This is an archive of the discontinued LLVM Phabricator instance.

Differential D59637

[analyzer] Use the custom propagation rules and sinks in GenericTaintChecker
ClosedPublic

Authored by boga95 on Mar 21 2019, 5:50 AM.

Details

Reviewers
NoQ
Szelethus
xazax.hun
dkrupp
steakhal
Summary

The TaintPropagationRule deduction uses the custom rules from the config.
Check custom sinks when looking for errors. Give an error when at least one of the specified arguments is tainted.
Emit error message and omit a parameter if it's out of bound.

Diff Detail

Event Timeline

boga95 created this revision.Mar 21 2019, 5:50 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 21 2019, 5:50 AM
Herald added subscribers: cfe-commits, Charusso, donat.nagy and 6 others. · View Herald Transcript
boga95 added a parent revision: D59555: [analyzer] Add yaml parser to GenericTaintChecker.Mar 21 2019, 5:50 AM
boga95 added a child revision: D59516: [analyzer] Add custom filter functions for GenericTaintChecker.
boga95 updated this revision to Diff 193676.Apr 4 2019, 2:19 AM

Rebase after https://reviews.llvm.org/D59861.

boga95 updated this revision to Diff 212119.Jul 28 2019, 2:34 PM
boga95 added a subscriber: steakhal.
Szelethus added a comment.Jul 31 2019, 1:23 AM

In general, don't emit to stderr unless we either emit a warning/error about the incorrect configuration. As an experiment, what happens when you try to emit an error in the middle of the symbolic execution? You can retrieve a DiagnosticsEngine from any decl: D->getASTContext().getDiagnostics() (it's funny how you can retrieve almost all major manager objects if you try hard enough).

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
143

How about llvm::StringLiteral?

820

Hmmm, how do we do with qualified names (MyClass::generateTaint(), std::cin >>)?

boga95 marked 2 inline comments as done.Jul 31 2019, 2:21 AM

I think it shouldn't give compile error in case of incorrect configuration now (maybe warning) because:

  • Without qualified names, I can create a code which cannot be configured properly.
  • It can throw an error without configuration, for example:
void read(int*); // There is an existing propagation rule for it

I suggest to let it unchanged now, and I will change it when the checker can handle qualified names.
On the other hand, I think we should make this type of error configurable (from the command line). So the user can select between warnings and errors.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
820

These patches focus on C style functions. I have implemented the uses of qualified names, but I intended to make a separate patch for that.

boga95 updated this revision to Diff 215268.Aug 14 2019, 3:23 PM
boga95 marked an inline comment as done.
boga95 added a comment.Aug 30 2019, 2:50 PM

Should I do anything or it is ready?

NoQ added a comment.Aug 30 2019, 2:58 PM

I have a few immediate style issues but otherwise it looks good :)

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
237 ↗(On Diff #215268)

StringLiterals need to always be declared as constexpr.

251 ↗(On Diff #215268)

It should be "user-defined" because it's a single adjective.

I recommend against using the word "sink" in user-facing messages because it's too jargony. Do we have a better word for this?

252 ↗(On Diff #215268)

This semicolon looks unnecessary.

595–596 ↗(On Diff #215268)

These debug prints should not land.

840 ↗(On Diff #215268)

The GenericTaintChecker:: qualifier is unnecessary.

boga95 updated this revision to Diff 218395.Sep 2 2019, 3:13 PM
Szelethus accepted this revision.Sep 5 2019, 12:54 AM
Szelethus added a reviewer: steakhal.

Some nits inline, otherwise LGTM. @steakhal, do you have anything to add to this?

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
191 ↗(On Diff #218395)

How about only passing CustomPropagations?

605 ↗(On Diff #218395)

I get that there isn't much substance to this assert, but why remove it? We might as well populate the lines in between that and the branch.

844 ↗(On Diff #218395)

Wasn't this commited before?

