This is an archive of the discontinued LLVM Phabricator instance.

Differential D71033

[analyzer] CERT STR rule checkers: STR32-C
Needs RevisionPublic

Authored by Charusso on Dec 4 2019, 2:20 PM.

Details

Reviewers
NoQ
baloghadamsoftware
Summary

This patch introduces a new experimental checker:
alpha.security.cert.str.32c

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string

It warns on reading non-null-terminated strings. This warning is restricted to
the allocations which the Static Analyzer models with unix.Malloc checker.

Also warns on misusing the strncpy() function.

Diff Detail

Event Timeline

Charusso created this revision.Dec 4 2019, 2:20 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptDec 4 2019, 2:20 PM
Charusso marked an inline comment as done.Dec 4 2019, 2:25 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
519

This is a huge assumption to make this checker as simple as possible. On each allocation I would store the memory regions which the size expression consists of. When we encounter a memory/string handler function call which has a size-expression parameter we could match whether the allocation considered the length of the string it will store.

May we will have a better idea, so I would leave that as it is, for now.

Charusso added a parent revision: D70805: [analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant.Dec 4 2019, 2:26 PM
Charusso added a comment.Dec 4 2019, 2:32 PM

Examples generated by CodeChecker from the curl project:

str32-c.tar.gz1 MBDownload

Charusso updated this revision to Diff 232672.EditedDec 6 2019, 4:19 PM
Charusso edited the summary of this revision. (Show Details)
  • Add docs.
  • Move to alpha.
Charusso added a child revision: D71155: [analyzer] CERT STR rule checkers: STR30-C.Dec 6 2019, 4:24 PM
Charusso updated this revision to Diff 233904.EditedDec 13 2019, 6:47 PM
Charusso retitled this revision from [analyzer] CERT: StrChecker: 32.c to [analyzer] CERT: STR32-C.
  • Add notes to the initialization of char-arrays.
  • Mark the string null-terminated calling strcpy() with an appropriate size.
Charusso added a comment.Dec 13 2019, 6:51 PM

We need to add the interestingness to the NoteTags so that we only emit notes on initialization/function calls which leads to an error.

Charusso marked an inline comment as done.Dec 13 2019, 6:52 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
513

-1 line

Charusso updated this revision to Diff 241761.Jan 31 2020, 9:58 AM
  • Rebase.
Charusso edited the summary of this revision. (Show Details)Jan 31 2020, 9:58 AM
Charusso mentioned this in D70411: [analyzer] CERT STR rule checkers: STR31-C.Mar 25 2020, 12:35 PM
Charusso updated this revision to Diff 265962.May 24 2020, 9:23 PM
Charusso retitled this revision from [analyzer] CERT: STR32-C to [analyzer] CERT STR rule checkers: STR32-C.
  • Refactor.
  • State out explicitly whether the Analyzer models the dynamic size.
Herald added subscribers: ASDenysPetrov, martong, steakhal. · View Herald TranscriptMay 24 2020, 9:23 PM
Charusso edited parent revisions, added: D70411: [analyzer] CERT STR rule checkers: STR31-C; removed: D70805: [analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant.May 24 2020, 9:26 PM
baloghadamsoftware requested changes to this revision.Jun 29 2020, 9:15 AM
baloghadamsoftware added inline comments.
clang/docs/analyzer/checkers.rst
1982

Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of the rule this way.

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
181

Why do we need this? The constructor of PathSensitiveBugReport takes a StringRef. Msg.str() returns a StringRef. Your solution creates a C++ string first, which means an unnecessary copy.

313

Do we really need to handle indirect pointers here? I means e.g. char ***?

322

What does it mean that the memory allocation could overflow?

457

Why checking PostCall and not PreCall? Usually PostCall is used for modeling and PreCall for checking because for modeling we need the call already evaluated (e.g. we need the return value) but checking should happen before starting the evaluation of the call.

469

Do we chack any call here passing non-null terminated strings? I disagree with that appraocah because there may be functions expecting e.g. binary data. It seems that we are not even checking the type so we could get false positives here for any mem...() function.

clang/test/Analysis/cert/str32-c.cpp
10

Please move this to the system header simulator instead of repeating it in every test file.

13

Why enum?

