This is an archive of the discontinued LLVM Phabricator instance.

Differential D72035

[analyzer][NFC] Use CallEvent checker callback in GenericTaintChecker
ClosedPublic

Authored by steakhal on Dec 31 2019, 4:04 AM.

Details

Reviewers
NoQ
Szelethus
boga95
Commits
rG4138074a5385: [analyzer][NFC] Use CallEvent checker callback in GenericTaintChecker
rG95a94df5a9c3: [analyzer][NFC] Use CallEvent checker callback in GenericTaintChecker
Summary

Intended to be a non-functional change but it turned out CallEvent handles constructor calls unlike CallExpr which doesn't triggered for constructors.

All in all, this change shouldn't be observable since constructors are not yet propagating taintness like functions.
In the future constructors should propagate taintness as well.

This change includes:

  • NFCi change all uses of the CallExpr to CallEvent
  • NFC rename some functions, mark static them etc.
  • NFC omit explicit TaintPropagationRule type in switches
  • NFC apply some clang-tidy fixits

Diff Detail

Event Timeline

steakhal created this revision.Dec 31 2019, 4:04 AM
Herald added subscribers: cfe-commits, Charusso, dkrupp and 7 others. · View Herald TranscriptDec 31 2019, 4:04 AM
steakhal added a parent revision: D71524: [analyzer] Support tainted objects in GenericTaintChecker.Dec 31 2019, 4:05 AM
steakhal added inline comments.Dec 31 2019, 4:13 AM
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
358

I'm not sure why should we adjust (workaround) the number of arguments of CXXInstanceCalls calls, can someone explain it to me?

The same question raised for getArg too.

554

I'm not sure if this is the right way.

NoQ added inline comments.Dec 31 2019, 7:04 AM
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
358

Remove this :)

I think this is about this inconsistency with operator calls where one of {decl, expr} treats this as an argument, but the other doesn't. CallEvent automatically accounts for that (see getAdjustedParameterIndex() and getASTArgumentIndex() as they're overridden in various sub-classes of CallEvent).

427–441

Pls eventually transform this into CallDescriptionMap ^.^

554

You might want to cast Call to CXXMemberOperatorCall but i'm not sure it saves you anything.

Szelethus mentioned this in D71524: [analyzer] Support tainted objects in GenericTaintChecker.Feb 7 2020, 4:52 AM
Szelethus added a comment.Feb 7 2020, 4:55 AM

Hmm, have you branched off of D71524? If so, this patch should definitely land first.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
158

Nice!

358

I have some thoughts about this here: D71524#1859435.

steakhal updated this revision to Diff 243492.Feb 10 2020, 2:58 AM

Rebased on top of master, instead of D71524.

steakhal removed a parent revision: D71524: [analyzer] Support tainted objects in GenericTaintChecker.Feb 10 2020, 2:58 AM
Szelethus accepted this revision.Feb 24 2020, 7:33 AM

Wow. Its a joy to see you do C++. LGTM. Are you planning to introduce CallDescriptionMap at one point? :)

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
492–510

Whoa, this is amazing, but looks like a google interview question or something -- is this a technique I should know about it? I feel like we kinda sacrificed readability for coolness.

This revision is now accepted and ready to land.Feb 24 2020, 7:33 AM
Herald added a subscriber: martong. · View Herald TranscriptFeb 24 2020, 7:33 AM
steakhal marked 5 inline comments as done.Feb 25 2020, 5:56 AM
In D72035#1889320, @Szelethus wrote:

Wow. Its a joy to see you do C++. LGTM. Are you planning to introduce CallDescriptionMap at one point? :)

Yes, definitely.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
492–510

Actually, I agree but still convinced that it is the future-compatible way of doing this.

const auto OneOf = [FDecl](const auto &... Name) {
  // FIXME: use fold expression in C++17
  using unused = int[];
  bool ret = false;
  static_cast<void>(unused{
      0, (ret |= CheckerContext::isCLibraryFunction(FDecl, Name), 0)...});
  return ret;
};

In C++17 using fold expressions the whole lambda could be implemented such a way:

const auto OneOf = [FDecl](const auto &... Name) {
  return (CheckerContext::isCLibraryFunction(FDecl, Name) || ...);
};
Closed by commit rG95a94df5a9c3: [analyzer][NFC] Use CallEvent checker callback in GenericTaintChecker (authored by steakhal). · Explain WhyMar 4 2020, 8:26 AM
This revision was automatically updated to reflect the committed changes.
NoQ added inline comments.Apr 20 2020, 6:16 AM
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
113

rG878194414107e94600de31a11be09a347fb2598b!

Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptApr 20 2020, 6:16 AM
steakhal marked 2 inline comments as done.Apr 20 2020, 7:57 AM
steakhal added inline comments.
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
113

Nice catch! Thank you for the fix.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
338 lines

Diff 248183

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show All 16 Lines
#include "Taint.h" #include "Taint.h"
#include "Yaml.h" #include "Yaml.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "llvm/Support/YAMLTraits.h" #include "llvm/Support/YAMLTraits.h"
#include <algorithm> #include <algorithm>
#include <limits> #include <limits>
#include <memory>
#include <unordered_map> #include <unordered_map>
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
namespace { namespace {
class GenericTaintChecker class GenericTaintChecker : public Checker<check::PreCall, check::PostCall> {
: public Checker<check::PostStmt<CallExpr>, check::PreStmt<CallExpr>> {
public: public:
static void *getTag() { static void *getTag() {
static int Tag; static int Tag;
return &Tag; return &Tag;
} }
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override; const char *Sep) const override;
using ArgVector = SmallVector<unsigned, 2>; using ArgVector = SmallVector<unsigned, 2>;
using SignedArgVector = SmallVector<int, 2>; using SignedArgVector = SmallVector<int, 2>;
enum class VariadicType { None, Src, Dst }; enum class VariadicType { None, Src, Dst };
Show All 19 Lines struct TaintConfiguration {
TaintConfiguration(const TaintConfiguration &) = default; TaintConfiguration(const TaintConfiguration &) = default;
TaintConfiguration(TaintConfiguration &&) = default; TaintConfiguration(TaintConfiguration &&) = default;
TaintConfiguration &operator=(const TaintConfiguration &) = default; TaintConfiguration &operator=(const TaintConfiguration &) = default;
TaintConfiguration &operator=(TaintConfiguration &&) = default; TaintConfiguration &operator=(TaintConfiguration &&) = default;
}; };
/// Convert SignedArgVector to ArgVector. /// Convert SignedArgVector to ArgVector.
ArgVector convertToArgVector(CheckerManager &Mgr, const std::string &Option, ArgVector convertToArgVector(CheckerManager &Mgr, const std::string &Option,
SignedArgVector Args); const SignedArgVector &Args);
/// Parse the config. /// Parse the config.
void parseConfiguration(CheckerManager &Mgr, const std::string &Option, void parseConfiguration(CheckerManager &Mgr, const std::string &Option,
TaintConfiguration &&Config); TaintConfiguration &&Config);
static const unsigned InvalidArgIndex{std::numeric_limits<unsigned>::max()}; static const unsigned InvalidArgIndex{std::numeric_limits<unsigned>::max()};
/// Denotes the return vale. /// Denotes the return vale.
static const unsigned ReturnValueIndex{std::numeric_limits<unsigned>::max() - static const unsigned ReturnValueIndex{std::numeric_limits<unsigned>::max() -
1}; 1};
private: private:
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
void initBugType() const { void initBugType() const {
if (!BT) if (!BT)
BT.reset(new BugType(this, "Use of Untrusted Data", "Untrusted Data")); BT = std::make_unique<BugType>(this, "Use of Untrusted Data",
"Untrusted Data");
} }
struct FunctionData { struct FunctionData {
FunctionData() = delete; FunctionData() = delete;
FunctionData(const FunctionData &) = default; FunctionData(const FunctionData &) = default;
FunctionData(FunctionData &&) = default; FunctionData(FunctionData &&) = default;
FunctionData &operator=(const FunctionData &) = delete; FunctionData &operator=(const FunctionData &) = delete;
FunctionData &operator=(FunctionData &&) = delete; FunctionData &operator=(FunctionData &&) = delete;
static Optional<FunctionData> create(const CallExpr *CE, static Optional<FunctionData> create(const CallEvent &Call,
const CheckerContext &C) { const CheckerContext &C) {
const FunctionDecl *FDecl = C.getCalleeDecl(CE); assert(Call.getDecl());
NoQUnsubmitted
Not Done
ReplyInline Actions

