Blame - lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp - fp2-dev/platform/external/clang

2011-11-16 19:58:13 +0000

[diff] [blame]

1

//== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=//

2

//

3

// The LLVM Compiler Infrastructure

4

//

5

// This file is distributed under the University of Illinois Open Source

6

// License. See LICENSE.TXT for details.

7

//

8

//===----------------------------------------------------------------------===//

9

//

10

// This checker defines the attack surface for generic taint propagation.

11

//

12

// The taint information produced by it might be useful to other checkers. For

13

// example, checkers should report errors which involve tainted data more

14

// aggressively, even if the involved symbols are under constrained.

15

//

16

//===----------------------------------------------------------------------===//

17

#include "ClangSACheckers.h"

18

#include "clang/StaticAnalyzer/Core/Checker.h"

19

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

20

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

21

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

22

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

23

#include "clang/Basic/Builtins.h"

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

24

#include <climits>

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

25

26

using namespace clang;

27

using namespace ento;

28

29

namespace {

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

30

class GenericTaintChecker : public Checker< check::PostStmt<CallExpr>,

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

31

check::PreStmt<CallExpr> > {

32

public:

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

33

static void *getTag() { static int Tag; return &Tag; }

34

35

void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;

36

void checkPostStmt(const DeclRefExpr *DRE, CheckerContext &C) const;

37

38

void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

39

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

40

private:

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

41

static const unsigned ReturnValueIndex = UINT_MAX;

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

42

static const unsigned InvalidArgIndex = UINT_MAX - 1;

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

43

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

44

mutable llvm::OwningPtr<BugType> BT;

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

45

inline void initBugType() const {

46

if (!BT)

47

BT.reset(new BugType("Taint Analysis", "General"));

48

}

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

49

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

50

/// \brief Catch taint related bugs. Check if tainted data is passed to a

51

/// system call etc.

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

52

bool checkPre(const CallExpr *CE, CheckerContext &C) const;

53

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

54

/// \brief Add taint sources on a pre-visit.

55

void addSourcesPre(const CallExpr *CE, CheckerContext &C) const;

56

57

/// \brief Propagate taint generated at pre-visit.

58

bool propagateFromPre(const CallExpr *CE, CheckerContext &C) const;

59

60

/// \brief Add taint sources on a post visit.

61

void addSourcesPost(const CallExpr *CE, CheckerContext &C) const;

62

63

/// \brief Given a pointer argument, get the symbol of the value it contains

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

64

/// (points to).

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

65

static SymbolRef getPointedToSymbol(CheckerContext &C, const Expr *Arg);

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

66

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

67

static inline bool isTaintedOrPointsToTainted(const Expr *E,

68

const ProgramState *State,

69

CheckerContext &C) {

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

70

return (State->isTainted(E, C.getLocationContext()) ||

71

(E->getType().getTypePtr()->isPointerType() &&

72

State->isTainted(getPointedToSymbol(C, E))));

73

}

74

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

75

/// Functions defining the attack surface.

76

typedef const ProgramState *(GenericTaintChecker::*FnCheck)(const CallExpr *,

77

CheckerContext &C) const;

78

const ProgramState *postScanf(const CallExpr *CE, CheckerContext &C) const;

Anna Zaks

2012-01-20 00:11:19 +0000

[diff] [blame^]

79

const ProgramState *postSocket(const CallExpr *CE, CheckerContext &C) const;

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

80

const ProgramState *postRetTaint(const CallExpr *CE, CheckerContext &C) const;

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

81

82

/// Taint the scanned input if the file is tainted.

83

const ProgramState *preFscanf(const CallExpr *CE, CheckerContext &C) const;

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

84

Anna Zaks

2011-12-16 18:28:50 +0000

[diff] [blame]

85

/// Check if the region the expression evaluates to is the standard input,

86

/// and thus, is tainted.

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

87

bool isStdin(const Expr *E, CheckerContext &C) const;

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

88

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

89

/// Check for CWE-134: Uncontrolled Format String.