This revision now requires changes to proceed.Jun 29 2020, 9:15 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 29 2020, 9:15 AM
whisperity added a subscriber: whisperity.Jul 9 2020, 1:01 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
12 lines
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
Core/
PathSensitive/
3 lines
lib/
StaticAnalyzer/
Checkers/
cert/
360 lines
Core/
12 lines
test/
Analysis/
Inputs/
18 lines
cert/
38 lines
88 lines
15 lines

Diff 265962

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 1,965 Lines▼ Show 20 Lines
alpha.security.cert.str.31c alpha.security.cert.str.31c
""""""""""""""""""""""""""" """""""""""""""""""""""""""
Checker for `STR31-C rule<https://wiki.sei.cmu.edu/confluence/x/sNUxBQ>`_. Checker for `STR31-C rule<https://wiki.sei.cmu.edu/confluence/x/sNUxBQ>`_.
It warns on misusing the following functions: It warns on misusing the following functions:
``strcpy()``, ``gets()``, ``fscanf()``, ``sprintf()``. ``strcpy()``, ``gets()``, ``fscanf()``, ``sprintf()``.
.. _alpha-security-cert-str-32c:
alpha.security.cert.str.32c
"""""""""""""""""""""""""""
Checker for `STR32-C rule<https://wiki.sei.cmu.edu/confluence/x/r9UxBQ>`_.
It warns on reading non-null-terminated strings. This warning is restricted to
the allocations which the Static Analyzer models with :ref:`unix.Malloc<unix-Malloc>`_.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of the rule this way.

baloghadamsoftware: Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of…
Also warns on misusing the ``strncpy()`` function.
.. _alpha-security-ArrayBound: .. _alpha-security-ArrayBound:
alpha.security.ArrayBound (C) alpha.security.ArrayBound (C)
""""""""""""""""""""""""""""" """""""""""""""""""""""""""""
Warn about buffer overflows (older checker). Warn about buffer overflows (older checker).
.. code-block:: c .. code-block:: c
▲ Show 20 LinesShow All 456 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 855 Lines▼ Show 20 Linesdef StrCheckerBase : Checker<"StrCheckerBase">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def Str31cChecker : Checker<"31c">, def Str31cChecker : Checker<"31c">,
HelpText<"SEI CERT checker of rules defined in STR31-C">, HelpText<"SEI CERT checker of rules defined in STR31-C">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def Str32cChecker : Checker<"32c">,
HelpText<"SEI CERT checker of rules defined in STR32-C">,
Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>;
} // end "alpha.cert.str" } // end "alpha.cert.str"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
▲ Show 20 LinesShow All 695 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h

Show All 37 Lines
ProgramStateRef setDynamicSize(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicSize(ProgramStateRef State, const MemRegion *MR,
DefinedOrUnknownSVal Size, SValBuilder &SVB); DefinedOrUnknownSVal Size, SValBuilder &SVB);
/// Set the dynamic size of a CXXNewExpr \p NE by its region \p MR. /// Set the dynamic size of a CXXNewExpr \p NE by its region \p MR.
ProgramStateRef setDynamicSize(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicSize(ProgramStateRef State, const MemRegion *MR,
const CXXNewExpr *NE, const CXXNewExpr *NE,
const LocationContext *LCtx, SValBuilder &SVB); const LocationContext *LCtx, SValBuilder &SVB);
/// \returns Whether we model the size explicitly.
bool isModeledDynamicSize(ProgramStateRef State, const MemRegion *MR);
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp

Show All 10 Lines
// The rules can be found in section 'Rule 07. Characters and Strings (STR)': // The rules can be found in section 'Rule 07. Characters and Strings (STR)':
// - https://wiki.sei.cmu.edu/confluence/x/ptUxBQ // - https://wiki.sei.cmu.edu/confluence/x/ptUxBQ
// //
// This checker is a base checker which consist of the following checkers: // This checker is a base checker which consist of the following checkers:
// - STR31-C: Guarantee that storage for strings has sufficient space for // - STR31-C: Guarantee that storage for strings has sufficient space for
// character data and the null terminator: // character data and the null terminator:
// - https://wiki.sei.cmu.edu/confluence/x/sNUxBQ // - https://wiki.sei.cmu.edu/confluence/x/sNUxBQ
// //
// - STR32-C: Do not pass a non-null-terminated character sequence to a
// library function that expects a string:
// - https://wiki.sei.cmu.edu/confluence/x/r9UxBQ
//
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "llvm/ADT/Optional.h"
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
/// Helper struct for defining the function call signatures of 'CDM'. /// Helper struct for defining the function call signatures of 'CDM'.
/// The fields are defining what is the index of the interesting arguments. /// The fields are defining what is the index of the interesting arguments.
struct CallContext { struct CallContext {
CallContext(Optional<unsigned> DestinationPos, CallContext(Optional<unsigned> DestinationPos,
Optional<unsigned> SourcePos = None) Optional<unsigned> SourcePos = None,
: DestinationPos(DestinationPos), SourcePos(SourcePos) {} Optional<unsigned> LengthPos = None)
: DestinationPos(DestinationPos), SourcePos(SourcePos),
LengthPos(LengthPos) {}
Optional<unsigned> DestinationPos; Optional<unsigned> DestinationPos;
Optional<unsigned> SourcePos; Optional<unsigned> SourcePos;
Optional<unsigned> LengthPos;
}; };
class StrCheckerBase : public Checker<check::PostCall> { class StrCheckerBase
: public Checker<check::PostCall, check::Bind, check::PostStmt<DeclStmt>> {
public: public:
/// Check the function calls defined in 'CDM'. /// Check the function calls defined in 'CDM' and regular function calls.
/// Function calls of 'CDM' could cause a not null-terminated string. /// Function calls of 'CDM' could cause a not null-terminated string.
/// ///
/// In case of STR31-C we want to emit an error immediately on such calls. /// In case of STR31-C we want to emit an error immediately on such calls.
///
/// In case of STR32-C we want to store the string is could be not
/// null-terminated in the 'NullTerminationMap'. If such string is passed
/// to a function call we assume that the string could possibly read and
/// so that it emits an error report.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
/// Check for allocations and hand-written null-terminations (STR32-C).
///
/// It reports a note on allocations which may cannot store a string 'S' due
/// to the string may overflow, for example the size of a memory block created
/// by 'malloc' is not based on 'strlen(S)' of 'S'.
///
/// It catches the hand-written null-terminations, for example:
/// 'c_string[length] = '\0';'. In this case we store the string is being
/// null-terminated in the 'NullTerminationMap'.
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
/// It reports a note on array declarations which may cannot store a string
/// because of its size, similar to the check in 'checkBind()'.
void checkPostStmt(const DeclStmt *S, CheckerContext &C) const;
/// \{ /// \{
/// Check the function calls defined in 'CDM'. /// Check the function calls defined in 'CDM'.
/// STR31-C.
void checkGets(const CallEvent &Call, const CallContext &CallC, void checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkSprintf(const CallEvent &Call, const CallContext &CallC, void checkSprintf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkFscanf(const CallEvent &Call, const CallContext &CallC, void checkFscanf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrcpy(const CallEvent &Call, const CallContext &CallC, void checkStrcpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
/// STR32-C.
void checkStrncpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
/// \} /// \}
/// In case of STR31-C emit an error report of possible buffer overflow. /// Create a report on a function call which could cause a buffer overflow.
///
/// In case of STR31-C emit an error report.
/// In case of STR32-C emit a note and mark the buffer as possibly not
/// null-terminated.
void createCallOverflowReport(const CallEvent &Call, const CallContext &CallC, void createCallOverflowReport(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
bool EnableStr31cChecker = false; bool EnableStr31cChecker = false;
bool EnableStr32cChecker = false;
private: private:
using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &, using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &,
const CallContext &, CheckerContext &)>; const CallContext &, CheckerContext &)>;
const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = { const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = {
// The following checks STR31-C rules. // The following checks STR31-C rules.
// char *gets(char *dest); // char *gets(char *dest);
{{"gets", 1}, {&StrCheckerBase::checkGets, {0}}}, {{"gets", 1}, {&StrCheckerBase::checkGets, {0}}},
// int sprintf(char *dest, const char *format, ... [const char *source]); // int sprintf(char *dest, const char *format, ... [const char *source]);
{{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}}, {{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}},
// int fscanf(FILE *stream, const char *format, ... [char *dest]); // int fscanf(FILE *stream, const char *format, ... [char *dest]);
{{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}}, {{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}},
// char *strcpy(char *dest, const char *src); // char *strcpy(char *dest, const char *src);
{{"strcpy", 2}, {&StrCheckerBase::checkStrcpy, {0, 1}}}}; {{"strcpy", 2}, {&StrCheckerBase::checkStrcpy, {0, 1}}},
// The following checks STR32-C rules.
// char *strncpy(char *dest, const char *src, size_t count)
{{"strncpy", 3}, {&StrCheckerBase::checkStrncpy, {0, 1, 2}}}};
BugType BT{this, "Insecure string handler function call", BugType BT{this, "Insecure string handler function call",
categories::SecurityError}; categories::SecurityError};
}; };
} // namespace } // namespace
/// It stores whether the string is null-terminated.
REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool)
/// It stores the allocations which we emit notes on.
REGISTER_LIST_WITH_PROGRAMSTATE(AllocationList, const MemRegion *)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Helper functions. // Helper functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// Returns the interesting region of \p V. /// Returns the interesting region of \p V.
static const MemRegion *getRegion(SVal V) { static const MemRegion *getRegion(SVal V) {
const MemRegion *MR = V.getAsRegion(); const MemRegion *MR = V.getAsRegion();
if (!MR) if (!MR)
Show All 17 Linesvoid StrCheckerBase::createCallOverflowReport(const CallEvent &Call,
const CallContext &CallC, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
unsigned DestPos = *CallC.DestinationPos; unsigned DestPos = *CallC.DestinationPos;
SVal DestV = Call.getArgSVal(DestPos); SVal DestV = Call.getArgSVal(DestPos);
const MemRegion *MR = getRegion(DestV); const MemRegion *MR = getRegion(DestV);
if (!MR) if (!MR)
return; return;
ProgramStateRef State = C.getState();
StringRef CallName = Call.getCalleeIdentifier()->getName(); StringRef CallName = Call.getCalleeIdentifier()->getName();
const Expr *Arg = Call.getArgExpr(DestPos); const Expr *Arg = Call.getArgExpr(DestPos);
SmallString<256> Msg; SmallString<256> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
Out << '\'' << CallName << "' could write outside of '" << printPretty(Arg, C) Out << '\'' << CallName << "' could write outside of '" << printPretty(Arg, C)
<< '\''; << '\'';
std::string ReportMessage = Out.str().str();
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why do we need this? The constructor of PathSensitiveBugReport takes a StringRef. Msg.str() returns a StringRef. Your solution creates a C++ string first, which means an unnecessary copy.

