This is an archive of the discontinued LLVM Phabricator instance.

Differential D71033

[analyzer] CERT STR rule checkers: STR32-C
Needs RevisionPublic

Authored by Charusso on Dec 4 2019, 2:20 PM.

Details

Reviewers
NoQ
baloghadamsoftware
Summary

This patch introduces a new experimental checker:
alpha.security.cert.str.32c

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string

It warns on reading non-null-terminated strings. This warning is restricted to
the allocations which the Static Analyzer models with unix.Malloc checker.

Also warns on misusing the strncpy() function.

Diff Detail

Event Timeline

Charusso created this revision.Dec 4 2019, 2:20 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptDec 4 2019, 2:20 PM
Charusso marked an inline comment as done.Dec 4 2019, 2:25 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
357

This is a huge assumption to make this checker as simple as possible. On each allocation I would store the memory regions which the size expression consists of. When we encounter a memory/string handler function call which has a size-expression parameter we could match whether the allocation considered the length of the string it will store.

May we will have a better idea, so I would leave that as it is, for now.

Charusso added a parent revision: D70805: [analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant.Dec 4 2019, 2:26 PM
Charusso added a comment.Dec 4 2019, 2:32 PM

Examples generated by CodeChecker from the curl project:

str32-c.tar.gz1 MBDownload

Charusso updated this revision to Diff 232672.EditedDec 6 2019, 4:19 PM
Charusso edited the summary of this revision. (Show Details)
  • Add docs.
  • Move to alpha.
Charusso added a child revision: D71155: [analyzer] CERT STR rule checkers: STR30-C.Dec 6 2019, 4:24 PM
Charusso updated this revision to Diff 233904.EditedDec 13 2019, 6:47 PM
Charusso retitled this revision from [analyzer] CERT: StrChecker: 32.c to [analyzer] CERT: STR32-C.
  • Add notes to the initialization of char-arrays.
  • Mark the string null-terminated calling strcpy() with an appropriate size.
Charusso added a comment.Dec 13 2019, 6:51 PM

We need to add the interestingness to the NoteTags so that we only emit notes on initialization/function calls which leads to an error.

Charusso marked an inline comment as done.Dec 13 2019, 6:52 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
414

-1 line

Charusso updated this revision to Diff 241761.Jan 31 2020, 9:58 AM
  • Rebase.
Charusso edited the summary of this revision. (Show Details)Jan 31 2020, 9:58 AM
Charusso mentioned this in D70411: [analyzer] CERT STR rule checkers: STR31-C.Mar 25 2020, 12:35 PM
Charusso updated this revision to Diff 265962.May 24 2020, 9:23 PM
Charusso retitled this revision from [analyzer] CERT: STR32-C to [analyzer] CERT STR rule checkers: STR32-C.
  • Refactor.
  • State out explicitly whether the Analyzer models the dynamic size.
Herald added subscribers: ASDenysPetrov, martong, steakhal. · View Herald TranscriptMay 24 2020, 9:23 PM
Charusso edited parent revisions, added: D70411: [analyzer] CERT STR rule checkers: STR31-C; removed: D70805: [analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant.May 24 2020, 9:26 PM
baloghadamsoftware requested changes to this revision.Jun 29 2020, 9:15 AM
baloghadamsoftware added inline comments.
clang/docs/analyzer/checkers.rst
1982 ↗(On Diff #265962)

Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of the rule this way.

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
165

Why do we need this? The constructor of PathSensitiveBugReport takes a StringRef. Msg.str() returns a StringRef. Your solution creates a C++ string first, which means an unnecessary copy.

277

Why checking PostCall and not PreCall? Usually PostCall is used for modeling and PreCall for checking because for modeling we need the call already evaluated (e.g. we need the return value) but checking should happen before starting the evaluation of the call.

289

Do we chack any call here passing non-null terminated strings? I disagree with that appraocah because there may be functions expecting e.g. binary data. It seems that we are not even checking the type so we could get false positives here for any mem...() function.

290

Do we really need to handle indirect pointers here? I means e.g. char ***?

299

What does it mean that the memory allocation could overflow?

clang/test/Analysis/cert/str32-c.cpp
11

Please move this to the system header simulator instead of repeating it in every test file.

14

Why enum?