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

90

static const char MsgUncontrolledFormatString[];

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

91

bool checkUncontrolledFormatString(const CallExpr *CE,

92

CheckerContext &C) const;

93

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

94

/// Check for:

95

/// CERT/STR02-C. "Sanitize data passed to complex subsystems"

96

/// CWE-78, "Failure to Sanitize Data into an OS Command"

97

static const char MsgSanitizeSystemArgs[];

98

bool checkSystemCall(const CallExpr *CE, StringRef Name,

99

CheckerContext &C) const;

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

100

Anna Zaks

2012-01-18 02:45:11 +0000

[diff] [blame]

101

/// Check if tainted data is used as a buffer size ins strn.. functions,

102

/// and allocators.

103

static const char MsgTaintedBufferSize[];

104

bool checkTaintedBufferSize(const CallExpr *CE, const FunctionDecl *FDecl,

105

CheckerContext &C) const;

106

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

107

/// Generate a report if the expression is tainted or points to tainted data.

108

bool generateReportIfTainted(const Expr *E, const char Msg[],

109

CheckerContext &C) const;

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

110

111

112

typedef llvm::SmallVector<unsigned, 2> ArgVector;

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

113

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

114

/// \brief A struct used to specify taint propagation rules for a function.

115

///

116

/// If any of the possible taint source arguments is tainted, all of the

117

/// destination arguments should also be tainted. Use InvalidArgIndex in the

118

/// src list to specify that all of the arguments can introduce taint. Use

119

/// InvalidArgIndex in the dst arguments to signify that all the non-const

120

/// pointer and reference arguments might be tainted on return. If

121

/// ReturnValueIndex is added to the dst list, the return value will be

122

/// tainted.

123

struct TaintPropagationRule {

124

/// List of arguments which can be taint sources and should be checked.

125

ArgVector SrcArgs;

126

/// List of arguments which should be tainted on function return.

127

ArgVector DstArgs;

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

128

// TODO: Check if using other data structures would be more optimal.

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

129

130

TaintPropagationRule() {}

131

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

132

TaintPropagationRule(unsigned SArg,

133

unsigned DArg, bool TaintRet = false) {

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

134

SrcArgs.push_back(SArg);

135

DstArgs.push_back(DArg);

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

136

if (TaintRet)

137

DstArgs.push_back(ReturnValueIndex);

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

138

}

139

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

140

TaintPropagationRule(unsigned SArg1, unsigned SArg2,

141

unsigned DArg, bool TaintRet = false) {

142

SrcArgs.push_back(SArg1);

143

SrcArgs.push_back(SArg2);

144

DstArgs.push_back(DArg);

145

if (TaintRet)

146

DstArgs.push_back(ReturnValueIndex);

147

}

148

149

/// Get the propagation rule for a given function.

150

static TaintPropagationRule

151

getTaintPropagationRule(const FunctionDecl *FDecl,

StringRef Name,

CheckerContext &C);

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

155

inline void addSrcArg(unsigned A) { SrcArgs.push_back(A); }

156

inline void addDstArg(unsigned A) { DstArgs.push_back(A); }

157

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

158

inline bool isNull() const { return SrcArgs.empty(); }

159

160

inline bool isDestinationArgument(unsigned ArgNum) const {

161

return (std::find(DstArgs.begin(),

162

DstArgs.end(), ArgNum) != DstArgs.end());

163

}

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

164

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

165

/// \brief Pre-process a function which propagates taint according to the

166

/// taint rule.

167

const ProgramState *process(const CallExpr *CE, CheckerContext &C) const;

168

169

};

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

170

};

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

171

172

const unsigned GenericTaintChecker::ReturnValueIndex;

173

const unsigned GenericTaintChecker::InvalidArgIndex;

174

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

175

const char GenericTaintChecker::MsgUncontrolledFormatString[] =

176

"Tainted format string (CWE-134: Uncontrolled Format String)";

177

178

const char GenericTaintChecker::MsgSanitizeSystemArgs[] =

179

"Tainted data passed to a system call "

180

"(CERT/STR02-C. Sanitize data passed to complex subsystems)";

Anna Zaks

2012-01-18 02:45:11 +0000

[diff] [blame]

181

182

const char GenericTaintChecker::MsgTaintedBufferSize[] =

183

"Tainted data is used to specify the buffer size "

184

"(CERT/STR31-C. Guarantee that storage for strings has sufficient space for "

185

"character data and the null terminator)";

186

187

} // end of anonymous namespace

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

188

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

189

/// A set which is used to pass information from call pre-visit instruction

190

/// to the call post-visit. The values are unsigned integers, which are either

191

/// ReturnValueIndex, or indexes of the pointer/reference argument, which

192

/// points to data, which should be tainted on return.

