This is an archive of the discontinued LLVM Phabricator instance.

Differential D44143

[clang-tidy] Create properly seeded random generator check
ClosedPublic

Authored by boga95 on Mar 6 2018, 3:58 AM.

Details

Reviewers
aaron.ballman
hokein
ilya-biryukov
Summary

This check flags all pseudo-random number engines and engine adaptors instantiations when it initialized or seeded with default argument or a constant expression. Pseudo-random number engines seeded with a predictable value may cause vulnerabilities e.g. in security protocols.
This is a CERT security rule, see MSC51-CPP.

Example:

void foo() {
    std::mt19937 engine1; // Bad, always generate the same sequence
    std::mt19937 engine2(1); // Bad
    engine1.seed(); // Bad
    engine2.seed(1); // Bad
    
    std::time_t t;
    engine1.seed(std::time(&t)); // Bad, system time might be controlled by user

    std::random_device dev;
    std::mt19937 engine3(dev()); // Good
}

Diff Detail

Event Timeline

boga95 created this revision.Mar 6 2018, 3:58 AM
Herald added subscribers: cfe-commits, mgorny. · View Herald TranscriptMar 6 2018, 3:58 AM
aaron.ballman added a subscriber: aaron.ballman.Mar 6 2018, 5:51 AM

Thank you for working on this check!

Do you think it might be possible to also add a check for cert-msc32-c that handles the C side of things, and use a common check to implement both? C won't ever have the C++'isms, but C++ can certainly abuse std::srand() so it seems like there's at least some overlap.

clang-tidy/cert/CERTTidyModule.cpp
43

The name should be cert-msc51-cpp (and categorized with the other msc checks).

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.cpp
23–25

These should be using fully-qualified names, like ::std::mersenne_twister_engine. Also, I think this list should be configurable so that users can add their own engines if needed.

67

Formatting looks off here.

72

The diagnostics here aren't quite correct -- a random_device isn't *required*. For instance, it's also fine to open up /dev/random and read a seed's worth of bytes. I think a better phrasing might be: random number generator seeded with a default argument will generate a predictable sequence of values.

78–79

I'd probably use similar wording here: random number generator seeded with a constant value will generate a predictable sequence of values.

You can combine these diagnostics and use %select{}0 to choose between the variants.

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.h
34–35

It seems like this should be a private function rather than public.

docs/clang-tidy/checks/cert-properly-seeded-random-generator.rst
3 ↗(On Diff #137151)

When renaming the check, be sure to update titles, file names, etc.

7 ↗(On Diff #137151)

Remove "it".

22–23 ↗(On Diff #137151)

There's no test case for this test, and I don't think this code would generate a diagnostic in the current check form. This might require a (user-configurable) list of disallowed sources of seed values. For instance, it should diagnose when called with a time_t value or a direct call to a time function, but it need not diagnose if the value is somehow obscured. e.g.,

unsigned get_seed() { std::time_t t; return std::time(&t); }
engine1.seed(get_seed()); // No diagnostic required
aaron.ballman edited reviewers, added: aaron.ballman, alexfh; removed: Restricted Project.Mar 6 2018, 5:52 AM
aaron.ballman removed a subscriber: aaron.ballman.
Quuxplusone added a subscriber: Quuxplusone.Mar 6 2018, 11:15 AM
Quuxplusone added inline comments.
docs/clang-tidy/checks/cert-properly-seeded-random-generator.rst
26 ↗(On Diff #137151)

Seeding MT19937 with a single 32-bit integer is not "Good". It makes the seed super easy to brute-force; and for example, engine3 will never produce 7 or 13 as its first output.
http://www.pcg-random.org/posts/cpp-seeding-surprises.html

This doesn't affect the implementation or usefulness of this clang-tidy check, which is pretty nifty. I merely object to marking this sample code with the comment "Good" in official documentation. It should be marked "Will not warn" at best. Or replace it with something slightly more realistic, e.g.

int x = atoi(argv[1]);
std::mt19937 engine3(x);  // Will not warn

As Aaron said above, seeding with the current time is approximately as good an idea, and "will not warn" with the current diagnostic either.