This revision now requires changes to proceed.Jun 29 2020, 9:15 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 29 2020, 9:15 AM
whisperity added a subscriber: whisperity.Jul 9 2020, 1:01 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
Core/
PathSensitive/
8 lines
lib/
StaticAnalyzer/
Checkers/
cert/
192 lines
Core/
13 lines
test/
Analysis/
Inputs/
21 lines
cert/
66 lines
88 lines
15 lines

Diff 232211

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 794 Lines▼ Show 20 Linesdef StrCheckerBase : Checker<"StrCheckerBase">,
Documentation<HasDocumentation>, Documentation<HasDocumentation>,
Hidden; Hidden;
def Str31cChecker : Checker<"31.c">, def Str31cChecker : Checker<"31.c">,
HelpText<"SEI CERT checker of rules defined in STR31-C">, HelpText<"SEI CERT checker of rules defined in STR31-C">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def Str32cChecker : Checker<"32.c">,
HelpText<"SEI CERT checker of rules defined in STR32-C">,
Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>;
} // end "cert.str" } // end "cert.str"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
▲ Show 20 LinesShow All 616 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h

//===- DynamicSize.h - Dynamic size related APIs ----------------*- C++ -*-===// //===- DynamicSize.h - Dynamic size related APIs ----------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines APIs that track and query dynamic size information. // This file defines APIs that track and query dynamic size information.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSizeInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "llvm/ADT/Optional.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
/// \returns The stored dynamic size for the region \p MR. /// \returns The stored dynamic size for the region \p MR.
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB); SValBuilder &SVB);
/// \returns The stored dynamic size information or the array's static size
/// information for the region \p MR.
Optional<DynamicSizeInfo> getDynamicSizeInfo(ProgramStateRef State,
const MemRegion *MR,
SValBuilder &SVB);
/// \returns The stored dynamic size expression for the region \p MR. /// \returns The stored dynamic size expression for the region \p MR.
const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR); const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR);
/// \returns The stored element count of the region \p MR. /// \returns The stored element count of the region \p MR.
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
const MemRegion *MR, const MemRegion *MR,
SValBuilder &SVB, SValBuilder &SVB,
QualType ElementTy); QualType ElementTy);
Show All 10 Lines