193

namespace { struct TaintArgsOnPostVisit{}; }

194

namespace clang { namespace ento {

195

template<> struct ProgramStateTrait<TaintArgsOnPostVisit>

196

: public ProgramStatePartialTrait<llvm::ImmutableSet<unsigned> > {

197

static void *GDMIndex() { return GenericTaintChecker::getTag(); }

198

};

199

}}

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

200

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

201

GenericTaintChecker::TaintPropagationRule

202

GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(

203

const FunctionDecl *FDecl,

204

StringRef Name,

205

CheckerContext &C) {

206

// Check for exact name match for functions without builtin substitutes.

207

TaintPropagationRule Rule = llvm::StringSwitch<TaintPropagationRule>(Name)

208

.Case("atoi", TaintPropagationRule(0, ReturnValueIndex))

209

.Case("atol", TaintPropagationRule(0, ReturnValueIndex))

210

.Case("atoll", TaintPropagationRule(0, ReturnValueIndex))

Anna Zaks

2012-01-20 00:11:19 +0000

[diff] [blame^]

211

.Case("read", TaintPropagationRule(0, 2, 1, true))

212

.Case("pread", TaintPropagationRule(InvalidArgIndex, 1, true))

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

213

.Default(TaintPropagationRule());

if (!Rule.isNull())

return Rule;

// Check if it's one of the memory setting/copying functions.

219

// This check is specialized but faster then calling isCLibraryFunction.

220

unsigned BId = 0;

221

if ( (BId = FDecl->getMemoryFunctionKind()) )

222

switch(BId) {

223

case Builtin::BImemcpy:

224

case Builtin::BImemmove:

225

case Builtin::BIstrncpy:

226

case Builtin::BIstrncat:

227

return TaintPropagationRule(1, 2, 0, true);

228

break;

229

case Builtin::BIstrlcpy:

230

case Builtin::BIstrlcat:

231

return TaintPropagationRule(1, 2, 0, false);

232

break;

233

case Builtin::BIstrndup:

234

return TaintPropagationRule(0, 1, ReturnValueIndex);

break;

default:

break;

};

// Process all other functions which could be defined as builtins.

242

if (Rule.isNull()) {

243

if (C.isCLibraryFunction(FDecl, "snprintf") ||

244

C.isCLibraryFunction(FDecl, "sprintf"))

245

return TaintPropagationRule(InvalidArgIndex, 0, true);

246

else if (C.isCLibraryFunction(FDecl, "strcpy") ||

247

C.isCLibraryFunction(FDecl, "stpcpy") ||

248

C.isCLibraryFunction(FDecl, "strcat"))

249

return TaintPropagationRule(1, 0, true);

250

else if (C.isCLibraryFunction(FDecl, "bcopy"))

251

return TaintPropagationRule(0, 2, 1, false);

252

else if (C.isCLibraryFunction(FDecl, "strdup") ||

253

C.isCLibraryFunction(FDecl, "strdupa"))

254

return TaintPropagationRule(0, ReturnValueIndex);

Anna Zaks

2012-01-18 02:45:11 +0000

[diff] [blame]

255

else if (C.isCLibraryFunction(FDecl, "wcsdup"))

256

return TaintPropagationRule(0, ReturnValueIndex);

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

257

}

258

259

// Skipping the following functions, since they might be used for cleansing

260

// or smart memory copy:

261

// - memccpy - copying untill hitting a special character.

262

263

return TaintPropagationRule();

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

264

}

265

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

266

void GenericTaintChecker::checkPreStmt(const CallExpr *CE,

267

CheckerContext &C) const {

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

268

// Check for errors first.

269

if (checkPre(CE, C))

270

return;

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

271

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

272

// Add taint second.

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

273

addSourcesPre(CE, C);

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

274

}

275

276

void GenericTaintChecker::checkPostStmt(const CallExpr *CE,

277

CheckerContext &C) const {

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

278

if (propagateFromPre(CE, C))

279

return;

280

addSourcesPost(CE, C);

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

281

}

282

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

283

void GenericTaintChecker::addSourcesPre(const CallExpr *CE,

284

CheckerContext &C) const {

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

285

const ProgramState *State = 0;

286

const FunctionDecl *FDecl = C.getCalleeDecl(CE);

287

StringRef Name = C.getCalleeName(FDecl);

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

288

if (Name.empty())

289

return;

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

290

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

291

// First, try generating a propagation rule for this function.