The correct way to seed a PRNG is to initialize the entire state with random bits, not just 32 bits of the state. This can be done, but not yet in standard C++: http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0205r0.html

test/clang-tidy/cert-properly-seeded-random-generator.cpp
76 ↗(On Diff #137151)

Is the diagnostic suppressed if seed is a template parameter? (Not that I'd do this. It's just a corner case I thought of.)

boga95 added a subscriber: xazax.hun.Mar 7 2018, 12:16 PM
boga95 updated this revision to Diff 137915.Mar 10 2018, 10:24 AM
boga95 marked an inline comment as done.

Add capability to provide a user-configurable list of disallowed types which will trigger warning. Now it also detects C srand function. Rename check to cert-msc51-cpp. Add cert-msc32-c check. Change warning messages. Other minor fixes.

lebedev.ri retitled this revision from Create properly seeded random generator check to [clang-tidy] Create properly seeded random generator check.Mar 10 2018, 10:27 AM
boga95 marked 4 inline comments as done.Mar 12 2018, 12:42 PM
boga95 added a subscriber: szepet.
boga95 added inline comments.
test/clang-tidy/cert-properly-seeded-random-generator.cpp
76 ↗(On Diff #137151)

Hopefully, it is not suppressed.

aaron.ballman added inline comments.Mar 12 2018, 5:20 PM
clang-tidy/cert/CERTTidyModule.cpp
40

This change looks unrelated to the patch.

44

This change looks unrelated to the patch.

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.cpp
36–38

These should be full-qualified names.

75

I think that in C mode, this is fine, but in C++ mode it should register ::std::srand.

115

You can use llvm::find() instead.

docs/clang-tidy/checks/cert-msc51-cpp.rst
8

Backticks around srand

12

Should link to the CERT rule, and also link to the C CERT rule.

Eugene.Zelenko added a subscriber: Eugene.Zelenko.Mar 13 2018, 11:25 AM
Eugene.Zelenko added inline comments.
docs/ReleaseNotes.rst
63

Please replace srand with `srand ()`.

docs/clang-tidy/checks/cert-msc51-cpp.rst
8

Two of them and please add (). Will be good idea to make first statement same as in Release Notes.

30

Is there guideline documentation available online? If so, please add link. See other checks documentation as example.

Eugene.Zelenko added reviewers: hokein, ilya-biryukov.Mar 13 2018, 11:26 AM
alexfh removed a reviewer: alexfh.Mar 14 2018, 6:08 AM
boga95 updated this revision to Diff 144336.Apr 27 2018, 6:53 AM
aaron.ballman added a comment.May 2 2018, 5:57 AM

This is getting closer, but it seems there are still unresolved comments from reviewers. Are you planning to resolve those as well?

dkrupp added a subscriber: dkrupp.May 25 2018, 4:12 AM
boga95 marked 12 inline comments as done.Jun 24 2018, 11:47 AM

I think I resolved all of the comments. Do I forget anything?

clang-tidy/cert/CERTTidyModule.cpp
44

Clang format did it when I apply it to the whole file.

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.cpp
75

It is not match for ::std::srand, just for ::srand. I found some examples, but I think they don't work neither.

docs/clang-tidy/checks/cert-msc51-cpp.rst
30

There is a guideline here.

aaron.ballman added inline comments.Jun 25 2018, 5:17 AM
clang-tidy/cert/CERTTidyModule.cpp
44

You should clang-format the patch, not the entire file. See https://clang.llvm.org/docs/ClangFormat.html#script-for-patch-reformatting for details.

