[PATCH] D155848: [clang][analyzer]Fix non-effective taint sanitation
Daniel Krupp via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Jul 21 07:11:29 PDT 2023
dkrupp updated this revision to Diff 542903.
dkrupp added a comment.
-formatting issues fixed
-sanitizecCmd changed to void
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D155848/new/
https://reviews.llvm.org/D155848
Files:
clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
clang/test/Analysis/Inputs/taint-generic-config.yaml
clang/test/Analysis/taint-generic.c
Index: clang/test/Analysis/taint-generic.c
===================================================================
--- clang/test/Analysis/taint-generic.c
+++ clang/test/Analysis/taint-generic.c
@@ -1010,7 +1010,8 @@
void myScanf(const char*, ...);
int myPropagator(int, int*);
int mySnprintf(char*, size_t, const char*, ...);
-bool isOutOfRange(const int*);
+bool isOutOfRange(const int*); // const filter function
+void sanitizeCmd(char*); // non-const filter function
void mySink(int, int, int);
void testConfigurationSources1(void) {
@@ -1044,6 +1045,19 @@
Buffer[x] = 1; // no-warning
}
+void testConfigurationFilterNonConst(void) {
+ char buffer[1000];
+ myScanf("%s", buffer); // makes buffer tainted
+ system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
+}
+
+void testConfigurationFilterNonConst2(void) {
+ char buffer[1000];
+ myScanf("%s", buffer); // makes buffer tainted
+ sanitizeCmd(buffer); // removes taintedness
+ system(buffer); // no-warning
+}
+
void testConfigurationSinks(void) {
int x = mySource1();
mySink(x, 1, 2);
Index: clang/test/Analysis/Inputs/taint-generic-config.yaml
===================================================================
--- clang/test/Analysis/Inputs/taint-generic-config.yaml
+++ clang/test/Analysis/Inputs/taint-generic-config.yaml
@@ -69,6 +69,11 @@
Scope: "myAnotherNamespace::"
Args: [0]
+ # char *str; // str is tainted
+ # sanitizeCmd(str) // str is not tainted anymore
+ - Name: sanitizeCmd
+ Args: [0]
+
# A list of sink functions
Sinks:
# int x, y; // x and y are tainted
Index: clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -926,7 +926,9 @@
});
/// Check for taint propagation sources.
- /// A rule is relevant if PropSrcArgs is empty, or if any of its signified
+ /// A rule will make the destination variables tainted if PropSrcArgs
+ /// is empty (taints the destination
+ /// arguments unconditionally), or if any of its signified
/// args are tainted in context of the current CallEvent.
bool IsMatching = PropSrcArgs.isEmpty();
std::vector<SymbolRef> TaintedSymbols;
@@ -949,6 +951,8 @@
}
});
+ // Early return for propagation rules which dont match.
+ // Matching propagations, Sinks and Filters will pass this point.
if (!IsMatching)
return;
@@ -975,10 +979,13 @@
Result = F.add(Result, I);
}
+ // Taint property gets lost if the variable is passed as a
+ // non-const pointer or reference to a function which is
+ // not inlined. For matching rules we want to preserve the taintedness.
// TODO: We should traverse all reachable memory regions via the
// escaping parameter. Instead of doing that we simply mark only the
// referred memory region as tainted.
- if (WouldEscape(V, E->getType())) {
+ if (WouldEscape(V, E->getType()) && getTaintedPointeeOrPointer(State, V)) {
LLVM_DEBUG(if (!Result.contains(I)) {
llvm::dbgs() << "PreCall<";
Call.dump(llvm::dbgs());
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D155848.542903.patch
Type: text/x-patch
Size: 3282 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20230721/fa01c4ff/attachment.bin>
More information about the cfe-commits
mailing list