[PATCH] D159105: [analyzer] ArrayBoundCheckerV2 should check the region for taint as well
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Wed Aug 30 02:32:07 PDT 2023
steakhal added a comment.
In D159105#4627724 <https://reviews.llvm.org/D159105#4627724>, @donat.nagy wrote:
> I was thinking about adding an improvement like this for the sake of consistency, but I fear that this might cause a surprising amount of false positives. (Did you test it on larger codebases?)
I'm just done backporting the first batch to our fork and scheduling a large-scale measurement.
But my gut instinct suggests there won't be too many new reports, as I believe "tainted" pointers shouldn't be really a thing, except for really exotic cases, like `scanf` a pointer - which is dubious at best in presence of ASLR.
> As far as I understand (correct me if I'm wrong), there are situations when TaintChecker marks the memory region of e.g. a returned string as tainted to mark that the //contents// of the region are unreliable. (There may be other more exotic situations when even the //pointer value// or the //extent// becomes unreliable e.g. your testcases where you `scanf` into a pointer.)
Taint can only bind to symbols, thus a memregion per-say cannot be tainted, only the "conjured address of it" or the "symbol bound to the pointee's/referred lvalue" can be tainted.
WDYM by "are unreliable" and "becomes unreliable"?
> I fear that the overzealous handling of tainted data would produce too many false positives in situations when code indexes strings that contain user input and the SA engine cannot understand the logic that calculates the indices. For example if I understand it correctly a function like
>
> char f(int n) {
> char *var = getenv("FOO");
> return var[n];
> }
>
> would be reported as an out of bounds memory access, because the region is tainted and the index value is not known. This is especially problematic on the underflow side (which is introduced by your commit), because I'd assume that it's common to have numeric values (e.g. function arguments) where the programmer knows that they're nonnegative, but the analyzer cannot deduce this.
To me, this is a TP. The envvar might not be present, and even if it's present, the relation of the string length of `var` to `n` is not expressed or checked; thus this deserves a report.
But I see your concern, however, I cannot think of valid counterexamples, aka. FPs off the top of my head. I'll come back once I see the real results.
> Also note that the error message "Out of bound memory access (index is tainted)" becomes misleading after this patch -- but don't spend too much time on resolving this, because right now I'm working on a complete rewrite the message generation to replace the current spartan messages with useful error reporting.
I agree, but I'm not sure how much more readable something more accurate like "the location where this pointer points to potentially depends on untrusted tainted data". (Note that this would also work for tainted indexes as well).
I must admit, that reporting and diagnostics were low priorities for this patch stack, so I'd focus on addressing logic concerns first for the whole stack and then come back to reporting to make it consistent across the stack.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D159105/new/
https://reviews.llvm.org/D159105
More information about the cfe-commits
mailing list