[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
martong added a comment. I've checked the `StdLibraryFunctionsChecker` related changes and they are promising. Comment at: clang/test/Analysis/std-c-library-functions-taint.c:88 +clang_analyzer_dump(n + 1); // expected-warning {{(conj_$}} expected-note {{(conj_$}} +(void)toupper(n + 1);// 'n+1' might be MAX_CHAR+1, which does not satisfie the precondition of 'toupper' +// expected-warning@-1 {{Function argument constraint is not satisfied, constraint: Range; It depends on tainted value}} typo Comment at: clang/test/Analysis/std-c-library-functions-taint.c:95-113 +// - Testing NotNullConstraint - +// It's just a made up example, where we get a tainted pointer. +char *strdup(const char *s); +void testTaintedPointer(const char *fmt, char *buf) { + char *ptr; + scanf(fmt, &ptr); // One does not simply read a pointer - well we do. + clang_analyzer_isTainted_str(ptr); // expected-warning {{YES}} expected-note {{YES}} I am missing a call to a standard library function which has a NotNullConstraint attached. Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D125225/new/ https://reviews.llvm.org/D125225 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
steakhal added inline comments. Comment at: clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2363 + for (SymbolRef SubSym : SubSyms) { +if (SymbolData::classof(SubSym)) { + if (auto MaybeTK = TryToLookupTrackingKind(SubSym)) I think this is the superior way of checking this. Comment at: clang/test/Analysis/taint-diagnostic-visitor.c:36 scanf("%d", &x); // expected-note {{Value assigned to 'x'}} - // expected-note@-1 {{Taint originated here}} + // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}} int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}} If we emit a specific note-tag, we definitely shouldn't emit a `Taint originated here` note. I think in my original patch stack I did actually remove the archaic visitor producing this since the propagation note tags completely supersedes that approach. Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D125225/new/ https://reviews.llvm.org/D125225 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
gamesh411 added a comment. @steakhal This is WIP as there is still a stdlib function, that does not pass the test, and I would like to add more complex taint propagation test cases as well. Could you please glance over these commits: [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory [Stdlib] Add taint to the StdLibraryFunctionsChecker Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D125225/new/ https://reviews.llvm.org/D125225 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
gamesh411 updated this revision to Diff 428070. gamesh411 added a comment. - [BoolAssign] Add taint to the BoolAssignmentChecker - [BugReporter] Transitive interestingness - [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker - [BoundV2] ArrayBoundV2 checks if the extent is tainted - [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory - [CString] Add ConsiderTaint checker option for CStringChecker - [CString] Consider tainted out-of-bound accesses - [Stdlib] Add taint to the StdLibraryFunctionsChecker - [Malloc] Implement the rsize_t like heuristic Repository: rG LLVM Github Monorepo CHANGES SINCE LAST ACTION https://reviews.llvm.org/D125225/new/ https://reviews.llvm.org/D125225 Files: clang/include/clang/StaticAnalyzer/Checkers/Checkers.td clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp clang/lib/StaticAnalyzer/Core/BugReporter.cpp clang/test/Analysis/analyzer-config.c clang/test/Analysis/bool-assignment.c clang/test/Analysis/malloc.c clang/test/Analysis/std-c-library-functions-taint.c clang/test/Analysis/string.c clang/test/Analysis/taint-diagnostic-visitor.c Index: clang/test/Analysis/taint-diagnostic-visitor.c === --- clang/test/Analysis/taint-diagnostic-visitor.c +++ clang/test/Analysis/taint-diagnostic-visitor.c @@ -1,9 +1,12 @@ -// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s +// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,unix.Malloc,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s // This file is for testing enhanced diagnostics produced by the GenericTaintChecker int scanf(const char *restrict format, ...); int system(const char *command); +typedef __typeof(sizeof(int)) size_t; +void *malloc(size_t size); +void free(void *ptr); void taintDiagnostic(void) { @@ -34,3 +37,19 @@ int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}} // expected-note@-1 {{Declared variable-length array (VLA) has tainted size}} } + +void taintDiagnosticMalloc(int conj) { + int x; + scanf("%d", &x); + // expected-note@-1 2 {{Taint originated here}} Once for malloc(tainted), once for BoundsV2. + + int *p = (int *)malloc(x + conj); // Generic taint checker forbids tainted allocation. + // expected-warning@-1 {{Untrusted data is used to specify the buffer size}} + // expected-note@-2{{Untrusted data is used to specify the buffer size}} + // expected-note@-3 {{Allocating tainted amount of memory}} + + p[1] = 1; // BoundsV2 checker can not prove that the access is safe. + // expected-warning@-1 {{Out of bound memory access (index is tainted)}} + // expected-note@-2{{Out of bound memory access (index is tainted)}} + free(p); +} Index: clang/test/Analysis/string.c === --- clang/test/Analysis/string.c +++ clang/test/Analysis/string.c @@ -1,10 +1,13 @@ -// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ +// RUN: %clang_analyze_cc1 %s -Wno-null-dereference \ // RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.Malloc \ +// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=debug.ExprInspection \ -// RUN: -analyzer-config eagerly-assume=false +// RUN: -analyzer-config alpha.unix.cstring.OutOfBounds:ConsiderTaint=true \ +// RUN: -analyzer-config eagerly-assume=false \ +// RUN: -verify=expected,tainted,OOB-consider-tainted // // RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference -DUSE_BUILTINS \ // RUN: -analyzer-checker=core \ @@ -22,7 +25,7 @@ // RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-config eagerly-assume=false // -// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ +// RUN: %clang_analyze_cc1 %s -Wno-null-dereference \ // RUN: -DUSE_BUILTINS -DVARIANT \ // RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=alpha.security.taint \ @@ -30,7 +33,8 @@ // RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=debug.ExprInspection \ -// RUN: -analyzer-config eagerly-assume=false +// RUN: -analyzer-config eagerly-assume=false \ +// RUN: -verify=expected,tainted // // RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ // RUN: -DSUPPRESS_OUT_OF_BOUND \ @@ -481,6 +485,23 @@ } #endif +void strcat_overflow_tainted_dst_extent(char *y) { + int n; + scanf("%d", &n); + char *p = mall
[PATCH] D125225: [WIP][analyzer] Taint Notes enhancements
gamesh411 created this revision. gamesh411 added a reviewer: steakhal. Herald added subscribers: manas, ASDenysPetrov, martong, dkrupp, donat.nagy, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun. Herald added a reviewer: Szelethus. Herald added a project: All. gamesh411 requested review of this revision. Herald added a project: clang. Herald added a subscriber: cfe-commits. [BugReporter] Transitive interestingness [Malloc] Pass down a State and a Pred ExplodedNode in the MallocChecker [BoundV2] ArrayBoundV2 checks if the extent is tainted [BoundV2][Malloc] Place NoteTags when allocated an interesting tainted amount of memory [CString] Add ConsiderTaint checker option for CStringChecker [CString] Consider tainted out-of-bound accesses [TaintProp] Place NoteTags when propagating taint Repository: rG LLVM Github Monorepo https://reviews.llvm.org/D125225 Files: clang/include/clang/StaticAnalyzer/Checkers/Checkers.td clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp clang/lib/StaticAnalyzer/Core/BugReporter.cpp clang/test/Analysis/analyzer-config.c clang/test/Analysis/string.c clang/test/Analysis/taint-diagnostic-visitor.c Index: clang/test/Analysis/taint-diagnostic-visitor.c === --- clang/test/Analysis/taint-diagnostic-visitor.c +++ clang/test/Analysis/taint-diagnostic-visitor.c @@ -1,28 +1,31 @@ -// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s +// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,unix.Malloc,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s // This file is for testing enhanced diagnostics produced by the GenericTaintChecker int scanf(const char *restrict format, ...); int system(const char *command); +typedef __typeof(sizeof(int)) size_t; +void *malloc(size_t size); +void free(void *ptr); void taintDiagnostic(void) { char buf[128]; - scanf("%s", buf); // expected-note {{Taint originated here}} + scanf("%s", buf); // expected-note {{Propagated taint to the 2nd parameter}} system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}} } int taintDiagnosticOutOfBound(void) { int index; int Array[] = {1, 2, 3, 4, 5}; - scanf("%d", &index); // expected-note {{Taint originated here}} + scanf("%d", &index); // expected-note {{Taint originated here}} expected-note {{Propagated taint to the 2nd parameter}} return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}} // expected-note@-1 {{Out of bound memory access (index is tainted)}} } int taintDiagnosticDivZero(int operand) { scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}} - // expected-note@-1 {{Taint originated here}} + // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}} return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}} // expected-note@-1 {{Division by a tainted value, possibly zero}} } @@ -30,7 +33,23 @@ void taintDiagnosticVLA(void) { int x; scanf("%d", &x); // expected-note {{Value assigned to 'x'}} - // expected-note@-1 {{Taint originated here}} + // expected-note@-1 {{Taint originated here}} expected-note@-1 {{Propagated taint to the 2nd parameter}} int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}} // expected-note@-1 {{Declared variable-length array (VLA) has tainted size}} } + +void taintDiagnosticMalloc(int conj) { + int x; + scanf("%d", &x); // expected-note {{Taint originated here}} + // expected-note@-1 2 {{Propagated taint to the 2nd parameter}} Once for malloc(tainted), once for BoundsV2. + + int *p = (int *)malloc(x + conj); // Generic taint checker forbids tainted allocation. + // expected-warning@-1 {{Untrusted data is used to specify the buffer size}} + // expected-note@-2{{Untrusted data is used to specify the buffer size}} + // expected-note@-3 {{Allocating tainted amount of memory}} + + p[1] = 1; // BoundsV2 checker can not prove that the access is safe. + // expected-warning@-1 {{Out of bound memory access (index is tainted)}} + // expected-note@-2{{Out of bound memory access (index is tainted)}} + free(p); +} Index: clang/test/Analysis/string.c === --- clang/test/Analysis/string.c +++ clang/test/Analysis/string.c @@ -1,10