This revision is now accepted and ready to land.Sep 5 2019, 12:54 AM
Szelethus added a comment.Sep 5 2019, 12:54 AM

Also, please mark inlines done as you fix them :)

steakhal added inline comments.Sep 5 2019, 5:04 AM
lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
191 ↗(On Diff #218395)

I would even consider to move this function out of the whole class. (Not only this function, but the others as well. Like isStdin, etc.)
I think pure, free-functions (in an anonymous namespace) are easier to reason about.

844 ↗(On Diff #218395)

Yes it was (https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp#L814).
I would kindly request a rebase.

test/Analysis/taint-generic.c
377 ↗(On Diff #218395)

We could use this syntacs to achieve shorter lines. Note that @-1. Same for all the other lines.

mySink(x, 1, 2);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
boga95 updated this revision to Diff 219172.Sep 6 2019, 2:00 PM
boga95 marked 7 inline comments as done.
Szelethus accepted this revision.Sep 6 2019, 2:46 PM

I'm fine with moving in-class function into anonymous namespace later. LGTM, feel free to commit!

steakhal added inline comments.Sep 7 2019, 1:26 AM
lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
118 ↗(On Diff #218395)

Shouldn't we still need an out-of-class initializer part for each static constexpr class member variable?
These would provide the memory locations for the declarations.

constexpr llvm::StringLiteral GenericTaintChecker::MsgUncontrolledFormatString;
constexpr llvm::StringLiteral GenericTaintChecker::MsgSanitizeSystemArgs;
constexpr llvm::StringLiteral GenericTaintChecker::MsgTaintedBufferSize;
constexpr llvm::StringLiteral GenericTaintChecker::MsgCustomSink;
boga95 closed this revision.Sep 8 2019, 1:03 PM
boga95 marked 10 inline comments as done.

Closed by 080ecafdd8b3e990e5ad19202d089c91c9c9b164.

lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
118 ↗(On Diff #218395)

Constexpr values cannot be initialized out of the class, that's why I moved them to here.

191 ↗(On Diff #218395)

I could do that in a separate patch if necessary.

605 ↗(On Diff #218395)

I think there is no need for this. Maybe I can make the ArgNum const.

251 ↗(On Diff #215268)

Currently, I don't have any better idea. I will think about it.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
90 lines
test/
Analysis/
42 lines

Diff 219172

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Linesprivate:
/// Check if the region the expression evaluates to is the standard input, /// Check if the region the expression evaluates to is the standard input,
/// and thus, is tainted. /// and thus, is tainted.
static bool isStdin(const Expr *E, CheckerContext &C); static bool isStdin(const Expr *E, CheckerContext &C);
/// Given a pointer argument, return the value it points to. /// Given a pointer argument, return the value it points to.
static Optional<SVal> getPointedToSVal(CheckerContext &C, const Expr *Arg); static Optional<SVal> getPointedToSVal(CheckerContext &C, const Expr *Arg);
/// Check for CWE-134: Uncontrolled Format String. /// Check for CWE-134: Uncontrolled Format String.
static const char MsgUncontrolledFormatString[]; static constexpr llvm::StringLiteral MsgUncontrolledFormatString =
"Untrusted data is used as a format string "
"(CWE-134: Uncontrolled Format String)";
bool checkUncontrolledFormatString(const CallExpr *CE, bool checkUncontrolledFormatString(const CallExpr *CE,
CheckerContext &C) const; CheckerContext &C) const;
/// Check for: /// Check for:
/// CERT/STR02-C. "Sanitize data passed to complex subsystems" /// CERT/STR02-C. "Sanitize data passed to complex subsystems"
/// CWE-78, "Failure to Sanitize Data into an OS Command" /// CWE-78, "Failure to Sanitize Data into an OS Command"
static const char MsgSanitizeSystemArgs[]; static constexpr llvm::StringLiteral MsgSanitizeSystemArgs =
"Untrusted data is passed to a system call "
"(CERT/STR02-C. Sanitize data passed to complex subsystems)";
bool checkSystemCall(const CallExpr *CE, StringRef Name, bool checkSystemCall(const CallExpr *CE, StringRef Name,
CheckerContext &C) const; CheckerContext &C) const;
/// Check if tainted data is used as a buffer size ins strn.. functions, /// Check if tainted data is used as a buffer size ins strn.. functions,
/// and allocators. /// and allocators.
static const char MsgTaintedBufferSize[]; static constexpr llvm::StringLiteral MsgTaintedBufferSize =
"Untrusted data is used to specify the buffer size "
"(CERT/STR31-C. Guarantee that storage for strings has sufficient space "
"for character data and the null terminator)";
bool checkTaintedBufferSize(const CallExpr *CE, const FunctionDecl *FDecl, bool checkTaintedBufferSize(const CallExpr *CE, const FunctionDecl *FDecl,
CheckerContext &C) const; CheckerContext &C) const;
/// Check if tainted data is used as a custom sink's parameter.
static constexpr llvm::StringLiteral MsgCustomSink =
SzelethusUnsubmitted
Done
ReplyInline Actions