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp

Show All 9 Lines
// handler function issues. // handler function issues.
// The rules can be found in section 'Rule 07. Characters and Strings (STR)': // The rules can be found in section 'Rule 07. Characters and Strings (STR)':
// https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152038 // https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152038
// //
// This checker is a base checker which consist of the following checkers: // This checker is a base checker which consist of the following checkers:
// - '31.c' // - '31.c'
// https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator // https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator
// //
// - '32.c'
// https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string
//
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace ast_matchers; using namespace ast_matchers;
namespace { namespace {
struct CallContext { struct CallContext {
CallContext(Optional<unsigned> DestinationPos, CallContext(Optional<unsigned> DestinationPos,
Optional<unsigned> SourcePos = None) Optional<unsigned> SourcePos = None,
: DestinationPos(DestinationPos), SourcePos(SourcePos) {} Optional<unsigned> LengthPos = None)
: DestinationPos(DestinationPos), SourcePos(SourcePos),
LengthPos(LengthPos) {}
Optional<unsigned> DestinationPos; Optional<unsigned> DestinationPos;
Optional<unsigned> SourcePos; Optional<unsigned> SourcePos;
Optional<unsigned> LengthPos;
}; };
class StrCheckerBase : public Checker<check::PostCall, check::Bind> { class StrCheckerBase : public Checker<check::PostCall, check::Bind> {
using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &, using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &,
const CallContext &, CheckerContext &)>; const CallContext &, CheckerContext &)>;
public: public:
// We report a note when any of the calls in 'CDM' is being used because // We report a note when any of the calls in 'CDM' is being used because
Show All 12 Linespublic:
void checkGets(const CallEvent &Call, const CallContext &CallC, void checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkSprintf(const CallEvent &Call, const CallContext &CallC, void checkSprintf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkFscanf(const CallEvent &Call, const CallContext &CallC, void checkFscanf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrcpy(const CallEvent &Call, const CallContext &CallC, void checkStrcpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrncpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
std::unique_ptr<BugType> BT; std::unique_ptr<BugType> BT;
bool EnableStr31cChecker = false;
bool EnableStr31cChecker = false, EnableStr32cChecker = false;
private: private:
const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = { const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = {
// The following checks STR31-C rules. // The following checks STR31-C rules.
// char *gets(char *dest); // char *gets(char *dest);
{{"gets", 1}, {&StrCheckerBase::checkGets, {0}}}, {{"gets", 1}, {&StrCheckerBase::checkGets, {0}}},
// int sprintf(char *dest, const char *format, ... [const char *source]); // int sprintf(char *dest, const char *format, ... [const char *source]);
{{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}}, {{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}},
// int fscanf(FILE *stream, const char *format, ... [char *dest]); // int fscanf(FILE *stream, const char *format, ... [char *dest]);
{{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}}, {{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}},
// char *strcpy(char *dest, const char *src); // char *strcpy(char *dest, const char *src);
{{"strcpy", 2}, {&StrCheckerBase::checkStrcpy, {0, 1}}}}; {{"strcpy", 2}, {&StrCheckerBase::checkStrcpy, {0, 1}}},
// The following checks STR32-C rules.
// char *strncpy(char *dest, const char *src, size_t count)
{{"strncpy", 3}, {&StrCheckerBase::checkStrncpy, {0, 1, 2}}}};
}; };
} // namespace } // namespace
// It stores whether the string is null-terminated. // It stores whether the string is null-terminated.
REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool) REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool)
// It stores the allocations which we emit notes on.
REGISTER_LIST_WITH_PROGRAMSTATE(AllocationList, const MemRegion *)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Helper functions. // Helper functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Returns a string representation of \p E. // Returns a string representation of \p E.
static std::string exprToStr(const Expr *E, CheckerContext &C) { static std::string exprToStr(const Expr *E, CheckerContext &C) {
assert(E); assert(E);
Show All 37 Linesstatic void createOverflowNote(const CallEvent &Call, const CallContext &CallC,
SVal DestV = Call.getArgSVal(DestPos); SVal DestV = Call.getArgSVal(DestPos);
const MemRegion *MR = getRegion(DestV); const MemRegion *MR = getRegion(DestV);
if (!MR) if (!MR)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
std::string CallName = Call.getCalleeIdentifier()->getName(); std::string CallName = Call.getCalleeIdentifier()->getName();
Optional<std::string> ArrayName = getName(Call.getArgExpr(DestPos), C); std::string ArrayName = "the array";
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why do we need this? The constructor of PathSensitiveBugReport takes a StringRef. Msg.str() returns a StringRef. Your solution creates a C++ string first, which means an unnecessary copy.