baloghadamsoftware: Why do we need this? The constructor of `PathSensitiveBugReport` takes a `StringRef`. `Msg.str…
// In case of STR31-C emit an error.
if (EnableStr31cChecker) {
const Expr *Arg = Call.getArgExpr(DestPos);
auto Report = std::make_unique<PathSensitiveBugReport>(BT, Out.str(), auto Report = std::make_unique<PathSensitiveBugReport>(
C.generateErrorNode()); BT, ReportMessage, C.generateErrorNode());
Report->addRange(Arg->getSourceRange()); Report->addRange(Arg->getSourceRange());
Report->markInteresting(MR);
// Track the allocation. // Track the allocation.
bugreporter::trackExpressionValue(Report->getErrorNode(), Arg, *Report); bugreporter::trackExpressionValue(Report->getErrorNode(), Arg, *Report);
if (const SymbolRef Sym = DestV.getAsSymbol()) if (const SymbolRef Sym = DestV.getAsSymbol())
Report->addVisitor(allocation_state::getMallocBRVisitor(Sym)); Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
return;
}
// In case of STR32-C emit a note.
if (!EnableStr32cChecker)
return;
const NoteTag *Tag = C.getNoteTag(
[=](PathSensitiveBugReport &BR) -> std::string {
return BR.isInteresting(MR) ? ReportMessage : "";
},
/*IsPrunable=*/false);
// Mark the string could be not null-terminated.
ProgramStateRef State = C.getState();
State = State->set<NullTerminationMap>(MR, false);
C.addTransition(State, Tag);
}
/// Create a note about the buffer could overflow and store the allocation
/// may cannot store the entire null-terminated string.
static void createAllocationOverflowReport(const MemRegion *MR,
Optional<std::string> ArrayName,
bool IsInit, CheckerContext &C) {
ProgramStateRef State = C.getState();
const NoteTag *Tag = C.getNoteTag(
[=](PathSensitiveBugReport &BR) -> std::string {
if (!BR.isInteresting(MR))
return "";
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << (ArrayName ? '\'' + *ArrayName + '\'' : "The array") << " is "
<< (IsInit ? "initialized" : "declared")
<< " without considering the length of the string it "
"will store, therefore it could overflow";
return Out.str().str();
},
/*IsPrunable=*/false);
// Mark the string it will store could be not null-terminated.
State = State->set<NullTerminationMap>(MR, false);
State = State->add<AllocationList>(MR);
C.addTransition(State, Tag);
}
/// Check whether the size of the memory block allocated is based on the string
/// it will store.
// FIXME: Use better heuristics to catch such constructs.
// FIXME: Make sure the size is appropriate for the null-terminator.
static bool isWrongSizeAllocation(const MemRegion *MR, CheckerContext &C) {
// Only check for allocations we model.
ProgramStateRef State = C.getState();
if (!isModeledDynamicSize(State, MR))
return false;
SValBuilder &SVB = C.getSValBuilder();
DefinedOrUnknownSVal AllocationSize = getDynamicSize(State, MR, SVB);
// 'strlen(something) + something' is most likely fine.
if (const SymExpr *SizeSym = AllocationSize.getAsSymExpr())
if (const auto *SIE = dyn_cast<SymIntExpr>(SizeSym))
if (SIE->getOpcode() == BO_Add)
if (const auto *SM = dyn_cast<SymbolMetadata>(SIE->getLHS()))
return false;
return true;
}
/// Check whether the function call could write outside of the buffer.
static bool isCallOverflow(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) {
SVal DestV = Call.getArgSVal(*CallC.DestinationPos);
SVal SrcV = Call.getArgSVal(*CallC.SourcePos);
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
// Check the size of the allocation to prevent false alarms.
const MemRegion *SrcMR = getRegion(SrcV);
const MemRegion *DestMR = getRegion(DestV);
if (!SrcMR || !DestMR)
return false;
// Only check for allocations we model.
if (!isModeledDynamicSize(State, DestMR))
return false;
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB);
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB);
if (SrcSize == DestSize)
return false;
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize))
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize))
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue())
return false;
if (!isWrongSizeAllocation(DestMR, C))
return false;
return true;
}
static bool isNonConstCharAllocation(const MemRegion *MR) {
const auto *TVR = MR->getAs<TypedValueRegion>();
if (!TVR)
return false;
QualType Ty = TVR->getValueType();
if (Ty.isNull())
return false;
while (Ty->isPointerType())
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Do we really need to handle indirect pointers here? I means e.g. char ***?

