[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
martong added a comment.
I've checked the `StdLibraryFunctionsChecker` related changes and they are
promising.
Comment at: clang/test/Analysis/std-c-library-functions-taint.c:88
+clang_analyzer_dump(n + 1); // expected-warning {{(conj_$}}
expected-note {{(conj_$}}
+(void)toupper(n + 1);// 'n+1' might be MAX_CHAR+1, which does
not satisfie the precondition of 'toupper'
+// expected-warning@-1 {{Function argument constraint is not satisfied,
constraint: Range; It depends on tainted value}}
typo
Comment at: clang/test/Analysis/std-c-library-functions-taint.c:95-113
+// - Testing NotNullConstraint -
+// It's just a made up example, where we get a tainted pointer.
+char *strdup(const char *s);
+void testTaintedPointer(const char *fmt, char *buf) {
+ char *ptr;
+ scanf(fmt, &ptr); // One does not simply read a pointer -
well we do.
+ clang_analyzer_isTainted_str(ptr); // expected-warning {{YES}} expected-note
{{YES}}
I am missing a call to a standard library function which has a
NotNullConstraint attached.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D125225/new/
https://reviews.llvm.org/D125225
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
steakhal added inline comments.
Comment at: clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2363
+ for (SymbolRef SubSym : SubSyms) {
+if (SymbolData::classof(SubSym)) {
+ if (auto MaybeTK = TryToLookupTrackingKind(SubSym))
I think this is the superior way of checking this.
Comment at: clang/test/Analysis/taint-diagnostic-visitor.c:36
scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
- // expected-note@-1 {{Taint originated here}}
+ // expected-note@-1 {{Taint originated here}}
expected-note@-1 {{Propagated taint to the 2nd parameter}}
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has
tainted size}}
If we emit a specific note-tag, we definitely shouldn't emit a `Taint
originated here` note.
I think in my original patch stack I did actually remove the archaic visitor
producing this since the propagation note tags completely supersedes that
approach.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D125225/new/
https://reviews.llvm.org/D125225
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
gamesh411 added a comment. @steakhal This is WIP as there is still a stdlib function, that does not pass the test, and I would like to add more complex taint propagation test cases as well. Could you please glance over these commits: [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory [Stdlib] Add taint to the StdLibraryFunctionsChecker Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D125225/new/ https://reviews.llvm.org/D125225 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
gamesh411 updated this revision to Diff 428070.
gamesh411 added a comment.
- [BoolAssign] Add taint to the BoolAssignmentChecker
- [BugReporter] Transitive interestingness
- [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker
- [BoundV2] ArrayBoundV2 checks if the extent is tainted
- [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount
of memory
- [CString] Add ConsiderTaint checker option for CStringChecker
- [CString] Consider tainted out-of-bound accesses
- [Stdlib] Add taint to the StdLibraryFunctionsChecker
- [Malloc] Implement the rsize_t like heuristic
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D125225/new/
https://reviews.llvm.org/D125225
Files:
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
clang/lib/StaticAnalyzer/Core/BugReporter.cpp
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/bool-assignment.c
clang/test/Analysis/malloc.c
clang/test/Analysis/std-c-library-functions-taint.c
clang/test/Analysis/string.c
clang/test/Analysis/taint-diagnostic-visitor.c
Index: clang/test/Analysis/taint-diagnostic-visitor.c
===
--- clang/test/Analysis/taint-diagnostic-visitor.c
+++ clang/test/Analysis/taint-diagnostic-visitor.c
@@ -1,9 +1,12 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,unix.Malloc,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker
int scanf(const char *restrict format, ...);
int system(const char *command);
+typedef __typeof(sizeof(int)) size_t;
+void *malloc(size_t size);
+void free(void *ptr);
void taintDiagnostic(void)
{
@@ -34,3 +37,19 @@
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
// expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
}
+
+void taintDiagnosticMalloc(int conj) {
+ int x;
+ scanf("%d", &x);
+ // expected-note@-1 2 {{Taint originated here}} Once for malloc(tainted), once for BoundsV2.
+
+ int *p = (int *)malloc(x + conj); // Generic taint checker forbids tainted allocation.
+ // expected-warning@-1 {{Untrusted data is used to specify the buffer size}}
+ // expected-note@-2{{Untrusted data is used to specify the buffer size}}
+ // expected-note@-3 {{Allocating tainted amount of memory}}
+
+ p[1] = 1; // BoundsV2 checker can not prove that the access is safe.
