clang 17.0.0git
GenericTaintChecker.cpp
Go to the documentation of this file.
1//== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker defines the attack surface for generic taint propagation.
10//
11// The taint information produced by it might be useful to other checkers. For
12// example, checkers should report errors which involve tainted data more
13// aggressively, even if the involved symbols are under constrained.
14//
15//===----------------------------------------------------------------------===//
16
17#include "Yaml.h"
18#include "clang/AST/Attr.h"
29#include "llvm/ADT/StringExtras.h"
30#include "llvm/Support/YAMLTraits.h"
31
32#include <limits>
33#include <memory>
34#include <optional>
35#include <utility>
36#include <vector>
37
38#define DEBUG_TYPE "taint-checker"
39
40using namespace clang;
41using namespace ento;
42using namespace taint;
43
44using llvm::ImmutableSet;
45
46namespace {
47
48class GenericTaintChecker;
49
50/// Check for CWE-134: Uncontrolled Format String.
51constexpr llvm::StringLiteral MsgUncontrolledFormatString =
52 "Untrusted data is used as a format string "
53 "(CWE-134: Uncontrolled Format String)";
54
55/// Check for:
56/// CERT/STR02-C. "Sanitize data passed to complex subsystems"
57/// CWE-78, "Failure to Sanitize Data into an OS Command"
58constexpr llvm::StringLiteral MsgSanitizeSystemArgs =
59 "Untrusted data is passed to a system call "
60 "(CERT/STR02-C. Sanitize data passed to complex subsystems)";
61
62/// Check if tainted data is used as a buffer size in strn.. functions,
63/// and allocators.
64constexpr llvm::StringLiteral MsgTaintedBufferSize =
65 "Untrusted data is used to specify the buffer size "
66 "(CERT/STR31-C. Guarantee that storage for strings has sufficient space "
67 "for character data and the null terminator)";
68
69/// Check if tainted data is used as a custom sink's parameter.
70constexpr llvm::StringLiteral MsgCustomSink =
71 "Untrusted data is passed to a user-defined sink";
72
73using ArgIdxTy = int;
74using ArgVecTy = llvm::SmallVector<ArgIdxTy, 2>;
75
76/// Denotes the return value.
77constexpr ArgIdxTy ReturnValueIndex{-1};
78
79static ArgIdxTy fromArgumentCount(unsigned Count) {
80 assert(Count <=
81 static_cast<std::size_t>(std::numeric_limits<ArgIdxTy>::max()) &&
82 "ArgIdxTy is not large enough to represent the number of arguments.");
83 return Count;
84}
85
86/// Check if the region the expression evaluates to is the standard input,
87/// and thus, is tainted.
88/// FIXME: Move this to Taint.cpp.
89bool isStdin(SVal Val, const ASTContext &ACtx) {
90 // FIXME: What if Val is NonParamVarRegion?
91
92 // The region should be symbolic, we do not know it's value.
93 const auto *SymReg = dyn_cast_or_null<SymbolicRegion>(Val.getAsRegion());
94 if (!SymReg)
95 return false;
96
97 // Get it's symbol and find the declaration region it's pointing to.
98 const auto *DeclReg =
99 dyn_cast_or_null<DeclRegion>(SymReg->getSymbol()->getOriginRegion());
100 if (!DeclReg)
101 return false;
102
103 // This region corresponds to a declaration, find out if it's a global/extern
104 // variable named stdin with the proper type.
105 if (const auto *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) {
106 D = D->getCanonicalDecl();
107 // FIXME: This should look for an exact match.
108 if (D->getName().contains("stdin") && D->isExternC()) {
109 const QualType FILETy = ACtx.getFILEType().getCanonicalType();
110 const QualType Ty = D->getType().getCanonicalType();
111
112 if (Ty->isPointerType())
113 return Ty->getPointeeType() == FILETy;
114 }
115 }
116 return false;
117}
118
119SVal getPointeeOf(ProgramStateRef State, Loc LValue) {
120 const QualType ArgTy = LValue.getType(State->getStateManager().getContext());
121 if (!ArgTy->isPointerType() || !ArgTy->getPointeeType()->isVoidType())
122 return State->getSVal(LValue);
123
124 // Do not dereference void pointers. Treat them as byte pointers instead.
125 // FIXME: we might want to consider more than just the first byte.
126 return State->getSVal(LValue, State->getStateManager().getContext().CharTy);
127}
128
129/// Given a pointer/reference argument, return the value it refers to.
130std::optional<SVal> getPointeeOf(ProgramStateRef State, SVal Arg) {
131 if (auto LValue = Arg.getAs<Loc>())
132 return getPointeeOf(State, *LValue);
133 return std::nullopt;
134}
135
136/// Given a pointer, return the SVal of its pointee or if it is tainted,
137/// otherwise return the pointer's SVal if tainted.
138/// Also considers stdin as a taint source.
139std::optional<SVal> getTaintedPointeeOrPointer(ProgramStateRef State,
140 SVal Arg) {
141 if (auto Pointee = getPointeeOf(State, Arg))
142 if (isTainted(State, *Pointee)) // FIXME: isTainted(...) ? Pointee : None;
143 return Pointee;
144
145 if (isTainted(State, Arg))
146 return Arg;
147 return std::nullopt;
148}
149
150bool isTaintedOrPointsToTainted(ProgramStateRef State, SVal ExprSVal) {
151 return getTaintedPointeeOrPointer(State, ExprSVal).has_value();
152}
153
154/// Helps in printing taint diagnostics.