baloghadamsoftware: Do we really need to handle indirect pointers here? I means e.g. `char ***`?
Ty = Ty->getPointeeType();
if (const ArrayType *AT = Ty->getAsArrayTypeUnsafe())
Ty = AT->getElementType();
return Ty->isAnyCharacterType() && !Ty.isConstQualified();
}
/// Check whether the memory allocation could overflow, if so emit a report.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

What does it mean that the memory allocation could overflow?

baloghadamsoftware: What does it mean that //the memory allocation could overflow//?
static bool isAllocationOverflow(SVal L, SVal V, const Stmt *S,
CheckerContext &C) {
const MemRegion *LocMR = getRegion(L);
const MemRegion *NonLocMR = getRegion(V);
if (!LocMR || !NonLocMR)
return false;
// A C-string is null-terminated.
if (isa<StringRegion>(NonLocMR))
return false;
if (!isNonConstCharAllocation(LocMR))
return false;
// See whether we have already made a report for that allocation, so it
// prevent additional reports on rebindings.
ProgramStateRef State = C.getState();
if (State->get<AllocationList>().contains(NonLocMR))
return false;
if (!isWrongSizeAllocation(NonLocMR, C))
return false;
bool IsInit = false;
Optional<std::string> ArrayName;
if (const auto *VR = LocMR->getAs<VarRegion>()) {
if (const VarDecl *VD = VR->getDecl()) {
IsInit = VD->getInit();
ArrayName = VD->getNameAsString();
}
}
createAllocationOverflowReport(NonLocMR, ArrayName, IsInit, C);
return true;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The following checks STR31-C rules. // The following checks STR31-C rules.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC, void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
Show All 24 Lines if (FormatExpr->getString() != "%s")
return; return;
createCallOverflowReport(Call, CallC, C); createCallOverflowReport(Call, CallC, C);
} }
void StrCheckerBase::checkStrcpy(const CallEvent &Call, void StrCheckerBase::checkStrcpy(const CallEvent &Call,
const CallContext &CallC, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (!EnableStr31cChecker) if (EnableStr31cChecker || EnableStr32cChecker)
return; if (isCallOverflow(Call, CallC, C))
createCallOverflowReport(Call, CallC, C);
}
ProgramStateRef State = C.getState(); //===----------------------------------------------------------------------===//
SValBuilder &SVB = C.getSValBuilder(); // The following checks STR32-C rules.
SVal SrcV = Call.getArgSVal(*CallC.SourcePos); //===----------------------------------------------------------------------===//
SVal DestV = Call.getArgSVal(*CallC.DestinationPos);
// Check the size of the allocation 'DestSize' to prevent false alarms. void StrCheckerBase::checkStrncpy(const CallEvent &Call,
const MemRegion *SrcMR = getRegion(SrcV); const CallContext &CallC,
const MemRegion *DestMR = getRegion(DestV); CheckerContext &C) const {
if (!SrcMR || !DestMR) if (EnableStr32cChecker)
return; if (isCallOverflow(Call, CallC, C))
createCallOverflowReport(Call, CallC, C);
}
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB); void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S,
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB); CheckerContext &C) const {
if (!EnableStr32cChecker)
return;
// Only care about allocations we could model. if (isAllocationOverflow(L, V, S, C))
// FIXME: Use heuristics what is an allocator and try to obtain its size.
if (DestSize.isUnknown())
return; return;
if (SrcSize == DestSize) ProgramStateRef State = C.getState();
bool IsNullTermination = false;
if (const llvm::APInt *Int = C.getSValBuilder().getKnownValue(State, V))
IsNullTermination = Int->isNullValue();
if (!IsNullTermination)
return; return;
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize)) // Mark the string null-terminated.
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize)) State = State->set<NullTerminationMap>(getRegion(L), true);
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue()) C.addTransition(State);
}
void StrCheckerBase::checkPostStmt(const DeclStmt *S, CheckerContext &C) const {
if (!EnableStr32cChecker)
return; return;
// Allocating size of 'strlen(src)' is most likely fine. if (const auto *VD = cast<VarDecl>(S->getSingleDecl())) {
// FIXME: Make sure we catch 'strlen()' in complex SVals. if (VD->getType()->getAsArrayTypeUnsafe()) {
// FIXME: Calcualte the appropriate size for holding the string. ProgramStateRef State = C.getState();
if (const SymExpr *SE = DestSize.getAsSymExpr())
if (const auto *SIE = dyn_cast<SymIntExpr>(SE)) const VarRegion *VR = State->getRegion(VD, C.getLocationContext());
if (const auto *SM = dyn_cast<SymbolMetadata>(SIE->getLHS())) if (!isNonConstCharAllocation(VR))
if (SM->getRegion() == SrcMR)
return; return;
createCallOverflowReport(Call, CallC, C); std::string ArrayName = VD->getNameAsString();
createAllocationOverflowReport(VR, ArrayName, VD->getInit(), C);
}
}
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Main logic to check a function call. // Main logic to check a function call.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkPostCall(const CallEvent &Call, void StrCheckerBase::checkPostCall(const CallEvent &Call,
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why checking PostCall and not PreCall? Usually PostCall is used for modeling and PreCall for checking because for modeling we need the call already evaluated (e.g. we need the return value) but checking should happen before starting the evaluation of the call.

baloghadamsoftware: Why checking `PostCall` and not `PreCall`? Usually `PostCall` is used for modeling and…
CheckerContext &C) const { CheckerContext &C) const {
if (const auto *Lookup = CDM.lookup(Call)) { if (const auto *Lookup = CDM.lookup(Call)) {
const StrCheck &Check = Lookup->first; const StrCheck &Check = Lookup->first;
Check(this, Call, Lookup->second, C); Check(this, Call, Lookup->second, C);
return;
}
// In case of STR32-C we want to catch not null-terminated strings passed
// to a function call.
if (!EnableStr32cChecker)
return;
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Do we chack any call here passing non-null terminated strings? I disagree with that appraocah because there may be functions expecting e.g. binary data. It seems that we are not even checking the type so we could get false positives here for any mem...() function.

