This is an archive of the discontinued LLVM Phabricator instance.

Differential D80505

[analyzer] CERT STR rule checkers: STR51-CPP
Needs RevisionPublic

Authored by Charusso on May 24 2020, 9:53 PM.

Details

Reviewers
NoQ
baloghadamsoftware
Summary

This patch introduces a new experimental checker:
alpha.security.cert.str.51cpp

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/x/E3s-BQ

It warns on possible std::string construction from a nullptr.

Diff Detail

Event Timeline

Charusso created this revision.May 24 2020, 9:53 PM
Herald added subscribers: ASDenysPetrov, martong, steakhal and 8 others. · View Herald TranscriptMay 24 2020, 9:53 PM
Charusso added a parent revision: D80504: [analyzer] CERT STR rule checkers: STR50-CPP.May 24 2020, 9:56 PM
Charusso marked an inline comment as done.
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
749

We do not really try to model the construction and whether the members are nullable (dataflow, fixed-point, ugh!) so that this assumption is needed to relax this checker. It is still somewhat noisy.

baloghadamsoftware added inline comments.Jun 26 2020, 6:31 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
67

I support the idea that MemRegionManager should be directly accessible from CheckerContext but I would create a separate micro-patch for that. With a unit test, of course.

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
97

I do not see this function used (even defined) anywhere. Not even EvalCDM which the comment refers to.

749

OK, let us make something clear at the beginning: do we look for constructor arguments that may be null or are null? I would think the latter one is more useful, and then we should not disclose arguments.

baloghadamsoftware added a reviewer: baloghadamsoftware.Jun 26 2020, 6:32 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 26 2020, 6:32 AM
baloghadamsoftware requested changes to this revision.Jun 30 2020, 5:09 AM
This revision now requires changes to proceed.Jun 30 2020, 5:09 AM
whisperity added a subscriber: whisperity.Jul 9 2020, 1:01 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
9 lines
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
Core/
PathSensitive/
2 lines
lib/
StaticAnalyzer/
Checkers/
cert/
68 lines
test/
Analysis/
Inputs/
3 lines
cert/
33 lines
32 lines
diagnostics/
2 lines

Diff 265966

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 1,997 Lines▼ Show 20 Lines
alpha.security.cert.str.50cpp alpha.security.cert.str.50cpp
""""""""""""""""""""""""""""" """""""""""""""""""""""""""""
Checker for `STR50-CPP rule<https://wiki.sei.cmu.edu/confluence/x/i3w-BQ>`_. Checker for `STR50-CPP rule<https://wiki.sei.cmu.edu/confluence/x/i3w-BQ>`_.
It warns on misusing ``std::cin`` and ``std::basic_istream<T>::read()`` to It warns on misusing ``std::cin`` and ``std::basic_istream<T>::read()`` to
create a ``std::string`` which may not null-terminated. create a ``std::string`` which may not null-terminated.
.. _alpha-security-cert-str-51cpp:
alpha.security.cert.str.51cpp
"""""""""""""""""""""""""""""
Checker for `STR51-CPP rule<https://wiki.sei.cmu.edu/confluence/x/E3s-BQ>`_.
It warns on possible ``std::string`` construction from a ``nullptr``.
.. _alpha-security-ArrayBound: .. _alpha-security-ArrayBound:
alpha.security.ArrayBound (C) alpha.security.ArrayBound (C)
""""""""""""""""""""""""""""" """""""""""""""""""""""""""""
Warn about buffer overflows (older checker). Warn about buffer overflows (older checker).
.. code-block:: c .. code-block:: c
▲ Show 20 LinesShow All 456 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 870 Lines▼ Show 20 Linesdef Str32cChecker : Checker<"32c">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def Str50cppChecker : Checker<"50cpp">, def Str50cppChecker : Checker<"50cpp">,
HelpText<"SEI CERT checker of rules defined in STR50-CPP">, HelpText<"SEI CERT checker of rules defined in STR50-CPP">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def Str51cppChecker : Checker<"51cpp">,
HelpText<"SEI CERT checker of rules defined in STR51-CPP">,
Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>;
} // end "alpha.cert.str" } // end "alpha.cert.str"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
▲ Show 20 LinesShow All 695 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h