155/// Marks the incoming parameters of a function interesting (to be printed)
156/// when the return value, or the outgoing parameters are tainted.
157const NoteTag *taintOriginTrackerTag(CheckerContext &C,
158 std::vector<SymbolRef> TaintedSymbols,
159 std::vector<ArgIdxTy> TaintedArgs,
160 const LocationContext *CallLocation) {
161 return C.getNoteTag([TaintedSymbols = std::move(TaintedSymbols),
162 TaintedArgs = std::move(TaintedArgs), CallLocation](
163 PathSensitiveBugReport &BR) -> std::string {
165 // We give diagnostics only for taint related reports
166 if (!BR.isInteresting(CallLocation) ||
168 return "";
169 }
170 if (TaintedSymbols.empty())
171 return "Taint originated here";
172
173 for (auto Sym : TaintedSymbols) {
174 BR.markInteresting(Sym);
175 }
176 LLVM_DEBUG(for (auto Arg
177 : TaintedArgs) {
178 llvm::dbgs() << "Taint Propagated from argument " << Arg + 1 << "\n";
179 });
180 return "";
181 });
182}
183
184/// Helps in printing taint diagnostics.
185/// Marks the function interesting (to be printed)
186/// when the return value, or the outgoing parameters are tainted.
187const NoteTag *taintPropagationExplainerTag(
188 CheckerContext &C, std::vector<SymbolRef> TaintedSymbols,
189 std::vector<ArgIdxTy> TaintedArgs, const LocationContext *CallLocation) {
190 assert(TaintedSymbols.size() == TaintedArgs.size());
191 return C.getNoteTag([TaintedSymbols = std::move(TaintedSymbols),
192 TaintedArgs = std::move(TaintedArgs), CallLocation](
193 PathSensitiveBugReport &BR) -> std::string {
195 llvm::raw_svector_ostream Out(Msg);
196 // We give diagnostics only for taint related reports
197 if (TaintedSymbols.empty() ||
199 return "";
200 }
201 int nofTaintedArgs = 0;
202 for (auto [Idx, Sym] : llvm::enumerate(TaintedSymbols)) {
203 if (BR.isInteresting(Sym)) {
204 BR.markInteresting(CallLocation);
205 if (TaintedArgs[Idx] != ReturnValueIndex) {
206 LLVM_DEBUG(llvm::dbgs() << "Taint Propagated to argument "
207 << TaintedArgs[Idx] + 1 << "\n");
208 if (nofTaintedArgs == 0)
209 Out << "Taint propagated to the ";
210 else
211 Out << ", ";
212 Out << TaintedArgs[Idx] + 1
213 << llvm::getOrdinalSuffix(TaintedArgs[Idx] + 1) << " argument";
214 nofTaintedArgs++;
215 } else {
216 LLVM_DEBUG(llvm::dbgs() << "Taint Propagated to return value.\n");
217 Out << "Taint propagated to the return value";
218 }
219 }
220 }
221 return std::string(Out.str());
222 });
223}
224
225/// ArgSet is used to describe arguments relevant for taint detection or
226/// taint application. A discrete set of argument indexes and a variadic
227/// argument list signified by a starting index are supported.
228class ArgSet {
229public:
230 ArgSet() = default;
231 ArgSet(ArgVecTy &&DiscreteArgs,
232 std::optional<ArgIdxTy> VariadicIndex = std::nullopt)
233 : DiscreteArgs(std::move(DiscreteArgs)),
234 VariadicIndex(std::move(VariadicIndex)) {}
235
236 bool contains(ArgIdxTy ArgIdx) const {
237 if (llvm::is_contained(DiscreteArgs, ArgIdx))
238 return true;
239
240 return VariadicIndex && ArgIdx >= *VariadicIndex;
241 }
242
243 bool isEmpty() const { return DiscreteArgs.empty() && !VariadicIndex; }
244
245private:
246 ArgVecTy DiscreteArgs;
247 std::optional<ArgIdxTy> VariadicIndex;
248};
249
250/// A struct used to specify taint propagation rules for a function.
251///
252/// If any of the possible taint source arguments is tainted, all of the
253/// destination arguments should also be tainted. If ReturnValueIndex is added
254/// to the dst list, the return value will be tainted.
255class GenericTaintRule {
256 /// Arguments which are taints sinks and should be checked, and a report
257 /// should be emitted if taint reaches these.
258 ArgSet SinkArgs;
259 /// Arguments which should be sanitized on function return.
260 ArgSet FilterArgs;
261 /// Arguments which can participate in taint propagation. If any of the
262 /// arguments in PropSrcArgs is tainted, all arguments in PropDstArgs should
263 /// be tainted.
264 ArgSet PropSrcArgs;
265 ArgSet PropDstArgs;
266
267 /// A message that explains why the call is sensitive to taint.
268 std::optional<StringRef> SinkMsg;
269
270 GenericTaintRule() = default;
271
272 GenericTaintRule(ArgSet &&Sink, ArgSet &&Filter, ArgSet &&Src, ArgSet &&Dst,
273 std::optional<StringRef> SinkMsg = std::nullopt)
274 : SinkArgs(std::move(Sink)), FilterArgs(std::move(Filter)),
275 PropSrcArgs(std::move(Src)), PropDstArgs(std::move(Dst)),
276 SinkMsg(SinkMsg) {}
277
278public:
279 /// Make a rule that reports a warning if taint reaches any of \p FilterArgs
280 /// arguments.