292

TaintPropagationRule Rule =

293

TaintPropagationRule::getTaintPropagationRule(FDecl, Name, C);

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

294

if (!Rule.isNull()) {

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

295

State = Rule.process(CE, C);

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

296

if (!State)

297

return;

298

C.addTransition(State);

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

299

return;

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

300

}

301

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

302

// Otherwise, check if we have custom pre-processing implemented.

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

303

FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

304

.Case("fscanf", &GenericTaintChecker::preFscanf)

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

305

.Default(0);

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

306

// Check and evaluate the call.

307

if (evalFunction)

308

State = (this->*evalFunction)(CE, C);

309

if (!State)

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

310

return;

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

311

C.addTransition(State);

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

312

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

313

}

314

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

315

bool GenericTaintChecker::propagateFromPre(const CallExpr *CE,

316

CheckerContext &C) const {

317

const ProgramState *State = C.getState();

318

319

// Depending on what was tainted at pre-visit, we determined a set of

320

// arguments which should be tainted after the function returns. These are

321

// stored in the state as TaintArgsOnPostVisit set.

322

llvm::ImmutableSet<unsigned> TaintArgs = State->get<TaintArgsOnPostVisit>();

323

for (llvm::ImmutableSet<unsigned>::iterator

324

I = TaintArgs.begin(), E = TaintArgs.end(); I != E; ++I) {

325

unsigned ArgNum = *I;

326

327

// Special handling for the tainted return value.

328

if (ArgNum == ReturnValueIndex) {

329

State = State->addTaint(CE, C.getLocationContext());

continue;

}

// The arguments are pointer arguments. The data they are pointing at is

334

// tainted after the call.

335

const Expr* Arg = CE->getArg(ArgNum);

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

336

SymbolRef Sym = getPointedToSymbol(C, Arg);

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

337

if (Sym)

338

State = State->addTaint(Sym);

339

}

340

341

// Clear up the taint info from the state.

342

State = State->remove<TaintArgsOnPostVisit>();

343

344

if (State != C.getState()) {

345

C.addTransition(State);

return true;

}

return false;

}

void GenericTaintChecker::addSourcesPost(const CallExpr *CE,

352

CheckerContext &C) const {

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

353

// Define the attack surface.

354

// Set the evaluation function by switching on the callee name.

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

355

StringRef Name = C.getCalleeName(CE);

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

356

if (Name.empty())

357

return;

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

358

FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

359

.Case("scanf", &GenericTaintChecker::postScanf)

Anna Zaks

1009ac7

2011-12-14 00:56:02 +0000

[diff] [blame]

360

// TODO: Add support for vfscanf & family.

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

361

.Case("getchar", &GenericTaintChecker::postRetTaint)

362

.Case("getenv", &GenericTaintChecker::postRetTaint)

363

.Case("fopen", &GenericTaintChecker::postRetTaint)

364

.Case("fdopen", &GenericTaintChecker::postRetTaint)

365

.Case("freopen", &GenericTaintChecker::postRetTaint)

Anna Zaks

2012-01-20 00:11:19 +0000

[diff] [blame^]

366

.Case("socket", &GenericTaintChecker::postSocket)

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

367

.Default(0);

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

368

369

// If the callee isn't defined, it is not of security concern.

370

// Check and evaluate the call.

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

371

const ProgramState *State = 0;

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

372

if (evalFunction)

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

373

State = (this->*evalFunction)(CE, C);

374

if (!State)

375

return;

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

376

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

377

C.addTransition(State);

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

378

}

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

379

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

380

bool GenericTaintChecker::checkPre(const CallExpr *CE, CheckerContext &C) const{

381

382

if (checkUncontrolledFormatString(CE, C))

383

return true;

384

Anna Zaks

2012-01-18 02:45:11 +0000

[diff] [blame]

385

const FunctionDecl *FDecl = C.getCalleeDecl(CE);

386

StringRef Name = C.getCalleeName(FDecl);

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

if (Name.empty())

return false;

if (checkSystemCall(CE, Name, C))