How about llvm::StringLiteral?

Szelethus: How about `llvm::StringLiteral`?
"Untrusted data is passed to a user-defined sink";
bool checkCustomSinks(const CallExpr *CE, StringRef Name,
CheckerContext &C) const;
/// Generate a report if the expression is tainted or points to tainted data. /// Generate a report if the expression is tainted or points to tainted data.
bool generateReportIfTainted(const Expr *E, const char Msg[], bool generateReportIfTainted(const Expr *E, StringRef Msg,
CheckerContext &C) const; CheckerContext &C) const;
struct TaintPropagationRule;
using NameRuleMap = llvm::StringMap<TaintPropagationRule>;
using NameArgMap = llvm::StringMap<ArgVector>;
/// A struct used to specify taint propagation rules for a function. /// A struct used to specify taint propagation rules for a function.
/// ///
/// If any of the possible taint source arguments is tainted, all of the /// If any of the possible taint source arguments is tainted, all of the
/// destination arguments should also be tainted. Use InvalidArgIndex in the /// destination arguments should also be tainted. Use InvalidArgIndex in the
/// src list to specify that all of the arguments can introduce taint. Use /// src list to specify that all of the arguments can introduce taint. Use
/// InvalidArgIndex in the dst arguments to signify that all the non-const /// InvalidArgIndex in the dst arguments to signify that all the non-const
/// pointer and reference arguments might be tainted on return. If /// pointer and reference arguments might be tainted on return. If
/// ReturnValueIndex is added to the dst list, the return value will be /// ReturnValueIndex is added to the dst list, the return value will be
Show All 23 Lines TaintPropagationRule(ArgVector &&Src, ArgVector &&Dst,
VariadicType Var = VariadicType::None, VariadicType Var = VariadicType::None,
unsigned VarIndex = InvalidArgIndex, unsigned VarIndex = InvalidArgIndex,
PropagationFuncType Func = nullptr) PropagationFuncType Func = nullptr)
: SrcArgs(std::move(Src)), DstArgs(std::move(Dst)), : SrcArgs(std::move(Src)), DstArgs(std::move(Dst)),
VariadicIndex(VarIndex), VarType(Var), PropagationFunc(Func) {} VariadicIndex(VarIndex), VarType(Var), PropagationFunc(Func) {}
/// Get the propagation rule for a given function. /// Get the propagation rule for a given function.
static TaintPropagationRule static TaintPropagationRule
getTaintPropagationRule(const FunctionDecl *FDecl, StringRef Name, getTaintPropagationRule(const NameRuleMap &CustomPropagations,
const FunctionDecl *FDecl, StringRef Name,
CheckerContext &C); CheckerContext &C);
void addSrcArg(unsigned A) { SrcArgs.push_back(A); } void addSrcArg(unsigned A) { SrcArgs.push_back(A); }
void addDstArg(unsigned A) { DstArgs.push_back(A); } void addDstArg(unsigned A) { DstArgs.push_back(A); }
bool isNull() const { bool isNull() const {
return SrcArgs.empty() && DstArgs.empty() && return SrcArgs.empty() && DstArgs.empty() &&
VariadicType::None == VarType; VariadicType::None == VarType;
Show All 19 Lines struct TaintPropagationRule {
/// taint rule. /// taint rule.
ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const; ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const;
// Functions for custom taintedness propagation. // Functions for custom taintedness propagation.
static bool postSocket(bool IsTainted, const CallExpr *CE, static bool postSocket(bool IsTainted, const CallExpr *CE,
CheckerContext &C); CheckerContext &C);
}; };
using NameRuleMap = llvm::StringMap<TaintPropagationRule>;
using NameArgMap = llvm::StringMap<ArgVector>;
/// Defines a map between the propagation function's name and /// Defines a map between the propagation function's name and
