This is an archive of the discontinued LLVM Phabricator instance.

Differential D99659

[analyzer][taint] Extent of heap regions should get taint sometimes
AbandonedPublic

Authored by steakhal on Mar 31 2021, 6:31 AM.

Details

Reviewers
NoQ
vsavchenko
martong
balazske
xazax.hun
Szelethus
Summary

If we allocate a tainted amount of memory, the extent of that region will clearly depend on a tainted value.

We could later make use of this, for example when we try to prove that the array access is valid (0 <= idx < extent).
If the inequality would depend on the tainted value, we should still emit a warning (in ArrayBoundV2), as we currently do if the idx is tainted.

Diff Detail

Event Timeline

steakhal created this revision.Mar 31 2021, 6:31 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMar 31 2021, 6:31 AM
Herald added subscribers: ASDenysPetrov, Charusso, dkrupp and 8 others. · View Herald Transcript
steakhal requested review of this revision.Mar 31 2021, 6:31 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 31 2021, 6:31 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a parent revision: D99658: [analyzer] Fix clang_analyzer_getExtent for heap regions.Mar 31 2021, 6:31 AM
Harbormaster completed remote builds in B96520: Diff 334425.Mar 31 2021, 7:26 AM
steakhal updated this revision to Diff 334474.Mar 31 2021, 10:03 AM

Add a FIXME about placing a NoteTag describing why the extent was getting tainted.

Harbormaster completed remote builds in B96556: Diff 334474.Mar 31 2021, 10:48 AM
martong accepted this revision.Apr 1 2021, 3:00 AM

I like it, looks good to me!

This revision is now accepted and ready to land.Apr 1 2021, 3:00 AM
NoQ added a comment.EditedApr 1 2021, 8:36 PM

This will be obsoleted by D69726 because they are going to be the same symbol from the start.

steakhal abandoned this revision.Apr 6 2021, 9:14 AM

Obsoleted by D69726.

This effort continues as the NFC D99959 patch.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
7 lines
test/
Analysis/
37 lines

Diff 334474

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show All 40 Lines
// InnerPointerChecker interacts very closely with MallocChecker, but unlike // InnerPointerChecker interacts very closely with MallocChecker, but unlike
// the above checkers, it has it's own file, hence the many InnerPointerChecker // the above checkers, it has it's own file, hence the many InnerPointerChecker
// related headers and non-static functions. // related headers and non-static functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "Taint.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
▲ Show 20 LinesShow All 1,539 Lines▼ Show 20 LinesProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
if (Optional<DefinedOrUnknownSVal> DefinedSize = if (Optional<DefinedOrUnknownSVal> DefinedSize =
Size.getAs<DefinedOrUnknownSVal>()) { Size.getAs<DefinedOrUnknownSVal>()) {
DefinedOrUnknownSVal DynSize = getDynamicSize(State, R, svalBuilder); DefinedOrUnknownSVal DynSize = getDynamicSize(State, R, svalBuilder);
DefinedOrUnknownSVal DynSizeMatchesSize = DefinedOrUnknownSVal DynSizeMatchesSize =
svalBuilder.evalEQ(State, DynSize, *DefinedSize); svalBuilder.evalEQ(State, DynSize, *DefinedSize);
State = State->assume(DynSizeMatchesSize, true); State = State->assume(DynSizeMatchesSize, true);
// If the size of the allocation is tainted, the associated extent should be
// also tainted.
// FIXME: Add a NoteTag to describe why the extent become tainted.
if (taint::isTainted(State, Size))
State = taint::addTaint(State, DynSize);
assert(State); assert(State);
} }
return MallocUpdateRefState(C, CE, State, Family); return MallocUpdateRefState(C, CE, State, Family);
} }
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
ProgramStateRef State, ProgramStateRef State,
▲ Show 20 LinesShow All 1,868 LinesShow Last 20 Lines

clang/test/Analysis/malloc.c

// RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \ // RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \ // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
// RUN: -analyzer-checker=alpha.core.CastSize \ // RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix \ // RUN: -analyzer-checker=unix \
// RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection // RUN: -analyzer-checker=debug.ExprInspection
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
size_t clang_analyzer_getExtent(void *);
void clang_analyzer_isTainted(int);
// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability // the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything. // problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported // Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code". // when you compile C code".
// //
Show All 12 Lines
void free(void *); void free(void *);
void *realloc(void *ptr, size_t size); void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size); void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
char *strdup(const char *s); char *strdup(const char *s);
wchar_t *wcsdup(const wchar_t *s); wchar_t *wcsdup(const wchar_t *s);
char *strndup(const char *s, size_t n); char *strndup(const char *s, size_t n);
int memcmp(const void *s1, const void *s2, size_t n); int memcmp(const void *s1, const void *s2, size_t n);
int getchar(void);
// Windows variants // Windows variants
char *_strdup(const char *strSource); char *_strdup(const char *strSource);
wchar_t *_wcsdup(const wchar_t *strSource); wchar_t *_wcsdup(const wchar_t *strSource);
void *_alloca(size_t size); void *_alloca(size_t size);
void myfoo(int *p); void myfoo(int *p);
void myfooint(int p); void myfooint(int p);
▲ Show 20 LinesShow All 1,831 Lines▼ Show 20 Linesvoid testPassToSystemHeaderFunctionIndirectly() {
// won't free (p-1) either. // won't free (p-1) either.
} }
void testMallocIntoMalloc() { void testMallocIntoMalloc() {
StructWithPtr *s = malloc(sizeof(StructWithPtr)); StructWithPtr *s = malloc(sizeof(StructWithPtr));
s->memP = malloc(sizeof(int)); s->memP = malloc(sizeof(int));
free(s); free(s);
} // FIXME: should warn here } // FIXME: should warn here
void extentGetsTainted(int conj) {
int tainted = getchar();
{
int *p = (int *)malloc(conj);
clang_analyzer_isTainted(clang_analyzer_getExtent(p)); // expected-warning {{NO}}
free(p);
}
{
int *p = (int *)malloc(tainted);
// expected-warning@-1 {{Untrusted data is used to specify the buffer size \
(CERT/STR31-C. Guarantee that storage for strings has sufficient space for \
character data and the null terminator)}}
clang_analyzer_isTainted(clang_analyzer_getExtent(p)); // expected-warning {{YES}}
free(p);
}
{
int *p = (int *)malloc(5 + tainted);
// expected-warning@-1 {{Untrusted data is used to specify the buffer size \
(CERT/STR31-C. Guarantee that storage for strings has sufficient space for \
character data and the null terminator)}}
clang_analyzer_isTainted(clang_analyzer_getExtent(p)); // expected-warning {{YES}}
free(p);
}
{
int *p = (int *)malloc(conj + tainted);
// expected-warning@-1 {{Untrusted data is used to specify the buffer size \
(CERT/STR31-C. Guarantee that storage for strings has sufficient space for \
character data and the null terminator)}}
clang_analyzer_isTainted(clang_analyzer_getExtent(p)); // expected-warning {{YES}}
free(p);
}
}