rG878194414107e94600de31a11be09a347fb2598b!

NoQ: rG878194414107e94600de31a11be09a347fb2598b!
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Nice catch! Thank you for the fix.

steakhal: Nice catch! Thank you for the fix.
const FunctionDecl *FDecl = Call.getDecl()->getAsFunction();
if (!FDecl || (FDecl->getKind() != Decl::Function && if (!FDecl || (FDecl->getKind() != Decl::Function &&
FDecl->getKind() != Decl::CXXMethod)) FDecl->getKind() != Decl::CXXMethod))
return None; return None;
StringRef Name = C.getCalleeName(FDecl); StringRef Name = C.getCalleeName(FDecl);
std::string FullName = FDecl->getQualifiedNameAsString(); std::string FullName = FDecl->getQualifiedNameAsString();
if (Name.empty() || FullName.empty()) if (Name.empty() || FullName.empty())
return None; return None;
return FunctionData{FDecl, Name, FullName}; return FunctionData{FDecl, Name, FullName};
} }
bool isInScope(StringRef Scope) const { bool isInScope(StringRef Scope) const {
return StringRef(FullName).startswith(Scope); return StringRef(FullName).startswith(Scope);
} }
const FunctionDecl *const FDecl; const FunctionDecl *const FDecl;
const StringRef Name; const StringRef Name;
const std::string FullName; const std::string FullName;
}; };
/// Catch taint related bugs. Check if tainted data is passed to a /// Catch taint related bugs. Check if tainted data is passed to a
/// system call etc. Returns true on matching. /// system call etc. Returns true on matching.
bool checkPre(const CallExpr *CE, const FunctionData &FData, bool checkPre(const CallEvent &Call, const FunctionData &FData,
CheckerContext &C) const; CheckerContext &C) const;
/// Add taint sources on a pre-visit. Returns true on matching. /// Add taint sources on a pre-visit. Returns true on matching.
bool addSourcesPre(const CallExpr *CE, const FunctionData &FData, bool addSourcesPre(const CallEvent &Call, const FunctionData &FData,
CheckerContext &C) const; CheckerContext &C) const;
/// Mark filter's arguments not tainted on a pre-visit. Returns true on /// Mark filter's arguments not tainted on a pre-visit. Returns true on
/// matching. /// matching.
bool addFiltersPre(const CallExpr *CE, const FunctionData &FData, bool addFiltersPre(const CallEvent &Call, const FunctionData &FData,
CheckerContext &C) const; CheckerContext &C) const;
/// Propagate taint generated at pre-visit. Returns true on matching. /// Propagate taint generated at pre-visit. Returns true on matching.
bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const; static bool propagateFromPre(const CallEvent &Call, CheckerContext &C);
/// Check if the region the expression evaluates to is the standard input, /// Check if the region the expression evaluates to is the standard input,
/// and thus, is tainted. /// and thus, is tainted.
static bool isStdin(const Expr *E, CheckerContext &C); static bool isStdin(const Expr *E, CheckerContext &C);
/// Given a pointer argument, return the value it points to. /// Given a pointer argument, return the value it points to.
static Optional<SVal> getPointedToSVal(CheckerContext &C, const Expr *Arg); static Optional<SVal> getPointeeOf(CheckerContext &C, const Expr *Arg);
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Nice!