Show First 20 LinesShow All 58 Lines▼ Show 20 Linespublic:
ConstraintManager &getConstraintManager() { ConstraintManager &getConstraintManager() {
return Eng.getConstraintManager(); return Eng.getConstraintManager();
} }
StoreManager &getStoreManager() { StoreManager &getStoreManager() {
return Eng.getStoreManager(); return Eng.getStoreManager();
} }
MemRegionManager &getRegionManager() { return Eng.getRegionManager(); }
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

I support the idea that MemRegionManager should be directly accessible from CheckerContext but I would create a separate micro-patch for that. With a unit test, of course.

baloghadamsoftware: I support the idea that `MemRegionManager` should be directly accessible from `CheckerContext`…
/// Returns the previous node in the exploded graph, which includes /// Returns the previous node in the exploded graph, which includes
/// the state of the program before the checker ran. Note, checkers should /// the state of the program before the checker ran. Note, checkers should
/// not retain the node in their state since the nodes might get invalidated. /// not retain the node in their state since the nodes might get invalidated.
ExplodedNode *getPredecessor() { return Pred; } ExplodedNode *getPredecessor() { return Pred; }
const ProgramStateRef &getState() const { return Pred->getState(); } const ProgramStateRef &getState() const { return Pred->getState(); }
/// Check if the checker changed the state of the execution; ex: added /// Check if the checker changed the state of the execution; ex: added
/// a new transition or a bug report. /// a new transition or a bug report.
▲ Show 20 LinesShow All 310 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp

Show All 21 Lines
// - STR32-C: Do not pass a non-null-terminated character sequence to a // - STR32-C: Do not pass a non-null-terminated character sequence to a
// library function that expects a string: // library function that expects a string:
// - https://wiki.sei.cmu.edu/confluence/x/r9UxBQ // - https://wiki.sei.cmu.edu/confluence/x/r9UxBQ
// //
// - STR50-CPP: Guarantee that storage for strings has sufficient space for // - STR50-CPP: Guarantee that storage for strings has sufficient space for
// character data and the null terminator: // character data and the null terminator:
// - https://wiki.sei.cmu.edu/confluence/x/i3w-BQ // - https://wiki.sei.cmu.edu/confluence/x/i3w-BQ
// //
// - STR51-CPP: Do not attempt to create a std::string from a null pointer:
// - https://wiki.sei.cmu.edu/confluence/x/E3s-BQ
//
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Linespublic:
/// 'c_string[length] = '\0';'. In this case we store the string is being /// 'c_string[length] = '\0';'. In this case we store the string is being
/// null-terminated in the 'NullTerminationMap'. /// null-terminated in the 'NullTerminationMap'.
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
/// It reports a note on array declarations which may cannot store a string /// It reports a note on array declarations which may cannot store a string
/// because of its size, similar to the check in 'checkBind()'. /// because of its size, similar to the check in 'checkBind()'.
void checkPostStmt(const DeclStmt *S, CheckerContext &C) const; void checkPostStmt(const DeclStmt *S, CheckerContext &C) const;
/// Evalute function calls defined in 'EvalCDM'.
bool evalCall(const CallEvent &Call, CheckerContext &C) const;
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

I do not see this function used (even defined) anywhere. Not even EvalCDM which the comment refers to.

