This is an archive of the discontinued LLVM Phabricator instance.

Differential D97699

[analyzer] Add InvalidPtrChecker
ClosedPublic

Authored by zukatsinadze on Mar 1 2021, 9:05 AM.

Details

Reviewers
NoQ
vsavchenko
Szelethus
martong
balazske
Charusso
steakhal
Commits
rG811b1736d91b: [analyzer] Add InvalidPtrChecker
Summary

This patch introduces a new checker: alpha.security.cert.env.InvalidPtr

Checker finds usage of invalidated pointers.

Based on the following SEI CERT Rules:
ENV34-C: https://wiki.sei.cmu.edu/confluence/x/8tYxBQ
ENV31-C: https://wiki.sei.cmu.edu/confluence/x/5NUxBQ

Diff Detail

Event Timeline

zukatsinadze created this revision.Mar 1 2021, 9:05 AM
Herald added subscribers: steakhal, ASDenysPetrov, ormris and 9 others. · View Herald TranscriptMar 1 2021, 9:05 AM
zukatsinadze requested review of this revision.Mar 1 2021, 9:05 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptMar 1 2021, 9:05 AM
zukatsinadze added a comment.Mar 1 2021, 9:08 AM

Please suggest which package to use for the checker.
CERT rules are ENV, however, it deals with non-ENV functions as well.

Also, I am having a problem with checkDeadSymbols, it is similar to one xazax.hun faced here: http://reviews.llvm.org/D14203 (many many years ago)
envp memory region is marked dead too early in case of aliasing. Please check the snippets, the second one is problematic:

int main(int argc, char **argv, char *envp[]) {
  putenv((char*) "NAME=VALUE"); // envp invalidated
  envp[0]; // gives error
}

int main(int argc, char **argv, char *envp[]) {
  char **e = envp;
  putenv((char*) "NAME=VALUE"); // envp invalidated
  e[0]; // does not give error :(

  // warnOnDeadSymbol reports 'envp' dead here
} 

int main(int argc, char **argv, char *envp[]) {
  char **e = envp;
  putenv((char*) "NAME=VALUE"); // envp invalidated
  e[0]; // gives error again

  /*
    use 'envp' somehow here
  */
}
zukatsinadze updated this revision to Diff 327150.Mar 1 2021, 9:32 AM

Fixed docs.

zukatsinadze added a comment.Mar 1 2021, 9:57 AM

Attaching results of CodeChecker run on some projects.

cc_results.zip4 MBDownload

zukatsinadze updated this revision to Diff 327173.Mar 1 2021, 10:17 AM

Removed code repetition from the tests.

Harbormaster completed remote builds in B91356: Diff 327130.Mar 1 2021, 10:46 AM
Harbormaster completed remote builds in B91363: Diff 327150.Mar 1 2021, 11:46 AM
Harbormaster completed remote builds in B91376: Diff 327173.Mar 1 2021, 1:02 PM
NoQ added a comment.Mar 3 2021, 5:19 PM

CERT rules are typically very vague and don't map nicely into specific static analysis algorithms. A lot of CERT rules flag valid code as well as bugs. I want you to explain what *exactly* does the checker checks (say, in the form of a state machine, i.e. what sequences of events in the program does it find) and whether flagged code is expected to be always invalid.

// warnOnDeadSymbol reports 'envp' dead here

If it reports the symbol as dead after the warning would have been emitted then the problem must be elsewhere. There must be other differences in the analysis *before* the buggy statement. Nothing that happens after the buggy statement should ever matter.

Also the behavior of checkDeadSymbols looks correct here, I don't see any problems from your description. The symbol is reported dead when there's a guarantee that it won't be encountered anymore during analysis. If the parameter variable and the aliasing variable aren't used anymore and the symbol isn't stored anywhere else then the symbol is correctly marked as dead.

Why are you even tracking reg_$0<envp>? It's obvious from the structure of the symbol that it's an environment pointer, there's no need to keep it in maps.

clang/docs/analyzer/checkers.rst
2103–2104

It's very important to explain whether the "unanticipated behavior" is an entirely psychological concept ("most people don't understand how this works but this can occasionally also be a valid solution if you know what you're doing") or a 100% clear indication of a bug ("such code can never be correct", eg. it instantly causes undefined behavior, or the written value can never be read later so there's absolutely no point in writing it, or something like that).

zukatsinadze added a comment.Mar 6 2021, 1:49 PM

@NoQ, thanks for the comments.

In D97699#2601804, @NoQ wrote:

... and whether flagged code is expected to be always invalid.

C standard says "may be overwritten", so I guess it's undefined behavior.

In D97699#2601804, @NoQ wrote:

... I want you to explain what *exactly* does the checker checks ...

There are two problems that are checked.
First: if we have 'envp' argument of main present and we modify the environment in some way (say setenv, putenv...), it "may" reallocate the whole environment memory, but 'envp' will still point to the old location.
Second: if we have a pointer pointing to the result of 'getenv' (and some other non-reentrant functions, there are 5 of them implemented now, but can be easily extended to others, since checker is general enough) and we call 'getenv' again the previous result "may" be overwritten.
The idea of the checker is simple and somewhat comparable to MallocChecker or UseAfterFree (in a sense that 'free' invalidates region). We have a map of previous function call results and after a subsequent call, we invalidate the previous region. And we warn on dereference of such pointer or if we have it as an argument to function call (to avoid some false negatives), which is not inlined.
I will add a description in a checker file.

And about checkDeadSymbols, I get your point, but I am interested why checker has different behavior on these two examples:

int main(int argc, char **argv, char *envp[]) {
  putenv((char*) "NAME=VALUE"); // envp invalidated
  envp[0]; // gives error
}
int main(int argc, char **argv, char *envp[]) {
  char **e = envp;
  putenv((char*) "NAME=VALUE"); // envp invalidated
  e[0]; // does not give error
}

If I manually force keeping envp region in state when I check if (!SymReaper.isLiveRegion(E)) { , then it reports as expected.

zukatsinadze added a reviewer: steakhal.Mar 7 2021, 5:33 AM
Charusso added a comment.Mar 21 2021, 3:31 PM
In D97699#2601804, @NoQ wrote:

Why are you even tracking reg_$0<envp>? It's obvious from the structure of the symbol that it's an environment pointer, there's no need to keep it in maps.

envp is confusable with argv: int main(int argc, char *argv[], char *envp[]) so we obtain envp's region from main() to match it later.

clang/docs/analyzer/checkers.rst
2103–2104

The standard terminology is very vague, like that:

The getenv function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program but may be overwritten by a subsequent call to the getenv function.