/// TaintPropagationRule. /// TaintPropagationRule.
NameRuleMap CustomPropagations; NameRuleMap CustomPropagations;
/// Defines a map between the filter function's name and filtering args. /// Defines a map between the filter function's name and filtering args.
NameArgMap CustomFilters; NameArgMap CustomFilters;
/// Defines a map between the sink function's name and sinking args. /// Defines a map between the sink function's name and sinking args.
NameArgMap CustomSinks; NameArgMap CustomSinks;
}; };
const unsigned GenericTaintChecker::ReturnValueIndex; const unsigned GenericTaintChecker::ReturnValueIndex;
const unsigned GenericTaintChecker::InvalidArgIndex; const unsigned GenericTaintChecker::InvalidArgIndex;
const char GenericTaintChecker::MsgUncontrolledFormatString[] =
"Untrusted data is used as a format string "
"(CWE-134: Uncontrolled Format String)";
const char GenericTaintChecker::MsgSanitizeSystemArgs[] =
"Untrusted data is passed to a system call "
"(CERT/STR02-C. Sanitize data passed to complex subsystems)";
const char GenericTaintChecker::MsgTaintedBufferSize[] =
"Untrusted data is used to specify the buffer size "
"(CERT/STR31-C. Guarantee that storage for strings has sufficient space "
"for character data and the null terminator)";
} // end of anonymous namespace } // end of anonymous namespace
using TaintConfig = GenericTaintChecker::TaintConfiguration; using TaintConfig = GenericTaintChecker::TaintConfiguration;
LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfig::Propagation) LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfig::Propagation)
LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfig::NameArgsPair) LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfig::NameArgsPair)
namespace llvm { namespace llvm {
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Linesvoid GenericTaintChecker::parseConfiguration(CheckerManager &Mgr,
for (auto &S : Config.Sinks) { for (auto &S : Config.Sinks) {
GenericTaintChecker::CustomSinks.try_emplace(S.first, std::move(S.second)); GenericTaintChecker::CustomSinks.try_emplace(S.first, std::move(S.second));
} }
} }
GenericTaintChecker::TaintPropagationRule GenericTaintChecker::TaintPropagationRule
GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule( GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
const FunctionDecl *FDecl, StringRef Name, CheckerContext &C) { const NameRuleMap &CustomPropagations, const FunctionDecl *FDecl,
StringRef Name, CheckerContext &C) {
// TODO: Currently, we might lose precision here: we always mark a return // TODO: Currently, we might lose precision here: we always mark a return
// value as tainted even if it's just a pointer, pointing to tainted data. // value as tainted even if it's just a pointer, pointing to tainted data.
// Check for exact name match for functions without builtin substitutes. // Check for exact name match for functions without builtin substitutes.
TaintPropagationRule Rule = TaintPropagationRule Rule =
llvm::StringSwitch<TaintPropagationRule>(Name) llvm::StringSwitch<TaintPropagationRule>(Name)
// Source functions // Source functions
// TODO: Add support for vfscanf & family. // TODO: Add support for vfscanf & family.
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Lines if (Rule.isNull()) {
else if (C.isCLibraryFunction(FDecl, "wcsdup")) else if (C.isCLibraryFunction(FDecl, "wcsdup"))
return TaintPropagationRule({0}, {ReturnValueIndex}); return TaintPropagationRule({0}, {ReturnValueIndex});
} }
// Skipping the following functions, since they might be used for cleansing // Skipping the following functions, since they might be used for cleansing
