[cfe-dev] Tainting adjacent variables
cmp xchg8b
f00fbugx86 at gmail.com
Mon Apr 22 08:33:24 PDT 2013
Hello!
I'm new to LLVM and am trying to build a checker for clang. In a program
like
void foo()
{
    int a;
    int b;
    int c;
    int d;
    doSomeThingWith(c);
    doSomeThingWith(a);
}
If doSomeThingWith(c) detects a problem with the value c, I want to taint
variables beyond c (aka c, b and a) so that when calling
doSomeThingWith(a), the function says "hey, this value is tainted but it
shouldn't".
I did something like:
const StackLocalsSpaceRegion *stackFrame =
    R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame());
// Note: addTaint() is const and returns a new ProgramStateRef; the returned
// state has to be kept (and passed to C.addTransition) or the taint is lost.
state = state->addTaint(dyn_cast<MemRegion>(stackFrame));
state = state->addTaint(stackFrame);
in checkLocation to say "hey, I want to taint the entire stack frame". And
then, I do the check in checkPreCall with:
if (State->isTainted(dyn_cast<MemRegion>(stackFrame)))
// bad
or
if (R && State->isTainted(dyn_cast<MemRegion>(R)))
std::cout << "Corrupted stack" << std::endl;
or
State->isTainted(R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame()))
But when I test my checker on a buggy program, the taint checking doesn't
work. Stack frames are not the same. If I only taint MemRegions, I
actually only taint a chunk of a variable (like a byte of a buffer). I
can't taint adjacent data. I can't say for example "I can overflow a buffer
by up to 12 bytes so I will taint the 12 bytes that follow that buffer,
aka the 3 4-byte integers that are above the buffer in the code".
Could you please give me some help doing that? What is the proper way to
taint / check the taint of the stack frame? How can I find adjacent
variables? (didn't find anything that fits in the Doxygen doc)
Thank you in advance!
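As an added illustration (not code from the post and not Clang's API), a stand-alone C++ model of the idea in the question: treat a frame as a byte range, place the locals at assumed declaration-order offsets, taint a run of bytes starting at the faulting variable, and report any variable whose bytes overlap that run. The layout (a at the highest address, later declarations below it) and the frame size are assumptions; Clang's StackLocalsSpaceRegion does not expose offsets this way.

```cpp
#include <cstddef>
#include <map>
#include <set>
#include <string>
#include <utility>

// Hypothetical frame model: each local occupies [lowest, lowest + size).
// Locals are placed downward from an assumed frame top in declaration order.
struct FrameModel {
    std::map<std::string, std::pair<std::size_t, std::size_t>> vars; // name -> (lowest byte, size)
    std::set<std::size_t> tainted;                                   // tainted byte offsets
    std::size_t top = 64;   // assumed frame size
    std::size_t used = 0;

    void declare(const std::string &name, std::size_t size) {
        used += size;
        vars[name] = std::make_pair(top - used, size);
    }

    // Taint `len` bytes starting at `var` and walking toward higher addresses,
    // i.e. the reach of an overflow that begins in `var`; clipped at the frame top.
    void taintUpwardFrom(const std::string &var, std::size_t len) {
        std::size_t start = vars.at(var).first;
        for (std::size_t b = start; b < start + len && b < top; ++b)
            tainted.insert(b);
    }

    // A variable is tainted if any of its bytes is tainted (partial overlap counts).
    bool isTainted(const std::string &name) const {
        std::pair<std::size_t, std::size_t> v = vars.at(name);
        for (std::size_t b = v.first; b < v.first + v.second; ++b)
            if (tainted.count(b))
                return true;
        return false;
    }
};

// The post's foo(): four 4-byte ints, a problem found in c with a 12-byte reach.
FrameModel overflowFromC(std::size_t reach) {
    FrameModel f;
    f.declare("a", 4);
    f.declare("b", 4);
    f.declare("c", 4);
    f.declare("d", 4);
    f.taintUpwardFrom("c", reach);   // marks c, b and a; d lies below c
    return f;
}
```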