391

return true;

392

Anna Zaks

2012-01-18 02:45:11 +0000

[diff] [blame]

393

if (checkTaintedBufferSize(CE, FDecl, C))

394

return true;

395

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

return false;

}

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

399

SymbolRef GenericTaintChecker::getPointedToSymbol(CheckerContext &C,

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

400

const Expr* Arg) {

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

401

const ProgramState *State = C.getState();

Ted Kremenek

2012-01-06 22:09:28 +0000

[diff] [blame]

402

SVal AddrVal = State->getSVal(Arg->IgnoreParens(), C.getLocationContext());

Anna Zaks

2011-12-16 18:28:50 +0000

[diff] [blame]

403

if (AddrVal.isUnknownOrUndef())

Anna Zaks

e3d250e

2011-12-11 18:43:40 +0000

[diff] [blame]

404

return 0;

405

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

406

Loc *AddrLoc = dyn_cast<Loc>(&AddrVal);

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

407

if (!AddrLoc)

Anna Zaks

2011-11-18 02:26:36 +0000

[diff] [blame]

408

return 0;

409

Anna Zaks

71d2909

2012-01-13 00:56:51 +0000

[diff] [blame]

410

const PointerType *ArgTy =

411

dyn_cast<PointerType>(Arg->getType().getCanonicalType().getTypePtr());

412

assert(ArgTy);

413

SVal Val = State->getSVal(*AddrLoc, ArgTy->getPointeeType());

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

414

return Val.getAsSymbol();

415

}

416

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

417

const ProgramState *

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

418

GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE,

419

CheckerContext &C) const {

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

420

const ProgramState *State = C.getState();

421

422

// Check for taint in arguments.

423

bool IsTainted = false;

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

424

for (ArgVector::const_iterator I = SrcArgs.begin(),

425

E = SrcArgs.end(); I != E; ++I) {

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

426

unsigned ArgNum = *I;

427

428

if (ArgNum == InvalidArgIndex) {

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

429

// Check if any of the arguments is tainted, but skip the

430

// destination arguments.

431

for (unsigned int i = 0; i < CE->getNumArgs(); ++i) {

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

432

if (isDestinationArgument(i))

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

433

continue;

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

434

if ((IsTainted =

435

GenericTaintChecker::isTaintedOrPointsToTainted(CE->getArg(i),

436

State, C)))

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

437

break;

Anna Zaks

2012-01-18 02:45:07 +0000

[diff] [blame]

438

}

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

break;

}

assert(ArgNum < CE->getNumArgs());

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

443

if ((IsTainted =

444

GenericTaintChecker::isTaintedOrPointsToTainted(CE->getArg(ArgNum),

445

State, C)))

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

break;

}

if (!IsTainted)

return State;

// Mark the arguments which should be tainted after the function returns.

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

452

for (ArgVector::const_iterator I = DstArgs.begin(),

453

E = DstArgs.end(); I != E; ++I) {

Anna Zaks

2012-01-17 00:37:02 +0000

[diff] [blame]

454

unsigned ArgNum = *I;

455

456

// Should we mark all arguments as tainted?

457

if (ArgNum == InvalidArgIndex) {

458

// For all pointer and references that were passed in:

459

// If they are not pointing to const data, mark data as tainted.

460

// TODO: So far we are just going one level down; ideally we'd need to

461

// recurse here.

462

for (unsigned int i = 0; i < CE->getNumArgs(); ++i) {

463

const Expr *Arg = CE->getArg(i);

464

// Process pointer argument.

465

const Type *ArgTy = Arg->getType().getTypePtr();

466

QualType PType = ArgTy->getPointeeType();

467

if ((!PType.isNull() && !PType.isConstQualified())

468

|| (ArgTy->isReferenceType() && !Arg->getType().isConstQualified()))

469

State = State->add<TaintArgsOnPostVisit>(i);

}

continue;

}

// Should mark the return value?

475

if (ArgNum == ReturnValueIndex) {

476

State = State->add<TaintArgsOnPostVisit>(ReturnValueIndex);

continue;

}

// Mark the given argument.

481

assert(ArgNum < CE->getNumArgs());

482

State = State->add<TaintArgsOnPostVisit>(ArgNum);

}

return State;

}

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

489

// If argument 0 (file descriptor) is tainted, all arguments except for arg 0

490

// and arg 1 should get taint.