What the hell. 😕 I think it is about table-doubling and reallocating the entire environment pointer table at some point which makes sense in case of the non-getter function calls. For the getters I think another processes could overwrite the environ pointer between two getter calls and problem could occur because of such table-doubling. To resolve the issue we need to call strdup() and create a copy of the current environment entry instead of having a pointer to it as I see.

@zukatsinadze it would be great to see a real reference with real issues in real world software. Is the true evil the multiple chained getter calls?

zukatsinadze added inline comments.Mar 21 2021, 5:16 PM
clang/docs/analyzer/checkers.rst
2103–2104

it would be great to see a real reference with real issues in real world software

I've attached some results up in the thread. Checker gave several valuable reports on several projects if that's what you mean.

Is the true evil the multiple chained getter calls?

Besides SEI CERT, there are many other reputable resources stating the same problem with getenv.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxbd00/getenv.htm
https://www.keil.com/support/man/docs/armlib/armlib_chr1359122850667.htm
https://pubs.opengroup.org/onlinepubs/009696799/functions/getenv.html
https://pubs.opengroup.org/onlinepubs/7908799/xsh/getenv.html
https://www.gnu.org/software/libc/manual/html_node/Environment-Access.html
https://man7.org/linux/man-pages/man3/getenv.3p.html

zukatsinadze added inline comments.Mar 21 2021, 5:49 PM
clang/docs/analyzer/checkers.rst
2103–2104

Actual problem is that getenv is returning a pointer to its internal static buffer instead of giving pointer to environ, that's why the string will change with a subsequent call.

zukatsinadze updated this revision to Diff 335334.Apr 5 2021, 2:50 PM
zukatsinadze edited the summary of this revision. (Show Details)

Gentle ping

  • Diff with context
  • Added some more tests
  • Updated documentation
Harbormaster completed remote builds in B97177: Diff 335334.Apr 5 2021, 4:01 PM
zukatsinadze added a comment.May 24 2021, 9:29 AM

@NoQ can you please have another look at this? I think it will be a useful checker.

Herald added a subscriber: manas. · View Herald TranscriptMay 24 2021, 9:29 AM
zukatsinadze added a reviewer: balazske.Jun 3 2021, 8:42 AM
ormris removed a subscriber: ormris.Jun 3 2021, 10:06 AM
whisperity added a subscriber: whisperity.Jun 3 2021, 10:08 AM
steakhal added a comment.Jun 4 2021, 1:16 AM

Overall I think it's a useful checker not only for checking the getenv() but a bunch of other functions as well, which might return a pointer to a statically allocated buffer.
The implementation could be polished a bit but it's ok I think.

About the produced reports, they were all useful and clear.
It is triggered only if it sees evidence(*) of the use of the invalidated pointer and highlights where it was produced and later invalidated.

(*) escaping via a conservatively evaluated function call also counts as such. There are pros and cons to this, but in this case, it seems like it's a good choice.

clang/docs/analyzer/checkers.rst
2057

?

clang/test/Analysis/cert/env34-c-cert-examples.c
27–28

I just want to highlight the capabilities of this checker.
Here we are using the invalid tmpvar pointer in a conservatively evaluated function call, and we still have a warning. Which is awesome.

Just imagine that getenv() would return a pointer to the same static buffer, then the strcmp() would always succeed, which is likely a bug.

balazske added a comment.Jun 4 2021, 8:51 AM

I have not too deep knowledge about checker development but still found (hopefully valid) issues, even if only a part of them.

clang/docs/analyzer/checkers.rst
2117

From my understanding the "unanticipated behavior" here is clearly a bug: We do not know if the envp points to any valid location. It is not guaranteed that the original value is preserved (in this case it would have sense to use it). And it is not known if it will point to the new and correct array. Unless we know how the internal implementation exactly works.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
957

I have multiple issues with the documentation texts but they look not final anyway. And the package and checker names could be better. There are already checkers for CERT rules that do not reside in the cert package, it is not good to have some checkers in a cert package and some not. It is likely that checkers will check for more rules or parts of the rules. Checker aliases are a better solution for the cert checker names. (And now the cert would contain checker with name not matching a rule: InvalidPtr.) The name InvalidPtr sounds too general, even if in an `env˙ package.

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
29

I think we do not need to repeat the documentation here.

181

Is it not possible to use const MemRegion * then?

193

evalCall should be used only if the called function is exclusively modeled by this checker which is not the case here. The checkPostCall should be sufficient instead of evalCall.

228

auto is not to be used if the type is not clearly visible in the context. And this would be exactly auto ** here. (But better is const MemRegion **.) Makes the later statement (assign to PrevReg) "messy" (and auto is bad there too).

228

.data is unnecessary here?

320

addTransition is not needed here, the state was not modified.
Save the error node returned by generateNonFatalErrorNode and pass it to the next call of generateNonFatalErrorNode as the Pred parameter.

342

Are these casts really needed?

steakhal added inline comments.Jun 4 2021, 2:27 PM
clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
181

The trait stuff is only specialized for void pointers, instead of for any pointer type.
TBH I don't know why is that.

zukatsinadze updated this revision to Diff 350656.Jun 8 2021, 10:39 AM
zukatsinadze marked 2 inline comments as done.

@balazske Thanks for the comments!

Updated diff after suggested changes.

zukatsinadze marked an inline comment as done and an inline comment as not done.Jun 8 2021, 10:40 AM
zukatsinadze added inline comments.
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
957

Agreed. We can come back to wordsmithing later.

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
228

.data seems to be necessary.

no known conversion from 'llvm::StringRef' to 'typename ProgramStateTrait<PreviousCallResultMap>::key_type' (aka 'const char *') for 1st argument

342

Yes, as steakhal mentioned above, trait is specialized for void*

Harbormaster completed remote builds in B108246: Diff 350656.Jun 8 2021, 11:30 AM
Charusso resigned from this revision.Jul 30 2021, 10:12 AM

@NoQ, what do you think?

steakhal resigned from this revision.Aug 31 2021, 2:17 AM

I think it looks good, I don't have much objection to this.
I've also participated in the offline-review of this patch, so the current shape of this reflects my intentions, thus I resign.
At the same time, I'm requesting others to have a look at this, I genuinely think it has great value!
@Szelethus @martong @NoQ

Note: I'd like to highlight that on not modeled functions it behaves slightly differently than expected.

martong added a comment.Sep 10 2021, 5:11 AM

And about checkDeadSymbols, I get your point, but I am interested why checker has different behavior on these two examples:

a1 int main(int argc, char **argv, char *envp[]) {
a2   putenv((char*) "NAME=VALUE"); // envp invalidated
a3   envp[0]; // gives error
a4 }
b1 int main(int argc, char **argv, char *envp[]) {
b2   char **e = envp;
b3   putenv((char*) "NAME=VALUE"); // envp invalidated
b4   e[0]; // does not give error
b5 }

If I manually force keeping envp region in state when I check if (!SymReaper.isLiveRegion(E)) { , then it reports as expected.

