This is an archive of the discontinued LLVM Phabricator instance.

Differential D159109

[analyzer] CStringChecker buffer access checks should check the first bytes
ClosedPublic

Authored by steakhal on Aug 29 2023, 8:21 AM.

Details

Reviewers
NoQ
xazax.hun
donat.nagy
Szelethus
Commits
rG706afc977882: Fixup "[analyzer] CStringChecker buffer access checks should check the first…
rG0954dc3fb921: [analyzer] CStringChecker buffer access checks should check the first bytes
Summary

By not checking if the first byte of the buffer is accessible,
we missed some reports in the Juliet benchmark.

(Juliet CWE-124 Buffer Underwrite: memcpy, memmove)

Depends on D159108

Diff Detail

Event Timeline

steakhal created this revision.Aug 29 2023, 8:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 8:21 AM
Herald added subscribers: manas, ASDenysPetrov, martong and 5 others. · View Herald Transcript
steakhal requested review of this revision.Aug 29 2023, 8:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 29 2023, 8:21 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B255544: Diff 554355.Aug 29 2023, 11:19 AM
donat.nagy accepted this revision.Aug 30 2023, 3:37 AM

LGTM if the test results are also good.

This revision is now accepted and ready to land.Aug 30 2023, 3:37 AM
steakhal mentioned this in D159105: [analyzer] ArrayBoundCheckerV2 should check the region for taint as well.Sep 1 2023, 5:12 AM
xazax.hun accepted this revision.Sep 1 2023, 5:15 PM

LG!

This revision was landed with ongoing or failed builds.Sep 11 2023, 5:21 AM
Closed by commit rG0954dc3fb921: [analyzer] CStringChecker buffer access checks should check the first bytes (authored by steakhal). · Explain Why
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG0954dc3fb921: [analyzer] CStringChecker buffer access checks should check the first bytes.
steakhal added a commit: rG706afc977882: Fixup "[analyzer] CStringChecker buffer access checks should check the first….Sep 11 2023, 6:01 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
10 lines
test/
Analysis/
19 lines

Diff 556421

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 474 Lines▼ Show 20 LinesCStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
State = checkNonNull(C, State, Buffer, BufVal); State = checkNonNull(C, State, Buffer, BufVal);
if (!State) if (!State)
return nullptr; return nullptr;
// If out-of-bounds checking is turned off, skip the rest. // If out-of-bounds checking is turned off, skip the rest.
if (!Filter.CheckCStringOutOfBounds) if (!Filter.CheckCStringOutOfBounds)
return State; return State;
SVal BufStart =
svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
// Check if the first byte of the buffer is accessible.
State = CheckLocation(C, State, Buffer, BufStart, Access, CK);
if (!State)
return nullptr;
// Get the access length and make sure it is known. // Get the access length and make sure it is known.
// FIXME: This assumes the caller has already checked that the access length // FIXME: This assumes the caller has already checked that the access length
// is positive. And that it's unsigned. // is positive. And that it's unsigned.
SVal LengthVal = C.getSVal(Size.Expression); SVal LengthVal = C.getSVal(Size.Expression);
std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>(); std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length) if (!Length)
return State; return State;
// Compute the offset of the last element to be accessed: size-1. // Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>(); NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>();
SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy); SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
if (Offset.isUnknown()) if (Offset.isUnknown())
return nullptr; return nullptr;
NonLoc LastOffset = Offset.castAs<NonLoc>(); NonLoc LastOffset = Offset.castAs<NonLoc>();
// Check that the first buffer is sufficiently long. // Check that the first buffer is sufficiently long.
SVal BufStart =
svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
if (std::optional<Loc> BufLoc = BufStart.getAs<Loc>()) { if (std::optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
SVal BufEnd = SVal BufEnd =
svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy); svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
State = CheckLocation(C, State, Buffer, BufEnd, Access, CK); State = CheckLocation(C, State, Buffer, BufEnd, Access, CK);
// If the buffer isn't large enough, abort. // If the buffer isn't large enough, abort.
if (!State) if (!State)
▲ Show 20 LinesShow All 2,158 LinesShow Last 20 Lines

clang/test/Analysis/string.c

Show First 20 LinesShow All 65 Lines▼ Show 20 Lines
#define NULL 0 #define NULL 0
typedef typeof(sizeof(int)) size_t; typedef typeof(sizeof(int)) size_t;
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
int scanf(const char *restrict format, ...); int scanf(const char *restrict format, ...);
void *malloc(size_t); void *malloc(size_t);
void free(void *); void free(void *);
void *memcpy(void *dest, const void *src, unsigned long n);
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// strlen() // strlen()
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
#define strlen BUILTIN(strlen) #define strlen BUILTIN(strlen)
size_t strlen(const char *s); size_t strlen(const char *s);
▲ Show 20 LinesShow All 1,626 Lines▼ Show 20 Linesvoid CWE124_Buffer_Underwrite__malloc_char_ncpy() {
char source[100]; char source[100];
memset(source, 'C', 100-1); // fill with 'C's memset(source, 'C', 100-1); // fill with 'C's
source[100-1] = '\0'; // null terminate source[100-1] = '\0'; // null terminate
strncpy(data, source, 100-1); // expected-warning {{String copy function overflows the destination buffer}} strncpy(data, source, 100-1); // expected-warning {{String copy function overflows the destination buffer}}
data[100-1] = '\0'; // null terminate data[100-1] = '\0'; // null terminate
free(dataBuffer); free(dataBuffer);
} }
#endif #endif
#ifndef SUPPRESS_OUT_OF_BOUND
void CWE124_Buffer_Underwrite__malloc_char_memcpy() {
char * dataBuffer = (char *)malloc(100*sizeof(char));
if (dataBuffer == NULL) return;
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
char *data = dataBuffer - 8;
char source[100];
memset(source, 'C', 100-1); // fill with 'C's
source[100-1] = '\0'; // null terminate
memcpy(data, source, 100*sizeof(char)); // expected-warning {{Memory copy function overflows the destination buffer}}
data[100-1] = '\0';
free(dataBuffer);
}
#endif