[PATCH] D73536: [analyser][taint] Remove taint from symbolic expressions if used in comparisons

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Jan 28 02:42:18 PST 2020


steakhal created this revision.
steakhal added reviewers: NoQ, Szelethus.
steakhal added a project: clang.
Herald added subscribers: cfe-commits, JDevlieghere.
steakhal added a subscriber: boga95.

**Remove taint from symbolic expressions if used in comparison expressions.**

**Problem statement and background:**
TaintConfig was introduced by D59555 <https://reviews.llvm.org/D59555>.
In that config file users are able to specify functions (//sinks//) which emit warnings if tainted values are passed to them.
This is great, but we don't have the facilities to suppress those warnings.

Consider this example:

  int idx;
  scanf("%d", &idx);
  
  if (idx < 0 || 42 < idx) { // tainted
    return -1;
  }
  mySink(idx); // Warning {{Untrusted data is passed to a user-defined sink}}
  return idx;

Even though we know that at the point where `mySink` is called `idx` is properly constrained, `mySink` will emit a warning since `idx` holds a tainted value.

**Considered solutions:**
Describing value constraints in the taint config file is unfeasible.
We could loosen the rules for evaluating sink functions by checking taint only if the value is not constrained //enough//, but this would require a heuristic to decide that. I believe that no such heuristic would be satisfying.

**Provided solution:**
AFAIK the option we have left is to remove taint from certain symbolic expressions when a tainted expression occurs in a comparison expression. This could be fine-tuned by a heuristic, let's say:
- Remove taint if exactly one operand of the comparison is tainted.
- Ignore equality comparisons against null pointer constants.
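To make the two heuristic rules concrete, here is a small toy model added to this post (it is not Clang code; `SymVal`, `model_compare` and the three cases are constructed for illustration) that applies them to the `idx` example above and to two cases that must keep their taint:

```c
#include <stdbool.h>

/* Toy model: a symbolic value is a taint flag plus a "null pointer constant" marker. */
typedef struct {
    bool tainted;
    bool is_null_const;
} SymVal;

typedef enum { CMP_LT, CMP_GT, CMP_EQ, CMP_NE } CmpKind;

/* Apply the heuristic when `lhs <op> rhs` is evaluated:
 *  - remove taint only if exactly one operand is tainted;
 *  - ignore equality comparisons against a null pointer constant. */
static void model_compare(CmpKind op, SymVal *lhs, SymVal *rhs) {
    bool exactly_one_tainted = lhs->tainted != rhs->tainted;
    if (!exactly_one_tainted)
        return; /* both tainted or neither tainted: leave as-is */
    bool is_equality = (op == CMP_EQ || op == CMP_NE);
    if (is_equality && (lhs->is_null_const || rhs->is_null_const))
        return; /* e.g. `p == NULL`: keep the taint */
    lhs->tainted = false; /* only the tainted operand actually changes */
    rhs->tainted = false;
}

/* Sink check: true means the analyzer would report a warning here. */
static bool model_sink(const SymVal *v) { return v->tainted; }

/* Case 1: the idx example from the description; no warning expected. */
bool idx_example_warns(void) {
    SymVal idx = { true, false };            /* scanf result: tainted */
    SymVal zero = { false, false }, c42 = { false, false };
    model_compare(CMP_LT, &idx, &zero);      /* idx < 0 */
    model_compare(CMP_LT, &c42, &idx);       /* 42 < idx */
    return model_sink(&idx);                 /* false */
}

/* Case 2: both operands tainted; nothing is untainted. */
bool two_tainted_warns(void) {
    SymVal a = { true, false }, b = { true, false };
    model_compare(CMP_LT, &a, &b);
    return model_sink(&a);                   /* true */
}

/* Case 3: tainted pointer compared against NULL keeps its taint. */
bool null_check_warns(void) {
    SymVal p = { true, false }, null_const = { false, true };
    model_compare(CMP_EQ, &p, &null_const);
    return model_sink(&p);                   /* true */
}
```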


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D73536

Files:
  clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
  clang/lib/StaticAnalyzer/Checkers/Taint.cpp
  clang/lib/StaticAnalyzer/Checkers/Taint.h
  clang/test/Analysis/taint-tester.c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D73536.240800.patch
Type: text/x-patch
Size: 7173 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20200128/1c55deee/attachment-0001.bin>