This is because we use the result of the live variable analysis to drive the cleanup mechanism (i.e. garbage collection) of the analyzer. This data-flow analysis is finished before the path sensitive symbolic execution is started. In the first example, envp becomes dead at line a3 because that is the last point where we read it. In the second exmplae, envp becomes dead at line b2 because that is the last location where we read it's value. And it seems like our live variable analysis does not handle aliasing.
In my humble opinion, the engine should be using a lexical based scoping analysis to drive the callbacks of checkDeadSymbols. Or, perhaps, we should have another callback that is called at the end of the scope based lifetime. (RFC @NoQ). Currently, the engine might report a symbol/region as dead even if that is still live in the lexical scoping sense.
On the other hand, having the cleanup mechanism eagerly removing dead symbols and all of their dependency helps the analyzer to keep it's State as small as absolutely needed, all the time. This way it can be as terse in the memory and as fast in runtime as possible.

martong added a comment.Sep 10 2021, 6:50 AM

Nice work!

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
160

Why is it const void *? Why can't we use const MemRegion * and get rid of the ugly reinterpret_cast? There must be a reason ,which I'd like to see documented in the comments.

164

I think we could use the canonical FunctionDecl* as the key instead of const char *. Then all the eval functions like evalGetenv and alike could be substituted with one simple function.

222–225

Would it be possible to add a NoteTag here and eliminate the PreviousCallVisitor?

343

I think we should delete the code of this callback, since we can't use it.

steakhal added inline comments.Sep 10 2021, 7:59 AM
clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
160

The trait is only specialized to const void* and void* see here:

https://github.com/llvm/llvm-project/blob/main/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h#L298-L323

template <> struct ProgramStatePartialTrait<void *>
template <> struct ProgramStatePartialTrait<const void *>

I'm not exactly sure why don't we specialize to any pointer type of type T.

zukatsinadze updated this revision to Diff 372237.Sep 13 2021, 6:38 AM

Thanks for the review @martong

I've fixed all the suggestions.

zukatsinadze marked 4 inline comments as done.Sep 13 2021, 6:40 AM
zukatsinadze added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
164

Thanks! Those functions annoyed me a lot.

Harbormaster completed remote builds in B123659: Diff 372237.Sep 13 2021, 7:53 AM
martong accepted this revision.Sep 13 2021, 8:11 AM

Excellent! Thanks!

This revision is now accepted and ready to land.Sep 13 2021, 8:11 AM
steakhal added inline comments.Sep 13 2021, 9:12 AM
clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
42

Please, insert this in its sorted place.

martong added a comment.Oct 4 2021, 2:51 AM

Gentle ping, I think we can land this, please do so. Let me know if there is an issue with, .e.g missing commit rights, etc...

Closed by commit rG811b1736d91b: [analyzer] Add InvalidPtrChecker (authored by zukatsinadze). · Explain WhyOct 4 2021, 8:13 AM
This revision was automatically updated to reflect the committed changes.
zukatsinadze marked an inline comment as done.
zukatsinadze added a commit: rG811b1736d91b: [analyzer] Add InvalidPtrChecker.

Revision Contents

PathSize
clang/
docs/
analyzer/
57 lines
include/
clang/
StaticAnalyzer/
Checkers/
9 lines
lib/
StaticAnalyzer/
Checkers/
1 line
cert/
279 lines
test/
Analysis/
cert/
73 lines
101 lines
331 lines

Diff 376902

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 2,048 Lines▼ Show 20 Lines
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^
alpha.security.cert alpha.security.cert
^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^
SEI CERT checkers which tries to find errors based on their `C coding rules <https://wiki.sei.cmu.edu/confluence/display/c/2+Rules>`_. SEI CERT checkers which tries to find errors based on their `C coding rules <https://wiki.sei.cmu.edu/confluence/display/c/2+Rules>`_.
.. _alpha-security-cert-pos-checkers: .. _alpha-security-cert-pos-checkers:
steakhalUnsubmitted
Done
ReplyInline Actions

?

steakhal: ?
alpha.security.cert.pos alpha.security.cert.pos
^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
SEI CERT checkers of `POSIX C coding rules <https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152405>`_. SEI CERT checkers of `POSIX C coding rules <https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152405>`_.
.. _alpha-security-cert-pos-34c: .. _alpha-security-cert-pos-34c:
alpha.security.cert.pos.34c alpha.security.cert.pos.34c
""""""""""""""""""""""""""" """""""""""""""""""""""""""
Finds calls to the ``putenv`` function which pass a pointer to an automatic variable as the argument. Finds calls to the ``putenv`` function which pass a pointer to an automatic variable as the argument.
.. code-block:: c .. code-block:: c
int func(const char *var) { int func(const char *var) {
char env[1024]; char env[1024];
int retval = snprintf(env, sizeof(env),"TEST=%s", var); int retval = snprintf(env, sizeof(env),"TEST=%s", var);
if (retval < 0 || (size_t)retval >= sizeof(env)) { if (retval < 0 || (size_t)retval >= sizeof(env)) {
/* Handle error */ /* Handle error */
} }
return putenv(env); // putenv function should not be called with auto variables return putenv(env); // putenv function should not be called with auto variables
} }
alpha.security.cert.env
^^^^^^^^^^^^^^^^^^^^^^^
SEI CERT checkers of `POSIX C coding rules <https://wiki.sei.cmu.edu/confluence/x/JdcxBQ>`_.
.. _alpha-security-cert-env-InvalidPtr:
alpha.security.cert.env.InvalidPtr
"""""""""""""""""""""""""""
Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
ENV31-C:
Rule is about the possible problem with `main` function's third argument, environment pointer,
"envp". When enviornment array is modified using some modification function
such as putenv, setenv or others, It may happen that memory is reallocated,
however "envp" is not updated to reflect the changes and points to old memory
region.
ENV34-C:
Some functions return a pointer to a statically allocated buffer.
Consequently, subsequent call of these functions will invalidate previous
pointer. These functions include: getenv, localeconv, asctime, setlocale, strerror
NoQUnsubmitted
Not Done
ReplyInline Actions

It's very important to explain whether the "unanticipated behavior" is an entirely psychological concept ("most people don't understand how this works but this can occasionally also be a valid solution if you know what you're doing") or a 100% clear indication of a bug ("such code can never be correct", eg. it instantly causes undefined behavior, or the written value can never be read later so there's absolutely no point in writing it, or something like that).