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

491

const ProgramState *GenericTaintChecker::preFscanf(const CallExpr *CE,

492

CheckerContext &C) const {

493

assert(CE->getNumArgs() >= 2);

494

const ProgramState *State = C.getState();

495

496

// Check is the file descriptor is tainted.

Ted Kremenek

2012-01-06 22:09:28 +0000

[diff] [blame]

497

if (State->isTainted(CE->getArg(0), C.getLocationContext()) ||

Anna Zaks

2012-01-12 02:22:34 +0000

[diff] [blame]

498

isStdin(CE->getArg(0), C)) {

499

// All arguments except for the first two should get taint.

500

for (unsigned int i = 2; i < CE->getNumArgs(); ++i)

501

State = State->add<TaintArgsOnPostVisit>(i);

return State;

}

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

return 0;

}

Anna Zaks

2012-01-20 00:11:19 +0000

[diff] [blame^]

508

509

// If argument 0(protocol domain) is network, the return value should get taint.

510

const ProgramState *GenericTaintChecker::postSocket(const CallExpr *CE,

511

CheckerContext &C) const {

512

assert(CE->getNumArgs() >= 3);

513

const ProgramState *State = C.getState();

514

515

SourceLocation DomLoc = CE->getArg(0)->getExprLoc();

516

StringRef DomName = C.getMacroNameOrSpelling(DomLoc);

517

// White list the internal communication protocols.

518

if (DomName.equals("AF_SYSTEM") || DomName.equals("AF_LOCAL") ||

519

DomName.equals("AF_UNIX") || DomName.equals("AF_RESERVED_36"))

520

return State;

521

State = State->addTaint(CE, C.getLocationContext());

return State;

}

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

525

const ProgramState *GenericTaintChecker::postScanf(const CallExpr *CE,

526

CheckerContext &C) const {

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

527

const ProgramState *State = C.getState();

Anna Zaks

1009ac7

2011-12-14 00:56:02 +0000

[diff] [blame]

528

assert(CE->getNumArgs() >= 2);

Ted Kremenek

2012-01-06 22:09:28 +0000

[diff] [blame]

529

SVal x = State->getSVal(CE->getArg(1), C.getLocationContext());

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

530

// All arguments except for the very first one should get taint.

531

for (unsigned int i = 1; i < CE->getNumArgs(); ++i) {

532

// The arguments are pointer arguments. The data they are pointing at is

533

// tainted after the call.

534

const Expr* Arg = CE->getArg(i);

Anna Zaks

2012-01-18 02:45:13 +0000

[diff] [blame]

535

SymbolRef Sym = getPointedToSymbol(C, Arg);

Anna Zaks

1009ac7

2011-12-14 00:56:02 +0000

[diff] [blame]

536

if (Sym)

537

State = State->addTaint(Sym);

538

}

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

539

return State;

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

540

}

541

Anna Zaks

2011-12-17 00:26:34 +0000

[diff] [blame]

542

const ProgramState *GenericTaintChecker::postRetTaint(const CallExpr *CE,

543

CheckerContext &C) const {

Ted Kremenek

2012-01-06 22:09:28 +0000

[diff] [blame]

544

return C.getState()->addTaint(CE, C.getLocationContext());

Anna Zaks

2011-11-16 19:58:13 +0000

[diff] [blame]

545

}

546

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

547

bool GenericTaintChecker::isStdin(const Expr *E,

548

CheckerContext &C) const {

Anna Zaks

2011-12-16 18:28:50 +0000

[diff] [blame]

549

const ProgramState *State = C.getState();

Ted Kremenek

2012-01-06 22:09:28 +0000

[diff] [blame]

550

SVal Val = State->getSVal(E, C.getLocationContext());

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

551

Anna Zaks

2011-12-16 18:28:50 +0000

[diff] [blame]

552

// stdin is a pointer, so it would be a region.

553

const MemRegion *MemReg = Val.getAsRegion();

554

555

// The region should be symbolic, we do not know it's value.

556

const SymbolicRegion *SymReg = dyn_cast_or_null<SymbolicRegion>(MemReg);

557

if (!SymReg)

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

558

return false;

559

Anna Zaks

2011-12-16 18:28:50 +0000

[diff] [blame]

560

// Get it's symbol and find the declaration region it's pointing to.

