[cfe-dev] Possible inconsistency in DataFlowSanitizer label propagation

Jong-Ju Park via cfe-dev cfe-dev at lists.llvm.org
Tue Oct 18 11:05:59 PDT 2016


Hello all,

I have two cases to present: an isolated test case handwritten by me (taint_prop_1.c),
and the source of the ping utility from a Debian package dated 2012-12-21
(the actual tests are located around lines 795~834 in ping.c;
ping_common.c, SNAPSHOT.h, and ping_common.h are needed for compiling, though).

Compile ping with clang -fsanitize=dataflow ping.c ping_common.c SNAPSHOT.h ping_common.h
Compile taint_prop_1.c with clang -fsanitize=dataflow taint_prop_1.c

The exact same test case has been applied to both programs, 
but one passes whereas the other does not. For ping, go to ping.c, lines 795~834.

Let me describe the situation at hand.

When you receive a datagram in a byte array and extract the fields,
the ICMP header portion typically begins 20 bytes in (assume no IP options),
so the ICMP type field sits at the 21st byte (offset 20).
It can be extracted either by indexing the array or
by casting the array to struct icmphdr* and reading the "type" field of the structure.

Now, after marking all bytes, I want to see how the labels propagate
after assigning the tainted portions to different variables.
In taint_prop_1.c, the labels propagate as expected;
however, in ping.c, the label information appears to have been wiped out along the way,
or the labels fail to propagate properly: the descriptions of the labels return "null".


I don't think 84 labels is too many for the framework, is it?

In the case of DataFlowSanitizer, what can cause labels to not be propagated properly?
What can cause the description and the data to be "lost" during the propagation process?

Thank you for looking into this!


Sincerely,

JongJu Park
-------------- next part --------------
Attachments (non-text, scrubbed by the list archive):
  ping.c          text/x-c++src  35732 bytes  <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161018/58f89fe0/attachment.c>
  taint_prop_1.c  text/x-c++src   2024 bytes  <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161018/58f89fe0/attachment-0001.c>
  ping_common.c   text/x-c++src  24426 bytes  <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161018/58f89fe0/attachment-0002.c>
  SNAPSHOT.h      text/x-chdr       38 bytes  <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161018/58f89fe0/attachment.h>
  ping_common.h   text/x-chdr     7754 bytes  <http://lists.llvm.org/pipermail/cfe-dev/attachments/20161018/58f89fe0/attachment-0001.h>
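The experiment the post describes (label every byte of an 84-byte datagram, extract the ICMP type at offset 20 both by array index and by struct cast, then check which extraction still carries the byte's label and whether its description is readable), written out as an added, self-contained example. This is not code from the original post, from taint_prop_1.c, or from the ping sources. Assumptions: the DFSan prototypes are the 2016-era ones from sanitizer/dfsan_interface.h (16-bit labels, dfsan_create_label, dfsan_get_label_info), declared here as weak symbols so the file also builds and runs without -fsanitize=dataflow (the label checks are then skipped); struct icmp_hdr is a local stand-in for the leading fields of struct icmphdr; the packet bytes and the "byteN" label names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 2016-era DataFlowSanitizer runtime API (assumed to match
 * sanitizer/dfsan_interface.h of that time). Declared weak so the program
 * links without -fsanitize=dataflow; then the symbols are NULL and the
 * label checks are skipped. Later LLVM releases changed this API
 * (8-bit labels, no dfsan_create_label / dfsan_get_label_info). */
typedef uint16_t dfsan_label;
struct dfsan_label_info { dfsan_label l1, l2; const char *desc; void *userdata; };
extern dfsan_label dfsan_create_label(const char *desc, void *userdata) __attribute__((weak));
extern void dfsan_set_label(dfsan_label label, void *addr, size_t size) __attribute__((weak));
extern dfsan_label dfsan_read_label(const void *addr, size_t size) __attribute__((weak));
extern int dfsan_has_label(dfsan_label label, dfsan_label elem) __attribute__((weak));
extern const struct dfsan_label_info *dfsan_get_label_info(dfsan_label label) __attribute__((weak));

#define IP_HDR_LEN 20   /* IPv4 header without options */
#define PKT_LEN    84   /* 20-byte IP header + 64-byte ICMP echo, as ping sends it */

/* Local stand-in for the leading fields of struct icmphdr: type is byte 0. */
struct icmp_hdr { uint8_t type; uint8_t code; uint16_t checksum; uint16_t id; uint16_t seq; };

/* Method 1 from the post: index the byte array directly. */
uint8_t icmp_type_by_index(const uint8_t *p) { return p[IP_HDR_LEN]; }

/* Method 2 from the post: cast the ICMP portion to a header struct. */
uint8_t icmp_type_by_struct(const uint8_t *p)
{
    const struct icmp_hdr *h = (const struct icmp_hdr *)(p + IP_HDR_LEN);
    return h->type;
}

/* Constructed sample datagram (not captured traffic): IPv4 header, then an
 * ICMP echo request (type 8, code 0) with a 56-byte payload; checksums are 0. */
uint8_t pkt[PKT_LEN] __attribute__((aligned(4)));

void build_packet(void)
{
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                 /* version 4, IHL 5 (20 bytes) */
    pkt[9] = 1;                    /* protocol: ICMP */
    pkt[IP_HDR_LEN + 0] = 8;       /* ICMP type: echo request */
    pkt[IP_HDR_LEN + 1] = 0;       /* ICMP code */
    for (int i = 0; i < 56; i++)   /* payload pattern */
        pkt[IP_HDR_LEN + 8 + i] = (uint8_t)i;
}

/* Give each of the 84 bytes its own label, extract the type both ways and
 * report what survived. Returns -1 when not built with -fsanitize=dataflow,
 * otherwise a bitmask: bit 0 = indexed extraction keeps byte 20's label,
 * bit 1 = struct extraction keeps it, bit 2 = the description is non-NULL. */
int check_propagation(void)
{
    if (!dfsan_create_label || !dfsan_set_label || !dfsan_read_label ||
        !dfsan_has_label || !dfsan_get_label_info)
        return -1;

    static char desc[PKT_LEN][8];  /* DFSan stores the desc pointer, so this must outlive the labels */
    dfsan_label lab[PKT_LEN];
    for (size_t i = 0; i < PKT_LEN; i++) {
        snprintf(desc[i], sizeof desc[i], "byte%zu", i);
        lab[i] = dfsan_create_label(desc[i], NULL);
        dfsan_set_label(lab[i], &pkt[i], 1);
    }

    uint8_t t1 = icmp_type_by_index(pkt);
    uint8_t t2 = icmp_type_by_struct(pkt);
    dfsan_label l1 = dfsan_read_label(&t1, sizeof t1);
    dfsan_label l2 = dfsan_read_label(&t2, sizeof t2);

    int result = 0;
    if (dfsan_has_label(l1, lab[IP_HDR_LEN])) result |= 1;
    if (dfsan_has_label(l2, lab[IP_HDR_LEN])) result |= 2;
    const struct dfsan_label_info *info = dfsan_get_label_info(l1);
    if (info && info->desc) result |= 4;
    printf("index: label %u, struct: label %u, desc: %s\n",
           (unsigned)l1, (unsigned)l2, (info && info->desc) ? info->desc : "(null)");
    return result;
}

int main(void)
{
    build_packet();
    printf("ICMP type by index: %u, by struct: %u\n",
           icmp_type_by_index(pkt), icmp_type_by_struct(pkt));
    int r = check_propagation();
    if (r < 0)
        puts("not built with -fsanitize=dataflow; label checks skipped");
    else
        printf("propagation bitmask: %d (7 = both paths keep the label and its desc)\n", r);
    return 0;
}
```

Build with `clang -fsanitize=dataflow example.c` on a 2016-era toolchain to exercise the label checks, or with a plain `cc example.c` for the unlabeled path. A result of 0 for one of the bits, with "(null)" as the description, means the shadow of that value was cleared on the way, which in DFSan happens when the value passes through code that was not instrumented (a translation unit built without -fsanitize=dataflow, or a library function without a propagating wrapper) or when the labeled memory is overwritten by an unlabeled store.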