baloghadamsoftware: Why do we need this? The constructor of `PathSensitiveBugReport` takes a `StringRef`. `Msg.str…
if (Optional<std::string> TmpArrayName = getName(Call.getArgExpr(DestPos), C))
ArrayName = *TmpArrayName;
const NoteTag *Tag = C.getNoteTag( const NoteTag *Tag = C.getNoteTag(
[=]() -> std::string { [=]() -> std::string {
SmallString<128> Msg; SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
Out << '\'' << CallName << "' could write outside of " Out << '\'' << CallName << "' could write outside of " << ArrayName;
<< (ArrayName ? *ArrayName : "the array");
return Out.str(); return Out.str();
}, },
/*IsPrunable=*/false); /*IsPrunable=*/false);
// Mark the string could be not null-terminated. // Mark the string could be not null-terminated.
State = State->set<NullTerminationMap>(MR, false); State = State->set<NullTerminationMap>(MR, false);
C.addTransition(State, C.getPredecessor(), Tag); C.addTransition(State, C.getPredecessor(), Tag);
} }
static bool isWrongAllocation(SVal DestV, SVal SrcV, CheckerContext &C) {
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
// Check the size of the allocation to prevent false alarms.
const MemRegion *SrcMR = getRegion(SrcV);
const MemRegion *DestMR = getRegion(DestV);
if (!SrcMR || !DestMR)
return false;
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB);
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB);
// 'strlen(src) + integer' is most likely fine.
// FIXME: We cannot catch every '+ integer' part at the moment so we do not
// check that property for now.
SValHasDescendant HasDescendantSrc(SrcMR);
if (HasDescendantSrc.Visit(DestSize))
return false;
if (const MemRegion *DestSizeR = DestSize.getAsRegion())
if (DestSizeR == SrcMR)
return false;
// 'StringRegion' returns the size with the null-terminator.
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize))
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize))
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue())
return false;
return true;
}
static bool isWrongAllocation(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) {
SVal DestV = Call.getArgSVal(*CallC.DestinationPos);
SVal SrcV = Call.getArgSVal(*CallC.SourcePos);
return isWrongAllocation(DestV, SrcV, C);
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Evaluating problematic function calls. // Evaluating problematic function calls.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC, void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (EnableStr31cChecker) if (EnableStr31cChecker)
createOverflowNote(Call, CallC, C); createOverflowNote(Call, CallC, C);
Show All 22 Lines if (FormatExpr->getString() != "%s")
return; return;
createOverflowNote(Call, CallC, C); createOverflowNote(Call, CallC, C);
} }
void StrCheckerBase::checkStrcpy(const CallEvent &Call, void StrCheckerBase::checkStrcpy(const CallEvent &Call,
const CallContext &CallC, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (!EnableStr31cChecker) if (EnableStr31cChecker && isWrongAllocation(Call, CallC, C))
return; createOverflowNote(Call, CallC, C);
}
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
SVal SrcV = Call.getArgSVal(*CallC.SourcePos);
SVal DestV = Call.getArgSVal(*CallC.DestinationPos);
// Check the size of the allocation to prevent false alarms.
const MemRegion *SrcMR = getRegion(SrcV);
const MemRegion *DestMR = getRegion(DestV);
if (!SrcMR || !DestMR)
return;
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB);
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB);
// 'strlen(src) + integer' is most likely fine.
// FIXME: We cannot catch every '+ integer' part at the moment so we do not
// check that property for now.
SValHasDescendant HasDescendantSrc(SrcMR);
if (HasDescendantSrc.Visit(DestSize))
return;
// 'StringRegion' returns the size with the null-terminator.
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize))
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize))
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue())
return;
void StrCheckerBase::checkStrncpy(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr32cChecker)
createOverflowNote(Call, CallC, C); createOverflowNote(Call, CallC, C);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Main logic to check a call. // Main logic to check a call.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkPostCall(const CallEvent &Call, void StrCheckerBase::checkPostCall(const CallEvent &Call,
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why checking PostCall and not PreCall? Usually PostCall is used for modeling and PreCall for checking because for modeling we need the call already evaluated (e.g. we need the return value) but checking should happen before starting the evaluation of the call.

baloghadamsoftware: Why checking `PostCall` and not `PreCall`? Usually `PostCall` is used for modeling and…
CheckerContext &C) const { CheckerContext &C) const {
if (const auto *Lookup = CDM.lookup(Call)) { if (const auto *Lookup = CDM.lookup(Call)) {
const StrCheck &Check = Lookup->first; const StrCheck &Check = Lookup->first;
Check(this, Call, Lookup->second, C); Check(this, Call, Lookup->second, C);
return; return;
} }
// If we do not model the call and the given argument is a string which is // If we do not model the call and the given argument is a string which is
// not null-terminated emit a report. // not null-terminated emit a report.
for (unsigned I = 0; I < Call.getNumArgs(); ++I) { for (unsigned I = 0; I < Call.getNumArgs(); ++I) {
SVal V = Call.getArgSVal(I); SVal V = Call.getArgSVal(I);
const MemRegion *MR = getRegion(V); const MemRegion *MR = getRegion(V);
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Do we chack any call here passing non-null terminated strings? I disagree with that appraocah because there may be functions expecting e.g. binary data. It seems that we are not even checking the type so we could get false positives here for any mem...() function.

baloghadamsoftware: Do we chack //any// call here passing non-null terminated strings? I disagree with that…
if (!MR) if (!MR)
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Do we really need to handle indirect pointers here? I means e.g. char ***?

baloghadamsoftware: Do we really need to handle indirect pointers here? I means e.g. `char ***`?
continue; continue;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const bool *IsNullTerminated = State->get<NullTerminationMap>(MR); const bool *IsNullTerminated = State->get<NullTerminationMap>(MR);
if (!IsNullTerminated || *IsNullTerminated) if (!IsNullTerminated || *IsNullTerminated)
continue; continue;
const Expr *Arg = Call.getArgExpr(I); const Expr *Arg = Call.getArgExpr(I);
SmallString<128> Msg; SmallString<128> Msg;
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

What does it mean that the memory allocation could overflow?