baloghadamsoftware: I do not see this function used (even defined) anywhere. Not even `EvalCDM` which the comment…
/// \{ /// \{
/// Check the function calls defined in 'CDM'. /// Check the function calls defined in 'CDM'.
/// STR30-C. /// STR30-C.
void checkMemchr(const CallEvent &Call, const CallContext &CallC, void checkMemchr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrchr(const CallEvent &Call, const CallContext &CallC, void checkStrchr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrrchr(const CallEvent &Call, const CallContext &CallC, void checkStrrchr(const CallEvent &Call, const CallContext &CallC,
Show All 18 Linespublic:
void checkInStream(const CallEvent &Call, const CallContext &CallC, void checkInStream(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkRead(const CallEvent &Call, const CallContext &CallC, void checkRead(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStringConstructor(const CallEvent &Call, const CallContext &CallC, void checkStringConstructor(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
/// \} /// \}
/// Create a report on a function call which could cause a buffer overflow. /// Creates a report on a function call which could cause a buffer overflow.
/// ///
/// In case of STR31-C emit an error report. /// In case of STR31-C emit an error report.
/// In case of STR32-C emit a note and mark the buffer as possibly not /// In case of STR32-C emit a note and mark the buffer as possibly not
/// null-terminated. /// null-terminated.
void createCallOverflowReport(const CallEvent &Call, const CallContext &CallC, void createCallOverflowReport(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
bool EnableStr30cChecker = false; bool EnableStr30cChecker = false;
bool EnableStr31cChecker = false; bool EnableStr31cChecker = false;
bool EnableStr32cChecker = false; bool EnableStr32cChecker = false;
bool EnableStr50cppChecker = false; bool EnableStr50cppChecker = false;
bool EnableStr51cppChecker = false;
private: private:
using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &, using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &,
const CallContext &, CheckerContext &)>; const CallContext &, CheckerContext &)>;
const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = { const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = {
// The following checks STR30-C rules. // The following checks STR30-C rules.
// void *memchr(const void *buffer, int c, size_t count); // void *memchr(const void *buffer, int c, size_t count);
Show All 21 Lines const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = {
// char *strncpy(char *dest, const char *src, size_t count) // char *strncpy(char *dest, const char *src, size_t count)
{{"strncpy", 3}, {&StrCheckerBase::checkStrncpy, {0, 1, 2}}}, {{"strncpy", 3}, {&StrCheckerBase::checkStrncpy, {0, 1, 2}}},
// The following checks STR50-CPP rules. // The following checks STR50-CPP rules.
{{"operator>>"}, {&StrCheckerBase::checkInStream, {None, 1}}}, {{"operator>>"}, {&StrCheckerBase::checkInStream, {None, 1}}},
// istream& read (char *src, streamsize n); // istream& read (char *src, streamsize n);
{{{"std", "basic_istream", "read"}, 2}, {{{"std", "basic_istream", "read"}, 2},
{&StrCheckerBase::checkRead, {None, 0, 1}}}, {&StrCheckerBase::checkRead, {None, 0, 1}}},
{{{"std", "basic_string"}, 1},
// The following checks STR50-CPP, STR51-CPP rules.
{{{"std", "basic_string"}},
{&StrCheckerBase::checkStringConstructor, {None, 0}}}}; {&StrCheckerBase::checkStringConstructor, {None, 0}}}};
BugType BT{this, "Insecure string handler function call", BugType BT{this, "Insecure string handler function call",
categories::SecurityError}; categories::SecurityError};
}; };
} // namespace } // namespace
/// It stores whether the string is null-terminated. /// It stores whether the string is null-terminated.
▲ Show 20 LinesShow All 532 Lines▼ Show 20 Linesvoid StrCheckerBase::checkRead(const CallEvent &Call, const CallContext &CallC,
// Mark the allocation have arbitrary input data, may not null terminated. // Mark the allocation have arbitrary input data, may not null terminated.
State = State->set<NullTerminationMap>(DR, false); State = State->set<NullTerminationMap>(DR, false);
C.addTransition(State, Tag); C.addTransition(State, Tag);
} }
void StrCheckerBase::checkStringConstructor(const CallEvent &Call, void StrCheckerBase::checkStringConstructor(const CallEvent &Call,
const CallContext &CallC, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (!EnableStr50cppChecker) if (Call.getNumArgs() == 0)
return; return;
const auto *MR = getRegion(Call.getArgSVal(0));
const auto *DR = dyn_cast_or_null<DeclRegion>(getRegion(Call.getArgSVal(0))); const auto *DR = dyn_cast_or_null<DeclRegion>(getRegion(Call.getArgSVal(0)));
if (!DR)
ProgramStateRef State = C.getState();
const Expr *SrcArg = Call.getArgExpr(0);
// In case of STR51-CPP we need to be sure whether the constructor is
// called with a non-null string.
SVal SrcV = Call.getArgSVal(0);
if (EnableStr51cppChecker && MR) {
// We are only interested in possible nullptrs.
// Assume that only non-arguments could be nullable.
// Assume that only non-methods could be nullable.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

We do not really try to model the construction and whether the members are nullable (dataflow, fixed-point, ugh!) so that this assumption is needed to relax this checker. It is still somewhat noisy.