281 static GenericTaintRule Sink(ArgSet &&SinkArgs,
282 std::optional<StringRef> Msg = std::nullopt) {
283 return {std::move(SinkArgs), {}, {}, {}, Msg};
284 }
285
286 /// Make a rule that sanitizes all FilterArgs arguments.
287 static GenericTaintRule Filter(ArgSet &&FilterArgs) {
288 return {{}, std::move(FilterArgs), {}, {}};
289 }
290
291 /// Make a rule that unconditionally taints all Args.
292 /// If Func is provided, it must also return true for taint to propagate.
293 static GenericTaintRule Source(ArgSet &&SourceArgs) {
294 return {{}, {}, {}, std::move(SourceArgs)};
295 }
296
297 /// Make a rule that taints all PropDstArgs if any of PropSrcArgs is tainted.
298 static GenericTaintRule Prop(ArgSet &&SrcArgs, ArgSet &&DstArgs) {
299 return {{}, {}, std::move(SrcArgs), std::move(DstArgs)};
300 }
301
302 /// Make a rule that taints all PropDstArgs if any of PropSrcArgs is tainted.
303 static GenericTaintRule
304 SinkProp(ArgSet &&SinkArgs, ArgSet &&SrcArgs, ArgSet &&DstArgs,
305 std::optional<StringRef> Msg = std::nullopt) {
306 return {
307 std::move(SinkArgs), {}, std::move(SrcArgs), std::move(DstArgs), Msg};
308 }
309
310 /// Process a function which could either be a taint source, a taint sink, a
311 /// taint filter or a taint propagator.
312 void process(const GenericTaintChecker &Checker, const CallEvent &Call,
313 CheckerContext &C) const;
314
315 /// Handles the resolution of indexes of type ArgIdxTy to Expr*-s.
316 static const Expr *GetArgExpr(ArgIdxTy ArgIdx, const CallEvent &Call) {
317 return ArgIdx == ReturnValueIndex ? Call.getOriginExpr()
318 : Call.getArgExpr(ArgIdx);
319 };
320
321 /// Functions for custom taintedness propagation.
322 static bool UntrustedEnv(CheckerContext &C);
323};
324
325using RuleLookupTy = CallDescriptionMap<GenericTaintRule>;
326
327/// Used to parse the configuration file.
328struct TaintConfiguration {
329 using NameScopeArgs = std::tuple<std::string, std::string, ArgVecTy>;
330 enum class VariadicType { None, Src, Dst };
331
332 struct Common {
333 std::string Name;
334 std::string Scope;
335 };
336
337 struct Sink : Common {
338 ArgVecTy SinkArgs;
339 };
340
341 struct Filter : Common {
342 ArgVecTy FilterArgs;
343 };
344
345 struct Propagation : Common {
346 ArgVecTy SrcArgs;
347 ArgVecTy DstArgs;
348 VariadicType VarType;
349 ArgIdxTy VarIndex;
350 };
351
352 std::vector<Propagation> Propagations;
353 std::vector<Filter> Filters;
354 std::vector<Sink> Sinks;
355
356 TaintConfiguration() = default;
357 TaintConfiguration(const TaintConfiguration &) = default;
358 TaintConfiguration(TaintConfiguration &&) = default;
359 TaintConfiguration &operator=(const TaintConfiguration &) = default;
360 TaintConfiguration &operator=(TaintConfiguration &&) = default;
361};
362
363struct GenericTaintRuleParser {
364 GenericTaintRuleParser(CheckerManager &Mgr) : Mgr(Mgr) {}
365 /// Container type used to gather call identification objects grouped into
366 /// pairs with their corresponding taint rules. It is temporary as it is used
367 /// to finally initialize RuleLookupTy, which is considered to be immutable.
368 using RulesContTy = std::vector<std::pair<CallDescription, GenericTaintRule>>;
369 RulesContTy parseConfiguration(const std::string &Option,
370 TaintConfiguration &&Config) const;
371
372private:
373 using NamePartsTy = llvm::SmallVector<StringRef, 2>;
374
375 /// Validate part of the configuration, which contains a list of argument
376 /// indexes.
377 void validateArgVector(const std::string &Option, const ArgVecTy &Args) const;
378
379 template <typename Config> static NamePartsTy parseNameParts(const Config &C);
380
381 // Takes the config and creates a CallDescription for it and associates a Rule
382 // with that.
383 template <typename Config>
384 static void consumeRulesFromConfig(const Config &C, GenericTaintRule &&Rule,
385 RulesContTy &Rules);
386
387 void parseConfig(const std::string &Option, TaintConfiguration::Sink &&P,
388 RulesContTy &Rules) const;
389 void parseConfig(const std::string &Option, TaintConfiguration::Filter &&P,
390 RulesContTy &Rules) const;
391 void parseConfig(const std::string &Option,
392 TaintConfiguration::Propagation &&P,
393 RulesContTy &Rules) const;
394
395 CheckerManager &Mgr;
396};
397
398class GenericTaintChecker : public Checker<check::PreCall, check::PostCall> {
399public:
400 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
401 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
402
403 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
404 const char *Sep) const override;
405
406 /// Generate a report if the expression is tainted or points to tainted data.
407 bool generateReportIfTainted(const Expr *E, StringRef Msg,
408 CheckerContext &C) const;
409
410private:
411 const BugType BT{this, "Use of Untrusted Data", categories::TaintedData};
412
413 bool checkUncontrolledFormatString(const CallEvent &Call,
414 CheckerContext &C) const;
415
416 void taintUnsafeSocketProtocol(const CallEvent &Call,
417 CheckerContext &C) const;
418
419 /// Default taint rules are initalized with the help of a CheckerContext to
420 /// access the names of built-in functions like memcpy.