baloghadamsoftware: What does it mean that //the memory allocation could overflow//?
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
if (Optional<std::string> Name = getName(Arg, C)) if (Optional<std::string> Name = getName(Arg, C))
Out << *Name; Out << *Name;
else else
Out << "the argument"; Out << "the argument";
Out << " is not null-terminated"; Out << " is not null-terminated";
auto Report = std::make_unique<PathSensitiveBugReport>( auto Report = std::make_unique<PathSensitiveBugReport>(
*BT, Out.str(), C.generateErrorNode()); *BT, Out.str(), C.generateErrorNode());
Report->addRange(Arg->getSourceRange()); Report->addRange(Arg->getSourceRange());
// Track the allocation. // Track the allocation.
const auto *VR = MR->getAs<VarRegion>(); const auto *VR = MR->getAs<VarRegion>();
if (VR && VR->getValueType()->getAsArrayTypeUnsafe()) { if (VR && VR->getValueType()->getAsArrayTypeUnsafe()) {
bugreporter::trackExpressionValue(C.getPredecessor(), Arg, *Report); bugreporter::trackExpressionValue(C.getPredecessor(), Arg, *Report);
} else if (const SymbolRef Sym = Call.getArgSVal(I).getAsSymbol()) { } else if (const SymbolRef Sym = Call.getArgSVal(I).getAsSymbol()) {
Report->addVisitor(allocation_state::getMallocBRVisitor(Sym)); Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
} }
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
} }
void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S, static bool checkAllocation(SVal L, SVal V, const Stmt *S, CheckerContext &C,
CheckerContext &C) const { BugType &BT) {
const MemRegion *LocMR = getRegion(L);
const MemRegion *NonLocMR = getRegion(V);
if (!LocMR || !NonLocMR)
return false;
// A C-string is null-terminated.
if (isa<StringRegion>(NonLocMR))
return false;
// Only check for character allocations.
QualType Ty;
if (const auto *LocTVR = LocMR->getAs<TypedValueRegion>()) {
Ty = LocTVR->getValueType();
if (!Ty.isNull() && Ty->isPointerType())
Ty = Ty->getPointeeType();
}
if (Ty.isNull() || !Ty->isAnyCharacterType())
return false;
// See whether we have made a report so it prevent reports on rebindings.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (State->get<AllocationList>().contains(NonLocMR))
return false;
// Check for a hand-written null-termination, e.g: 'c_string[length] = '\0';'. // Check for allocations we model.
const MemRegion *MR = getRegion(L); Optional<DynamicSizeInfo> SizeInfo =
if (!MR) getDynamicSizeInfo(State, NonLocMR, C.getSValBuilder());
if (!SizeInfo)
return false;
// 'strlen(something) + something' is most likely fine.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

This is a huge assumption to make this checker as simple as possible. On each allocation I would store the memory regions which the size expression consists of. When we encounter a memory/string handler function call which has a size-expression parameter we could match whether the allocation considered the length of the string it will store.

May we will have a better idea, so I would leave that as it is, for now.

Charusso: This is a huge assumption to make this checker as simple as possible. On each allocation I…
// FIXME: Use the 'SValVisitor' to catch every such constructs of the symbol.
if (const SymExpr *SizeSym = SizeInfo->getSize().getAsSymExpr())
for (const SymExpr *Sym : SizeSym->symbols())
if (const auto *SIE = dyn_cast<SymIntExpr>(Sym))
if (SIE->getOpcode() == BO_Add)
if (const auto *SM = dyn_cast<SymbolMetadata>(SIE->getLHS()))
return true;
std::string ArrayName = "The array";
if (const auto *VR = LocMR->getAs<VarRegion>())
if (const VarDecl *VD = VR->getDecl())
ArrayName = '\'' + VD->getNameAsString() + '\'';
const NoteTag *Tag = C.getNoteTag(
[=]() -> std::string {
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << ArrayName
<< " is allocated without considering the length of the string it "
"will store, therefore it could overflow";
return Out.str();
},
/*IsPrunable=*/false);
// Mark the string could be not null-terminated.
State = State->set<NullTerminationMap>(NonLocMR, false);
State = State->add<AllocationList>(NonLocMR);
C.addTransition(State, C.getPredecessor(), Tag);
return true;
}
void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S,
CheckerContext &C) const {
if (EnableStr32cChecker)
if (checkAllocation(L, V, S, C, *BT))
return; return;
ProgramStateRef State = C.getState();
bool IsNullTermination = false; bool IsNullTermination = false;
if (const llvm::APInt *Int = C.getSValBuilder().getKnownValue(State, V)) if (const llvm::APInt *Int = C.getSValBuilder().getKnownValue(State, V))
IsNullTermination = Int->isNullValue(); IsNullTermination = Int->isNullValue();
if (!IsNullTermination) if (!IsNullTermination)
return; return;
// Mark the string null-terminated. // Mark the string null-terminated.
if (const auto *MR = getRegion(L)) {
State = State->set<NullTerminationMap>(MR, true); State = State->set<NullTerminationMap>(MR, true);
C.addTransition(State, C.getPredecessor()); C.addTransition(State, C.getPredecessor());
} }
}
void ento::registerStrCheckerBase(CheckerManager &Mgr) { void ento::registerStrCheckerBase(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<StrCheckerBase>(); auto *Checker = Mgr.registerChecker<StrCheckerBase>();
Checker->BT = std::make_unique<BugType>( Checker->BT = std::make_unique<BugType>(
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