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.cpp
75

As it stands, I'm not certain whether this will match code like std::srand(0);. Please add a test case to the C++ tests for it as it should be handled.

docs/clang-tidy/checks/cert-msc51-cpp.rst
8

This comment still has not been handled. Also, please remove the space between srand and the parens.

boga95 updated this revision to Diff 152778.Jun 25 2018, 2:48 PM
boga95 marked 3 inline comments as done.

Add std::srand check to C++ tests. Format patch.

aaron.ballman added inline comments.Jun 27 2018, 11:08 AM
clang-tidy/cert/ProperlySeededRandomGeneratorCheck.cpp
25

In order to conform to CERT's rules, I think this needs a default string of at least time_t and std::time_t.

docs/ReleaseNotes.rst
60

You should also add a note for cert-msc32-c.

docs/clang-tidy/checks/cert-msc51-cpp.rst
8

Please add double backticks around srand() instead of single backticks.

29

Instead of using "Bad" in the comments, it would be good to use "diagnose" or "error" instead.

Note that for this one, in particular, the default behavior is to *not* diagnose, which means this check doesn't really conform to CERT's rules.

boga95 updated this revision to Diff 153169.Jun 27 2018, 1:45 PM
boga95 marked 3 inline comments as done.
boga95 updated this revision to Diff 153172.Jun 27 2018, 1:53 PM
boga95 marked 3 inline comments as done.
aaron.ballman accepted this revision.Jun 28 2018, 10:10 AM

LGTM with a small documentation nit.

docs/clang-tidy/checks/cert-msc51-cpp.rst
40

You should list the default values here explicitly.

This revision is now accepted and ready to land.Jun 28 2018, 10:10 AM
boga95 updated this revision to Diff 153655.Jul 1 2018, 1:52 PM
aaron.ballman added a comment.Jul 3 2018, 3:36 PM

This still LGTM; do you need someone to commit on your behalf?

boga95 added a comment.Jul 4 2018, 12:24 PM

How can I commit it?

docs/clang-tidy/checks/cert-msc51-cpp.rst
8

Should I use double backticks in release notes too?

aaron.ballman closed this revision.Jul 4 2018, 6:22 PM
In D44143#1152550, @boga95 wrote:

How can I commit it?

You need to have obtained commit access first. I went ahead and committed on your behalf in r336301. Thank you for the patch!

docs/clang-tidy/checks/cert-msc51-cpp.rst
8

Good catch; I'll add those when I commit.

Revision Contents

PathSize
clang-tidy/
cert/
5 lines
1 line
47 lines
124 lines
docs/
10 lines
clang-tidy/
checks/
9 lines
40 lines
test/
clang-tidy/
27 lines
210 lines

Diff 153655

clang-tidy/cert/CERTTidyModule.cpp

Context not available.
#include "FloatLoopCounter.h" #include "FloatLoopCounter.h"
#include "LimitedRandomnessCheck.h" #include "LimitedRandomnessCheck.h"
#include "PostfixOperatorCheck.h" #include "PostfixOperatorCheck.h"
#include "ProperlySeededRandomGeneratorCheck.h"
#include "SetLongJmpCheck.h" #include "SetLongJmpCheck.h"
#include "StaticObjectExceptionCheck.h" #include "StaticObjectExceptionCheck.h"
#include "StrToNumCheck.h" #include "StrToNumCheck.h"
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

The name should be cert-msc51-cpp (and categorized with the other msc checks).

aaron.ballman: The name should be `cert-msc51-cpp` (and categorized with the other msc checks).
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

This change looks unrelated to the patch.

aaron.ballman: This change looks unrelated to the patch.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

This change looks unrelated to the patch.

aaron.ballman: This change looks unrelated to the patch.
boga95AuthorUnsubmitted
Not Done
ReplyInline Actions

Clang format did it when I apply it to the whole file.

boga95: Clang format did it when I apply it to the whole file.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

You should clang-format the patch, not the entire file. See https://clang.llvm.org/docs/ClangFormat.html#script-for-patch-reformatting for details.

