[cfe-dev] Symbolic value assumption for some libc function
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Thu Mar 21 18:16:05 PDT 2019
Yup, you're correct, the analyzer knows that read() doesn't return an
arbitrary integer. If your `buf` was only, say, 2 characters long, you
should have received the warning that the attacker can trigger a buffer
overflow by forging a successful read of 3 bytes.
You've correctly pin-pointed the entity that's responsible for that. The
easiest way to figure this stuff out is to pay attention to checker tags
in the Exploded Graph dump
(https://clang-analyzer.llvm.org/checker_dev_manual.html#visualizing).
The reason for not having cross-translation-unit analysis is mostly
because it's technically annoying to pass data between multiple clang
processes. But, yeah, also scalability. There's an experimental attempt
to set up the infrastructure that might help you - see `-analyzer-config
experimental-enable-naive-ctu-analysis=true`.
You might be interested in https://reviews.llvm.org/D59516 - it's a
series of patches on review that adds support for loading taint
propagation rules from yaml files (uhm, i also need to take a look at
that). If you happen to develop something that auto-generates such yaml
files and turn it into some sort of pre-analysis pass across the whole
project, you'll essentially develop a certain kind of summary-based
cross translation unit analysis for the taint checker. But if you dive
into that, please also consider discussing how to make it re-usable
enough for other checkers to use :)
On 3/21/19 5:58 PM, Gavin Cui via cfe-dev wrote:
> Never mind, I have found them in StdLibraryFunctionsChecker. Sorry for disturbing you with stupid question.
> By the way, I notice that the Clang Static Analyzer currently dose not support analysis across translational unit for scalability concern. Do you have any suggested direction if I really want to do the taint tracking across files?
>
> Thank you,
>
> Sincerely,
> Gavin
>
>> On Mar 21, 2019, at 7:52 PM, Gavin Cui <gavincrz at gmail.com> wrote:
>>
>> Hi, I was exploring the ArrayboundChecker and TaintPropagation. I tried to make the return value of read() system call a taint source. I have seen that you already defined it in the GenericTaintChecker.cpp. And I found that the checker will not raise an error for the following code even I replace .Case("read", TaintPropagationRule({0, 2}, {1, ReturnValueIndex})) with .Case("read", TaintPropagationRule({}, {ReturnValueIndex})):
>>
>> char buf[20];
>> int ret = read(0, buf, 3);
>> buf[ret] = 0; // expect to get warning: index is tainted
>>
>> I think it is because the tool makes the assumption that the return is less than or equal to 3 after read() syscall somewhere. But I have a hard time to locate the code which handle this specific case. Could you give me some suggestion about which files should I look into in order to turn off the assumption on read() return values?
>>
>> Thank you!
>> Regards,
>> Gavin
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
More information about the cfe-dev
mailing list