baloghadamsoftware: Do we chack //any// call here passing non-null terminated strings? I disagree with that…
// If the passed parameter is a const-qualified string we assume that the
// string could be read. If such string is not null-terminated emit a report.
for (unsigned I = 0; I < Call.parameters().size(); ++I) {
SVal V = Call.getArgSVal(I);
const MemRegion *MR = getRegion(V);
if (!MR)
continue;
QualType ParamTy = Call.parameters()[I]->getType();
if (ParamTy->isPointerType())
ParamTy = ParamTy->getPointeeType();
if (!ParamTy.isConstQualified())
continue;
ProgramStateRef State = C.getState();
const bool *IsNullTerminated = State->get<NullTerminationMap>(MR);
if (!IsNullTerminated || *IsNullTerminated)
continue;
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
const Expr *Arg = Call.getArgExpr(I);
Out << '\'' << printPretty(Arg, C) << "' is not null-terminated";
auto Report = std::make_unique<PathSensitiveBugReport>(
BT, Out.str(), C.generateErrorNode());
Report->addRange(Arg->getSourceRange());
Report->markInteresting(MR);
// Track the allocation.
bugreporter::trackExpressionValue(Report->getErrorNode(), Arg, *Report);
if (const SymbolRef Sym = Call.getArgSVal(I).getAsSymbol())
Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
C.emitReport(std::move(Report));
} }
} }
void ento::registerStrCheckerBase(CheckerManager &Mgr) { void ento::registerStrCheckerBase(CheckerManager &Mgr) {
Mgr.registerChecker<StrCheckerBase>(); Mgr.registerChecker<StrCheckerBase>();
} }
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

-1 line

Charusso: -1 line
bool ento::shouldRegisterStrCheckerBase(const CheckerManager &) { return true; } bool ento::shouldRegisterStrCheckerBase(const CheckerManager &) { return true; }
#define REGISTER_CHECKER(Name) \ #define REGISTER_CHECKER(Name) \
void ento::register##Name(CheckerManager &Mgr) { \ void ento::register##Name(CheckerManager &Mgr) { \
auto *Checker = Mgr.getChecker<StrCheckerBase>(); \ auto *Checker = Mgr.getChecker<StrCheckerBase>(); \
Checker->Enable##Name = true; \ Checker->Enable##Name = true; \
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

This is a huge assumption to make this checker as simple as possible. On each allocation I would store the memory regions which the size expression consists of. When we encounter a memory/string handler function call which has a size-expression parameter we could match whether the allocation considered the length of the string it will store.

May we will have a better idea, so I would leave that as it is, for now.

Charusso: This is a huge assumption to make this checker as simple as possible. On each allocation I…
} \ } \
\ \
bool ento::shouldRegister##Name(const CheckerManager &) { return true; } bool ento::shouldRegister##Name(const CheckerManager &) { return true; }
REGISTER_CHECKER(Str31cChecker) REGISTER_CHECKER(Str31cChecker)
REGISTER_CHECKER(Str32cChecker)

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp

Show First 20 LinesShow All 94 Lines▼ Show 20 Lines if (const Expr *SizeExpr = NE->getArraySize().getValueOr(nullptr)) {
ElementCount = SVB.makeIntVal(1, /*IsUnsigned=*/true); ElementCount = SVB.makeIntVal(1, /*IsUnsigned=*/true);
} }
return setDynamicSize( return setDynamicSize(
State, MR, getSize(State, ElementCount, NE->getAllocatedType(), SVB), State, MR, getSize(State, ElementCount, NE->getAllocatedType(), SVB),
SVB); SVB);
} }
bool isModeledDynamicSize(ProgramStateRef State, const MemRegion *MR) {
assert(MR);
if (State->get<DynamicSizeMap>(MR))
return true;
if (const auto *TVR = dyn_cast<TypedValueRegion>(MR->getBaseRegion()))
if (TVR->getValueType()->getAsArrayTypeUnsafe())
return true;
return false;
}
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang

clang/test/Analysis/Inputs/system-header-simulator.h

Show First 20 LinesShow All 62 Lines▼ Show 20 Lines
void clearerr(FILE *stream); void clearerr(FILE *stream);
int feof(FILE *stream); int feof(FILE *stream);
int ferror(FILE *stream); int ferror(FILE *stream);
int fileno(FILE *stream); int fileno(FILE *stream);
// Note, on some platforms errno macro gets replaced with a function call. // Note, on some platforms errno macro gets replaced with a function call.
extern int errno; extern int errno;
size_t strlen(const char *); // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED) && !__cplusplus
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif
size_t wcslen(const wchar_t *str);
size_t strlen(const char *);
char *strcpy(char *restrict, const char *restrict); char *strcpy(char *restrict, const char *restrict);
char *strncpy(char *dst, const char *src, size_t n); char *strncpy(char *dst, const char *src, size_t n);
void *memcpy(void *dst, const void *src, size_t n); void *memcpy(void *dst, const void *src, size_t n);
typedef unsigned long __darwin_pthread_key_t; typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t; typedef __darwin_pthread_key_t pthread_key_t;
int pthread_setspecific(pthread_key_t, const void *); int pthread_setspecific(pthread_key_t, const void *);
▲ Show 20 LinesShow All 66 LinesShow Last 20 Lines

clang/test/Analysis/cert/str32-c-notes.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.32c \
// RUN: -analyzer-output=text -verify %s
// See the examples on the page of STR32-C:
// https://wiki.sei.cmu.edu/confluence/x/r9UxBQ
#include "../Inputs/system-header-simulator.h"
void *realloc(void *memblock, size_t size);
namespace test_realloc_bad {
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(wchar_t *cur_msg) {
if (cur_msg == NULL) {
// expected-note@-1 {{Assuming 'cur_msg' is not equal to NULL}}
// expected-note@-2 {{Taking false branch}}
return;
}
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
// expected-note@-1 {{Memory is allocated}}
// expected-note@-2 {{'temp' initialized here}}
// expected-note@-3 {{'temp' is initialized without considering the length of the string it will store, therefore it could overflow}}
/* temp and cur_msg may no longer be null-terminated */
cur_msg = temp;
// expected-note@-1 {{Value assigned to 'cur_msg'}}
cur_msg_len = wcslen(cur_msg);
// expected-note@-1 {{'cur_msg' is not null-terminated}}
// expected-warning@-2 {{'cur_msg' is not null-terminated}}
}
} // namespace test_realloc_bad

clang/test/Analysis/cert/str32-c.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.32c \
// RUN: -verify %s
// See the examples on the page of STR32-C:
// https://wiki.sei.cmu.edu/confluence/x/r9UxBQ
#include "../Inputs/system-header-simulator.h"
void *realloc(void *memblock, size_t size);
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Please move this to the system header simulator instead of repeating it in every test file.

baloghadamsoftware: Please move this to the //system header simulator// instead of repeating it in every test file.
namespace test_strncpy_bad {
enum { STR_SIZE = 32 };
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why enum?

baloghadamsoftware: Why `enum`?
size_t func(const char *source) {
char c_str[STR_SIZE];
size_t ret = 0;
if (source) {
c_str[sizeof(c_str) - 1] = '\0';
strncpy(c_str, source, sizeof(c_str));
ret = strlen(c_str);
// expected-warning@-1 {{'c_str' is not null-terminated}}
}
return ret;
}
} // namespace test_strncpy_bad
namespace test_strncpy_good {
enum { STR_SIZE = 32 };
size_t func(const char *src) {
char c_str[STR_SIZE];
size_t ret = 0;
if (src) {
strncpy(c_str, src, sizeof(c_str) - 1);
c_str[sizeof(c_str) - 1] = '\0';
ret = strlen(c_str);
}
return ret;
}
} // namespace test_strncpy_good
namespace test_realloc_bad {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL)
return;
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL)
return;
cur_msg = temp;
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
// expected-warning@-1 {{'cur_msg' is not null-terminated}}
}
} // namespace test_realloc_bad
namespace test_realloc_good {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL)
return;
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL)
return;
cur_msg = temp;
/* Properly null-terminate cur_msg */
cur_msg[temp_size - 1] = L'\0';
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
}
} // namespace test_realloc_good

clang/test/Analysis/malloc.c

// RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \ // RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \ // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
// RUN: -analyzer-checker=alpha.core.CastSize \ // RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=debug.ExprInspection // RUN: -analyzer-checker=debug.ExprInspection
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED)
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif // !defined(_WCHAR_T_DEFINED)
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t); void *malloc(size_t);
void *alloca(size_t); void *alloca(size_t);
void *valloc(size_t); void *valloc(size_t);
void free(void *); void free(void *);
void *realloc(void *ptr, size_t size); void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size); void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
▲ Show 20 LinesShow All 1,821 LinesShow Last 20 Lines