+ // expected-warning@-1 {{Out of bound memory access (index is tainted)}}
+ // expected-note@-2{{Out of bound memory access (index is tainted)}}
+ free(p);
+}
Index: clang/test/Analysis/string.c
===
--- clang/test/Analysis/string.c
+++ clang/test/Analysis/string.c
@@ -1,10 +1,13 @@
-// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \
+// RUN: %clang_analyze_cc1 %s -Wno-null-dereference \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \
+// RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection \
-// RUN: -analyzer-config eagerly-assume=false
+// RUN: -analyzer-config alpha.unix.cstring.OutOfBounds:ConsiderTaint=true \
+// RUN: -analyzer-config eagerly-assume=false \
+// RUN: -verify=expected,tainted,OOB-consider-tainted
//
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference -DUSE_BUILTINS \
// RUN: -analyzer-checker=core \
@@ -22,7 +25,7 @@
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false
//
-// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \
+// RUN: %clang_analyze_cc1 %s -Wno-null-dereference \
// RUN: -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.taint \
@@ -30,7 +33,8 @@
// RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection \
-// RUN: -analyzer-config eagerly-assume=false
+// RUN: -analyzer-config eagerly-assume=false \
+// RUN: -verify=expected,tainted
//
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \
// RUN: -DSUPPRESS_OUT_OF_BOUND \
@@ -481,6 +485,23 @@
}
#endif
+void strcat_overflow_tainted_dst_extent(char *y) {
+ int n;
+ scanf("%d", &n);
+ char *p = mall
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
gamesh411 created this revision.
gamesh411 added a reviewer: steakhal.
Herald added subscribers: manas, ASDenysPetrov, martong, dkrupp, donat.nagy,
Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.
Herald added a reviewer: Szelethus.
Herald added a project: All.
gamesh411 requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.
[BugReporter] Transitive interestingness
[Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker
[BoundV2] ArrayBoundV2 checks if the extent is tainted
[BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount
of memory
[CString] Add ConsiderTaint checker option for CStringChecker
[CString] Consider tainted out-of-bound accesses
[TaintProp] Place NoteTags when propagating taint
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D125225
Files:
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
clang/lib/StaticAnalyzer/Core/BugReporter.cpp
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/string.c
clang/test/Analysis/taint-diagnostic-visitor.c
Index: clang/test/Analysis/taint-diagnostic-visitor.c
===
--- clang/test/Analysis/taint-diagnostic-visitor.c
+++ clang/test/Analysis/taint-diagnostic-visitor.c
@@ -1,28 +1,31 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,unix.Malloc,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker
int scanf(const char *restrict format, ...);
int system(const char *command);
+typedef __typeof(sizeof(int)) size_t;
+void *malloc(size_t size);
+void free(void *ptr);
void taintDiagnostic(void)
{
char buf[128];
- scanf("%s", buf); // expected-note {{Taint originated here}}
+ scanf("%s", buf); // expected-note {{Propagated taint to the 2nd parameter}}
system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
}
int taintDiagnosticOutOfBound(void) {
int index;
int Array[] = {1, 2, 3, 4, 5};
- scanf("%d", &index); // expected-note {{Taint originated here}}
+ scanf("%d", &index); // expected-note {{Taint originated here}} expected-note {{Propagated taint to the 2nd parameter}}
return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}}
// expected-note@-1 {{Out of bound memory access (index is tainted)}}
}
int taintDiagnosticDivZero(int operand) {
scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
- // expected-note@-1 {{Taint originated here}}
+ // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}}
return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
// expected-note@-1 {{Division by a tainted value, possibly zero}}
}
@@ -30,7 +33,23 @@
void taintDiagnosticVLA(void) {
int x;
scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
- // expected-note@-1 {{Taint originated here}}
+ // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}}
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
// expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
}
+
+void taintDiagnosticMalloc(int conj) {
+ int x;
+ scanf("%d", &x); // expected-note {{Taint originated here}}
+ // expected-note@-1 2 {{Propagated taint to the 2nd parameter}} Once for malloc(tainted), once for BoundsV2.
+
+ int *p = (int *)malloc(x + conj); // Generic taint checker forbids tainted allocation.
+ // expected-warning@-1 {{Untrusted data is used to specify the buffer size}}
+ // expected-note@-2{{Untrusted data is used to specify the buffer size}}
+ // expected-note@-3 {{Allocating tainted amount of memory}}
+
+ p[1] = 1; // BoundsV2 checker can not prove that the access is safe.
+ // expected-warning@-1 {{Out of bound memory access (index is tainted)}}
+ // expected-note@-2{{Out of bound memory access (index is tainted)}}
+ free(p);
+}
Index: clang/test/Analysis/string.c
===
--- clang/test/Analysis/string.c
+++ clang/test/Analysis/string.c
@@ -1,10
