid strcpy_no_overflow_2(char *y) {
strcpy(x, "12\0"); // expected-warning{{String copy function overflows the destination buffer}} strcpy(x, "12\0"); // expected-warning{{String copy function overflows the destination buffer}}
} }
#else #else
void strcpy_no_overflow_2(char *y) { void strcpy_no_overflow_2(char *y) {
char x[3]; char x[3];
strcpy(x, "12\0"); strcpy(x, "12\0");
} }
#endif #endif
#ifndef SUPPRESS_OUT_OF_BOUND
void testStrcpyDestinationWritableFirstByte(void) {
char dst[10];
char *p = dst - 8;
strcpy(p, "src"); // expected-warning {{String copy function overflows the destination buffer}}
}
void CWE124_Buffer_Underwrite__malloc_char_cpy() {
char * dataBuffer = (char *)malloc(100*sizeof(char));
if (dataBuffer == NULL) return;
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
char * data = dataBuffer - 8;
char source[100];
memset(source, 'C', 100-1); // fill with 'C's
source[100-1] = '\0'; // null terminate
strcpy(data, source); // expected-warning {{String copy function overflows the destination buffer}}
free(dataBuffer);
}
#endif
#ifndef SUPPRESS_OUT_OF_BOUND
void testStrncpyDestinationWritableFirstByte(void) {
char source[100];
use_string(source); // escape
char buf[100];
char *p = buf - 8;
strncpy(p, source, 100-1); // expected-warning {{String copy function overflows the destination buffer}}
}
void CWE124_Buffer_Underwrite__malloc_char_ncpy() {
char * dataBuffer = (char *)malloc(100*sizeof(char));
if (dataBuffer == 0) return;
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
char *data = dataBuffer - 8;
char source[100];
memset(source, 'C', 100-1); // fill with 'C's
source[100-1] = '\0'; // null terminate
strncpy(data, source, 100-1); // expected-warning {{String copy function overflows the destination buffer}}
data[100-1] = '\0'; // null terminate
free(dataBuffer);
}
#endif