[cfe-dev] [analyzer][taint] More precise taint modelling on arrays

Bal√°zs Benics via cfe-dev cfe-dev at lists.llvm.org
Mon Feb 10 03:43:06 PST 2020


I made the following test case for checking the modeling of taint
propagation on the `strcpy` function.
As I observed, only the first byte of the array became tainted, even though
all bytes should be treated tainted.
In the test, you can see my expectations and the actual result.

```
void strcpy_unbounded_tainted_buffer(char *buf) {
  scanf("%s", buf);

  char dst[32];
  strcpy(dst, buf);                       //        expected---vvv   vvv---
actual
  clang_analyzer_isTainted_char(dst[0]);  // expected-warning{{YES}} YES
  clang_analyzer_isTainted_char(dst[1]);  // expected-warning{{YES}} NO
  clang_analyzer_isTainted_char(dst[31]); // expected-warning{{YES}} NO
}

void strcpy_bounded_tainted_buffer(char *buf) {
  scanf("%s", buf);
  buf[10] = '\0';
  clang_analyzer_isTainted_char(buf[0]);  // expected-warning{{YES}} YES
  clang_analyzer_isTainted_char(buf[1]);  // expected-warning{{YES}} NO
  clang_analyzer_isTainted_char(buf[10]); // expected-warning{{NO}}  NO
  clang_analyzer_isTainted_char(buf[20]); // expected-warning{{YES}} NO

  char dst[32];
  strcpy(dst, buf);
  clang_analyzer_isTainted_char(dst[0]);  // expected-warning{{YES}} YES
  clang_analyzer_isTainted_char(dst[1]);  // expected-warning{{YES}} NO
  clang_analyzer_isTainted_char(dst[10]); // expected-warning{{NO}}  NO
  clang_analyzer_isTainted_char(dst[20]); // expected-warning{{NO}}  NO
}
```

Some clarification about `TaintedSubRegions` and tainting `
nonloc::LazyCompoundVal`s would be also helpful since it might be related
to this topic.

What are the reasons for this limitation on modeling taintedness regarding
arrays?


Background and expectation:
This change would be the first step in migrating the diagnostic emitting
parts of the `GenericTaintChecker`.
Eg.: `checkUncontrolledFormatString`, `checkSystemCall`, `
checkTaintedBufferSize`.
As a result, multiple checkers will consume taintedness information for
reporting warnings in the future and letting the `GenericTaintChecker` do
only modeling and propagation.

Regards, Balazs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20200210/92f0bac4/attachment-0001.html>


More information about the cfe-dev mailing list