Szelethus: Nice!
/// Check for CWE-134: Uncontrolled Format String. /// Check for CWE-134: Uncontrolled Format String.
static constexpr llvm::StringLiteral MsgUncontrolledFormatString = static constexpr llvm::StringLiteral MsgUncontrolledFormatString =
"Untrusted data is used as a format string " "Untrusted data is used as a format string "
"(CWE-134: Uncontrolled Format String)"; "(CWE-134: Uncontrolled Format String)";
bool checkUncontrolledFormatString(const CallExpr *CE, bool checkUncontrolledFormatString(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
/// Check for: /// Check for:
/// CERT/STR02-C. "Sanitize data passed to complex subsystems" /// CERT/STR02-C. "Sanitize data passed to complex subsystems"
/// CWE-78, "Failure to Sanitize Data into an OS Command" /// CWE-78, "Failure to Sanitize Data into an OS Command"
static constexpr llvm::StringLiteral MsgSanitizeSystemArgs = static constexpr llvm::StringLiteral MsgSanitizeSystemArgs =
"Untrusted data is passed to a system call " "Untrusted data is passed to a system call "
"(CERT/STR02-C. Sanitize data passed to complex subsystems)"; "(CERT/STR02-C. Sanitize data passed to complex subsystems)";
bool checkSystemCall(const CallExpr *CE, StringRef Name, bool checkSystemCall(const CallEvent &Call, StringRef Name,
CheckerContext &C) const; CheckerContext &C) const;
/// Check if tainted data is used as a buffer size ins strn.. functions, /// Check if tainted data is used as a buffer size ins strn.. functions,
/// and allocators. /// and allocators.
static constexpr llvm::StringLiteral MsgTaintedBufferSize = static constexpr llvm::StringLiteral MsgTaintedBufferSize =
"Untrusted data is used to specify the buffer size " "Untrusted data is used to specify the buffer size "
"(CERT/STR31-C. Guarantee that storage for strings has sufficient space " "(CERT/STR31-C. Guarantee that storage for strings has sufficient space "
"for character data and the null terminator)"; "for character data and the null terminator)";
bool checkTaintedBufferSize(const CallExpr *CE, const FunctionDecl *FDecl, bool checkTaintedBufferSize(const CallEvent &Call, CheckerContext &C) const;
CheckerContext &C) const;
/// Check if tainted data is used as a custom sink's parameter. /// Check if tainted data is used as a custom sink's parameter.
static constexpr llvm::StringLiteral MsgCustomSink = static constexpr llvm::StringLiteral MsgCustomSink =
"Untrusted data is passed to a user-defined sink"; "Untrusted data is passed to a user-defined sink";
bool checkCustomSinks(const CallExpr *CE, const FunctionData &FData, bool checkCustomSinks(const CallEvent &Call, const FunctionData &FData,
CheckerContext &C) const; CheckerContext &C) const;
/// Generate a report if the expression is tainted or points to tainted data. /// Generate a report if the expression is tainted or points to tainted data.
bool generateReportIfTainted(const Expr *E, StringRef Msg, bool generateReportIfTainted(const Expr *E, StringRef Msg,
CheckerContext &C) const; CheckerContext &C) const;
struct TaintPropagationRule; struct TaintPropagationRule;
template <typename T> template <typename T>
Show All 13 Linesprivate:
/// If any of the possible taint source arguments is tainted, all of the /// If any of the possible taint source arguments is tainted, all of the
/// destination arguments should also be tainted. Use InvalidArgIndex in the /// destination arguments should also be tainted. Use InvalidArgIndex in the
/// src list to specify that all of the arguments can introduce taint. Use /// src list to specify that all of the arguments can introduce taint. Use
/// InvalidArgIndex in the dst arguments to signify that all the non-const /// InvalidArgIndex in the dst arguments to signify that all the non-const
/// pointer and reference arguments might be tainted on return. If /// pointer and reference arguments might be tainted on return. If
/// ReturnValueIndex is added to the dst list, the return value will be /// ReturnValueIndex is added to the dst list, the return value will be
/// tainted. /// tainted.
struct TaintPropagationRule { struct TaintPropagationRule {
using PropagationFuncType = bool (*)(bool IsTainted, const CallExpr *, using PropagationFuncType = bool (*)(bool IsTainted, const CallEvent &Call,
CheckerContext &C); CheckerContext &C);
/// List of arguments which can be taint sources and should be checked. /// List of arguments which can be taint sources and should be checked.
ArgVector SrcArgs; ArgVector SrcArgs;
/// List of arguments which should be tainted on function return. /// List of arguments which should be tainted on function return.
ArgVector DstArgs; ArgVector DstArgs;
/// Index for the first variadic parameter if exist. /// Index for the first variadic parameter if exist.
unsigned VariadicIndex; unsigned VariadicIndex;
Show All 27 Lines bool isNull() const {
return SrcArgs.empty() && DstArgs.empty() && return SrcArgs.empty() && DstArgs.empty() &&
VariadicType::None == VarType; VariadicType::None == VarType;
} }
bool isDestinationArgument(unsigned ArgNum) const { bool isDestinationArgument(unsigned ArgNum) const {
return (llvm::find(DstArgs, ArgNum) != DstArgs.end()); return (llvm::find(DstArgs, ArgNum) != DstArgs.end());
} }
static bool isTaintedOrPointsToTainted(const Expr *E, ProgramStateRef State, static bool isTaintedOrPointsToTainted(const Expr *E,
const ProgramStateRef &State,
CheckerContext &C) { CheckerContext &C) {
if (isTainted(State, E, C.getLocationContext()) || isStdin(E, C)) if (isTainted(State, E, C.getLocationContext()) || isStdin(E, C))
return true; return true;
if (!E->getType().getTypePtr()->isPointerType()) if (!E->getType().getTypePtr()->isPointerType())
return false; return false;
Optional<SVal> V = getPointedToSVal(C, E); Optional<SVal> V = getPointeeOf(C, E);
return (V && isTainted(State, *V)); return (V && isTainted(State, *V));
} }
/// Pre-process a function which propagates taint according to the /// Pre-process a function which propagates taint according to the
/// taint rule. /// taint rule.
ProgramStateRef process(const CallExpr *CE, CheckerContext &C) const; ProgramStateRef process(const CallEvent &Call, CheckerContext &C) const;
// Functions for custom taintedness propagation. // Functions for custom taintedness propagation.
static bool postSocket(bool IsTainted, const CallExpr *CE, static bool postSocket(bool IsTainted, const CallEvent &Call,
CheckerContext &C); CheckerContext &C);
}; };
/// Defines a map between the propagation function's name, scope /// Defines a map between the propagation function's name, scope
/// and TaintPropagationRule. /// and TaintPropagationRule.
NameRuleMap CustomPropagations; NameRuleMap CustomPropagations;
/// Defines a map between the filter function's name, scope and filtering /// Defines a map between the filter function's name, scope and filtering
▲ Show 20 LinesShow All 61 Lines▼ Show 20 Lines
} // namespace llvm } // namespace llvm
/// A set which is used to pass information from call pre-visit instruction /// A set which is used to pass information from call pre-visit instruction
/// to the call post-visit. The values are unsigned integers, which are either /// to the call post-visit. The values are unsigned integers, which are either
/// ReturnValueIndex, or indexes of the pointer/reference argument, which /// ReturnValueIndex, or indexes of the pointer/reference argument, which
/// points to data, which should be tainted on return. /// points to data, which should be tainted on return.
REGISTER_SET_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, unsigned) REGISTER_SET_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, unsigned)
GenericTaintChecker::ArgVector GenericTaintChecker::convertToArgVector( GenericTaintChecker::ArgVector
CheckerManager &Mgr, const std::string &Option, SignedArgVector Args) { GenericTaintChecker::convertToArgVector(CheckerManager &Mgr,
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

I'm not sure why should we adjust (workaround) the number of arguments of CXXInstanceCalls calls, can someone explain it to me?

The same question raised for getArg too.

steakhal: I'm not sure why should we adjust (//workaround//) the number of arguments of…
NoQUnsubmitted
Not Done
ReplyInline Actions

Remove this :)

I think this is about this inconsistency with operator calls where one of {decl, expr} treats this as an argument, but the other doesn't. CallEvent automatically accounts for that (see getAdjustedParameterIndex() and getASTArgumentIndex() as they're overridden in various sub-classes of CallEvent).

NoQ: Remove this :) I think this is about this inconsistency with operator calls where one of {decl…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

I have some thoughts about this here: D71524#1859435.