NoQ: It's very important to explain whether the "unanticipated behavior" is an entirely…
CharussoUnsubmitted
Not Done
ReplyInline Actions

The standard terminology is very vague, like that:

The getenv function returns a pointer to a string associated with the matched list member. The string pointed to shall not be modified by the program but may be overwritten by a subsequent call to the getenv function.

What the hell. 😕 I think it is about table-doubling and reallocating the entire environment pointer table at some point which makes sense in case of the non-getter function calls. For the getters I think another processes could overwrite the environ pointer between two getter calls and problem could occur because of such table-doubling. To resolve the issue we need to call strdup() and create a copy of the current environment entry instead of having a pointer to it as I see.

@zukatsinadze it would be great to see a real reference with real issues in real world software. Is the true evil the multiple chained getter calls?

Charusso: The standard terminology is very vague, like that: ``` The getenv function returns a pointer to…
zukatsinadzeAuthorUnsubmitted
Not Done
ReplyInline Actions

it would be great to see a real reference with real issues in real world software

I've attached some results up in the thread. Checker gave several valuable reports on several projects if that's what you mean.

Is the true evil the multiple chained getter calls?

Besides SEI CERT, there are many other reputable resources stating the same problem with getenv.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxbd00/getenv.htm
https://www.keil.com/support/man/docs/armlib/armlib_chr1359122850667.htm
https://pubs.opengroup.org/onlinepubs/009696799/functions/getenv.html
https://pubs.opengroup.org/onlinepubs/7908799/xsh/getenv.html
https://www.gnu.org/software/libc/manual/html_node/Environment-Access.html
https://man7.org/linux/man-pages/man3/getenv.3p.html

zukatsinadze: > it would be great to see a real reference with real issues in real world software I've…
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

Actual problem is that getenv is returning a pointer to its internal static buffer instead of giving pointer to environ, that's why the string will change with a subsequent call.

zukatsinadze: Actual problem is that getenv is returning a pointer to its internal static buffer instead of…
.. code-block:: c
int main(int argc, const char *argv[], const char *envp[]) {
if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
// setenv call may invalidate 'envp'
/* Handle error */
}
if (envp != NULL) {
for (size_t i = 0; envp[i] != NULL; ++i) {
puts(envp[i]);
// envp may no longer point to the current environment
// this program has unanticipated behavior, since envp
balazskeUnsubmitted
Not Done
ReplyInline Actions

From my understanding the "unanticipated behavior" here is clearly a bug: We do not know if the envp points to any valid location. It is not guaranteed that the original value is preserved (in this case it would have sense to use it). And it is not known if it will point to the new and correct array. Unless we know how the internal implementation exactly works.

balazske: From my understanding the "unanticipated behavior" here is clearly a bug: We do not know if the…
// does not reflect changes made by setenv function.
}
}
return 0;
}
void previous_call_invalidation() {
char *p, *pp;
p = getenv("VAR");
pp = getenv("VAR2");
// subsequent call to 'getenv' invalidated previous one
*p;
// dereferencing invalid pointer
}
.. _alpha-security-ArrayBound: .. _alpha-security-ArrayBound:
alpha.security.ArrayBound (C) alpha.security.ArrayBound (C)
""""""""""""""""""""""""""""" """""""""""""""""""""""""""""
Warn about buffer overflows (older checker). Warn about buffer overflows (older checker).
.. code-block:: c .. code-block:: c
▲ Show 20 LinesShow All 622 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 67 Lines▼ Show 20 Lines
def Security : Package <"security">; def Security : Package <"security">;
def InsecureAPI : Package<"insecureAPI">, ParentPackage<Security>; def InsecureAPI : Package<"insecureAPI">, ParentPackage<Security>;
def SecurityAlpha : Package<"security">, ParentPackage<Alpha>; def SecurityAlpha : Package<"security">, ParentPackage<Alpha>;
def Taint : Package<"taint">, ParentPackage<SecurityAlpha>; def Taint : Package<"taint">, ParentPackage<SecurityAlpha>;
def CERT : Package<"cert">, ParentPackage<SecurityAlpha>; def CERT : Package<"cert">, ParentPackage<SecurityAlpha>;
def POS : Package<"pos">, ParentPackage<CERT>; def POS : Package<"pos">, ParentPackage<CERT>;
def ENV : Package<"env">, ParentPackage<CERT>;
def Unix : Package<"unix">; def Unix : Package<"unix">;
def UnixAlpha : Package<"unix">, ParentPackage<Alpha>; def UnixAlpha : Package<"unix">, ParentPackage<Alpha>;
def CString : Package<"cstring">, ParentPackage<Unix>; def CString : Package<"cstring">, ParentPackage<Unix>;
def CStringAlpha : Package<"cstring">, ParentPackage<UnixAlpha>; def CStringAlpha : Package<"cstring">, ParentPackage<UnixAlpha>;
def OSX : Package<"osx">; def OSX : Package<"osx">;
def OSXAlpha : Package<"osx">, ParentPackage<Alpha>; def OSXAlpha : Package<"osx">, ParentPackage<Alpha>;
▲ Show 20 LinesShow All 858 Lines▼ Show 20 Lineslet ParentPackage = POS in {
def PutenvWithAuto : Checker<"34c">, def PutenvWithAuto : Checker<"34c">,
HelpText<"Finds calls to the 'putenv' function which pass a pointer to " HelpText<"Finds calls to the 'putenv' function which pass a pointer to "
"an automatic variable as the argument.">, "an automatic variable as the argument.">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
} // end "alpha.cert.pos" } // end "alpha.cert.pos"
let ParentPackage = ENV in {
def InvalidPtrChecker : Checker<"InvalidPtr">,
HelpText<"Finds usages of possibly invalidated pointers">,
Documentation<HasDocumentation>;
} // end "alpha.cert.env"
balazskeUnsubmitted
Not Done
ReplyInline Actions

I have multiple issues with the documentation texts but they look not final anyway. And the package and checker names could be better. There are already checkers for CERT rules that do not reside in the cert package, it is not good to have some checkers in a cert package and some not. It is likely that checkers will check for more rules or parts of the rules. Checker aliases are a better solution for the cert checker names. (And now the cert would contain checker with name not matching a rule: InvalidPtr.) The name InvalidPtr sounds too general, even if in an `env˙ package.

balazske: I have multiple issues with the documentation texts but they look not final anyway. And the…
zukatsinadzeAuthorUnsubmitted
Not Done
ReplyInline Actions

Agreed. We can come back to wordsmithing later.