aaron.ballman: You should clang-format the patch, not the entire file. See https://clang.llvm.
Context not available.
"cert-err61-cpp"); "cert-err61-cpp");
// MSC // MSC
CheckFactories.registerCheck<LimitedRandomnessCheck>("cert-msc50-cpp"); CheckFactories.registerCheck<LimitedRandomnessCheck>("cert-msc50-cpp");
CheckFactories.registerCheck<ProperlySeededRandomGeneratorCheck>(
"cert-msc51-cpp");
// C checkers // C checkers
// DCL // DCL
Context not available.
CheckFactories.registerCheck<StrToNumCheck>("cert-err34-c"); CheckFactories.registerCheck<StrToNumCheck>("cert-err34-c");
// MSC // MSC
CheckFactories.registerCheck<LimitedRandomnessCheck>("cert-msc30-c"); CheckFactories.registerCheck<LimitedRandomnessCheck>("cert-msc30-c");
CheckFactories.registerCheck<ProperlySeededRandomGeneratorCheck>(
"cert-msc32-c");
} }
}; };
Context not available.

clang-tidy/cert/CMakeLists.txt

Context not available.
FloatLoopCounter.cpp FloatLoopCounter.cpp
LimitedRandomnessCheck.cpp LimitedRandomnessCheck.cpp
PostfixOperatorCheck.cpp PostfixOperatorCheck.cpp
ProperlySeededRandomGeneratorCheck.cpp
SetLongJmpCheck.cpp SetLongJmpCheck.cpp
StaticObjectExceptionCheck.cpp StaticObjectExceptionCheck.cpp
StrToNumCheck.cpp StrToNumCheck.cpp
Context not available.

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.h

  • This file was added.
//===--- ProperlySeededRandomGeneratorCheck.h - clang-tidy-------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_PROPERLY_SEEDED_RANDOM_GENERATOR_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_PROPERLY_SEEDED_RANDOM_GENERATOR_H
#include "../ClangTidy.h"
#include <string>
namespace clang {
namespace tidy {
namespace cert {
/// Random number generator must be seeded properly.
///
/// A random number generator initialized with default value or a
/// constant expression is a security vulnerability.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/cert-properly-seeded-random-generator.html
class ProperlySeededRandomGeneratorCheck : public ClangTidyCheck {
public:
ProperlySeededRandomGeneratorCheck(StringRef Name, ClangTidyContext *Context);
void storeOptions(ClangTidyOptions::OptionMap &Opts) override;
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
private:
template <class T>
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

It seems like this should be a private function rather than public.

aaron.ballman: It seems like this should be a private function rather than public.
void checkSeed(const ast_matchers::MatchFinder::MatchResult &Result,
const T *Func);
std::string RawDisallowedSeedTypes;
SmallVector<StringRef, 5> DisallowedSeedTypes;
};
} // namespace cert
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_PROPERLY_SEEDED_RANDOM_GENERATOR_H

clang-tidy/cert/ProperlySeededRandomGeneratorCheck.cpp

  • This file was added.
//===--- ProperlySeededRandomGeneratorCheck.cpp - clang-tidy---------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "ProperlySeededRandomGeneratorCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "llvm/ADT/STLExtras.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace cert {
ProperlySeededRandomGeneratorCheck::ProperlySeededRandomGeneratorCheck(
StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context),
RawDisallowedSeedTypes(
Options.get("DisallowedSeedTypes", "time_t,std::time_t")) {
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

These should be using fully-qualified names, like ::std::mersenne_twister_engine. Also, I think this list should be configurable so that users can add their own engines if needed.

aaron.ballman: These should be using fully-qualified names, like `::std::mersenne_twister_engine`. Also, I…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

In order to conform to CERT's rules, I think this needs a default string of at least time_t and std::time_t.