Szelethus: I have some thoughts about this here: D71524#1859435.
const std::string &Option,
const SignedArgVector &Args) {
ArgVector Result; ArgVector Result;
for (int Arg : Args) { for (int Arg : Args) {
if (Arg == -1) if (Arg == -1)
Result.push_back(ReturnValueIndex); Result.push_back(ReturnValueIndex);
else if (Arg < -1) { else if (Arg < -1) {
Result.push_back(InvalidArgIndex); Result.push_back(InvalidArgIndex);
Mgr.reportInvalidCheckerOptionValue( Mgr.reportInvalidCheckerOptionValue(
this, Option, this, Option,
▲ Show 20 LinesShow All 50 Lines▼ Show 20 LinesGenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
// value as tainted even if it's just a pointer, pointing to tainted data. // value as tainted even if it's just a pointer, pointing to tainted data.
// Check for exact name match for functions without builtin substitutes. // Check for exact name match for functions without builtin substitutes.
// Use qualified name, because these are C functions without namespace. // Use qualified name, because these are C functions without namespace.
TaintPropagationRule Rule = TaintPropagationRule Rule =
llvm::StringSwitch<TaintPropagationRule>(FData.FullName) llvm::StringSwitch<TaintPropagationRule>(FData.FullName)
// Source functions // Source functions
// TODO: Add support for vfscanf & family. // TODO: Add support for vfscanf & family.
.Case("fdopen", TaintPropagationRule({}, {ReturnValueIndex})) .Case("fdopen", {{}, {ReturnValueIndex}})
.Case("fopen", TaintPropagationRule({}, {ReturnValueIndex})) .Case("fopen", {{}, {ReturnValueIndex}})
.Case("freopen", TaintPropagationRule({}, {ReturnValueIndex})) .Case("freopen", {{}, {ReturnValueIndex}})
.Case("getch", TaintPropagationRule({}, {ReturnValueIndex})) .Case("getch", {{}, {ReturnValueIndex}})
.Case("getchar", TaintPropagationRule({}, {ReturnValueIndex})) .Case("getchar", {{}, {ReturnValueIndex}})
.Case("getchar_unlocked", .Case("getchar_unlocked", {{}, {ReturnValueIndex}})
TaintPropagationRule({}, {ReturnValueIndex})) .Case("getenv", {{}, {ReturnValueIndex}})
.Case("getenv", TaintPropagationRule({}, {ReturnValueIndex})) .Case("gets", {{}, {0, ReturnValueIndex}})
.Case("gets", TaintPropagationRule({}, {0, ReturnValueIndex})) .Case("scanf", {{}, {}, VariadicType::Dst, 1})
.Case("scanf", TaintPropagationRule({}, {}, VariadicType::Dst, 1)) .Case("socket", {{},
.Case("socket", {ReturnValueIndex},
TaintPropagationRule({}, {ReturnValueIndex}, VariadicType::None, VariadicType::None,
InvalidArgIndex, InvalidArgIndex,
&TaintPropagationRule::postSocket)) &TaintPropagationRule::postSocket})
.Case("wgetch", TaintPropagationRule({}, {ReturnValueIndex})) .Case("wgetch", {{}, {ReturnValueIndex}})
NoQUnsubmitted
Done
ReplyInline Actions

Pls eventually transform this into CallDescriptionMap ^.^

NoQ: Pls eventually transform this into `CallDescriptionMap` ^.^
// Propagating functions // Propagating functions
.Case("atoi", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("atoi", {{0}, {ReturnValueIndex}})
.Case("atol", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("atol", {{0}, {ReturnValueIndex}})
.Case("atoll", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("atoll", {{0}, {ReturnValueIndex}})
.Case("fgetc", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("fgetc", {{0}, {ReturnValueIndex}})
.Case("fgetln", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("fgetln", {{0}, {ReturnValueIndex}})
.Case("fgets", TaintPropagationRule({2}, {0, ReturnValueIndex})) .Case("fgets", {{2}, {0, ReturnValueIndex}})
.Case("fscanf", TaintPropagationRule({0}, {}, VariadicType::Dst, 2)) .Case("fscanf", {{0}, {}, VariadicType::Dst, 2})
.Case("getc", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("sscanf", {{0}, {}, VariadicType::Dst, 2})
.Case("getc_unlocked", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("getc", {{0}, {ReturnValueIndex}})
.Case("getdelim", TaintPropagationRule({3}, {0})) .Case("getc_unlocked", {{0}, {ReturnValueIndex}})
.Case("getline", TaintPropagationRule({2}, {0})) .Case("getdelim", {{3}, {0}})
.Case("getw", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("getline", {{2}, {0}})
.Case("pread", .Case("getw", {{0}, {ReturnValueIndex}})
TaintPropagationRule({0, 1, 2, 3}, {1, ReturnValueIndex})) .Case("pread", {{0, 1, 2, 3}, {1, ReturnValueIndex}})
.Case("read", TaintPropagationRule({0, 2}, {1, ReturnValueIndex})) .Case("read", {{0, 2}, {1, ReturnValueIndex}})
.Case("strchr", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("strchr", {{0}, {ReturnValueIndex}})
.Case("strrchr", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("strrchr", {{0}, {ReturnValueIndex}})
.Case("tolower", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("tolower", {{0}, {ReturnValueIndex}})
.Case("toupper", TaintPropagationRule({0}, {ReturnValueIndex})) .Case("toupper", {{0}, {ReturnValueIndex}})
.Default(TaintPropagationRule()); .Default({});
if (!Rule.isNull()) if (!Rule.isNull())
return Rule; return Rule;
assert(FData.FDecl);
// Check if it's one of the memory setting/copying functions. // Check if it's one of the memory setting/copying functions.
// This check is specialized but faster then calling isCLibraryFunction. // This check is specialized but faster then calling isCLibraryFunction.
const FunctionDecl *FDecl = FData.FDecl; const FunctionDecl *FDecl = FData.FDecl;
unsigned BId = 0; unsigned BId = 0;
if ((BId = FDecl->getMemoryFunctionKind())) if ((BId = FDecl->getMemoryFunctionKind())) {
switch (BId) { switch (BId) {
case Builtin::BImemcpy: case Builtin::BImemcpy:
case Builtin::BImemmove: case Builtin::BImemmove:
case Builtin::BIstrncpy: case Builtin::BIstrncpy:
case Builtin::BIstrncat: case Builtin::BIstrncat:
return TaintPropagationRule({1, 2}, {0, ReturnValueIndex}); return {{1, 2}, {0, ReturnValueIndex}};
case Builtin::BIstrlcpy: case Builtin::BIstrlcpy:
case Builtin::BIstrlcat: case Builtin::BIstrlcat:
return TaintPropagationRule({1, 2}, {0}); return {{1, 2}, {0}};
case Builtin::BIstrndup: case Builtin::BIstrndup:
return TaintPropagationRule({0, 1}, {ReturnValueIndex}); return {{0, 1}, {ReturnValueIndex}};
default: default:
break; break;
}; }
}
// Process all other functions which could be defined as builtins. // Process all other functions which could be defined as builtins.
if (Rule.isNull()) { if (Rule.isNull()) {
if (C.isCLibraryFunction(FDecl, "snprintf")) const auto OneOf = [FDecl](const auto &... Name) {
return TaintPropagationRule({1}, {0, ReturnValueIndex}, VariadicType::Src, // FIXME: use fold expression in C++17
3); using unused = int[];
else if (C.isCLibraryFunction(FDecl, "sprintf")) bool ret = false;
return TaintPropagationRule({}, {0, ReturnValueIndex}, VariadicType::Src, static_cast<void>(unused{
2); 0, (ret |= CheckerContext::isCLibraryFunction(FDecl, Name), 0)...});
else if (C.isCLibraryFunction(FDecl, "strcpy") || return ret;
C.isCLibraryFunction(FDecl, "stpcpy") || };
C.isCLibraryFunction(FDecl, "strcat")) if (OneOf("snprintf"))
return TaintPropagationRule({1}, {0, ReturnValueIndex}); return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
else if (C.isCLibraryFunction(FDecl, "bcopy")) if (OneOf("sprintf"))
return TaintPropagationRule({0, 2}, {1}); return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2};
else if (C.isCLibraryFunction(FDecl, "strdup") || if (OneOf("strcpy", "stpcpy", "strcat"))
C.isCLibraryFunction(FDecl, "strdupa")) return {{1}, {0, ReturnValueIndex}};
return TaintPropagationRule({0}, {ReturnValueIndex}); if (OneOf("bcopy"))
else if (C.isCLibraryFunction(FDecl, "wcsdup")) return {{0, 2}, {1}};
return TaintPropagationRule({0}, {ReturnValueIndex}); if (OneOf("strdup", "strdupa", "wcsdup"))
return {{0}, {ReturnValueIndex}};
} }
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Whoa, this is amazing, but looks like a google interview question or something -- is this a technique I should know about it? I feel like we kinda sacrificed readability for coolness.