421 void initTaintRules(CheckerContext &C) const;
422
423 /// CallDescription currently cannot restrict matches to the global namespace
424 /// only, which is why multiple CallDescriptionMaps are used, as we want to
425 /// disambiguate global C functions from functions inside user-defined
426 /// namespaces.
427 // TODO: Remove separation to simplify matching logic once CallDescriptions
428 // are more expressive.
429
430 mutable std::optional<RuleLookupTy> StaticTaintRules;
431 mutable std::optional<RuleLookupTy> DynamicTaintRules;
432};
433} // end of anonymous namespace
434
435/// YAML serialization mapping.
436LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Sink)
437LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Filter)
438LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Propagation)
439
440namespace llvm {
441namespace yaml {
442template <> struct MappingTraits<TaintConfiguration> {
443 static void mapping(IO &IO, TaintConfiguration &Config) {
444 IO.mapOptional("Propagations", Config.Propagations);
445 IO.mapOptional("Filters", Config.Filters);
446 IO.mapOptional("Sinks", Config.Sinks);
447 }
448};
449
450template <> struct MappingTraits<TaintConfiguration::Sink> {
451 static void mapping(IO &IO, TaintConfiguration::Sink &Sink) {
452 IO.mapRequired("Name", Sink.Name);
453 IO.mapOptional("Scope", Sink.Scope);
454 IO.mapRequired("Args", Sink.SinkArgs);
455 }
456};
457
458template <> struct MappingTraits<TaintConfiguration::Filter> {
459 static void mapping(IO &IO, TaintConfiguration::Filter &Filter) {
460 IO.mapRequired("Name", Filter.Name);
461 IO.mapOptional("Scope", Filter.Scope);
462 IO.mapRequired("Args", Filter.FilterArgs);
463 }
464};
465
466template <> struct MappingTraits<TaintConfiguration::Propagation> {
467 static void mapping(IO &IO, TaintConfiguration::Propagation &Propagation) {
468 IO.mapRequired("Name", Propagation.Name);
469 IO.mapOptional("Scope", Propagation.Scope);
470 IO.mapOptional("SrcArgs", Propagation.SrcArgs);
471 IO.mapOptional("DstArgs", Propagation.DstArgs);
472 IO.mapOptional("VariadicType", Propagation.VarType);
473 IO.mapOptional("VariadicIndex", Propagation.VarIndex);
474 }
475};
476
477template <> struct ScalarEnumerationTraits<TaintConfiguration::VariadicType> {
478 static void enumeration(IO &IO, TaintConfiguration::VariadicType &Value) {
479 IO.enumCase(Value, "None", TaintConfiguration::VariadicType::None);
480 IO.enumCase(Value, "Src", TaintConfiguration::VariadicType::Src);
481 IO.enumCase(Value, "Dst", TaintConfiguration::VariadicType::Dst);
482 }
483};
484} // namespace yaml
485} // namespace llvm
486
487/// A set which is used to pass information from call pre-visit instruction
488/// to the call post-visit. The values are signed integers, which are either
489/// ReturnValueIndex, or indexes of the pointer/reference argument, which
490/// points to data, which should be tainted on return.
492 ImmutableSet<ArgIdxTy>)
493REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(ArgIdxFactory, ArgIdxTy)
494
495void GenericTaintRuleParser::validateArgVector(const std::string &Option,
496 const ArgVecTy &Args) const {
497 for (ArgIdxTy Arg : Args) {
498 if (Arg < ReturnValueIndex) {
499 Mgr.reportInvalidCheckerOptionValue(
500 Mgr.getChecker<GenericTaintChecker>(), Option,
501 "an argument number for propagation rules greater or equal to -1");
502 }
503 }
504}
505
506template <typename Config>
508GenericTaintRuleParser::parseNameParts(const Config &C) {
509 NamePartsTy NameParts;
510 if (!C.Scope.empty()) {
511 // If the Scope argument contains multiple "::" parts, those are considered
512 // namespace identifiers.