aaron.ballman: In order to conform to CERT's rules, I think this needs a default string of at least `time_t`…
StringRef(RawDisallowedSeedTypes).split(DisallowedSeedTypes, ',');
}
void ProperlySeededRandomGeneratorCheck::storeOptions(
ClangTidyOptions::OptionMap &Opts) {
Options.store(Opts, "DisallowedSeedTypes", RawDisallowedSeedTypes);
}
void ProperlySeededRandomGeneratorCheck::registerMatchers(MatchFinder *Finder) {
auto RandomGeneratorEngineDecl = cxxRecordDecl(hasAnyName(
"::std::linear_congruential_engine", "::std::mersenne_twister_engine",
"::std::subtract_with_carry_engine", "::std::discard_block_engine",
"::std::independent_bits_engine", "::std::shuffle_order_engine"));
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

These should be full-qualified names.

aaron.ballman: These should be full-qualified names.
auto RandomGeneratorEngineTypeMatcher = hasType(hasUnqualifiedDesugaredType(
recordType(hasDeclaration(RandomGeneratorEngineDecl))));
// std::mt19937 engine;
// engine.seed();
// ^
// engine.seed(1);
// ^
// const int x = 1;
// engine.seed(x);
// ^
Finder->addMatcher(
cxxMemberCallExpr(
has(memberExpr(has(declRefExpr(RandomGeneratorEngineTypeMatcher)),
member(hasName("seed")),
unless(hasDescendant(cxxThisExpr())))))
.bind("seed"),
this);
// std::mt19937 engine;
// ^
// std::mt19937 engine(1);
// ^
// const int x = 1;
// std::mt19937 engine(x);
// ^
Finder->addMatcher(
cxxConstructExpr(RandomGeneratorEngineTypeMatcher).bind("ctor"), this);
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Formatting looks off here.

aaron.ballman: Formatting looks off here.
// srand();
// ^
// const int x = 1;
// srand(x);
// ^
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

The diagnostics here aren't quite correct -- a random_device isn't *required*. For instance, it's also fine to open up /dev/random and read a seed's worth of bytes. I think a better phrasing might be: random number generator seeded with a default argument will generate a predictable sequence of values.

aaron.ballman: The diagnostics here aren't quite correct -- a `random_device` isn't *required*. For instance…
Finder->addMatcher(
callExpr(callee(functionDecl(hasAnyName("::srand", "::std::srand"))))
.bind("srand"),
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

I think that in C mode, this is fine, but in C++ mode it should register ::std::srand.

aaron.ballman: I think that in C mode, this is fine, but in C++ mode it should register `::std::srand`.
boga95AuthorUnsubmitted
Not Done
ReplyInline Actions

It is not match for ::std::srand, just for ::srand. I found some examples, but I think they don't work neither.

boga95: It is not match for ##::std::srand##, just for ##::srand##. I found some examples, but I think…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

As it stands, I'm not certain whether this will match code like std::srand(0);. Please add a test case to the C++ tests for it as it should be handled.

aaron.ballman: As it stands, I'm not certain whether this will match code like `std::srand(0);`. Please add a…
this);
}
void ProperlySeededRandomGeneratorCheck::check(
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

I'd probably use similar wording here: random number generator seeded with a constant value will generate a predictable sequence of values.

You can combine these diagnostics and use %select{}0 to choose between the variants.