Szelethus: Whoa, this is amazing, but looks like a google interview question or something -- is this a…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Actually, I agree but still convinced that it is the future-compatible way of doing this.

const auto OneOf = [FDecl](const auto &... Name) {
  // FIXME: use fold expression in C++17
  using unused = int[];
  bool ret = false;
  static_cast<void>(unused{
      0, (ret |= CheckerContext::isCLibraryFunction(FDecl, Name), 0)...});
  return ret;
};

In C++17 using fold expressions the whole lambda could be implemented such a way:

const auto OneOf = [FDecl](const auto &... Name) {
  return (CheckerContext::isCLibraryFunction(FDecl, Name) || ...);
};
steakhal: Actually, I agree but still convinced that it is the future-compatible way of doing this.
// Skipping the following functions, since they might be used for cleansing // Skipping the following functions, since they might be used for cleansing or
// or smart memory copy: // smart memory copy:
// - memccpy - copying until hitting a special character. // - memccpy - copying until hitting a special character.
auto It = findFunctionInConfig(CustomPropagations, FData); auto It = findFunctionInConfig(CustomPropagations, FData);
if (It != CustomPropagations.end()) { if (It != CustomPropagations.end())
const auto &Value = It->second; return It->second.second;
return Value.second; return {};
} }
return TaintPropagationRule(); void GenericTaintChecker::checkPreCall(const CallEvent &Call,
}
void GenericTaintChecker::checkPreStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
Optional<FunctionData> FData = FunctionData::create(CE, C); Optional<FunctionData> FData = FunctionData::create(Call, C);
if (!FData) if (!FData)
return; return;
// Check for taintedness related errors first: system call, uncontrolled // Check for taintedness related errors first: system call, uncontrolled
// format string, tainted buffer size. // format string, tainted buffer size.
if (checkPre(CE, *FData, C)) if (checkPre(Call, *FData, C))
return; return;
// Marks the function's arguments and/or return value tainted if it present in // Marks the function's arguments and/or return value tainted if it present in
// the list. // the list.
if (addSourcesPre(CE, *FData, C)) if (addSourcesPre(Call, *FData, C))
return; return;
addFiltersPre(CE, *FData, C); addFiltersPre(Call, *FData, C);
} }
void GenericTaintChecker::checkPostStmt(const CallExpr *CE, void GenericTaintChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// Set the marked values as tainted. The return value only accessible from // Set the marked values as tainted. The return value only accessible from
// checkPostStmt. // checkPostStmt.
propagateFromPre(CE, C); propagateFromPre(Call, C);
} }
void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State, void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const { const char *NL, const char *Sep) const {
printTaint(State, Out, NL, Sep); printTaint(State, Out, NL, Sep);
} }
bool GenericTaintChecker::addSourcesPre(const CallExpr *CE, bool GenericTaintChecker::addSourcesPre(const CallEvent &Call,
const FunctionData &FData, const FunctionData &FData,
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I'm not sure if this is the right way.

steakhal: I'm not sure if this is the right way.
NoQUnsubmitted
Done
ReplyInline Actions

You might want to cast Call to CXXMemberOperatorCall but i'm not sure it saves you anything.

