[cfe-dev] Tainting adjacent variables

cmp xchg8b f00fbugx86 at gmail.com
Mon Apr 22 08:33:24 PDT 2013


Hello!

I'm new to LLVM and am trying to build a checker for clang. In a program
like

void doSomeThingWith(int v); /* declared so the fragment compiles on its own */

void foo()
{
    int a;
    int b;
    int c;
    int d;
    doSomeThingWith(c);
    doSomeThingWith(a);
}

If doSomeThingWith(c) detects a problem with the value c, I want to taint
variables beyond c (aka c, b and a) so that when calling
doSomeThingWith(a), the function says "hey, this value is tainted but it
shouldn't".

I did something like :

// In checkLocation: taint the stack-locals region of the current frame.
const StackLocalsSpaceRegion *stackFrame =
    R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame());

// ProgramState is immutable: addTaint() returns a new state, which has to be
// kept and handed back to the CheckerContext, otherwise nothing is recorded.
// StackLocalsSpaceRegion already is a MemRegion, so no dyn_cast is needed.
ProgramStateRef state = C.getState();
state = state->addTaint(stackFrame);
C.addTransition(state);

in checkLocation to say "hey, I want to taint the entire stack frame". And
then, I do the check in checkPreCall with :

if (State->isTainted(stackFrame)) // the region is a MemRegion; no cast needed
  // bad

or

if (R && State->isTainted(R)) // R is already a const MemRegion *
  std::cout << "Corrupted stack" << std::endl; // needs #include <iostream>

or

State->isTainted(R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame()))


But when I test my checker on a buggy program, the taint checking doesn't
work. Stack frames are not the same. If I only taint MemRegions, I
actually only taint a chunk of a variable (like a byte of a buffer); I
can't taint adjacent data. I can't say, for example, "I can overflow a buffer
by up to 12 bytes, so I will taint the 12 bytes that follow that buffer,
aka the three 4-byte integers that are above the buffer in the code".

Could you please give me some help doing that? What is the proper way to
taint / check the taint of the stack frame? How can I find adjacent
variables? (I didn't find anything that fits in the Doxygen docs.)

Thank you in advance!
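Editor's note: the following is an added illustration, not code from the post and not part of Clang. It models the "12 bytes past the buffer hit the three 4-byte integers" reasoning in plain C so the adjacency question can be seen concretely. Assumptions: the frame is stood in for by a constructed struct (an 8-byte buffer followed by a, b, c), because a struct gives a defined relative layout whereas a compiler orders real stack slots as it likes, and the analyzer's VarRegions for distinct locals carry no such layout at all. Names (frame_model, locals_hit_by_overflow, simulate_overflow) and the 0x41 payload are the editor's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the frame of foo(): an 8-byte buffer followed by
 * the three 4-byte integers that sit "above" it. A struct is used so the
 * relative layout is well defined by the language (assumption: this is only
 * a model; a real compiler may reorder or drop stack slots). */
struct frame_model {
    char buf[8];
    int a;
    int b;
    int c;
};

struct local_desc {
    const char *name;
    size_t offset;   /* byte offset inside struct frame_model */
    size_t size;
};

#define LOCAL(field) { #field, offsetof(struct frame_model, field), \
                       sizeof(((struct frame_model *)0)->field) }

/* Table index doubles as the bit position in the masks returned below. */
static const struct local_desc LOCALS[] = {
    LOCAL(buf), LOCAL(a), LOCAL(b), LOCAL(c),
};
#define NUM_LOCALS (sizeof LOCALS / sizeof LOCALS[0])

/* Bitmask of the locals whose storage overlaps the byte range that an
 * overflow of `overflow_bytes` past the end of local `src` would write.
 * A partially covered local counts: one clobbered byte corrupts it. */
unsigned locals_hit_by_overflow(size_t src, size_t overflow_bytes)
{
    size_t start = LOCALS[src].offset + LOCALS[src].size;
    size_t end = start + overflow_bytes;
    if (end > sizeof(struct frame_model))
        end = sizeof(struct frame_model);  /* the model ends with the frame */

    unsigned mask = 0;
    for (size_t i = 0; i < NUM_LOCALS; i++) {
        if (i == src)
            continue;
        size_t lo = LOCALS[i].offset, hi = lo + LOCALS[i].size;
        if (lo < end && hi > start)
            mask |= 1u << i;
    }
    return mask;
}

/* Concrete counterpart: zero the frame, then write buf plus `overflow_bytes`
 * more with 0x41 and look at which integers changed. The write stays inside
 * the struct object, so unlike a real stack smash this is well-defined C.
 * Returns the total number of bytes written (buf included). */
size_t simulate_overflow(struct frame_model *f, size_t overflow_bytes)
{
    memset(f, 0, sizeof *f);
    size_t start = offsetof(struct frame_model, buf);
    size_t end = start + sizeof f->buf + overflow_bytes;
    if (end > sizeof *f)
        end = sizeof *f;
    memset((unsigned char *)f + start, 0x41, end - start);
    return end - start;
}

int main(void)
{
    for (size_t k = 0; k <= 12; k += 4) {
        unsigned mask = locals_hit_by_overflow(0, k);
        printf("overflow of %2zu bytes past buf taints:", k);
        for (size_t i = 0; i < NUM_LOCALS; i++)
            if (mask & (1u << i))
                printf(" %s", LOCALS[i].name);
        printf("\n");
    }

    struct frame_model f;
    simulate_overflow(&f, 12);
    printf("after a 12-byte overflow: a=%#x b=%#x c=%#x\n",
           (unsigned)f.a, (unsigned)f.b, (unsigned)f.c);
    return 0;
}
```

The point of the model is the input it needs: an offset and a size per local. That is layout information the static analyzer does not attach to separate VarRegions, so "taint the 12 bytes after the buffer" has no region to name; a checker that wants this has to decide for itself which locals it considers adjacent (for example, every local declared in the same scope, or every local passed to the sink) and taint those regions explicitly.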