[cfe-dev] pointer values, taint propogation

McDowell, Raymond C. via cfe-dev cfe-dev at lists.llvm.org
Mon Feb 13 14:36:10 PST 2017


I would like to write a checker to make sure that pointers from untrusted sources are not dereferenced.  So I am playing around with the alpha.security.taint checker to try to understand how taint propagation works.  I put together some simple test cases:

[cid:image001.png at 01D28604.F242C920]

The indicated calls to printf should be flagged because an untrusted value is passed as the format string (the first argument).  When I run the alpha.security.taint checker on this, it only flags the last two.  Looking into this, I found that the static analyzer often assigns an unknown value to the result of casting from an integer to a pointer.  Taint can't be attached to an unknown value, so I need a known value for the pointer.  Although I'm not sure if this is really what we want to do, for now I added a post-check call-back on cast expressions to my checker that casts the integer to unsigned and then assigns the result as the pointer value.

[cid:image002.png at 01D28605.94CB8510]

When I run alpha.security.taint together with this on the test file, it flags the calls to printf where (char *)l and (char *)u are passed, but not the calls where sv1, sp1, (char *)NULL+l, sv2, or sp2 are passed, even though these are just different expressions with the same value.  I tried looking into this using the debugger, and found that when the analyzer calls ExprEngine::evalStore for the assignment statement (say "sv1 = (char *)ll"), it gives the pointer the appropriate value, but when the analyzer calls GenericTaintChecker::checkUncontrolledFormatString from the pre-check call-back for the call to printf on the following line of the test file, the pointer has an UnknownVal.  (See excepts from the debugging session below.)

Can anyone help me understand what is going on here?

Thanks,
Ray

[cid:image003.png at 01D2861A.EB785810]

[cid:image004.png at 01D2861B.4E6FBB70]

[cid:image005.png at 01D2861C.95CDE270]

[cid:image006.png at 01D2861E.3A1E4990]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 60202 bytes
Desc: image001.png
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 50294 bytes
Desc: image002.png
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 24875 bytes
Desc: image003.png
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 20327 bytes
Desc: image004.png
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 46457 bytes
Desc: image005.png
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 13298 bytes
Desc: image006.png
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170213/cebd00e2/attachment-0005.png>


More information about the cfe-dev mailing list