NoQ: You might want to cast `Call` to `CXXMemberOperatorCall` but i'm not sure it saves you anything.
CheckerContext &C) const { CheckerContext &C) const {
// First, try generating a propagation rule for this function. // First, try generating a propagation rule for this function.
TaintPropagationRule Rule = TaintPropagationRule::getTaintPropagationRule( TaintPropagationRule Rule = TaintPropagationRule::getTaintPropagationRule(
this->CustomPropagations, FData, C); this->CustomPropagations, FData, C);
if (!Rule.isNull()) { if (!Rule.isNull()) {
ProgramStateRef State = Rule.process(CE, C); ProgramStateRef State = Rule.process(Call, C);
if (State) { if (State) {
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
} }
return false; return false;
} }
bool GenericTaintChecker::addFiltersPre(const CallExpr *CE, bool GenericTaintChecker::addFiltersPre(const CallEvent &Call,
const FunctionData &FData, const FunctionData &FData,
CheckerContext &C) const { CheckerContext &C) const {
auto It = findFunctionInConfig(CustomFilters, FData); auto It = findFunctionInConfig(CustomFilters, FData);
if (It == CustomFilters.end()) if (It == CustomFilters.end())
return false; return false;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const auto &Value = It->second; const auto &Value = It->second;
const ArgVector &Args = Value.second; const ArgVector &Args = Value.second;
for (unsigned ArgNum : Args) { for (unsigned ArgNum : Args) {
if (ArgNum >= CE->getNumArgs()) if (ArgNum >= Call.getNumArgs())
continue; continue;
const Expr *Arg = CE->getArg(ArgNum); const Expr *Arg = Call.getArgExpr(ArgNum);
Optional<SVal> V = getPointedToSVal(C, Arg); Optional<SVal> V = getPointeeOf(C, Arg);
if (V) if (V)
State = removeTaint(State, *V); State = removeTaint(State, *V);
} }
if (State != C.getState()) { if (State != C.getState()) {
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
return false; return false;
} }
bool GenericTaintChecker::propagateFromPre(const CallExpr *CE, bool GenericTaintChecker::propagateFromPre(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Depending on what was tainted at pre-visit, we determined a set of // Depending on what was tainted at pre-visit, we determined a set of
// arguments which should be tainted after the function returns. These are // arguments which should be tainted after the function returns. These are
// stored in the state as TaintArgsOnPostVisit set. // stored in the state as TaintArgsOnPostVisit set.
TaintArgsOnPostVisitTy TaintArgs = State->get<TaintArgsOnPostVisit>(); TaintArgsOnPostVisitTy TaintArgs = State->get<TaintArgsOnPostVisit>();
if (TaintArgs.isEmpty()) if (TaintArgs.isEmpty())
return false; return false;
for (unsigned ArgNum : TaintArgs) { for (unsigned ArgNum : TaintArgs) {
// Special handling for the tainted return value. // Special handling for the tainted return value.
if (ArgNum == ReturnValueIndex) { if (ArgNum == ReturnValueIndex) {
State = addTaint(State, CE, C.getLocationContext()); State = addTaint(State, Call.getReturnValue());
continue; continue;
} }
// The arguments are pointer arguments. The data they are pointing at is // The arguments are pointer arguments. The data they are pointing at is
// tainted after the call. // tainted after the call.
if (CE->getNumArgs() < (ArgNum + 1)) if (Call.getNumArgs() < (ArgNum + 1))
return false; return false;
const Expr *Arg = CE->getArg(ArgNum); const Expr *Arg = Call.getArgExpr(ArgNum);
Optional<SVal> V = getPointedToSVal(C, Arg); Optional<SVal> V = getPointeeOf(C, Arg);
if (V) if (V)
State = addTaint(State, *V); State = addTaint(State, *V);
} }
// Clear up the taint info from the state. // Clear up the taint info from the state.
State = State->remove<TaintArgsOnPostVisit>(); State = State->remove<TaintArgsOnPostVisit>();
if (State != C.getState()) { if (State != C.getState()) {
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
return false; return false;
} }
bool GenericTaintChecker::checkPre(const CallExpr *CE, bool GenericTaintChecker::checkPre(const CallEvent &Call,
const FunctionData &FData, const FunctionData &FData,
CheckerContext &C) const { CheckerContext &C) const {
if (checkUncontrolledFormatString(Call, C))
if (checkUncontrolledFormatString(CE, C))
return true;
if (checkSystemCall(CE, FData.Name, C))
return true; return true;
if (checkTaintedBufferSize(CE, FData.FDecl, C)) if (checkSystemCall(Call, FData.Name, C))
return true; return true;
if (checkCustomSinks(CE, FData, C)) if (checkTaintedBufferSize(Call, C))
return true; return true;
return false; return checkCustomSinks(Call, FData, C);
} }
Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C, Optional<SVal> GenericTaintChecker::getPointeeOf(CheckerContext &C,
const Expr *Arg) { const Expr *Arg) {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal AddrVal = C.getSVal(Arg->IgnoreParens()); SVal AddrVal = C.getSVal(Arg->IgnoreParens());
if (AddrVal.isUnknownOrUndef()) if (AddrVal.isUnknownOrUndef())
return None; return None;
Optional<Loc> AddrLoc = AddrVal.getAs<Loc>(); Optional<Loc> AddrLoc = AddrVal.getAs<Loc>();
if (!AddrLoc) if (!AddrLoc)
return None; return None;
QualType ArgTy = Arg->getType().getCanonicalType(); QualType ArgTy = Arg->getType().getCanonicalType();
if (!ArgTy->isPointerType()) if (!ArgTy->isPointerType())
return State->getSVal(*AddrLoc); return State->getSVal(*AddrLoc);
QualType ValTy = ArgTy->getPointeeType(); QualType ValTy = ArgTy->getPointeeType();
// Do not dereference void pointers. Treat them as byte pointers instead. // Do not dereference void pointers. Treat them as byte pointers instead.
// FIXME: we might want to consider more than just the first byte. // FIXME: we might want to consider more than just the first byte.
if (ValTy->isVoidType()) if (ValTy->isVoidType())
ValTy = C.getASTContext().CharTy; ValTy = C.getASTContext().CharTy;
return State->getSVal(*AddrLoc, ValTy); return State->getSVal(*AddrLoc, ValTy);
} }
ProgramStateRef ProgramStateRef
GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE, GenericTaintChecker::TaintPropagationRule::process(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Check for taint in arguments. // Check for taint in arguments.
bool IsTainted = true; bool IsTainted = true;
for (unsigned ArgNum : SrcArgs) { for (unsigned ArgNum : SrcArgs) {
if (ArgNum >= CE->getNumArgs()) if (ArgNum >= Call.getNumArgs())
continue; continue;
if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(ArgNum), State, C))) if ((IsTainted =
isTaintedOrPointsToTainted(Call.getArgExpr(ArgNum), State, C)))
break; break;
} }
// Check for taint in variadic arguments. // Check for taint in variadic arguments.
if (!IsTainted && VariadicType::Src == VarType) { if (!IsTainted && VariadicType::Src == VarType) {
// Check if any of the arguments is tainted // Check if any of the arguments is tainted
for (unsigned i = VariadicIndex; i < CE->getNumArgs(); ++i) { for (unsigned i = VariadicIndex; i < Call.getNumArgs(); ++i) {
if ((IsTainted = isTaintedOrPointsToTainted(CE->getArg(i), State, C))) if ((IsTainted =
isTaintedOrPointsToTainted(Call.getArgExpr(i), State, C)))
break; break;
} }
} }
if (PropagationFunc) if (PropagationFunc)