aaron.ballman: I'd probably use similar wording here: `random number generator seeded with a constant value…
const MatchFinder::MatchResult &Result) {
const auto *Ctor = Result.Nodes.getNodeAs<CXXConstructExpr>("ctor");
if (Ctor)
checkSeed(Result, Ctor);
const auto *Func = Result.Nodes.getNodeAs<CXXMemberCallExpr>("seed");
if (Func)
checkSeed(Result, Func);
const auto *Srand = Result.Nodes.getNodeAs<CallExpr>("srand");
if (Srand)
checkSeed(Result, Srand);
}
template <class T>
void ProperlySeededRandomGeneratorCheck::checkSeed(
const MatchFinder::MatchResult &Result, const T *Func) {
if (Func->getNumArgs() == 0 || Func->getArg(0)->isDefaultArgument()) {
diag(Func->getExprLoc(),
"random number generator seeded with a default argument will generate "
"a predictable sequence of values");
return;
}
llvm::APSInt Value;
if (Func->getArg(0)->EvaluateAsInt(Value, *Result.Context)) {
diag(Func->getExprLoc(),
"random number generator seeded with a constant value will generate a "
"predictable sequence of values");
return;
}
const std::string SeedType(
Func->getArg(0)->IgnoreCasts()->getType().getAsString());
if (llvm::find(DisallowedSeedTypes, SeedType) != DisallowedSeedTypes.end()) {
diag(Func->getExprLoc(),
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

You can use llvm::find() instead.

aaron.ballman: You can use `llvm::find()` instead.
"random number generator seeded with a disallowed source of seed "
"value will generate a predictable sequence of values");
return;
}
}
} // namespace cert
} // namespace tidy
} // namespace clang

docs/ReleaseNotes.rst

Context not available.
Improvements to clang-tidy Improvements to clang-tidy
-------------------------- --------------------------
- New `cert-msc51-cpp
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

You should also add a note for cert-msc32-c.

aaron.ballman: You should also add a note for cert-msc32-c.
<http://clang.llvm.org/extra/clang-tidy/checks/cert-properly-seeded-random-generator.html>`_ check
Detects inappropriate seeding of C++ random generators and C `srand()` function.
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please replace srand with `srand ()`.

Eugene.Zelenko: Please replace srand with ``srand ()``.
- New `cert-msc32-c
<http://clang.llvm.org/extra/clang-tidy/checks/cert-properly-seeded-random-generator.html>`_ check
Detects inappropriate seeding of `srand()` function.
- The 'misc-incorrect-roundings' check was renamed to `bugprone-incorrect-roundings - The 'misc-incorrect-roundings' check was renamed to `bugprone-incorrect-roundings
<http://clang.llvm.org/extra/clang-tidy/checks/bugprone-incorrect-roundings.html>`_ <http://clang.llvm.org/extra/clang-tidy/checks/bugprone-incorrect-roundings.html>`_
Context not available.

docs/clang-tidy/checks/cert-msc32-c.rst

  • This file was added.
.. title:: clang-tidy - cert-msc32-c
.. meta::
:http-equiv=refresh: 5;URL=cert-msc51-cpp.html
cert-msc32-c
============
The cert-msc32-c check is an alias, please see
`cert-msc51-cpp <cert-msc51-cpp.html>`_ for more information.

docs/clang-tidy/checks/cert-msc51-cpp.rst

  • This file was added.
.. title:: clang-tidy - cert-msc51-cpp
cert-msc51-cpp
==============
This check flags all pseudo-random number engines, engine adaptor
instantiations and ``srand()`` when initialized or seeded with default argument,
constant expression or any user-configurable type. Pseudo-random number
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Backticks around srand

aaron.ballman: Backticks around `srand`
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Two of them and please add (). Will be good idea to make first statement same as in Release Notes.

Eugene.Zelenko: Two of them and please add (). Will be good idea to make first statement same as in Release…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

This comment still has not been handled. Also, please remove the space between srand and the parens.

aaron.ballman: This comment still has not been handled. Also, please remove the space between `srand` and the…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Please add double backticks around srand() instead of single backticks.

aaron.ballman: Please add double backticks around `srand()` instead of single backticks.
boga95AuthorUnsubmitted
Not Done
ReplyInline Actions

Should I use double backticks in release notes too?

boga95: Should I use double backticks in release notes too?
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Good catch; I'll add those when I commit.