// or smart memory copy: // or smart memory copy:
// - memccpy - copying until hitting a special character. // - memccpy - copying until hitting a special character.
auto It = CustomPropagations.find(Name);
if (It != CustomPropagations.end())
return It->getValue();
return TaintPropagationRule(); return TaintPropagationRule();
} }
void GenericTaintChecker::checkPreStmt(const CallExpr *CE, void GenericTaintChecker::checkPreStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
// Check for taintedness related errors first: system call, uncontrolled // Check for taintedness related errors first: system call, uncontrolled
// format string, tainted buffer size. // format string, tainted buffer size.
if (checkPre(CE, C)) if (checkPre(CE, C))
Show All 23 Linesvoid GenericTaintChecker::addSourcesPre(const CallExpr *CE,
if (!FDecl || FDecl->getKind() != Decl::Function) if (!FDecl || FDecl->getKind() != Decl::Function)
return; return;
StringRef Name = C.getCalleeName(FDecl); StringRef Name = C.getCalleeName(FDecl);
if (Name.empty()) if (Name.empty())
return; return;
// First, try generating a propagation rule for this function. // First, try generating a propagation rule for this function.
TaintPropagationRule Rule = TaintPropagationRule Rule = TaintPropagationRule::getTaintPropagationRule(
TaintPropagationRule::getTaintPropagationRule(FDecl, Name, C); this->CustomPropagations, FDecl, Name, C);
if (!Rule.isNull()) { if (!Rule.isNull()) {
State = Rule.process(CE, C); State = Rule.process(CE, C);
if (!State) if (!State)
return; return;
C.addTransition(State); C.addTransition(State);
return; return;
} }
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines if (Name.empty())
return false; return false;
if (checkSystemCall(CE, Name, C)) if (checkSystemCall(CE, Name, C))
return true; return true;
if (checkTaintedBufferSize(CE, FDecl, C)) if (checkTaintedBufferSize(CE, FDecl, C))
return true; return true;
if (checkCustomSinks(CE, Name, C))
return true;
return false; return false;
} }
Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C, Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C,
const Expr *Arg) { const Expr *Arg) {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal AddrVal = C.getSVal(Arg->IgnoreParens()); SVal AddrVal = C.getSVal(Arg->IgnoreParens());
if (AddrVal.isUnknownOrUndef()) if (AddrVal.isUnknownOrUndef())
Show All 21 Lines
GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE, GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Check for taint in arguments. // Check for taint in arguments.
bool IsTainted = true; bool IsTainted = true;
for (unsigned ArgNum : SrcArgs) { for (unsigned ArgNum : SrcArgs) {
if (ArgNum >= CE->getNumArgs()) if (ArgNum >= CE->getNumArgs())
return State; continue;
if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(ArgNum), State, C))) if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(ArgNum), State, C)))
break; break;
} }
// Check for taint in variadic arguments. // Check for taint in variadic arguments.
if (!IsTainted && VariadicType::Src == VarType) { if (!IsTainted && VariadicType::Src == VarType) {
// Check if any of the arguments is tainted // Check if any of the arguments is tainted
for (unsigned i = VariadicIndex; i < CE->getNumArgs(); ++i) { for (unsigned i = VariadicIndex; i < CE->getNumArgs(); ++i) {
Show All 11 LinesGenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE,
// Mark the arguments which should be tainted after the function returns. // Mark the arguments which should be tainted after the function returns.
for (unsigned ArgNum : DstArgs) { for (unsigned ArgNum : DstArgs) {