zukatsinadze: Agreed. We can come back to wordsmithing later.
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">, def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
HelpText<"Warn about buffer overflows (newer checker)">, HelpText<"Warn about buffer overflows (newer checker)">,
▲ Show 20 LinesShow All 728 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show All 33 Linesadd_clang_library(clangStaticAnalyzerCheckers
DebugContainerModeling.cpp DebugContainerModeling.cpp
DebugIteratorModeling.cpp DebugIteratorModeling.cpp
DeleteWithNonVirtualDtorChecker.cpp DeleteWithNonVirtualDtorChecker.cpp
DereferenceChecker.cpp DereferenceChecker.cpp
DirectIvarAssignment.cpp DirectIvarAssignment.cpp
DivZeroChecker.cpp DivZeroChecker.cpp
DynamicTypePropagation.cpp DynamicTypePropagation.cpp
DynamicTypeChecker.cpp DynamicTypeChecker.cpp
EnumCastOutOfRangeChecker.cpp EnumCastOutOfRangeChecker.cpp
steakhalUnsubmitted
Not Done
ReplyInline Actions

Please, insert this in its sorted place.

steakhal: Please, insert this in its sorted place.
ExprInspectionChecker.cpp ExprInspectionChecker.cpp
FixedAddressChecker.cpp FixedAddressChecker.cpp
FuchsiaHandleChecker.cpp FuchsiaHandleChecker.cpp
GCDAntipatternChecker.cpp GCDAntipatternChecker.cpp
GenericTaintChecker.cpp GenericTaintChecker.cpp
GTestChecker.cpp GTestChecker.cpp
IdenticalExprChecker.cpp IdenticalExprChecker.cpp
InnerPointerChecker.cpp InnerPointerChecker.cpp
InvalidatedIteratorChecker.cpp InvalidatedIteratorChecker.cpp
cert/InvalidPtrChecker.cpp
Iterator.cpp Iterator.cpp
IteratorModeling.cpp IteratorModeling.cpp
IteratorRangeChecker.cpp IteratorRangeChecker.cpp
IvarInvalidationChecker.cpp IvarInvalidationChecker.cpp
LLVMConventionsChecker.cpp LLVMConventionsChecker.cpp
LocalizationChecker.cpp LocalizationChecker.cpp
MacOSKeychainAPIChecker.cpp MacOSKeychainAPIChecker.cpp
MacOSXAPIChecker.cpp MacOSXAPIChecker.cpp
▲ Show 20 LinesShow All 84 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp

  • This file was added.
//== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines InvalidPtrChecker which finds usages of possibly
// invalidated pointer.
// CERT SEI Rules ENV31-C and ENV34-C
// For more information see:
// https://wiki.sei.cmu.edu/confluence/x/8tYxBQ
// https://wiki.sei.cmu.edu/confluence/x/5NUxBQ
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
class InvalidPtrChecker
balazskeUnsubmitted
Not Done
ReplyInline Actions

I think we do not need to repeat the documentation here.

balazske: I think we do not need to repeat the documentation here.
: public Checker<check::Location, check::BeginFunction, check::PostCall> {
private:
BugType BT{this, "Use of invalidated pointer", categories::MemoryError};
void EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const;
using HandlerFn = void (InvalidPtrChecker::*)(const CallEvent &Call,
CheckerContext &C) const;
// SEI CERT ENV31-C
const CallDescriptionMap<HandlerFn> EnvpInvalidatingFunctions = {
{{"setenv", 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{"unsetenv", 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{"putenv", 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{"_putenv_s", 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
{{"_wputenv_s", 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
};
void postPreviousReturnInvalidatingCall(const CallEvent &Call,
CheckerContext &C) const;
// SEI CERT ENV34-C
const CallDescriptionMap<HandlerFn> PreviousCallInvalidatingFunctions = {
{{"getenv", 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{"setlocale", 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{"strerror", 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{"localeconv", 0},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
{{"asctime", 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
};
public:
// Obtain the environment pointer from 'main()' (if present).
void checkBeginFunction(CheckerContext &C) const;
// Handle functions in EnvpInvalidatingFunctions, that invalidate environment
// pointer from 'main()'
// Handle functions in PreviousCallInvalidatingFunctions.
// Also, check if invalidated region is passed to a
// conservatively evaluated function call as an argument.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
// Check if invalidated region is being dereferenced.
void checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &C) const;
};
} // namespace
// Set of memory regions that were invalidated
REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
// Stores the region of the environment pointer of 'main' (if present).
// Note: This pointer has type 'const MemRegion *', however the trait is only
// specialized to 'const void*' and 'void*'
REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const void *)
// Stores key-value pairs, where key is function declaration and value is
// pointer to memory region returned by previous call of this function
REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *,
const MemRegion *)
void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
CheckerContext &C) const {
StringRef FunctionName = Call.getCalleeIdentifier()->getName();
ProgramStateRef State = C.getState();
const auto *Reg = State->get<EnvPtrRegion>();
if (!Reg)
return;
const auto *SymbolicEnvPtrRegion =
reinterpret_cast<const MemRegion *>(const_cast<const void *>(Reg));
State = State->add<InvalidMemoryRegions>(SymbolicEnvPtrRegion);
const NoteTag *Note =
C.getNoteTag([SymbolicEnvPtrRegion, FunctionName](
PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
if (!BR.isInteresting(SymbolicEnvPtrRegion))
return;
Out << '\'' << FunctionName
<< "' call may invalidate the environment parameter of 'main'";
});
C.addTransition(State, Note);
}
void InvalidPtrChecker::postPreviousReturnInvalidatingCall(
const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef State = C.getState();
const NoteTag *Note = nullptr;
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
// Invalidate the region of the previously returned pointer - if there was
// one.
if (const MemRegion *const *Reg = State->get<PreviousCallResultMap>(FD)) {
const MemRegion *PrevReg = *Reg;
State = State->add<InvalidMemoryRegions>(PrevReg);
Note = C.getNoteTag([PrevReg, FD](PathSensitiveBugReport &BR,
llvm::raw_ostream &Out) {
if (!BR.isInteresting(PrevReg))
return;
Out << '\'';
FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
Out << "' call may invalidate the the result of the previous " << '\'';
FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
Out << '\'';
});
}
const LocationContext *LCtx = C.getLocationContext();
const auto *CE = cast<CallExpr>(Call.getOriginExpr());
// Function call will return a pointer to the new symbolic region.
DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal(
CE, LCtx, CE->getType(), C.blockCount());
State = State->BindExpr(CE, LCtx, RetVal);
// Remember to this region.
const auto *SymRegOfRetVal = dyn_cast<SymbolicRegion>(RetVal.getAsRegion());
const MemRegion *MR =
const_cast<MemRegion *>(SymRegOfRetVal->getBaseRegion());
State = State->set<PreviousCallResultMap>(FD, MR);
ExplodedNode *Node = C.addTransition(State, Note);
const NoteTag *PreviousCallNote =
C.getNoteTag([MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
if (!BR.isInteresting(MR))
return;
Out << '\'' << "'previous function call was here" << '\'';
});
martongUnsubmitted
Done
ReplyInline Actions