IsTainted = PropagationFunc(IsTainted, CE, C); IsTainted = PropagationFunc(IsTainted, Call, C);
if (!IsTainted) if (!IsTainted)
return State; return State;
// Mark the arguments which should be tainted after the function returns. // Mark the arguments which should be tainted after the function returns.
for (unsigned ArgNum : DstArgs) { for (unsigned ArgNum : DstArgs) {
// Should mark the return value? // Should mark the return value?
if (ArgNum == ReturnValueIndex) { if (ArgNum == ReturnValueIndex) {
State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex); State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex);
continue; continue;
} }
if (ArgNum >= CE->getNumArgs()) if (ArgNum >= Call.getNumArgs())
continue; continue;
// Mark the given argument. // Mark the given argument.
State = State->add<TaintArgsOnPostVisit>(ArgNum); State = State->add<TaintArgsOnPostVisit>(ArgNum);
} }
// Mark all variadic arguments tainted if present. // Mark all variadic arguments tainted if present.
if (VariadicType::Dst == VarType) { if (VariadicType::Dst == VarType) {
// For all pointer and references that were passed in: // For all pointer and references that were passed in:
// If they are not pointing to const data, mark data as tainted. // If they are not pointing to const data, mark data as tainted.
// TODO: So far we are just going one level down; ideally we'd need to // TODO: So far we are just going one level down; ideally we'd need to
// recurse here. // recurse here.
for (unsigned i = VariadicIndex; i < CE->getNumArgs(); ++i) { for (unsigned i = VariadicIndex; i < Call.getNumArgs(); ++i) {
const Expr *Arg = CE->getArg(i); const Expr *Arg = Call.getArgExpr(i);
// Process pointer argument. // Process pointer argument.
const Type *ArgTy = Arg->getType().getTypePtr(); const Type *ArgTy = Arg->getType().getTypePtr();
QualType PType = ArgTy->getPointeeType(); QualType PType = ArgTy->getPointeeType();
if ((!PType.isNull() && !PType.isConstQualified()) || if ((!PType.isNull() && !PType.isConstQualified()) ||
(ArgTy->isReferenceType() && !Arg->getType().isConstQualified())) (ArgTy->isReferenceType() && !Arg->getType().isConstQualified())) {
State = State->add<TaintArgsOnPostVisit>(i); State = State->add<TaintArgsOnPostVisit>(i);
} }
} }
}
return State; return State;
} }
// If argument 0(protocol domain) is network, the return value should get taint. // If argument 0(protocol domain) is network, the return value should get taint.
bool GenericTaintChecker::TaintPropagationRule::postSocket(bool /*IsTainted*/, bool GenericTaintChecker::TaintPropagationRule::postSocket(
const CallExpr *CE, bool /*IsTainted*/, const CallEvent &Call, CheckerContext &C) {
CheckerContext &C) { SourceLocation DomLoc = Call.getArgExpr(0)->getExprLoc();
SourceLocation DomLoc = CE->getArg(0)->getExprLoc();
StringRef DomName = C.getMacroNameOrSpelling(DomLoc); StringRef DomName = C.getMacroNameOrSpelling(DomLoc);
// White list the internal communication protocols. // White list the internal communication protocols.
if (DomName.equals("AF_SYSTEM") || DomName.equals("AF_LOCAL") || if (DomName.equals("AF_SYSTEM") || DomName.equals("AF_LOCAL") ||
DomName.equals("AF_UNIX") || DomName.equals("AF_RESERVED_36")) DomName.equals("AF_UNIX") || DomName.equals("AF_RESERVED_36"))
return false; return false;
return true; return true;
} }
bool GenericTaintChecker::isStdin(const Expr *E, CheckerContext &C) { bool GenericTaintChecker::isStdin(const Expr *E, CheckerContext &C) {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal Val = C.getSVal(E); SVal Val = C.getSVal(E);
// stdin is a pointer, so it would be a region. // stdin is a pointer, so it would be a region.
const MemRegion *MemReg = Val.getAsRegion(); const MemRegion *MemReg = Val.getAsRegion();
// The region should be symbolic, we do not know it's value. // The region should be symbolic, we do not know it's value.
const SymbolicRegion *SymReg = dyn_cast_or_null<SymbolicRegion>(MemReg); const auto *SymReg = dyn_cast_or_null<SymbolicRegion>(MemReg);
if (!SymReg) if (!SymReg)
return false; return false;
// Get it's symbol and find the declaration region it's pointing to. // Get it's symbol and find the declaration region it's pointing to.
const SymbolRegionValue *Sm = const auto *Sm = dyn_cast<SymbolRegionValue>(SymReg->getSymbol());
dyn_cast<SymbolRegionValue>(SymReg->getSymbol());
if (!Sm) if (!Sm)
return false; return false;
const DeclRegion *DeclReg = dyn_cast_or_null<DeclRegion>(Sm->getRegion()); const auto *DeclReg = dyn_cast_or_null<DeclRegion>(Sm->getRegion());
if (!DeclReg) if (!DeclReg)
return false; return false;
// This region corresponds to a declaration, find out if it's a global/extern // This region corresponds to a declaration, find out if it's a global/extern
// variable named stdin with the proper type. // variable named stdin with the proper type.
if (const auto *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) { if (const auto *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) {
D = D->getCanonicalDecl(); D = D->getCanonicalDecl();
if ((D->getName().find("stdin") != StringRef::npos) && D->isExternC()) { if ((D->getName().find("stdin") != StringRef::npos) && D->isExternC()) {
const auto *PtrTy = dyn_cast<PointerType>(D->getType().getTypePtr()); const auto *PtrTy = dyn_cast<PointerType>(D->getType().getTypePtr());
if (PtrTy && PtrTy->getPointeeType().getCanonicalType() == if (PtrTy && PtrTy->getPointeeType().getCanonicalType() ==
C.getASTContext().getFILEType().getCanonicalType()) C.getASTContext().getFILEType().getCanonicalType())
return true; return true;
} }
} }
return false; return false;
} }
static bool getPrintfFormatArgumentNum(const CallExpr *CE, static bool getPrintfFormatArgumentNum(const CallEvent &Call,
const CheckerContext &C, const CheckerContext &C,
unsigned &ArgNum) { unsigned &ArgNum) {
// Find if the function contains a format string argument. // Find if the function contains a format string argument.
// Handles: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, // Handles: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf,
// vsnprintf, syslog, custom annotated functions. // vsnprintf, syslog, custom annotated functions.
const FunctionDecl *FDecl = C.getCalleeDecl(CE); const FunctionDecl *FDecl = Call.getDecl()->getAsFunction();
if (!FDecl) if (!FDecl)
return false; return false;
for (const auto *Format : FDecl->specific_attrs<FormatAttr>()) { for (const auto *Format : FDecl->specific_attrs<FormatAttr>()) {
ArgNum = Format->getFormatIdx() - 1; ArgNum = Format->getFormatIdx() - 1;
if ((Format->getType()->getName() == "printf") && CE->getNumArgs() > ArgNum) if ((Format->getType()->getName() == "printf") &&
Call.getNumArgs() > ArgNum)
return true; return true;
} }
// Or if a function is named setproctitle (this is a heuristic). // Or if a function is named setproctitle (this is a heuristic).
if (C.getCalleeName(CE).find("setproctitle") != StringRef::npos) { if (C.getCalleeName(FDecl).find("setproctitle") != StringRef::npos) {
ArgNum = 0; ArgNum = 0;
return true; return true;
} }
return false; return false;
} }