513 StringRef{C.Scope}.split(NameParts, "::", /*MaxSplit*/ -1,
514 /*KeepEmpty*/ false);
515 }
516 NameParts.emplace_back(C.Name);
517 return NameParts;
518}
519
520template <typename Config>
521void GenericTaintRuleParser::consumeRulesFromConfig(const Config &C,
522 GenericTaintRule &&Rule,
523 RulesContTy &Rules) {
524 NamePartsTy NameParts = parseNameParts(C);
525 Rules.emplace_back(CallDescription(NameParts), std::move(Rule));
526}
527
528void GenericTaintRuleParser::parseConfig(const std::string &Option,
529 TaintConfiguration::Sink &&S,
530 RulesContTy &Rules) const {
531 validateArgVector(Option, S.SinkArgs);
532 consumeRulesFromConfig(S, GenericTaintRule::Sink(std::move(S.SinkArgs)),
533 Rules);
534}
535
536void GenericTaintRuleParser::parseConfig(const std::string &Option,
537 TaintConfiguration::Filter &&S,
538 RulesContTy &Rules) const {
539 validateArgVector(Option, S.FilterArgs);
540 consumeRulesFromConfig(S, GenericTaintRule::Filter(std::move(S.FilterArgs)),
541 Rules);
542}
543
544void GenericTaintRuleParser::parseConfig(const std::string &Option,
545 TaintConfiguration::Propagation &&P,
546 RulesContTy &Rules) const {
547 validateArgVector(Option, P.SrcArgs);
548 validateArgVector(Option, P.DstArgs);
549 bool IsSrcVariadic = P.VarType == TaintConfiguration::VariadicType::Src;
550 bool IsDstVariadic = P.VarType == TaintConfiguration::VariadicType::Dst;
551 std::optional<ArgIdxTy> JustVarIndex = P.VarIndex;
552
553 ArgSet SrcDesc(std::move(P.SrcArgs),
554 IsSrcVariadic ? JustVarIndex : std::nullopt);
555 ArgSet DstDesc(std::move(P.DstArgs),
556 IsDstVariadic ? JustVarIndex : std::nullopt);
557
558 consumeRulesFromConfig(
559 P, GenericTaintRule::Prop(std::move(SrcDesc), std::move(DstDesc)), Rules);
560}
561
562GenericTaintRuleParser::RulesContTy
563GenericTaintRuleParser::parseConfiguration(const std::string &Option,
564 TaintConfiguration &&Config) const {
565
566 RulesContTy Rules;
567
568 for (auto &F : Config.Filters)
569 parseConfig(Option, std::move(F), Rules);
570
571 for (auto &S : Config.Sinks)
572 parseConfig(Option, std::move(S), Rules);
573
574 for (auto &P : Config.Propagations)
575 parseConfig(Option, std::move(P), Rules);
576
577 return Rules;
578}
579
580void GenericTaintChecker::initTaintRules(CheckerContext &C) const {
581 // Check for exact name match for functions without builtin substitutes.
582 // Use qualified name, because these are C functions without namespace.
583
584 if (StaticTaintRules || DynamicTaintRules)
585 return;
586
587 using RulesConstructionTy =
588 std::vector<std::pair<CallDescription, GenericTaintRule>>;
589 using TR = GenericTaintRule;
590
591 const Builtin::Context &BI = C.getASTContext().BuiltinInfo;
592
593 RulesConstructionTy GlobalCRules{
594 // Sources
595 {{{"fdopen"}}, TR::Source({{ReturnValueIndex}})},
596 {{{"fopen"}}, TR::Source({{ReturnValueIndex}})},
597 {{{"freopen"}}, TR::Source({{ReturnValueIndex}})},
598 {{{"getch"}}, TR::Source({{ReturnValueIndex}})},
599 {{{"getchar"}}, TR::Source({{ReturnValueIndex}})},
600 {{{"getchar_unlocked"}}, TR::Source({{ReturnValueIndex}})},
601 {{{"gets"}}, TR::Source({{0}, ReturnValueIndex})},
602 {{{"gets_s"}}, TR::Source({{0}, ReturnValueIndex})},
603 {{{"scanf"}}, TR::Source({{}, 1})},
604 {{{"scanf_s"}}, TR::Source({{}, {1}})},
605 {{{"wgetch"}}, TR::Source({{}, ReturnValueIndex})},
606 // Sometimes the line between taint sources and propagators is blurry.
607 // _IO_getc is choosen to be a source, but could also be a propagator.
608 // This way it is simpler, as modeling it as a propagator would require
609 // to model the possible sources of _IO_FILE * values, which the _IO_getc
610 // function takes as parameters.
611 {{{"_IO_getc"}}, TR::Source({{ReturnValueIndex}})},
612 {{{"getcwd"}}, TR::Source({{0, ReturnValueIndex}})},
613 {{{"getwd"}}, TR::Source({{0, ReturnValueIndex}})},
614 {{{"readlink"}}, TR::Source({{1, ReturnValueIndex}})},
615 {{{"readlinkat"}}, TR::Source({{2, ReturnValueIndex}})},
616 {{{"get_current_dir_name"}}, TR::Source({{ReturnValueIndex}})},
617 {{{"gethostname"}}, TR::Source({{0}})},
618 {{{"getnameinfo"}}, TR::Source({{2, 4}})},
619 {{{"getseuserbyname"}}, TR::Source({{1, 2}})},
620 {{{"getgroups"}}, TR::Source({{1, ReturnValueIndex}})},
621 {{{"getlogin"}}, TR::Source({{ReturnValueIndex}})},
622 {{{"getlogin_r"}}, TR::Source({{0}})},
623
624 // Props
625 {{{"atoi"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
626 {{{"atol"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
627 {{{"atoll"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
628 {{{"fgetc"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
629 {{{"fgetln"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
630 {{{"fgets"}}, TR::Prop({{2}}, {{0, ReturnValueIndex}})},
631 {{{"fscanf"}}, TR::Prop({{0}}, {{}, 2})},
632 {{{"fscanf_s"}}, TR::Prop({{0}}, {{}, {2}})},
633 {{{"sscanf"}}, TR::Prop({{0}}, {{}, 2})},
634
635 {{{"getc"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
636 {{{"getc_unlocked"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
637 {{{"getdelim"}}, TR::Prop({{3}}, {{0}})},
638 {{{"getline"}}, TR::Prop({{2}}, {{0}})},
639 {{{"getw"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
640 {{{"pread"}}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})},
641 {{{"read"}}, TR::Prop({{0, 2}}, {{1, ReturnValueIndex}})},
642 {{{"strchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
643 {{{"strrchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
644 {{{"tolower"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
645 {{{"toupper"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
646 {{{"fread"}}, TR::Prop({{3}}, {{0, ReturnValueIndex}})},
647 {{{"recv"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
648 {{{"recvfrom"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
649
650 {{{"ttyname"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
651 {{{"ttyname_r"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
652
653 {{{"basename"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
654 {{{"dirname"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
655 {{{"fnmatch"}}, TR::Prop({{1}}, {{ReturnValueIndex}})},
656 {{{"memchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
657 {{{"memrchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
658 {{{"rawmemchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
659
660 {{{"mbtowc"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
661 {{{"wctomb"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
662 {{{"wcwidth"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
663
664 {{{"memcmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
665 {{{"memcpy"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
666 {{{"memmove"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
667 // If memmem was called with a tainted needle and the search was
668 // successful, that would mean that the value pointed by the return value
669 // has the same content as the needle. If we choose to go by the policy of
670 // content equivalence implies taintedness equivalence, that would mean
671 // haystack should be considered a propagation source argument.
