[cfe-dev] Static Analyzer Rocks Hard
kremenek at apple.com
Mon Jun 23 10:15:04 PDT 2008
On Jun 23, 2008, at 9:05 AM, Török Edwin wrote:
> Not handling allocation failures can lead to security holes if the
> parameter to malloc
> can be somehow controlled by an attacker.
I'm inclined to believe that this is a slightly orthogonal issue,
although your point is well-taken. The security bug comes from using
an untrusted value as the size argument to malloc. While checking for
malloc failure might indirectly handle some of these issues, it
doesn't really address the original security problem, as the untrusted
data could be used to wreck havoc in other ways.
The more complete way to catch these bugs (and potentially verify
their absence) is to flag dangerous uses of untrusted data: using it
as a size parameter to malloc, using it as an array index, and so on.
My point here is that not checking for malloc failure is not
inherently a security bug.
> However in practice most allocations are unchecked leading to huge
> number of warnings, so I think it would be best
> to have an option to toggle checking for malloc failures.
> Or classify them differently so you can filter the errors from the
> null dereference on allocation failure, uninitialized value on
> allocation failure, ...
I agree. I think it all depends on the particular goals of the
programmer for the application they are writing.
The reality is that most code doesn't check to see if allocation
fails. In such cases, I don't believe that programmers are interested
in seeing warnings from a tool that involve allocation failure. When
some warnings systematically become noise to the user, they really do
compromise the value of the bug-finding tool.
For those who want to be particularly vigilant about their code (at
least as far as memory allocation failure is concerned), there
certainly should be an option to either have the analyzer perform more
aggressive checking (i.e., assume malloc can fail) or have the
interface for inspecting bugs allow users to filter which bug reports
they see based on whether or not the bug assumes malloc fails, etc.
More information about the cfe-dev