[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

Artem Dergachev via cfe-commits cfe-commits at lists.llvm.org
Mon Sep 25 12:37:32 PDT 2023


haoNoQ wrote:

#61826 has my data (which I unfortunately couldn't publish as-is, but the order of magnitude is, around 300 reports).

My main problem with the tainted-number checkers is that they don't consider constraints at all. E.g., this is clearly a false positive:
```c
char buf[100];
size_t size = tainted();
if (size > 100)
  return;
memset(buf, 0, size); // EnTrUsTeD DAtA Is UsEd TO sPeCiFY BuFfER SiZe
```

This applies to this checker and the VLA checker that gets turned on when you enable the taint checker (it's already enabled but it never fires because there isn't any taint information in the state). 

> Untrusted data is used to specify the buffer size

The report may be technically correct but I think the entire idea of the checker never made sense in the first place. It doesn't matter that untrusted data is used to specify buffer size once; it matters that data with _different levels of trust_, or _coming from different sources_, is used to specify size of the same buffer _on different occasions_.

It's fine to allocate a buffer of tainted size and then copy exactly that many bytes into it. It's not fine to allocate a buffer of fixed size and copy tainted amount of data into it. It's not fine to allocate a buffer of tainted size and copy a fixed amount of data into it.

So I think this checker has to stay in alpha until it can be reworked to make sense.

https://github.com/llvm/llvm-project/pull/67352
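The three buffer/copy pairings from the message above, as an added C example (not code from the thread or from the checker): a hypothetical `bounded_copy` helper enforces the capacity constraint that the tainted-size checkers ignore, so only the pairings where the copy length can exceed the buffer's real capacity are rejected. `sample_input` and the case functions are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for attacker-controlled bytes (e.g. a network payload). */
static const uint8_t sample_input[32] = {0};

/* Copy `len` bytes into `dst` only if they fit in `dst_cap` bytes.
 * Returns 0 on success, -1 when the length exceeds the destination capacity.
 * This is the constraint a checker should track: after this test,
 * `len <= dst_cap` holds on the path that reaches memcpy. */
static int bounded_copy(void *dst, size_t dst_cap, const void *src, size_t len) {
    if (len > dst_cap)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Pairing 1: buffer of tainted size, copy exactly that many bytes.
 * Capacity and length are the same value, so the copy always fits. */
int tainted_alloc_tainted_copy(size_t tainted_len) {
    uint8_t *buf = malloc(tainted_len ? tainted_len : 1);  /* real code also caps tainted_len */
    if (!buf)
        return -1;
    int rc = bounded_copy(buf, tainted_len, sample_input, tainted_len);
    free(buf);
    return rc;  /* 0 for any tainted_len that malloc accepts */
}

/* Pairing 2: fixed-size buffer, tainted amount copied.
 * Overflows unless the tainted length is checked against the fixed capacity. */
int fixed_alloc_tainted_copy(size_t tainted_len) {
    uint8_t buf[16];
    return bounded_copy(buf, sizeof buf, sample_input, tainted_len);
}

/* Pairing 3: tainted-size buffer, fixed amount copied.
 * Overflows when the tainted size is smaller than the fixed length. */
int tainted_alloc_fixed_copy(size_t tainted_len) {
    static const uint8_t header[8] = {'H', 'D', 'R', 0, 0, 0, 0, 1};
    uint8_t *buf = malloc(tainted_len ? tainted_len : 1);
    if (!buf)
        return -1;
    int rc = bounded_copy(buf, tainted_len, header, sizeof header);
    free(buf);
    return rc;
}
```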