672 {{{"memmem"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
673
674 // The comment for memmem above also applies to strstr.
675 {{{"strstr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
676 {{{"strcasestr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
677
678 {{{"strchrnul"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
679
680 {{{"index"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
681 {{{"rindex"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
682
683 // FIXME: In case of arrays, only the first element of the array gets
684 // tainted.
685 {{{"qsort"}}, TR::Prop({{0}}, {{0}})},
686 {{{"qsort_r"}}, TR::Prop({{0}}, {{0}})},
687
688 {{{"strcmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
689 {{{"strcasecmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
690 {{{"strncmp"}}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
691 {{{"strncasecmp"}}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
692 {{{"strspn"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
693 {{{"strcspn"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
694 {{{"strpbrk"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
695 {{{"strndup"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
696 {{{"strndupa"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
697 {{{"strlen"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
698 {{{"strnlen"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
699 {{{"strtol"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
700 {{{"strtoll"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
701 {{{"strtoul"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
702 {{{"strtoull"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
703
704 {{{"isalnum"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
705 {{{"isalpha"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
706 {{{"isascii"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
707 {{{"isblank"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
708 {{{"iscntrl"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
709 {{{"isdigit"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
710 {{{"isgraph"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
711 {{{"islower"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
712 {{{"isprint"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
713 {{{"ispunct"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
714 {{{"isspace"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
715 {{{"isupper"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
716 {{{"isxdigit"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
717
718 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncat)}},
719 TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})},
720 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcpy)}},
721 TR::Prop({{1, 2}}, {{0}})},
722 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcat)}},
723 TR::Prop({{1, 2}}, {{0}})},
724 {{CDF_MaybeBuiltin, {{"snprintf"}}},
725 TR::Prop({{1}, 3}, {{0, ReturnValueIndex}})},
726 {{CDF_MaybeBuiltin, {{"sprintf"}}},
727 TR::Prop({{1}, 2}, {{0, ReturnValueIndex}})},
728 {{CDF_MaybeBuiltin, {{"strcpy"}}},
729 TR::Prop({{1}}, {{0, ReturnValueIndex}})},
730 {{CDF_MaybeBuiltin, {{"stpcpy"}}},
731 TR::Prop({{1}}, {{0, ReturnValueIndex}})},
732 {{CDF_MaybeBuiltin, {{"strcat"}}},
733 TR::Prop({{1}}, {{0, ReturnValueIndex}})},
734 {{CDF_MaybeBuiltin, {{"strdup"}}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
735 {{CDF_MaybeBuiltin, {{"strdupa"}}},
736 TR::Prop({{0}}, {{ReturnValueIndex}})},
737 {{CDF_MaybeBuiltin, {{"wcsdup"}}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
738
739 // Sinks
740 {{{"system"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
741 {{{"popen"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
742 {{{"execl"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
743 {{{"execle"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
744 {{{"execlp"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
745 {{{"execvp"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
746 {{{"execvP"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
747 {{{"execve"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
748 {{{"dlopen"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
749 {{CDF_MaybeBuiltin, {{"malloc"}}}, TR::Sink({{0}}, MsgTaintedBufferSize)},
750 {{CDF_MaybeBuiltin, {{"calloc"}}}, TR::Sink({{0}}, MsgTaintedBufferSize)},
751 {{CDF_MaybeBuiltin, {{"alloca"}}}, TR::Sink({{0}}, MsgTaintedBufferSize)},
752 {{CDF_MaybeBuiltin, {{"memccpy"}}},
753 TR::Sink({{3}}, MsgTaintedBufferSize)},
754 {{CDF_MaybeBuiltin, {{"realloc"}}},
755 TR::Sink({{1}}, MsgTaintedBufferSize)},
756 {{{{"setproctitle"}}}, TR::Sink({{0}, 1}, MsgUncontrolledFormatString)},
757 {{{{"setproctitle_fast"}}},
758 TR::Sink({{0}, 1}, MsgUncontrolledFormatString)},
759
760 // SinkProps
761 {{CDF_MaybeBuiltin, BI.getName(Builtin::BImemcpy)},
762 TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}},
763 MsgTaintedBufferSize)},
764 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BImemmove)}},
765 TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}},
766 MsgTaintedBufferSize)},
767 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncpy)}},
768 TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}},
769 MsgTaintedBufferSize)},
770 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrndup)}},
771 TR::SinkProp({{1}}, {{0, 1}}, {{ReturnValueIndex}},
772 MsgTaintedBufferSize)},
773 {{CDF_MaybeBuiltin, {{"bcopy"}}},
774 TR::SinkProp({{2}}, {{0, 2}}, {{1}}, MsgTaintedBufferSize)}};
775
776 // `getenv` returns taint only in untrusted environments.
