[all-commits] [llvm/llvm-project] 343bdb: [analyzer] Show taint origin and propagation corre...

Daniel Krupp via All-commits all-commits at lists.llvm.org
Wed Apr 26 03:50:42 PDT 2023

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 343bdb10940cb2387c0b9bd3caccee7bb56c937b
  Author: Daniel Krupp <daniel.krupp at ericsson.com>
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
    M clang/include/clang/StaticAnalyzer/Checkers/Taint.h
    M clang/include/clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h
    M clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
    M clang/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
    M clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
    M clang/lib/StaticAnalyzer/Checkers/Taint.cpp
    M clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
    M clang/lib/StaticAnalyzer/Core/CommonBugCategories.cpp
    M clang/test/Analysis/taint-diagnostic-visitor.c
    M clang/test/Analysis/taint-tester.c

  Log Message:
  [analyzer] Show taint origin and propagation correctly

This patch improves the diagnostics of the alpha.security.taint.TaintPropagation
checker and taint related checkers by showing the "Taint originated here" note
at the correct place, where the attacker may inject it. This greatly improves
the understandability of the taint reports.

In the baseline the taint source was pointing to an invalid location, typically
somewhere between the real taint source and sink.

After the fix, the "Taint originated here" tag is correctly shown at the taint
source. This is the function call where the attacker can inject a malicious data
(e.g. reading from environment variable, reading from file, reading from
standard input etc.).

This patch removes the BugVisitor from the implementation and replaces it with 2
new NoteTags. One, in the taintOriginTrackerTag() prints the "taint originated
here" Note and the other in taintPropagationExplainerTag() explaining how the
taintedness is propagating from argument to argument or to the return value
("Taint propagated to the Xth argument"). This implementation uses the
interestingess BugReport utility to track back the tainted symbols through
propagating function calls to the point where the taintedness was introduced by
a source function call.

The checker which wishes to emit a Taint related diagnostic must use the
categories::TaintedData BugType category and must mark the tainted symbols as
interesting. Then the TaintPropagationChecker will automatically generate the
"Taint originated here" and the "Taint propagated to..." diagnostic notes.

More information about the All-commits mailing list