bool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg, bool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg,
CheckerContext &C) const { CheckerContext &C) const {
assert(E); assert(E);
// Check for taint. // Check for taint.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
Optional<SVal> PointedToSVal = getPointedToSVal(C, E); Optional<SVal> PointedToSVal = getPointeeOf(C, E);
SVal TaintedSVal; SVal TaintedSVal;
if (PointedToSVal && isTainted(State, *PointedToSVal)) if (PointedToSVal && isTainted(State, *PointedToSVal))
TaintedSVal = *PointedToSVal; TaintedSVal = *PointedToSVal;
else if (isTainted(State, E, C.getLocationContext())) else if (isTainted(State, E, C.getLocationContext()))
TaintedSVal = C.getSVal(E); TaintedSVal = C.getSVal(E);
else else
return false; return false;
// Generate diagnostic. // Generate diagnostic.
if (ExplodedNode *N = C.generateNonFatalErrorNode()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
initBugType(); initBugType();
auto report = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N); auto report = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
report->addRange(E->getSourceRange()); report->addRange(E->getSourceRange());
report->addVisitor(std::make_unique<TaintBugVisitor>(TaintedSVal)); report->addVisitor(std::make_unique<TaintBugVisitor>(TaintedSVal));
C.emitReport(std::move(report)); C.emitReport(std::move(report));
return true; return true;
} }
return false; return false;
} }
bool GenericTaintChecker::checkUncontrolledFormatString( bool GenericTaintChecker::checkUncontrolledFormatString(
const CallExpr *CE, CheckerContext &C) const { const CallEvent &Call, CheckerContext &C) const {
// Check if the function contains a format string argument. // Check if the function contains a format string argument.
unsigned ArgNum = 0; unsigned ArgNum = 0;
if (!getPrintfFormatArgumentNum(CE, C, ArgNum)) if (!getPrintfFormatArgumentNum(Call, C, ArgNum))
return false; return false;
// If either the format string content or the pointer itself are tainted, // If either the format string content or the pointer itself are tainted,
// warn. // warn.
return generateReportIfTainted(CE->getArg(ArgNum), return generateReportIfTainted(Call.getArgExpr(ArgNum),
MsgUncontrolledFormatString, C); MsgUncontrolledFormatString, C);
} }
bool GenericTaintChecker::checkSystemCall(const CallExpr *CE, StringRef Name, bool GenericTaintChecker::checkSystemCall(const CallEvent &Call, StringRef Name,
CheckerContext &C) const { CheckerContext &C) const {
// TODO: It might make sense to run this check on demand. In some cases, // TODO: It might make sense to run this check on demand. In some cases,
// we should check if the environment has been cleansed here. We also might // we should check if the environment has been cleansed here. We also might
// need to know if the user was reset before these calls(seteuid). // need to know if the user was reset before these calls(seteuid).
unsigned ArgNum = llvm::StringSwitch<unsigned>(Name) unsigned ArgNum = llvm::StringSwitch<unsigned>(Name)
.Case("system", 0) .Case("system", 0)
.Case("popen", 0) .Case("popen", 0)
.Case("execl", 0) .Case("execl", 0)
.Case("execle", 0) .Case("execle", 0)
.Case("execlp", 0) .Case("execlp", 0)
.Case("execv", 0) .Case("execv", 0)
.Case("execvp", 0) .Case("execvp", 0)
.Case("execvP", 0) .Case("execvP", 0)
.Case("execve", 0) .Case("execve", 0)
.Case("dlopen", 0) .Case("dlopen", 0)
.Default(InvalidArgIndex); .Default(InvalidArgIndex);
if (ArgNum == InvalidArgIndex || CE->getNumArgs() < (ArgNum + 1)) if (ArgNum == InvalidArgIndex || Call.getNumArgs() < (ArgNum + 1))
return false; return false;
return generateReportIfTainted(CE->getArg(ArgNum), MsgSanitizeSystemArgs, C); return generateReportIfTainted(Call.getArgExpr(ArgNum), MsgSanitizeSystemArgs,
C);
} }
// TODO: Should this check be a part of the CString checker? // TODO: Should this check be a part of the CString checker?
// If yes, should taint be a global setting? // If yes, should taint be a global setting?
bool GenericTaintChecker::checkTaintedBufferSize(const CallExpr *CE, bool GenericTaintChecker::checkTaintedBufferSize(const CallEvent &Call,
const FunctionDecl *FDecl,
CheckerContext &C) const { CheckerContext &C) const {
const auto *FDecl = Call.getDecl()->getAsFunction();
// If the function has a buffer size argument, set ArgNum. // If the function has a buffer size argument, set ArgNum.
unsigned ArgNum = InvalidArgIndex; unsigned ArgNum = InvalidArgIndex;
unsigned BId = 0; unsigned BId = 0;
if ((BId = FDecl->getMemoryFunctionKind())) if ((BId = FDecl->getMemoryFunctionKind())) {
switch (BId) { switch (BId) {
case Builtin::BImemcpy: case Builtin::BImemcpy:
case Builtin::BImemmove: case Builtin::BImemmove:
case Builtin::BIstrncpy: case Builtin::BIstrncpy:
ArgNum = 2; ArgNum = 2;
break; break;
case Builtin::BIstrndup: case Builtin::BIstrndup:
ArgNum = 1; ArgNum = 1;
break; break;
default: default:
break; break;
}; }
}
if (ArgNum == InvalidArgIndex) { if (ArgNum == InvalidArgIndex) {
if (C.isCLibraryFunction(FDecl, "malloc") || using CCtx = CheckerContext;
C.isCLibraryFunction(FDecl, "calloc") || if (CCtx::isCLibraryFunction(FDecl, "malloc") ||
C.isCLibraryFunction(FDecl, "alloca")) CCtx::isCLibraryFunction(FDecl, "calloc") ||
CCtx::isCLibraryFunction(FDecl, "alloca"))
ArgNum = 0; ArgNum = 0;
else if (C.isCLibraryFunction(FDecl, "memccpy")) else if (CCtx::isCLibraryFunction(FDecl, "memccpy"))
ArgNum = 3; ArgNum = 3;
else if (C.isCLibraryFunction(FDecl, "realloc")) else if (CCtx::isCLibraryFunction(FDecl, "realloc"))
ArgNum = 1; ArgNum = 1;
else if (C.isCLibraryFunction(FDecl, "bcopy")) else if (CCtx::isCLibraryFunction(FDecl, "bcopy"))
ArgNum = 2; ArgNum = 2;
} }
return ArgNum != InvalidArgIndex && CE->getNumArgs() > ArgNum && return ArgNum != InvalidArgIndex && Call.getNumArgs() > ArgNum &&
generateReportIfTainted(CE->getArg(ArgNum), MsgTaintedBufferSize, C); generateReportIfTainted(Call.getArgExpr(ArgNum), MsgTaintedBufferSize,
C);
} }
bool GenericTaintChecker::checkCustomSinks(const CallExpr *CE, bool GenericTaintChecker::checkCustomSinks(const CallEvent &Call,
const FunctionData &FData, const FunctionData &FData,
CheckerContext &C) const { CheckerContext &C) const {
auto It = findFunctionInConfig(CustomSinks, FData); auto It = findFunctionInConfig(CustomSinks, FData);
if (It == CustomSinks.end()) if (It == CustomSinks.end())
return false; return false;
const auto &Value = It->second; const auto &Value = It->second;
const GenericTaintChecker::ArgVector &Args = Value.second; const GenericTaintChecker::ArgVector &Args = Value.second;
for (unsigned ArgNum : Args) { for (unsigned ArgNum : Args) {
if (ArgNum >= CE->getNumArgs()) if (ArgNum >= Call.getNumArgs())
continue; continue;
if (generateReportIfTainted(CE->getArg(ArgNum), MsgCustomSink, C)) if (generateReportIfTainted(Call.getArgExpr(ArgNum), MsgCustomSink, C))
return true; return true;
} }
return false; return false;
} }
void ento::registerGenericTaintChecker(CheckerManager &Mgr) { void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<GenericTaintChecker>(); auto *Checker = Mgr.registerChecker<GenericTaintChecker>();
Show All 12 Lines