// Should mark the return value? // Should mark the return value?
if (ArgNum == ReturnValueIndex) { if (ArgNum == ReturnValueIndex) {
State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex); State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex);
continue; continue;
} }
if (ArgNum >= CE->getNumArgs())
continue;
// Mark the given argument. // Mark the given argument.
assert(ArgNum < CE->getNumArgs());
State = State->add<TaintArgsOnPostVisit>(ArgNum); State = State->add<TaintArgsOnPostVisit>(ArgNum);
} }
// Mark all variadic arguments tainted if present. // Mark all variadic arguments tainted if present.
if (VariadicType::Dst == VarType) { if (VariadicType::Dst == VarType) {
// For all pointer and references that were passed in: // For all pointer and references that were passed in:
// If they are not pointing to const data, mark data as tainted. // If they are not pointing to const data, mark data as tainted.
// TODO: So far we are just going one level down; ideally we'd need to // TODO: So far we are just going one level down; ideally we'd need to
▲ Show 20 LinesShow All 80 Lines▼ Show 20 Linesstatic bool getPrintfFormatArgumentNum(const CallExpr *CE,
if (C.getCalleeName(CE).find("setproctitle") != StringRef::npos) { if (C.getCalleeName(CE).find("setproctitle") != StringRef::npos) {
ArgNum = 0; ArgNum = 0;
return true; return true;
} }
return false; return false;
} }
bool GenericTaintChecker::generateReportIfTainted(const Expr *E, bool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg,
const char Msg[],
CheckerContext &C) const { CheckerContext &C) const {
assert(E); assert(E);
// Check for taint. // Check for taint.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
Optional<SVal> PointedToSVal = getPointedToSVal(C, E); Optional<SVal> PointedToSVal = getPointedToSVal(C, E);
SVal TaintedSVal; SVal TaintedSVal;
if (PointedToSVal && isTainted(State, *PointedToSVal)) if (PointedToSVal && isTainted(State, *PointedToSVal))
Show All 39 Lines unsigned ArgNum = llvm::StringSwitch<unsigned>(Name)
.Case("execl", 0) .Case("execl", 0)
.Case("execle", 0) .Case("execle", 0)
.Case("execlp", 0) .Case("execlp", 0)
.Case("execv", 0) .Case("execv", 0)
.Case("execvp", 0) .Case("execvp", 0)
.Case("execvP", 0) .Case("execvP", 0)
.Case("execve", 0) .Case("execve", 0)
.Case("dlopen", 0) .Case("dlopen", 0)
.Default(UINT_MAX); .Default(InvalidArgIndex);
if (ArgNum == UINT_MAX || CE->getNumArgs() < (ArgNum + 1)) if (ArgNum == InvalidArgIndex || CE->getNumArgs() < (ArgNum + 1))
return false; return false;
return generateReportIfTainted(CE->getArg(ArgNum), MsgSanitizeSystemArgs, C); return generateReportIfTainted(CE->getArg(ArgNum), MsgSanitizeSystemArgs, C);
} }
// TODO: Should this check be a part of the CString checker? // TODO: Should this check be a part of the CString checker?
// If yes, should taint be a global setting? // If yes, should taint be a global setting?
bool GenericTaintChecker::checkTaintedBufferSize(const CallExpr *CE, bool GenericTaintChecker::checkTaintedBufferSize(const CallExpr *CE,
Show All 28 Lines if (ArgNum == InvalidArgIndex) {
else if (C.isCLibraryFunction(FDecl, "bcopy")) else if (C.isCLibraryFunction(FDecl, "bcopy"))
ArgNum = 2; ArgNum = 2;
} }
return ArgNum != InvalidArgIndex && CE->getNumArgs() > ArgNum && return ArgNum != InvalidArgIndex && CE->getNumArgs() > ArgNum &&
generateReportIfTainted(CE->getArg(ArgNum), MsgTaintedBufferSize, C); generateReportIfTainted(CE->getArg(ArgNum), MsgTaintedBufferSize, C);
} }
bool GenericTaintChecker::checkCustomSinks(const CallExpr *CE, StringRef Name,
CheckerContext &C) const {
auto It = CustomSinks.find(Name);
SzelethusUnsubmitted
Done
ReplyInline Actions