aaron.ballman: Good catch; I'll add those when I commit.
engines seeded with a predictable value may cause vulnerabilities e.g. in
security protocols.
This is a CERT security rule, see
`MSC51-CPP. Ensure your random number generator is properly seeded
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Should link to the CERT rule, and also link to the C CERT rule.

aaron.ballman: Should link to the CERT rule, and also link to the C CERT rule.
<https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded>`_ and
`MSC32-C. Properly seed pseudorandom number generators
<https://wiki.sei.cmu.edu/confluence/display/c/MSC32-C.+Properly+seed+pseudorandom+number+generators>`_.
Examples:
.. code-block:: c++
void foo() {
std::mt19937 engine1; // Diagnose, always generate the same sequence
std::mt19937 engine2(1); // Diagnose
engine1.seed(); // Diagnose
engine2.seed(1); // Diagnose
std::time_t t;
engine1.seed(std::time(&t)); // Diagnose, system time might be controlled by user
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Instead of using "Bad" in the comments, it would be good to use "diagnose" or "error" instead.

Note that for this one, in particular, the default behavior is to *not* diagnose, which means this check doesn't really conform to CERT's rules.

aaron.ballman: Instead of using "Bad" in the comments, it would be good to use "diagnose" or "error" instead.
int x = atoi(argv[1]);
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Is there guideline documentation available online? If so, please add link. See other checks documentation as example.

Eugene.Zelenko: Is there guideline documentation available online? If so, please add link. See other checks…
boga95AuthorUnsubmitted
Not Done
ReplyInline Actions

There is a guideline here.

boga95: There is a guideline [[ http://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html…
std::mt19937 engine3(x); // Will not warn
}
Options
-------
.. option:: DisallowedSeedTypes
A comma-separated list of the type names which are disallowed.
Default values are ``time_t``, ``std::time_t``.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

You should list the default values here explicitly.

aaron.ballman: You should list the default values here explicitly.

test/clang-tidy/cert-msc32-c.c

  • This file was added.
// RUN: %check_clang_tidy %s cert-msc32-c %t -- -config="{CheckOptions: [{key: cert-msc32-c.DisallowedSeedTypes, value: 'some_type,time_t'}]}" -- -std=c99
void srand(int seed);
typedef int time_t;
time_t time(time_t *t);
void f() {
srand(1);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc32-c]
const int a = 1;
srand(a);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc32-c]
time_t t;
srand(time(&t)); // Disallowed seed type
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc32-c]
}
void g() {
typedef int user_t;
user_t a = 1;
srand(a);
int b = 1;
srand(b); // Can not evaluate as int
}

