<div dir="ltr"><div>Thank you for the clarification, Artem.<br><br></div>I'm going to have a look into that.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Artem Dergachev <<a href="mailto:noqnoqneo@gmail.com">noqnoqneo@gmail.com</a>> wrote (on 11 Feb 2020, Tue, 17:27):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">It's not much of a limitation, just a bug. When `scanf` produces a <br>
default conjured symbol binding in the buffer, this is *the* symbol that <br>
should carry the taint; all derived symbols will automatically be <br>
treated as tainted. If we're being even more precise and consider the <br>
length of the scanned string, then the derived symbol will need to carry <br>
partial taint (i.e., specify TaintedSubRegions such that derived<conj, <br>
R> is tainted iff R is a TaintedSubRegion of buf for conj). I.e., what <br>
I'm saying is that RegionStore is more-or-less flexible enough to <br>
implement this correctly, it's only a matter of getting this done. Those <br>
string functions are just too many and each of them requires individual <br>
attention.<br>
<br>
On 2/10/20 2:43 PM, Balázs Benics via cfe-dev wrote:<br>
> I made the following test case for checking the modeling of taint <br>
> propagation on the `strcpy` function.<br>
> As I observed, only the first byte of the array became tainted, even <br>
> though all bytes should be treated as tainted.<br>
> In the test, you can see my expectations and the actual result.<br>
><br>
> ```<br>
> // Declarations as used in the analyzer test suite (no system headers);<br>
> // clang_analyzer_isTainted_char is provided by debug.ExprInspection.<br>
> int scanf(const char *format, ...);<br>
> char *strcpy(char *dst, const char *src);<br>
> void clang_analyzer_isTainted_char(char);<br>
> <br>
> void strcpy_unbounded_tainted_buffer(char *buf) {<br>
>   scanf("%s", buf);<br>
> <br>
>   char dst[32];<br>
>   strcpy(dst, buf);                       // expected---vvv  vvv--- actual<br>
>   clang_analyzer_isTainted_char(dst[0]);  // expected-warning{{YES}}  YES<br>
>   clang_analyzer_isTainted_char(dst[1]);  // expected-warning{{YES}}  NO<br>
>   clang_analyzer_isTainted_char(dst[31]); // expected-warning{{YES}}  NO<br>
> }<br>
> <br>
> void strcpy_bounded_tainted_buffer(char *buf) {<br>
>   scanf("%s", buf);<br>
>   buf[10] = '\0';<br>
>   clang_analyzer_isTainted_char(buf[0]);  // expected-warning{{YES}}  YES<br>
>   clang_analyzer_isTainted_char(buf[1]);  // expected-warning{{YES}}  NO<br>
>   clang_analyzer_isTainted_char(buf[10]); // expected-warning{{NO}}   NO<br>
>   clang_analyzer_isTainted_char(buf[20]); // expected-warning{{YES}}  NO<br>
> <br>
>   char dst[32];<br>
>   strcpy(dst, buf);<br>
>   clang_analyzer_isTainted_char(dst[0]);  // expected-warning{{YES}}  YES<br>
>   clang_analyzer_isTainted_char(dst[1]);  // expected-warning{{YES}}  NO<br>
>   clang_analyzer_isTainted_char(dst[10]); // expected-warning{{NO}}   NO<br>
>   clang_analyzer_isTainted_char(dst[20]); // expected-warning{{NO}}   NO<br>
> }<br>
> ```<br>
><br>
> Some clarification about `TaintedSubRegions` and tainting <br>
> `nonloc::LazyCompoundVal`s would also be helpful since it might be <br>
> related to this topic.<br>
><br>
> What are the reasons for this limitation on modeling taintedness <br>
> regarding arrays?<br>
><br>
><br>
> Background and expectation:<br>
> This change would be the first step in migrating the diagnostic-emitting <br>
> parts of the `GenericTaintChecker`.<br>
> Eg.: `checkUncontrolledFormatString`, `checkSystemCall`, <br>
> `checkTaintedBufferSize`.<br>
> As a result, multiple checkers will consume taintedness information <br>
> for reporting warnings in the future and letting the <br>
> `GenericTaintChecker` do only modeling and propagation.<br>
><br>
> Regards, Balazs.<br>
><br>
> _______________________________________________<br>
> cfe-dev mailing list<br>
> <a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
> <a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
<br>
</blockquote></div>
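<div>The byte-level semantics Artem describes (the conjured symbol scanf binds as the buffer's default value is the one that carries the taint, derived&lt;conj, R&gt; symbols inherit it, and a TaintedSubRegions entry restricts which offsets stay tainted) can be tried out in a small model. The block below is an added example written for this page; it is not Clang's RegionStore or any code from the thread, and all of its names (Conjured, Derived, Buffer, TaintState, scanf_s, strcpy_model) are invented. It replays the two test functions from Balázs's message and checks them against the "expected" column; the scanf("%5s") case is an extra added here to exercise the partial-taint path, which the thread only describes.</div>

```python
# Toy model of byte-granular taint on a buffer written by scanf, following the
# semantics described in the thread. Illustrative only: not Clang's RegionStore,
# and every name below is invented for this example.
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass(frozen=True)
class Conjured:
    """Symbol conjured for the whole buffer contents (here: by scanf)."""
    name: str


@dataclass(frozen=True)
class Derived:
    """derived<conj, offset>: the byte at `offset` of a conjured value."""
    parent: Conjured
    offset: int


@dataclass(frozen=True)
class Uninit:
    """A byte that was never written; never tainted."""


Value = Union[Conjured, Derived, Uninit, int]  # int = concrete byte, e.g. 0


class TaintState:
    def __init__(self) -> None:
        # conjured symbol -> tainted offsets; None means "every offset"
        self._tainted: Dict[Conjured, Optional[range]] = {}

    def add_taint(self, sym: Conjured, sub: Optional[range] = None) -> None:
        self._tainted[sym] = sub

    def is_tainted(self, v: Value) -> bool:
        if isinstance(v, Conjured):
            return v in self._tainted
        if isinstance(v, Derived):          # derived<conj, R> is tainted iff
            if v.parent not in self._tainted:   # conj is tainted and R lies in
                return False                    # its tainted sub-region
            sub = self._tainted[v.parent]
            return sub is None or v.offset in sub
        return False                        # concrete / uninitialised bytes


class Buffer:
    """A char array: explicit per-offset bindings over one default binding."""
    def __init__(self, size: Optional[int] = None) -> None:
        self.size = size
        self.explicit: Dict[int, Value] = {}
        self.default: Optional[Conjured] = None

    def read(self, i: int) -> Value:
        if i in self.explicit:
            return self.explicit[i]
        if self.default is not None:
            return Derived(self.default, i)
        return Uninit()


def scanf_s(state: TaintState, buf: Buffer, name: str,
            width: Optional[int] = None) -> None:
    """scanf("%s", buf), or scanf("%<width>s", buf) when width is given.
    The conjured symbol becomes the default binding and carries the taint;
    with a width only offsets 0..width-1 can hold scanned bytes (the '\\0'
    scanf appends is not attacker data), so the taint is partial. The width
    variant is an addition for this example, not a case from the thread."""
    conj = Conjured(name)
    buf.explicit.clear()
    buf.default = conj
    state.add_taint(conj, None if width is None else range(width))


def strcpy_model(dst: Buffer, src: Buffer) -> None:
    """Copy src into dst up to the first *known* NUL. Without a known
    terminator the copy is unbounded and every dst byte becomes the matching
    derived byte of src, so taint covers all of dst."""
    dst.explicit.clear()
    dst.default = None
    for i in range(dst.size):
        v = src.read(i)
        dst.explicit[i] = v
        if isinstance(v, int) and v == 0:
            return


def unbounded_case() -> Dict[str, bool]:
    """Mirrors strcpy_unbounded_tainted_buffer from the thread."""
    st, buf, dst = TaintState(), Buffer(), Buffer(32)
    scanf_s(st, buf, "conj_buf")
    strcpy_model(dst, buf)
    return {f"dst[{i}]": st.is_tainted(dst.read(i)) for i in (0, 1, 31)}


def bounded_case() -> Dict[str, bool]:
    """Mirrors strcpy_bounded_tainted_buffer: buf[10] = '\\0' before strcpy."""
    st, buf, dst = TaintState(), Buffer(), Buffer(32)
    scanf_s(st, buf, "conj_buf")
    buf.explicit[10] = 0                    # concrete, untainted terminator
    strcpy_model(dst, buf)
    out = {f"buf[{i}]": st.is_tainted(buf.read(i)) for i in (0, 1, 10, 20)}
    out.update({f"dst[{i}]": st.is_tainted(dst.read(i)) for i in (0, 1, 10, 20)})
    return out


def width_case() -> Dict[str, bool]:
    """scanf("%5s", buf) then strcpy: partial taint through a sub-region."""
    st, buf, dst = TaintState(), Buffer(), Buffer(32)
    scanf_s(st, buf, "conj_buf", width=5)
    strcpy_model(dst, buf)
    return {f"dst[{i}]": st.is_tainted(dst.read(i)) for i in (0, 4, 5, 20)}
```

<div>Two details of the model are the ones worth carrying over to the real checker: writing a concrete '\0' at buf[10] does not untaint buf[20] (the bytes after it still come from the scanned input), while dst[20] after strcpy is untainted only because the copy stopped at the known terminator, not because the taint was dropped.</div>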