[cfe-dev] Symbolic value assumption for some libc function
Gavin Cui via cfe-dev
cfe-dev at lists.llvm.org
Thu Mar 21 16:52:13 PDT 2019
Hi, I was exploring the ArrayBoundChecker and TaintPropagation. I tried to
make the return value of the read() system call a taint source. I have seen
that you already defined it in GenericTaintChecker.cpp. And I found
that the checker will not raise an error for the following code even if I
replace .Case("read", TaintPropagationRule({0, 2}, {1, ReturnValueIndex}))
with .Case("read", TaintPropagationRule({}, {ReturnValueIndex})):
char buf[20];
int ret = read(0, buf, 3);
buf[ret] = 0; // expect to get warning: index is tainted
I think it is because the tool makes the assumption that the return value is less
than or equal to 3 after the read() syscall somewhere. But I have a hard time
locating the code which handles this specific case. Could you give me some
suggestions about which files I should look into in order to turn off the
assumption on read() return values?
Thank you!
Regards,
Gavin
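As an added example (not part of the original post), the hardened form of the buf[ret] = 0 pattern above: read() returns ssize_t and yields -1 on error, so its result is validated before it is used as an index. The function names and the pipe-based self-check are assumptions chosen for illustration.

```c
/* Added example, not the poster's code: validate a read() result before
 * indexing with it. The snippet in the post uses buf[ret] directly; ret
 * can be -1 on error, which would write one byte before the buffer. */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when buf[nread] is a legal terminator position for a buffer
 * of size cap (0 <= nread < cap), 0 otherwise. */
int read_result_is_indexable(ssize_t nread, size_t cap)
{
    if (nread < 0)              /* -1 on error: never use it as an index */
        return 0;
    if ((size_t)nread >= cap)   /* defensive: cannot happen if count < cap */
        return 0;
    return 1;
}

/* Read up to cap-1 bytes from fd into buf and NUL-terminate it.
 * Returns the number of bytes stored, or -1 on error (buf is emptied). */
ssize_t read_cstring(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (!read_result_is_indexable(n, cap)) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';              /* index is now known to be in bounds */
    return n;
}

/* Self-check on a constructed pipe (hypothetical harness, not from the post):
 * reads back "abc", then shows the error path on a closed descriptor. */
int demo(void)
{
    int fds[2];
    char buf[20];
    if (pipe(fds) != 0)
        return -1;
    (void)write(fds[1], "abc", 3);
    close(fds[1]);
    ssize_t n = read_cstring(fds[0], buf, sizeof buf);
    close(fds[0]);
    if (n != 3 || strcmp(buf, "abc") != 0)
        return -1;
    /* read() on the closed fd returns -1; the wrapper must not index with it. */
    if (read_cstring(fds[0], buf, sizeof buf) != -1 || buf[0] != '\0')
        return -1;
    return 0;
}
```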