[cfe-dev] Questions on Clang DataflowSanitizer Taint Propagation

Jong-Ju Park via cfe-dev cfe-dev at lists.llvm.org
Tue Oct 11 14:25:27 PDT 2016


I have attached two C files.

The first one will be okay, whereas the second one will fail the assertions.

In the second one, it is important to note that dfsan_label bufRegionLabel1 = dfsan_read_label(&buf[someIndex], 1)
still works like it should despite being in a different function,
whereas bufRegionLabel2, 3, 4 do not.

Sincerely,

JongJu Park

----- Original Message -----
From: "Peter Collingbourne" <peter at pcc.me.uk>
To: "Jong-Ju Park" <jongjup at sfu.ca>
Cc: "cfe-dev" <cfe-dev at lists.llvm.org>, "Nick Sumner" <wsumner at sfu.ca>
Sent: Tuesday, October 11, 2016 9:43:07 AM
Subject: Re: [cfe-dev] Questions on Clang DataflowSanitizer Taint Propagation

It may be a bug, but unless you can provide a *self contained* example that
I can easily run (i.e. a main function, not just code snippets), I can't
help you.

Peter

On Tue, Oct 11, 2016 at 3:37 AM, Jong-Ju Park <jongjup at sfu.ca> wrote:

> Dear Peter:
>
> Thank you for taking the time to respond!
>
> Consider the following code:
>
> --------------------------------------------------------------------
>
> //buf is some heap array of unsigned 8-bit integers
>
> // labels is a global pointer to dfsan_label
> labels = malloc(sizeof(*labels) * something);
>
> int index;
>
> for (index = 0; index < something; index++) {
>     char* desc;
>     asprintf(&desc, "%d", index);
>     dfsan_label byteLabel = dfsan_create_label(desc, 0);
>     dfsan_set_label(byteLabel, &buf[index], 1);
>     labels[index] = byteLabel;
> }
>
>
> /* The code below will behave differently depending on
>  * whether it is within the same function as the for-loop or not
>  *
>  */
>
> //-----------------START---------------------------
>
> uint8_t copy = buf[someIndex];
>
> dfsan_label bufRegionLabel1 = dfsan_read_label(&buf[someIndex], 1);
> dfsan_label bufRegionLabel2 = dfsan_get_label(buf[someIndex]);
> dfsan_label bufRegionLabel3 = dfsan_read_label(&copy, 1);
> dfsan_label bufRegionLabel4 = dfsan_get_label(copy);
>
> assert (bufRegionLabel1 == bufRegionLabel2);
> assert (bufRegionLabel2 == bufRegionLabel3);
> assert (bufRegionLabel3 == bufRegionLabel4);
>
> //-----------------END--------------------------
>
> /* The code above will behave differently depending on
>  * whether it is within the same function as the for-loop or not
>  */
>
> -------------------------------------------------------------------------
>
> The 4 labels, bufRegionLabel1, bufRegionLabel2, bufRegionLabel3, and
> bufRegionLabel4, are indeed identical if you have those lines within the
> same function as the above for-loop; however, if you have them in a
> *different* function (of course, assuming that you pass buf into that
> function), then bufRegionLabel2, bufRegionLabel3, and bufRegionLabel4 will
> all have (null) and (nil) label and data. Only bufRegionLabel1 will work
> as expected.
>
> Why is this so? What is going on?
>
>
> Sincerely,
>
> JongJu Park
>



-- 
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: taint_prop_1.c
Type: text/x-c++src
Size: 1305 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161011/e2aee9ab/attachment.c>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: taint_prop_2.c
Type: text/x-c++src
Size: 1349 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161011/e2aee9ab/attachment-0001.c>