Why is it const void *? Why can't we use const MemRegion * and get rid of the ugly reinterpret_cast? There must be a reason ,which I'd like to see documented in the comments.

martong: Why is it `const void *`? Why can't we use `const MemRegion *` and get rid of the ugly…
steakhalUnsubmitted
Not Done
ReplyInline Actions

The trait is only specialized to const void* and void* see here:

https://github.com/llvm/llvm-project/blob/main/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h#L298-L323

template <> struct ProgramStatePartialTrait<void *>
template <> struct ProgramStatePartialTrait<const void *>

I'm not exactly sure why don't we specialize to any pointer type of type T.

steakhal: The trait is only specialized to `const void*` and `void*` see here: https://github.
C.addTransition(State, Node, PreviousCallNote);
}
martongUnsubmitted
Done
ReplyInline Actions

I think we could use the canonical FunctionDecl* as the key instead of const char *. Then all the eval functions like evalGetenv and alike could be substituted with one simple function.

martong: I think we could use the canonical `FunctionDecl*` as the key instead of `const char *`. Then…
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

Thanks! Those functions annoyed me a lot.

zukatsinadze: Thanks! Those functions annoyed me a lot.
// TODO: This seems really ugly. Simplify this.
static const MemRegion *findInvalidatedSymbolicBase(ProgramStateRef State,
const MemRegion *Reg) {
while (Reg) {
if (State->contains<InvalidMemoryRegions>(Reg))
return Reg;
const auto *SymBase = Reg->getSymbolicBase();
if (!SymBase)
break;
const auto *SRV = dyn_cast<SymbolRegionValue>(SymBase->getSymbol());
if (!SRV)
break;
Reg = SRV->getRegion();
if (const auto *VarReg = dyn_cast<VarRegion>(SRV->getRegion()))
Reg = VarReg;
}
return nullptr;
balazskeUnsubmitted
Not Done
ReplyInline Actions

Is it not possible to use const MemRegion * then?

balazske: Is it not possible to use `const MemRegion *` then?
steakhalUnsubmitted
Not Done
ReplyInline Actions

The trait stuff is only specialized for void pointers, instead of for any pointer type.
TBH I don't know why is that.

steakhal: The trait stuff is only specialized for void pointers, instead of for any pointer type. TBH I…
}
// Handle functions in EnvpInvalidatingFunctions, that invalidate environment
// pointer from 'main()' Also, check if invalidated region is passed to a
// function call as an argument.
void InvalidPtrChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
// Check if function invalidates 'envp' argument of 'main'
if (const auto *Handler = EnvpInvalidatingFunctions.lookup(Call))
(this->**Handler)(Call, C);
// Check if function invalidates the result of previous call
balazskeUnsubmitted
Done
ReplyInline Actions

evalCall should be used only if the called function is exclusively modeled by this checker which is not the case here. The checkPostCall should be sufficient instead of evalCall.

balazske: `evalCall` should be used only if the called function is exclusively modeled by this checker…
if (const auto *Handler = PreviousCallInvalidatingFunctions.lookup(Call))
(this->**Handler)(Call, C);
// Check if one of the arguments of the function call is invalidated
// If call was inlined, don't report invalidated argument
if (C.wasInlined)
return;
ProgramStateRef State = C.getState();
for (unsigned I = 0, NumArgs = Call.getNumArgs(); I < NumArgs; ++I) {
if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(
Call.getArgSVal(I).getAsRegion())) {
if (const MemRegion *InvalidatedSymbolicBase =
findInvalidatedSymbolicBase(State, SR)) {
ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
if (!ErrorNode)
return;
SmallString<256> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << "use of invalidated pointer '";
Call.getArgExpr(I)->printPretty(Out, /*Helper=*/nullptr,
C.getASTContext().getPrintingPolicy());
Out << "' in a function call";
auto Report =
std::make_unique<PathSensitiveBugReport>(BT, Out.str(), ErrorNode);
Report->markInteresting(InvalidatedSymbolicBase);
Report->addRange(Call.getArgSourceRange(I));
martongUnsubmitted
Done
ReplyInline Actions

Would it be possible to add a NoteTag here and eliminate the PreviousCallVisitor?

martong: Would it be possible to add a `NoteTag` here and eliminate the `PreviousCallVisitor`?
C.emitReport(std::move(Report));
}
}
balazskeUnsubmitted
Done
ReplyInline Actions

auto is not to be used if the type is not clearly visible in the context. And this would be exactly auto ** here. (But better is const MemRegion **.) Makes the later statement (assign to PrevReg) "messy" (and auto is bad there too).

balazske: `auto` is not to be used if the type is not clearly visible in the context. And this would be…
balazskeUnsubmitted
Not Done
ReplyInline Actions

.data is unnecessary here?

balazske: `.data` is unnecessary here?
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

.data seems to be necessary.

no known conversion from 'llvm::StringRef' to 'typename ProgramStateTrait<PreviousCallResultMap>::key_type' (aka 'const char *') for 1st argument

zukatsinadze: `.data` seems to be necessary. `no known conversion from 'llvm::StringRef' to 'typename…
}
}
// Obtain the environment pointer from 'main()', if present.
void InvalidPtrChecker::checkBeginFunction(CheckerContext &C) const {
if (!C.inTopFrame())
return;
const auto *FD = dyn_cast<FunctionDecl>(C.getLocationContext()->getDecl());
if (!FD || FD->param_size() != 3 || !FD->isMain())
return;
ProgramStateRef State = C.getState();
const MemRegion *EnvpReg =
State->getRegion(FD->parameters()[2], C.getLocationContext());
// Save the memory region pointed by the environment pointer parameter of
// 'main'.
State = State->set<EnvPtrRegion>(
reinterpret_cast<void *>(const_cast<MemRegion *>(EnvpReg)));
C.addTransition(State);
}
// Check if invalidated region is being dereferenced.
void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
// Ignore memory operations involving 'non-invalidated' locations.
const MemRegion *InvalidatedSymbolicBase =
findInvalidatedSymbolicBase(State, Loc.getAsRegion());
if (!InvalidatedSymbolicBase)
return;
ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
if (!ErrorNode)
return;
auto Report = std::make_unique<PathSensitiveBugReport>(
BT, "dereferencing an invalid pointer", ErrorNode);
Report->markInteresting(InvalidatedSymbolicBase);
C.emitReport(std::move(Report));
}
void ento::registerInvalidPtrChecker(CheckerManager &Mgr) {
Mgr.registerChecker<InvalidPtrChecker>();
}
bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) {
return true;
}
balazskeUnsubmitted
Not Done
ReplyInline Actions