777 if (TR::UntrustedEnv(C)) {
778 // void setproctitle_init(int argc, char *argv[], char *envp[])
779 GlobalCRules.push_back(
780 {{{"setproctitle_init"}}, TR::Sink({{1, 2}}, MsgCustomSink)});
781 GlobalCRules.push_back({{{"getenv"}}, TR::Source({{ReturnValueIndex}})});
782 }
783
784 StaticTaintRules.emplace(std::make_move_iterator(GlobalCRules.begin()),
785 std::make_move_iterator(GlobalCRules.end()));
786
787 // User-provided taint configuration.
788 CheckerManager *Mgr = C.getAnalysisManager().getCheckerManager();
789 assert(Mgr);
790 GenericTaintRuleParser ConfigParser{*Mgr};
791 std::string Option{"Config"};
792 StringRef ConfigFile =
793 Mgr->getAnalyzerOptions().getCheckerStringOption(this, Option);
794 std::optional<TaintConfiguration> Config =
795 getConfiguration<TaintConfiguration>(*Mgr, this, Option, ConfigFile);
796 if (!Config) {
797 // We don't have external taint config, no parsing required.
798 DynamicTaintRules = RuleLookupTy{};
799 return;
800 }
801
802 GenericTaintRuleParser::RulesContTy Rules{
803 ConfigParser.parseConfiguration(Option, std::move(*Config))};
804
805 DynamicTaintRules.emplace(std::make_move_iterator(Rules.begin()),
806 std::make_move_iterator(Rules.end()));
807}
808
809void GenericTaintChecker::checkPreCall(const CallEvent &Call,
810 CheckerContext &C) const {
811 initTaintRules(C);
812
813 // FIXME: this should be much simpler.
814 if (const auto *Rule =
815 Call.isGlobalCFunction() ? StaticTaintRules->lookup(Call) : nullptr)
816 Rule->process(*this, Call, C);
817 else if (const auto *Rule = DynamicTaintRules->lookup(Call))
818 Rule->process(*this, Call, C);
819
820 // FIXME: These edge cases are to be eliminated from here eventually.
821 //
822 // Additional check that is not supported by CallDescription.
823 // TODO: Make CallDescription be able to match attributes such as printf-like
824 // arguments.
825 checkUncontrolledFormatString(Call, C);
826
827 // TODO: Modeling sockets should be done in a specific checker.
828 // Socket is a source, which taints the return value.
829 taintUnsafeSocketProtocol(Call, C);
830}
831
832void GenericTaintChecker::checkPostCall(const CallEvent &Call,
833 CheckerContext &C) const {
834 // Set the marked values as tainted. The return value only accessible from
835 // checkPostStmt.
836 ProgramStateRef State = C.getState();
837 const StackFrameContext *CurrentFrame = C.getStackFrame();
838
839 // Depending on what was tainted at pre-visit, we determined a set of
840 // arguments which should be tainted after the function returns. These are
841 // stored in the state as TaintArgsOnPostVisit set.
842 TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>();
843
844 const ImmutableSet<ArgIdxTy> *TaintArgs = TaintArgsMap.lookup(CurrentFrame);
845 if (!TaintArgs)
846 return;
847 assert(!TaintArgs->isEmpty());
848
849 LLVM_DEBUG(for (ArgIdxTy I
850 : *TaintArgs) {
851 llvm::dbgs() << "PostCall<";
852 Call.dump(llvm::dbgs());
853 llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n';
854 });
855
856 const NoteTag *InjectionTag = nullptr;
857 std::vector<SymbolRef> TaintedSymbols;
858 std::vector<ArgIdxTy> TaintedIndexes;
859 for (ArgIdxTy ArgNum : *TaintArgs) {
860 // Special handling for the tainted return value.
861 if (ArgNum == ReturnValueIndex) {
862 State = addTaint(State, Call.getReturnValue());
863 std::vector<SymbolRef> TaintedSyms =
864 getTaintedSymbols(State, Call.getReturnValue());
865 if (!TaintedSyms.empty()) {
866 TaintedSymbols.push_back(TaintedSyms[0]);
867 TaintedIndexes.push_back(ArgNum);
868 }
869 continue;
870 }
871 // The arguments are pointer arguments. The data they are pointing at is
872 // tainted after the call.
873 if (auto V = getPointeeOf(State, Call.getArgSVal(ArgNum))) {
874 State = addTaint(State, *V);
875 std::vector<SymbolRef> TaintedSyms = getTaintedSymbols(State, *V);
876 if (!TaintedSyms.empty()) {
877 TaintedSymbols.push_back(TaintedSyms[0]);
878 TaintedIndexes.push_back(ArgNum);
879 }
880 }
881 }
882 // Create a NoteTag callback, which prints to the user where the taintedness
883 // was propagated to.
884 InjectionTag = taintPropagationExplainerTag(C, TaintedSymbols, TaintedIndexes,
885 Call.getCalleeStackFrame(0));
886 // Clear up the taint info from the state.
887 State = State->remove<TaintArgsOnPostVisit>(CurrentFrame);
888 C.addTransition(State, InjectionTag);
889}
890
891void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
892 const char *NL, const char *Sep) const {
893 printTaint(State, Out, NL, Sep);
894}
895
896void GenericTaintRule::process(const GenericTaintChecker &Checker,
897 const CallEvent &Call, CheckerContext &C) const {
898 ProgramStateRef State = C.getState();
899 const ArgIdxTy CallNumArgs = fromArgumentCount(Call.getNumArgs());
900
901 /// Iterate every call argument, and get their corresponding Expr and SVal.