561

const SymbolRegionValue *Sm =dyn_cast<SymbolRegionValue>(SymReg->getSymbol());

562

if (!Sm)

563

return false;

564

const DeclRegion *DeclReg = dyn_cast_or_null<DeclRegion>(Sm->getRegion());

565

if (!DeclReg)

566

return false;

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

567

Anna Zaks

2011-12-16 18:28:50 +0000

[diff] [blame]

568

// This region corresponds to a declaration, find out if it's a global/extern

569

// variable named stdin with the proper type.

570

if (const VarDecl *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) {

571

D = D->getCanonicalDecl();

572

if ((D->getName().find("stdin") != StringRef::npos) && D->isExternC())

573

if (const PointerType * PtrTy =

574

dyn_cast<PointerType>(D->getType().getTypePtr()))

575

if (PtrTy->getPointeeType() == C.getASTContext().getFILEType())

576

return true;

577

}

Anna Zaks

2011-12-14 00:56:18 +0000

[diff] [blame]

return false;

}

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

581

static bool getPrintfFormatArgumentNum(const CallExpr *CE,

582

const CheckerContext &C,

583

unsigned int &ArgNum) {

584

// Find if the function contains a format string argument.

585

// Handles: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf,

586

// vsnprintf, syslog, custom annotated functions.

587

const FunctionDecl *FDecl = C.getCalleeDecl(CE);

588

if (!FDecl)

589

return false;

590

for (specific_attr_iterator<FormatAttr>

591

i = FDecl->specific_attr_begin<FormatAttr>(),

592

e = FDecl->specific_attr_end<FormatAttr>(); i != e ; ++i) {

593

594

const FormatAttr *Format = *i;

595

ArgNum = Format->getFormatIdx() - 1;

596

if ((Format->getType() == "printf") && CE->getNumArgs() > ArgNum)

return true;

}

// Or if a function is named setproctitle (this is a heuristic).

601

if (C.getCalleeName(CE).find("setproctitle") != StringRef::npos) {

ArgNum = 0;

return true;

}

return false;

}

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

609

bool GenericTaintChecker::generateReportIfTainted(const Expr *E,

610

const char Msg[],

611

CheckerContext &C) const {

assert(E);

// Check for taint.

const ProgramState *State = C.getState();

616

if (!State->isTainted(getPointedToSymbol(C, E)) &&

617

!State->isTainted(E, C.getLocationContext()))

618

return false;

619

620

// Generate diagnostic.

621

if (ExplodedNode *N = C.addTransition()) {

622

initBugType();

623

BugReport *report = new BugReport(*BT, Msg, N);

624

report->addRange(E->getSourceRange());

625

C.EmitReport(report);

return true;

}

return false;

}

Anna Zaks

2012-01-07 02:33:10 +0000

[diff] [blame]

631

bool GenericTaintChecker::checkUncontrolledFormatString(const CallExpr *CE,

632

CheckerContext &C) const{

633

// Check if the function contains a format string argument.

634

unsigned int ArgNum = 0;

635

if (!getPrintfFormatArgumentNum(CE, C, ArgNum))

636

return false;

637

638

// If either the format string content or the pointer itself are tainted, warn.

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

639

if (generateReportIfTainted(CE->getArg(ArgNum),

640

MsgUncontrolledFormatString, C))

return true;

return false;

}

bool GenericTaintChecker::checkSystemCall(const CallExpr *CE,

646

StringRef Name,

647

CheckerContext &C) const {

648

unsigned ArgNum = llvm::StringSwitch<unsigned>(Name)

649

.Case("system", 0)

650

.Case("popen", 0)

Anna Zaks

2012-01-20 00:11:19 +0000

[diff] [blame^]

.Case("execl", 0)

.Case("execle", 0)

.Case("execlp", 0)

.Case("execv", 0)

.Case("execvp", 0)

.Case("execvP", 0)

Anna Zaks

2012-01-14 02:48:40 +0000

[diff] [blame]

657

.Default(UINT_MAX);

658

659

if (ArgNum == UINT_MAX)

660

return false;

661

662

if (generateReportIfTainted(CE->getArg(ArgNum),

663

MsgSanitizeSystemArgs, C))

664

return true;

665

Anna Zaks