Are these casts really needed?

balazske: Are these casts really needed?
zukatsinadzeAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, as steakhal mentioned above, trait is specialized for void*

zukatsinadze: Yes, as steakhal mentioned above, trait is specialized for void*
balazskeUnsubmitted
Not Done
ReplyInline Actions

addTransition is not needed here, the state was not modified.
Save the error node returned by generateNonFatalErrorNode and pass it to the next call of generateNonFatalErrorNode as the Pred parameter.

balazske: `addTransition` is not needed here, the state was not modified. Save the error node returned by…
martongUnsubmitted
Done
ReplyInline Actions

I think we should delete the code of this callback, since we can't use it.

martong: I think we should delete the code of this callback, since we can't use it.

clang/test/Analysis/cert/env31-c.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-output=text -Wno-unused %s \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify=putenv,common \
// RUN: -DENV_INVALIDATING_CALL="putenv(\"X=Y\")"
//
// RUN: %clang_analyze_cc1 -analyzer-output=text -Wno-unused %s \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify=putenvs,common \
// RUN: -DENV_INVALIDATING_CALL="_putenv_s(\"X\", \"Y\")"
//
// RUN: %clang_analyze_cc1 -analyzer-output=text -Wno-unused %s \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify=wputenvs,common \
// RUN: -DENV_INVALIDATING_CALL="_wputenv_s(\"X\", \"Y\")"
//
// RUN: %clang_analyze_cc1 -analyzer-output=text -Wno-unused %s \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify=setenv,common \
// RUN: -DENV_INVALIDATING_CALL="setenv(\"X\", \"Y\", 0)"
//
// RUN: %clang_analyze_cc1 -analyzer-output=text -Wno-unused %s \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify=unsetenv,common \
// RUN: -DENV_INVALIDATING_CALL="unsetenv(\"X\")"
typedef int errno_t;
typedef char wchar_t;
int putenv(char *string);
errno_t _putenv_s(const char *varname, const char *value_string);
errno_t _wputenv_s(const wchar_t *varname, const wchar_t *value_string);
int setenv(const char *name, const char *value, int overwrite);
int unsetenv(const char *name);
void fn_without_body(char **e);
void fn_with_body(char **e) {}
void call_env_invalidating_fn(char **e) {
ENV_INVALIDATING_CALL;
// putenv-note@-1 5 {{'putenv' call may invalidate the environment parameter of 'main'}}
// putenvs-note@-2 5 {{'_putenv_s' call may invalidate the environment parameter of 'main'}}
// wputenvs-note@-3 5 {{'_wputenv_s' call may invalidate the environment parameter of 'main'}}
// setenv-note@-4 5 {{'setenv' call may invalidate the environment parameter of 'main'}}
// unsetenv-note@-5 5 {{'unsetenv' call may invalidate the environment parameter of 'main'}}
*e;
// common-warning@-1 {{dereferencing an invalid pointer}}
// common-note@-2 {{dereferencing an invalid pointer}}
}
int main(int argc, char *argv[], char *envp[]) {
char **e = envp;
*e; // no-warning
e[0]; // no-warning
*envp; // no-warning
call_env_invalidating_fn(e);
// common-note@-1 5 {{Calling 'call_env_invalidating_fn'}}
// common-note@-2 4 {{Returning from 'call_env_invalidating_fn'}}
*e;
// common-warning@-1 {{dereferencing an invalid pointer}}
// common-note@-2 {{dereferencing an invalid pointer}}
*envp;
// common-warning@-1 2 {{dereferencing an invalid pointer}}
// common-note@-2 2 {{dereferencing an invalid pointer}}
fn_without_body(e);
// common-warning@-1 {{use of invalidated pointer 'e' in a function call}}
// common-note@-2 {{use of invalidated pointer 'e' in a function call}}
fn_with_body(e); // no-warning
}

clang/test/Analysis/cert/env34-c-cert-examples.c

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
// RUN: -verify -Wno-unused %s
#include "../Inputs/system-header-simulator.h"
char *getenv(const char *name);
int strcmp(const char*, const char*);
char *strdup(const char*);
void free(void *memblock);
void *malloc(size_t size);
void incorrect_usage(void) {
char *tmpvar;
char *tempvar;
tmpvar = getenv("TMP");
if (!tmpvar)
return;
tempvar = getenv("TEMP");
if (!tempvar)
return;
if (strcmp(tmpvar, tempvar) == 0) { // body of strcmp is unknown
// expected-warning@-1{{use of invalidated pointer 'tmpvar' in a function call}}
}
steakhalUnsubmitted
Not Done
ReplyInline Actions

I just want to highlight the capabilities of this checker.
Here we are using the invalid tmpvar pointer in a conservatively evaluated function call, and we still have a warning. Which is awesome.

Just imagine that getenv() would return a pointer to the same static buffer, then the strcmp() would always succeed, which is likely a bug.

steakhal: I just want to highlight the capabilities of this checker. Here we are using the invalid…
}
void correct_usage_1(void) {
char *tmpvar;
char *tempvar;
const char *temp = getenv("TMP");
if (temp != NULL) {
tmpvar = (char *)malloc(strlen(temp)+1);
if (tmpvar != NULL) {
strcpy(tmpvar, temp);
} else {
return;
}
} else {
return;
}
temp = getenv("TEMP");
if (temp != NULL) {
tempvar = (char *)malloc(strlen(temp)+1);
if (tempvar != NULL) {
strcpy(tempvar, temp);
} else {
return;
}
} else {
return;
}
if (strcmp(tmpvar, tempvar) == 0) {
printf("TMP and TEMP are the same.\n");
} else {
printf("TMP and TEMP are NOT the same.\n");
}
free(tmpvar);
free(tempvar);
}
void correct_usage_2(void) {
char *tmpvar;
char *tempvar;
const char *temp = getenv("TMP");
if (temp != NULL) {
tmpvar = strdup(temp);
if (tmpvar == NULL) {
return;
}
} else {
return;
}
temp = getenv("TEMP");
if (temp != NULL) {
tempvar = strdup(temp);
if (tempvar == NULL) {
return;
}
} else {
return;
}
if (strcmp(tmpvar, tempvar) == 0) {
printf("TMP and TEMP are the same.\n");
} else {
printf("TMP and TEMP are NOT the same.\n");
}
free(tmpvar);
tmpvar = NULL;
free(tempvar);
tempvar = NULL;
}