-1 line

Charusso: -1 line
Mgr.getCurrentCheckerName(), "Insecure string handler function call", Mgr.getCurrentCheckerName(), "Insecure string handler function call",
categories::SecurityError); categories::SecurityError);
} }
bool ento::shouldRegisterStrCheckerBase(const LangOptions &) { return true; } bool ento::shouldRegisterStrCheckerBase(const LangOptions &) { return true; }
#define REGISTER_CHECKER(Name) \ #define REGISTER_CHECKER(Name) \
void ento::register##Name(CheckerManager &Mgr) { \ void ento::register##Name(CheckerManager &Mgr) { \
auto *Checker = Mgr.getChecker<StrCheckerBase>(); \ auto *Checker = Mgr.getChecker<StrCheckerBase>(); \
Checker->Enable##Name = true; \ Checker->Enable##Name = true; \
} \ } \
\ \
bool ento::shouldRegister##Name(const LangOptions &LO) { return true; } bool ento::shouldRegister##Name(const LangOptions &LO) { return true; }
REGISTER_CHECKER(Str31cChecker) REGISTER_CHECKER(Str31cChecker)
REGISTER_CHECKER(Str32cChecker)

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp

Show All 34 Lines
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB) { SValBuilder &SVB) {
if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR)) if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR))
return SizeInfo->getSize(); return SizeInfo->getSize();
return MR->getMemRegionManager().getStaticSize(MR, SVB); return MR->getMemRegionManager().getStaticSize(MR, SVB);
} }
Optional<DynamicSizeInfo> getDynamicSizeInfo(ProgramStateRef State,
const MemRegion *MR,
SValBuilder &SVB) {
if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR))
return *SizeInfo;
if (const auto *TVR = MR->getAs<TypedValueRegion>())
if (TVR->getValueType()->getAsArrayTypeUnsafe())
return DynamicSizeInfo(MR->getMemRegionManager().getStaticSize(MR, SVB));
return None;
}
const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR) { const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR) {
if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR)) if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR))
return SizeInfo->getSizeExpr(); return SizeInfo->getSizeExpr();
return nullptr; return nullptr;
} }
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
Show All 18 Lines

clang/test/Analysis/Inputs/system-header-simulator.h

Show All 32 Lines
int fscanf(FILE *stream, const char *format, ...); int fscanf(FILE *stream, const char *format, ...);
int fscanf_s(FILE *stream, const char *format, ...); int fscanf_s(FILE *stream, const char *format, ...);
char *getenv(const char *varname); char *getenv(const char *varname);
// Note, on some platforms errno macro gets replaced with a function call. // Note, on some platforms errno macro gets replaced with a function call.
extern int errno; extern int errno;
typedef int errno_t; typedef int errno_t;
size_t strlen(const char *); void *memcpy(void *dest, const void *src, size_t count);
size_t strlen(const char *str);
char *strcpy(char *dest, const char *src); char *strcpy(char *dest, const char *src);
errno_t strcpy_s(char *dest, size_t destSize, const char *src); errno_t strcpy_s(char *dest, size_t destSize, const char *src);
char *strncpy(char *dest, const char *src, size_t count); char *strncpy(char *dest, const char *src, size_t count);
void *memcpy(void *dest, const void *src, size_t count); // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED) && !__cplusplus
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif
size_t wcslen(const wchar_t *str);
typedef unsigned long __darwin_pthread_key_t; typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t; typedef __darwin_pthread_key_t pthread_key_t;
int pthread_setspecific(pthread_key_t, const void *); int pthread_setspecific(pthread_key_t, const void *);
typedef long long __int64_t; typedef long long __int64_t;
typedef __int64_t __darwin_off_t; typedef __int64_t __darwin_off_t;
typedef __darwin_off_t fpos_t; typedef __darwin_off_t fpos_t;
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