Charusso: We do not really try to model the construction and whether the members are nullable (dataflow…
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

OK, let us make something clear at the beginning: do we look for constructor arguments that may be null or are null? I would think the latter one is more useful, and then we should not disclose arguments.

baloghadamsoftware: OK, let us make something clear at the beginning: do we look for constructor arguments that…
// FIXME: Add more assumptions to tweak the reports.
bool IsNullable = false;
if (DR) {
IsNullable = !isa<StackArgumentsSpaceRegion>(DR->getMemorySpace());
} else if (const auto *CE = dyn_cast<CallExpr>(SrcArg->IgnoreImpCasts())) {
IsNullable = !dyn_cast<CXXMemberCallExpr>(CE);
}
// 'SrcV' is problematic iff it is not exactly non-null and nullable.
if (IsNullable && MR->getSymbolicBase() &&
!State->isNonNull(SrcV).isConstrainedTrue()) {
auto Report = std::make_unique<PathSensitiveBugReport>(
BT, "Constructing from nullptr", C.generateErrorNode());
Report->addRange(SrcArg->getSourceRange());
Report->markInteresting(MR);
// Track the allocation.
bugreporter::trackExpressionValue(Report->getErrorNode(), SrcArg,
*Report);
if (const SymbolRef Sym = C.getSVal(SrcArg).getAsSymbol())
Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
C.emitReport(std::move(Report));
return;
}
}
// In case of STR50-CPP we need to be sure whether the constructor is
// called with a null-terminated string.
if (!EnableStr50cppChecker)
return; return;
const bool *IsNullTerminated = C.getState()->get<NullTerminationMap>(DR); // If the second argument is present which is the size of the string
// assume that the string will be null-terminated.
if (Call.getNumArgs() > 1)
return;
const bool *IsNullTerminated = State->get<NullTerminationMap>(MR);
if (!IsNullTerminated || *IsNullTerminated) if (!IsNullTerminated || *IsNullTerminated)
return; return;
SmallString<256> Msg; SmallString<256> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
Out << '\'' << DR->getDecl()->getName() << "' is not null-terminated"; Out << '\'' << DR->getDecl()->getName() << "' is not null-terminated";
std::string ReportMsg = Out.str().str(); std::string ReportMsg = Out.str().str();
auto Report = std::make_unique<PathSensitiveBugReport>(BT, Out.str(), auto Report = std::make_unique<PathSensitiveBugReport>(BT, Out.str(),
C.generateErrorNode()); C.generateErrorNode());
const Expr *SrcArg = Call.getArgExpr(0);
Report->addRange(SrcArg->getSourceRange()); Report->addRange(SrcArg->getSourceRange());
Report->markInteresting(DR); Report->markInteresting(DR);
// Track the allocation. // Track the allocation.
bugreporter::trackExpressionValue(Report->getErrorNode(), SrcArg, *Report); bugreporter::trackExpressionValue(Report->getErrorNode(), SrcArg, *Report);
if (const SymbolRef Sym = C.getSVal(SrcArg).getAsSymbol()) if (const SymbolRef Sym = C.getSVal(SrcArg).getAsSymbol())
Report->addVisitor(allocation_state::getMallocBRVisitor(Sym)); Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
▲ Show 20 LinesShow All 70 Lines▼ Show 20 Lines#define REGISTER_CHECKER(Name) \
} \ } \
\ \
bool ento::shouldRegister##Name(const CheckerManager &) { return true; } bool ento::shouldRegister##Name(const CheckerManager &) { return true; }
REGISTER_CHECKER(Str30cChecker) REGISTER_CHECKER(Str30cChecker)
REGISTER_CHECKER(Str31cChecker) REGISTER_CHECKER(Str31cChecker)
REGISTER_CHECKER(Str32cChecker) REGISTER_CHECKER(Str32cChecker)
REGISTER_CHECKER(Str50cppChecker) REGISTER_CHECKER(Str50cppChecker)
REGISTER_CHECKER(Str51cppChecker)

