[cfe-commits] r144826 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp test/Analysis/taint-generic.c

Anna Zaks ganna at apple.com
Wed Nov 16 11:58:17 PST 2011


Author: zaks
Date: Wed Nov 16 13:58:17 2011
New Revision: 144826

URL: http://llvm.org/viewvc/llvm-project?rev=144826&view=rev
Log:
[analyzer] Catch the first taint propagation implied buffer overflow.

Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows
when the offset is tainted. Previously, we did not report bugs when the state was
underconstrained (not enough information about the bound to determine if there is
an overflow) to avoid false positives. However, if we know that the buffer
offset is tainted - comes in from the user space and can be anything, we should
report it as a bug.

+ The very first example of us catching a taint related bug.
This is the only example we can currently handle. More to come...
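As an added illustration, not code from this commit or from clang itself: the bug shape the new check targets (an array index taken straight from untrusted input, as in the `Buffer[n]` test case below) next to a hardened form whose explicit range test is the constraint the analyzer needs to rule out the overflowing path. The function names (`tainted_store`, `parse_index`, `safe_store`, `buffer_at`) and the sample inputs are mine.

```c
/* Added example, not part of r144826. Names and inputs are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 10
static int Buffer[BUFSIZE];

/* Vulnerable shape, mirroring the test case in this commit: n is whatever the
 * caller (ultimately the user, via scanf) supplied, and nothing constrains it
 * before it is used as an index. Never call this with an out-of-range n. */
void tainted_store(int n)
{
    Buffer[n] = 1;
}

/* Parse a decimal index from untrusted text without scanf("%d"): strtol reports
 * overflow through ERANGE instead of silently wrapping, and we reject empty
 * input, strings that contain no digits, and trailing junk.
 * Returns 0 on success and -1 on rejection. */
int parse_index(const char *text, long *out)
{
    char *end = NULL;
    long v;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Hardened shape: the range test is exactly the constraint the analyzer needs
 * to drop the out-of-bounds state. Both directions are checked, since a
 * negative index underflows the array just as a large one overflows it.
 * Returns 1 if the store happened and 0 if the input was rejected. */
int safe_store(const char *text)
{
    long n;

    if (parse_index(text, &n) != 0)
        return 0;
    if (n < 0 || n >= BUFSIZE)
        return 0;
    Buffer[n] = 1;
    return 1;
}

/* Read back a slot (-1 for an out-of-range slot) so callers can verify stores. */
int buffer_at(int i)
{
    return (i >= 0 && i < BUFSIZE) ? Buffer[i] : -1;
}

int main(void)
{
    /* Constructed inputs: in range, one past the end, negative, non-numeric,
     * larger than LONG_MAX, and empty. */
    const char *inputs[] = { "3", "10", "-1", "abc", "99999999999999999999", "" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %s\n", inputs[i],
               safe_store(inputs[i]) ? "stored" : "rejected");
    return 0;
}
```

The `n < 0 || n >= BUFSIZE` test is the kind of condition that splits the analyzer's state into a feasible within-bound path and an infeasible exceed path, which is why the hardened version produces no report even though `n` still originates from tainted input.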

Added:
    cfe/trunk/test/Analysis/taint-generic.c
Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp?rev=144826&r1=144825&r2=144826&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp Wed Nov 16 13:58:17 2011
@@ -153,9 +153,17 @@
     const ProgramState *state_exceedsUpperBound, *state_withinUpperBound;
     llvm::tie(state_exceedsUpperBound, state_withinUpperBound) =
       state->assume(*upperboundToCheck);
+
+    // If we are under constrained and the index variables are tainted, report.
+    if (state_exceedsUpperBound && state_withinUpperBound) {
+      if (state->isTainted(rawOffset.getByteOffset()))
+        reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
+        return;
+    }
   
-    // Are we constrained enough to definitely exceed the upper bound?
-    if (state_exceedsUpperBound && !state_withinUpperBound) {
+    // If we are constrained enough to definitely exceed the upper bound, report.
+    if (state_exceedsUpperBound) {
+      assert(!state_withinUpperBound);
       reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
       return;
     }
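Review bot: the `return;` after `reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);` in the new under-constrained block is indented as though it belonged to the inner `if (state->isTainted(...))`, but there are no braces, so it runs unconditionally. That unconditional return is in fact what the `assert(!state_withinUpperBound)` in the next block relies on (a both-states-feasible case that fell through would trip it), so please make the intent visible: either dedent the `return;` to the outer block, or brace the inner `if` body so a reader does not have to reason about the assert to see which is meant. Two related points: before this change an under-constrained, untainted access fell through past both checks (the old condition was `state_exceedsUpperBound && !state_withinUpperBound`), whereas it now returns early, so whatever followed these checks no longer runs for that case; please confirm that is intended rather than a side effect of keeping the assert true. And the tainted report reuses `OOB_Excedes`, so the diagnostic reads the same as a proven overflow although the state is only under-constrained; a separate kind whose message says the index is tainted would describe the finding more accurately.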
@@ -277,9 +285,9 @@
         offset = addValue(state,
                           getValue(offset, svalBuilder),
                           scaleValue(state,
-                                     cast<NonLoc>(index),
-                                     astContext.getTypeSizeInChars(elemType),
-                                     svalBuilder),
+                          cast<NonLoc>(index),
+                          astContext.getTypeSizeInChars(elemType),
+                          svalBuilder),
                           svalBuilder);
 
         if (offset.isUnknownOrUndef())
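Review bot: this hunk is whitespace only and makes the alignment worse: `cast<NonLoc>(index)`, `astContext.getTypeSizeInChars(elemType)` and `svalBuilder` previously lined up under the opening paren of `scaleValue(` and are now flush with the `offset = addValue(` continuation, so they read as arguments of `addValue` rather than of `scaleValue`. Either keep the original alignment or leave the whitespace change out of a functional commit.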

Added: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=144826&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (added)
+++ cfe/trunk/test/Analysis/taint-generic.c Wed Nov 16 13:58:17 2011
@@ -0,0 +1,14 @@
+// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -verify %s
+
+int scanf(const char *restrict format, ...);
+int getchar(void);
+
+#define BUFSIZE 10
+
+int Buffer[BUFSIZE];
+void bufferFoo1(void)
+{
+  int n;
+  scanf("%d", &n);
+  Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
+}
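Review bot: the test covers only the positive case. Since the new path in ArrayBoundCheckerV2 returns early for every under-constrained access, please add a no-warning case with an unconstrained but untainted index (for example a function parameter used as `Buffer[n]` with no `expected-warning`), so that a regression in the taint test cannot silently turn into a warning on every unconstrained index. `getchar` is declared but never used in this file; drop the declaration unless a case uses it. Minor: the trailing space inside `{{Out of bound memory access }}` only matches because `-verify` compares against a substring of the full message; matching the text without the trailing space is less brittle.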