clang/test/Analysis/cert/str32-c-notes.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,security.cert.str.32.c \
// RUN: -analyzer-output=text -verify %s
// See the examples on the page of STR32-C:
// https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string
#include "../Inputs/system-header-simulator.h"
void *realloc(void *memblock, size_t size);
namespace test_strncpy_bad {
enum { STR_SIZE = 32 };
size_t func(const char *source) {
char c_str[STR_SIZE];
// expected-note@-1 {{'c_str' initialized here}}
size_t ret = 0;
if (source) {
// expected-note@-1 {{Assuming 'source' is non-null}}
// expected-note@-2 {{Taking true branch}}
c_str[sizeof(c_str) - 1] = '\0';
strncpy(c_str, source, sizeof(c_str));
// expected-note@-1 {{'strncpy' could write outside of 'c_str'}}
ret = strlen(c_str);
// expected-note@-1 {{'c_str' is not null-terminated}}
// expected-warning@-2 {{'c_str' is not null-terminated}}
}
return ret;
}
} // namespace test_strncpy_bad
namespace test_realloc_bad {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL) {
// expected-note@-1 {{Assuming 'cur_msg' is not equal to NULL}}
// expected-note@-2 {{Taking false branch}}
return;
}
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
// expected-note@-1 {{Memory is allocated}}
// expected-note@-2 {{'temp' is allocated without considering the length of the string it will store, therefore it could overflow}}
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL) {
// expected-note@-1 {{Assuming 'temp' is not equal to NULL}}
// expected-note@-2 {{Taking false branch}}
return;
}
cur_msg = temp; // no-warning: rebinding
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
// expected-note@-1 {{'cur_msg' is not null-terminated}}
// expected-warning@-2 {{'cur_msg' is not null-terminated}}
}
} // namespace test_realloc_bad

clang/test/Analysis/cert/str32-c.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,security.cert.str.32.c \
// RUN: -verify %s
// See the examples on the page of STR32-C:
// https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string
#include "../Inputs/system-header-simulator.h"
void *realloc(void *memblock, size_t size);
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Please move this to the system header simulator instead of repeating it in every test file.

baloghadamsoftware: Please move this to the //system header simulator// instead of repeating it in every test file.
namespace test_strncpy_bad {
enum { STR_SIZE = 32 };
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why enum?

baloghadamsoftware: Why `enum`?
size_t func(const char *source) {
char c_str[STR_SIZE];
size_t ret = 0;
if (source) {
c_str[sizeof(c_str) - 1] = '\0';
strncpy(c_str, source, sizeof(c_str));
ret = strlen(c_str);
// expected-warning@-1 {{'c_str' is not null-terminated}}
}
return ret;
}
} // namespace test_strncpy_bad
namespace test_strncpy_good {
enum { STR_SIZE = 32 };
size_t func(const char *src) {
char c_str[STR_SIZE];
size_t ret = 0;
if (src) {
strncpy(c_str, src, sizeof(c_str) - 1);
c_str[sizeof(c_str) - 1] = '\0';
ret = strlen(c_str);
}
return ret;
}
} // namespace test_strncpy_good
namespace test_realloc_bad {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL)
return;
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL)
return;
cur_msg = temp;
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
// expected-warning@-1 {{'cur_msg' is not null-terminated}}
}
} // namespace test_realloc_bad
namespace test_realloc_good {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL)
return;
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL)
return;
cur_msg = temp;
/* Properly null-terminate cur_msg */
cur_msg[temp_size - 1] = L'\0';
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
}
} // namespace test_realloc_good

clang/test/Analysis/malloc.c

// RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \ // RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \ // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
// RUN: -analyzer-checker=alpha.core.CastSize \ // RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=debug.ExprInspection // RUN: -analyzer-checker=debug.ExprInspection
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED)
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif // !defined(_WCHAR_T_DEFINED)
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t); void *malloc(size_t);
void *alloca(size_t); void *alloca(size_t);
void *valloc(size_t); void *valloc(size_t);
void free(void *); void free(void *);
void *realloc(void *ptr, size_t size); void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size); void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
▲ Show 20 LinesShow All 1,821 LinesShow Last 20 Lines