[clang] [clang][StaticAnalyzer] Adding getentropy to CStringChecker. (PR #83675)

via cfe-commits cfe-commits at lists.llvm.org
Fri Mar 22 06:13:07 PDT 2024 

================
@@ -2515,6 +2517,53 @@ void CStringChecker::evalSprintfCommon(CheckerContext &C, const CallEvent &Call,
   C.addTransition(State);
 }
 
+void CStringChecker::evalGetentropy(CheckerContext &C, const CallEvent &Call) const {
+  DestinationArgExpr Buffer = {{Call.getArgExpr(0), 0}};
+  SizeArgExpr Size = {{Call.getArgExpr(1), 1}};
+  ProgramStateRef State = C.getState();
+  SValBuilder &SVB = C.getSValBuilder();
+  SVal MaxLength = SVB.makeIntVal(256, C.getASTContext().IntTy);
+
+  SVal SizeVal = C.getSVal(Size.Expression);
+  QualType SizeTy = Size.Expression->getType();
+
+  ProgramStateRef StateZeroSize, StateNonZeroSize;
+  std::tie(StateZeroSize, StateNonZeroSize) =
+      assumeZero(C, State, SizeVal, SizeTy);
+
+  if (StateZeroSize) {
+    StateZeroSize = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
+                              SVB.makeZeroVal(C.getASTContext().IntTy));
+    C.addTransition(StateZeroSize);
+    return;
+  }
+
+  SVal Buff = C.getSVal(Buffer.Expression);
+  State = checkNonNull(C, StateNonZeroSize, Buffer, Buff);
+  if (!State)
+    return;
+
+  QualType cmpTy = C.getSValBuilder().getConditionType();
+  ProgramStateRef sizeAboveLimit, sizeNotAboveLimit;
+  std::tie(sizeAboveLimit, sizeNotAboveLimit) = State->assume(
+	 SVB
+	.evalBinOpNN(State, BO_GT, *SizeVal.getAs<NonLoc>(), *MaxLength.getAs<NonLoc>(), cmpTy)
+	.castAs<DefinedOrUnknownSVal>());
+  if (sizeAboveLimit) {
----------------
NagyDonat wrote:

```suggestion
  if (sizeAboveLimit && !sizeNotAboveLimit) {
```
In ambiguous situations (when both situations may be possible) the checkers must be lenient -- they should report errors only when they're certain that the error will happen. (Otherwise we'd get an overwhelming amount of false positives from the code parts where the analyzer doesn't know the values of the variables.)

The only exception is that if a value is marked as "tainted" (attacker controlled, see the GenericTaint checker which can mark values as tainted), then we assume the worst about it (if the situation is ambiguous and a tainted variable is involved, then we report an error). Some checkers are "taint aware" and incorporate this check into their logic, but it's perfectly fine if a checker is not (yet) taint aware, so you shouldn't bother with this (in this commit).

https://github.com/llvm/llvm-project/pull/83675

More information about the cfe-commits mailing list