clang/test/Analysis/Inputs/system-header-simulator-cxx.h

Show First 20 LinesShow All 574 Lines▼ Show 20 Lines public:
basic_string &insert(size_type index, size_type count, CharT ch); basic_string &insert(size_type index, size_type count, CharT ch);
basic_string &replace(size_type pos, size_type count, const basic_string &str); basic_string &replace(size_type pos, size_type count, const basic_string &str);
void pop_back(); void pop_back();
void push_back(CharT ch); void push_back(CharT ch);
void reserve(size_type new_cap); void reserve(size_type new_cap);
void resize(size_type count); void resize(size_type count);
void shrink_to_fit(); void shrink_to_fit();
void swap(basic_string &other); void swap(basic_string &other);
bool empty();
size_t size() const;
}; };
typedef basic_string<char> string; typedef basic_string<char> string;
typedef basic_string<wchar_t> wstring; typedef basic_string<wchar_t> wstring;
#if __cplusplus >= 201103L #if __cplusplus >= 201103L
typedef basic_string<char16_t> u16string; typedef basic_string<char16_t> u16string;
typedef basic_string<char32_t> u32string; typedef basic_string<char32_t> u32string;
#endif #endif
▲ Show 20 LinesShow All 547 LinesShow Last 20 Lines

clang/test/Analysis/cert/str51-cpp-false-positive-suppression.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -fcxx-exceptions \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.51cpp \
// RUN: -verify %s
// See the examples on the page of STR51-CPP:
// https://wiki.sei.cmu.edu/confluence/x/E3s-BQ
// expected-no-diagnostics
#include "../Inputs/system-header-simulator.h"
#include "../Inputs/system-header-simulator-cxx.h"
namespace std {
char *getenv(const char *varname);
}; // namespace std
class C {
std::string S;
public:
C(const std::string &S) : S(S) {} // no-warning: StackArgumentsSpaceRegion
};
class Slice {
public:
Slice() : data_(""), size_(0) { }
std::string ToString() const { return std::string(data_, size_); }
// no-warning: StackArgumentsSpaceRegion
private:
const char* data_;
size_t size_;
};

clang/test/Analysis/cert/str51-cpp.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -fcxx-exceptions \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.51cpp \
// RUN: -verify %s
// See the examples on the page of STR51-CPP:
// https://wiki.sei.cmu.edu/confluence/x/E3s-BQ
#include "../Inputs/system-header-simulator-cxx.h"
namespace std {
char *getenv(const char *varname);
}; // namespace std
namespace test_getenv_bad {
void f() {
std::string tmp(std::getenv("TMP"));
// expected-warning@-1 {{Constructing from nullptr}}
if (!tmp.empty()) {
// ...
}
}
} // namespace test_getenv_bad
namespace test_getenv_good {
void f() {
const char *tmpPtrVal = std::getenv("TMP");
std::string tmp(tmpPtrVal ? tmpPtrVal : "");
if (!tmp.empty()) {
// ...
}
}
} // namespace test_getenv_good

clang/test/Analysis/diagnostics/explicit-suppression.cpp

Show All 13 Linesclass C {
// The virtual function is to make C not trivially copy assignable so that we call the // The virtual function is to make C not trivially copy assignable so that we call the
// variant of std::copy() that does not defer to memmove(). // variant of std::copy() that does not defer to memmove().
virtual int f(); virtual int f();
}; };
void testCopyNull(C *I, C *E) { void testCopyNull(C *I, C *E) {
std::copy(I, E, (C *)0); std::copy(I, E, (C *)0);
#ifndef SUPPRESSED #ifndef SUPPRESSED
// expected-warning@../Inputs/system-header-simulator-cxx.h:722 {{Called C++ object pointer is null}} // expected-warning@../Inputs/system-header-simulator-cxx.h:725 {{Called C++ object pointer is null}}
#endif #endif
} }