test/clang-tidy/cert-msc51-cpp.cpp

  • This file was added.
// RUN: %check_clang_tidy %s cert-msc51-cpp %t -- -config="{CheckOptions: [{key: cert-msc51-cpp.DisallowedSeedTypes, value: 'some_type,time_t'}]}" -- -std=c++11
namespace std {
void srand(int seed);
template <class UIntType, UIntType a, UIntType c, UIntType m>
struct linear_congruential_engine {
linear_congruential_engine(int _ = 0);
void seed(int _ = 0);
};
using default_random_engine = linear_congruential_engine<unsigned int, 1, 2, 3>;
using size_t = int;
template <class UIntType, size_t w, size_t n, size_t m, size_t r,
UIntType a, size_t u, UIntType d, size_t s,
UIntType b, size_t t,
UIntType c, size_t l, UIntType f>
struct mersenne_twister_engine {
mersenne_twister_engine(int _ = 0);
void seed(int _ = 0);
};
using mt19937 = mersenne_twister_engine<unsigned int, 32, 624, 397, 21, 0x9908b0df, 11, 0xffffffff, 7, 0x9d2c5680, 15, 0xefc60000, 18, 1812433253>;
template <class UIntType, size_t w, size_t s, size_t r>
struct subtract_with_carry_engine {
subtract_with_carry_engine(int _ = 0);
void seed(int _ = 0);
};
using ranlux24_base = subtract_with_carry_engine<unsigned int, 24, 10, 24>;
template <class Engine, size_t p, size_t r>
struct discard_block_engine {
discard_block_engine();
discard_block_engine(int _);
void seed();
void seed(int _);
};
using ranlux24 = discard_block_engine<ranlux24_base, 223, 23>;
template <class Engine, size_t w, class UIntType>
struct independent_bits_engine {
independent_bits_engine();
independent_bits_engine(int _);
void seed();
void seed(int _);
};
using independent_bits = independent_bits_engine<ranlux24_base, 223, int>;
template <class Engine, size_t k>
struct shuffle_order_engine {
shuffle_order_engine();
shuffle_order_engine(int _);
void seed();
void seed(int _);
};
using shuffle_order = shuffle_order_engine<ranlux24_base, 223>;
struct random_device {
random_device();
int operator()();
};
} // namespace std
using time_t = unsigned int;
time_t time(time_t *t);
void f() {
const int seed = 2;
time_t t;
std::srand(0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::srand(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::srand(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
// One instantiation for every engine
std::default_random_engine engine1;
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
std::default_random_engine engine2(1);
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::default_random_engine engine3(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::default_random_engine engine4(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:30: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
engine1.seed();
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
engine1.seed(1);
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine1.seed(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine1.seed(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
std::mt19937 engine5;
// CHECK-MESSAGES: :[[@LINE-1]]:16: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
std::mt19937 engine6(1);
// CHECK-MESSAGES: :[[@LINE-1]]:16: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::mt19937 engine7(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:16: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::mt19937 engine8(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:16: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
engine5.seed();
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
engine5.seed(1);
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine5.seed(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine5.seed(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24_base engine9;
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24_base engine10(1);
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24_base engine11(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24_base engine12(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
engine9.seed();
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
engine9.seed(1);
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine9.seed(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine9.seed(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:11: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24 engine13;
// CHECK-MESSAGES: :[[@LINE-1]]:17: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24 engine14(1);
// CHECK-MESSAGES: :[[@LINE-1]]:17: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24 engine15(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:17: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::ranlux24 engine16(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:17: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
engine13.seed();
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
engine13.seed(1);
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine13.seed(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine13.seed(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
std::independent_bits engine17;
// CHECK-MESSAGES: :[[@LINE-1]]:25: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
std::independent_bits engine18(1);
// CHECK-MESSAGES: :[[@LINE-1]]:25: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::independent_bits engine19(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:25: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::independent_bits engine20(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:25: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
engine17.seed();
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
engine17.seed(1);
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine17.seed(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine17.seed(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
std::shuffle_order engine21;
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
std::shuffle_order engine22(1);
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::shuffle_order engine23(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
std::shuffle_order engine24(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:22: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
engine21.seed();
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a default argument will generate a predictable sequence of values [cert-msc51-cpp]
engine21.seed(1);
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine21.seed(seed);
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a constant value will generate a predictable sequence of values [cert-msc51-cpp]
engine21.seed(time(&t));
// CHECK-MESSAGES: :[[@LINE-1]]:12: warning: random number generator seeded with a disallowed source of seed value will generate a predictable sequence of values [cert-msc51-cpp]
}
struct A {
A(int _ = 0);
void seed(int _ = 0);
};
void g() {
int n = 1;
std::default_random_engine engine1(n);
std::mt19937 engine2(n);
std::ranlux24_base engine3(n);
std::ranlux24 engine4(n);
std::independent_bits engine5(n);
std::shuffle_order engine6(n);
std::random_device dev;
std::default_random_engine engine7(dev());
std::mt19937 engine8(dev());
std::ranlux24_base engine9(dev());
std::ranlux24 engine10(dev());
std::independent_bits engine11(dev());
std::shuffle_order engine12(dev());
A a1;
A a2(1);
a1.seed();
a1.seed(1);
a1.seed(n);
}