clang/test/Analysis/cert/env34-c.c

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=alpha.security.cert.env.InvalidPtr\
// RUN: -analyzer-output=text -verify -Wno-unused %s
#include "../Inputs/system-header-simulator.h"
char *getenv(const char *name);
char *setlocale(int category, const char *locale);
char *strerror(int errnum);
typedef struct {
char * field;
} lconv;
lconv *localeconv(void);
typedef struct {
} tm;
char *asctime(const tm *timeptr);
int strcmp(const char*, const char*);
extern void foo(char *e);
extern char* bar();
void getenv_test1() {
char *p;
p = getenv("VAR");
*p; // no-warning
p = getenv("VAR2");
*p; // no-warning, getenv result was assigned to the same pointer
}
void getenv_test2() {
char *p, *p2;
p = getenv("VAR");
// expected-note@-1{{previous function call was here}}
*p; // no-warning
p2 = getenv("VAR2");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test3() {
char *p, *p2, *p3;
p = getenv("VAR");
*p; // no-warning
p = getenv("VAR2");
// expected-note@-1{{previous function call was here}}
p2 = getenv("VAR2");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
p3 = getenv("VAR3");
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test4() {
char *p, *p2, *p3;
p = getenv("VAR");
// expected-note@-1{{previous function call was here}}
p2 = getenv("VAR2");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
p3 = getenv("VAR3");
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test5() {
char *p, *p2, *p3;
p = getenv("VAR");
p2 = getenv("VAR2");
// expected-note@-1{{previous function call was here}}
p3 = getenv("VAR3");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
*p2;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test6() {
char *p, *p2;
p = getenv("VAR");
*p; // no-warning
p = getenv("VAR2");
// expected-note@-1{{previous function call was here}}
*p; // no-warning
p2 = getenv("VAR3");
// expected-note@-1{{previous function call was here}}
// expected-note@-2{{'getenv' call may invalidate the the result of the previous 'getenv'}}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
*p2; // no-warning
p = getenv("VAR4");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
*p; // no-warning
*p2;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test7() {
char *p, *p2;
p = getenv("VAR");
// expected-note@-1{{previous function call was here}}
*p; // no-warning
p2 = getenv("VAR2");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
foo(p);
// expected-warning@-1{{use of invalidated pointer 'p' in a function call}}
// expected-note@-2{{use of invalidated pointer 'p' in a function call}}
}
void getenv_test8() {
static const char *array[] = {
0,
0,
"/var/tmp",
"/usr/tmp",
"/tmp",
"."
};
if( !array[0] )
// expected-note@-1{{Taking true branch}}
array[0] = getenv("TEMPDIR");
// expected-note@-1{{previous function call was here}}
if( !array[1] )
// expected-note@-1{{Taking true branch}}
array[1] = getenv("TMPDIR");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
*array[0];
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test9() {
char *p, *p2;
p = getenv("something");
p = bar();
p2 = getenv("something");
*p; // no-warning: p does not point to getenv anymore
}
void getenv_test10() {
strcmp(getenv("VAR1"), getenv("VAR2"));
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
// expected-note@-2{{previous function call was here}}
// expected-warning@-3{{use of invalidated pointer 'getenv("VAR1")' in a function call}}
// expected-note@-4{{use of invalidated pointer 'getenv("VAR1")' in a function call}}
}
void dereference_pointer(char* a) {
*a;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void getenv_test11() {
char *p = getenv("VAR");
// expected-note@-1{{previous function call was here}}
char *pp = getenv("VAR2");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
dereference_pointer(p);
// expected-note@-1{{Calling 'dereference_pointer'}}
}
void getenv_test12(int flag1, int flag2) {
char *p = getenv("VAR");
// expected-note@-1{{previous function call was here}}
if (flag1) {
// expected-note@-1{{Assuming 'flag1' is not equal to 0}}
// expected-note@-2{{Taking true branch}}
char *pp = getenv("VAR2");
// expected-note@-1{{'getenv' call may invalidate the the result of the previous 'getenv'}}
}
if (flag2) {
// expected-note@-1{{Assuming 'flag2' is not equal to 0}}
// expected-note@-2{{Taking true branch}}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
}
void setlocale_test1() {
char *p, *p2;
p = setlocale(0, "VAR");
*p; // no-warning
p = setlocale(0, "VAR2");
// expected-note@-1{{previous function call was here}}
*p; // no-warning
p2 = setlocale(0, "VAR3");
// expected-note@-1{{'setlocale' call may invalidate the the result of the previous 'setlocale'}}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void setlocale_test2(int flag) {
char *p, *p2;
p = setlocale(0, "VAR");
*p; // no-warning
p = setlocale(0, "VAR2");
// expected-note@-1{{previous function call was here}}
*p; // no-warning
if (flag) {
// expected-note@-1{{Assuming 'flag' is not equal to 0}}
// expected-note@-2{{Taking true branch}}
p2 = setlocale(0, "VAR3");
// expected-note@-1{{'setlocale' call may invalidate the the result of the previous 'setlocale'}}
}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void strerror_test1() {
char *p, *p2;
p = strerror(0);
*p; // no-warning
p = strerror(1);
// expected-note@-1{{previous function call was here}}
*p; // no-warning
p2 = strerror(2);
// expected-note@-1{{'strerror' call may invalidate the the result of the previous 'strerror'}}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void strerror_test2(int errno) {
char *p, *p2;
p = strerror(0);
*p; // no-warning
p = strerror(1);
// expected-note@-1{{previous function call was here}}
*p; // no-warning
if (0 == 1) {
// expected-note@-1{{0 is not equal to 1}}
// expected-note@-2{{Taking false branch}}
p2 = strerror(2);
}
*p; // no-warning
if (errno) {
// expected-note@-1{{Assuming 'errno' is not equal to 0}}
// expected-note@-2{{Taking true branch}}
p2 = strerror(errno);
// expected-note@-1{{'strerror' call may invalidate the the result of the previous 'strerror'}}
}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void asctime_test() {
const tm *t;
const tm *tt;
char* p = asctime(t);
// expected-note@-1{{previous function call was here}}
char* pp = asctime(tt);
// expected-note@-1{{'asctime' call may invalidate the the result of the previous 'asctime'}}
*p;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void localeconv_test1() {
lconv *lc1 = localeconv();
// expected-note@-1{{previous function call was here}}
lconv *lc2 = localeconv();
// expected-note@-1{{'localeconv' call may invalidate the the result of the previous 'localeconv'}}
*lc1;
// expected-warning@-1{{dereferencing an invalid pointer}}
// expected-note@-2{{dereferencing an invalid pointer}}
}
void localeconv_test2() {
// TODO: false negative
lconv *lc1 = localeconv();
lconv *lc2 = localeconv();
lc1->field;
}