Hmmm, how do we do with qualified names (MyClass::generateTaint(), std::cin >>)?

Szelethus: Hmmm, how do we do with qualified names (`MyClass::generateTaint()`, `std::cin >>`)?
boga95AuthorUnsubmitted
Done
ReplyInline Actions

These patches focus on C style functions. I have implemented the uses of qualified names, but I intended to make a separate patch for that.

boga95: These patches focus on C style functions. I have implemented the uses of qualified names, but I…
if (It == CustomSinks.end())
return false;
const GenericTaintChecker::ArgVector &Args = It->getValue();
for (unsigned ArgNum : Args) {
if (ArgNum >= CE->getNumArgs())
continue;
if (generateReportIfTainted(CE->getArg(ArgNum), MsgCustomSink, C))
return true;
}
return false;
}
void ento::registerGenericTaintChecker(CheckerManager &Mgr) { void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<GenericTaintChecker>(); auto *Checker = Mgr.registerChecker<GenericTaintChecker>();
std::string Option{"Config"}; std::string Option{"Config"};
StringRef ConfigFile = StringRef ConfigFile =
Mgr.getAnalyzerOptions().getCheckerStringOption(Checker, Option); Mgr.getAnalyzerOptions().getCheckerStringOption(Checker, Option);
llvm::Optional<TaintConfig> Config = llvm::Optional<TaintConfig> Config =
getConfiguration<TaintConfig>(Mgr, Checker, Option, ConfigFile); getConfiguration<TaintConfig>(Mgr, Checker, Option, ConfigFile);
if (Config) if (Config)
Checker->parseConfiguration(Mgr, Option, std::move(Config.getValue())); Checker->parseConfiguration(Mgr, Option, std::move(Config.getValue()));
} }
bool ento::shouldRegisterGenericTaintChecker(const LangOptions &LO) { bool ento::shouldRegisterGenericTaintChecker(const LangOptions &LO) {
return true; return true;
} }

clang/test/Analysis/taint-generic.c

Show First 20 LinesShow All 332 Lines▼ Show 20 Linesvoid constraintManagerShouldTreatAsOpaque(int rhs) {
scanf("%d", &i); scanf("%d", &i);
// This comparison used to hit an assertion in the constraint manager, // This comparison used to hit an assertion in the constraint manager,
// which didn't handle NonLoc sym-sym comparisons. // which didn't handle NonLoc sym-sym comparisons.
if (i < rhs) if (i < rhs)
return; return;
if (i < rhs) if (i < rhs)
*(volatile int *) 0; // no-warning *(volatile int *) 0; // no-warning
} }
// Test configuration
int mySource1();
void mySource2(int*);
void myScanf(const char*, ...);
int myPropagator(int, int*);
int mySnprintf(char*, size_t, const char*, ...);
void mySink(int, int, int);
void testConfigurationSources1() {
int x = mySource1();
Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
}
void testConfigurationSources2() {
int x;
mySource2(&x);
Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
}
void testConfigurationSources3() {
int x, y;
myScanf("%d %d", &x, &y);
Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
}
void testConfigurationPropagation() {
int x = mySource1();
int y;
myPropagator(x, &y);
Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
}
void testConfigurationSinks() {
int x = mySource1();
mySink(x, 1, 2);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
mySink(1, x, 2); // no-warning
mySink(1, 2, x);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
}