902 const auto ForEachCallArg = [&C, &Call, CallNumArgs](auto &&Fun) {
903 for (ArgIdxTy I = ReturnValueIndex; I < CallNumArgs; ++I) {
904 const Expr *E = GetArgExpr(I, Call);
905 Fun(I, E, C.getSVal(E));
906 }
907 };
908
909 /// Check for taint sinks.
910 ForEachCallArg([this, &Checker, &C, &State](ArgIdxTy I, const Expr *E, SVal) {
911 // Add taintedness to stdin parameters
912 if (isStdin(C.getSVal(E), C.getASTContext())) {
913 State = addTaint(State, C.getSVal(E));
914 }
915 if (SinkArgs.contains(I) && isTaintedOrPointsToTainted(State, C.getSVal(E)))
916 Checker.generateReportIfTainted(E, SinkMsg.value_or(MsgCustomSink), C);
917 });
918
919 /// Check for taint filters.
920 ForEachCallArg([this, &State](ArgIdxTy I, const Expr *E, SVal S) {
921 if (FilterArgs.contains(I)) {
922 State = removeTaint(State, S);
923 if (auto P = getPointeeOf(State, S))
924 State = removeTaint(State, *P);
925 }
926 });
927
928 /// Check for taint propagation sources.
929 /// A rule is relevant if PropSrcArgs is empty, or if any of its signified
930 /// args are tainted in context of the current CallEvent.
931 bool IsMatching = PropSrcArgs.isEmpty();
932 std::vector<SymbolRef> TaintedSymbols;
933 std::vector<ArgIdxTy> TaintedIndexes;
934 ForEachCallArg([this, &C, &IsMatching, &State, &TaintedSymbols,
935 &TaintedIndexes](ArgIdxTy I, const Expr *E, SVal) {
936 std::optional<SVal> TaintedSVal =
937 getTaintedPointeeOrPointer(State, C.getSVal(E));
938 IsMatching =
939 IsMatching || (PropSrcArgs.contains(I) && TaintedSVal.has_value());
940
941 // We track back tainted arguments except for stdin
942 if (TaintedSVal && !isStdin(*TaintedSVal, C.getASTContext())) {
943 std::vector<SymbolRef> TaintedArgSyms =
944 getTaintedSymbols(State, *TaintedSVal);
945 if (!TaintedArgSyms.empty()) {
946 llvm::append_range(TaintedSymbols, TaintedArgSyms);
947 TaintedIndexes.push_back(I);
948 }
949 }
950 });
951
952 if (!IsMatching)
953 return;
954
955 const auto WouldEscape = [](SVal V, QualType Ty) -> bool {
956 if (!isa<Loc>(V))
957 return false;
958
959 const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified();
960 const bool IsNonConstPtr =
961 Ty->isPointerType() && !Ty->getPointeeType().isConstQualified();
962
963 return IsNonConstRef || IsNonConstPtr;
964 };
965
966 /// Propagate taint where it is necessary.
967 auto &F = State->getStateManager().get_context<ArgIdxFactory>();
968 ImmutableSet<ArgIdxTy> Result = F.getEmptySet();
969 ForEachCallArg(
970 [&](ArgIdxTy I, const Expr *E, SVal V) {
971 if (PropDstArgs.contains(I)) {
972 LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
973 llvm::dbgs()
974 << "> prepares tainting arg index: " << I << '\n';);
975 Result = F.add(Result, I);
976 }
977
978 // TODO: We should traverse all reachable memory regions via the
979 // escaping parameter. Instead of doing that we simply mark only the
980 // referred memory region as tainted.
981 if (WouldEscape(V, E->getType())) {
982 LLVM_DEBUG(if (!Result.contains(I)) {
983 llvm::dbgs() << "PreCall<";
984 Call.dump(llvm::dbgs());
985 llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
986 });
987 Result = F.add(Result, I);
988 }
989 });
990
991 if (!Result.isEmpty())
992 State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
993 const NoteTag *InjectionTag = taintOriginTrackerTag(
994 C, std::move(TaintedSymbols), std::move(TaintedIndexes),
995 Call.getCalleeStackFrame(0));
996 C.addTransition(State, InjectionTag);
997}
998
999bool GenericTaintRule::UntrustedEnv(CheckerContext &C) {
1000 return !C.getAnalysisManager()
1001 .getAnalyzerOptions()
1002 .ShouldAssumeControlledEnvironment;
1003}
1004
1005bool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg,
1006 CheckerContext &C) const {
1007 assert(E);
1008 std::optional<SVal> TaintedSVal =
1009 getTaintedPointeeOrPointer(C.getState(), C.getSVal(E));
1010
1011 if (!TaintedSVal)
1012 return false;
1013
1014 // Generate diagnostic.
1015 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
1016 auto report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
1017 report->addRange(E->getSourceRange());
1018 for (auto TaintedSym : getTaintedSymbols(C.getState(), *TaintedSVal)) {
1019 report->markInteresting(TaintedSym);
1020 }
1021
1022 C.emitReport(std::move(report));
1023 return true;
1024 }
1025 return false;
1026}
1027
1028/// TODO: remove checking for printf format attributes and socket whitelisting
1029/// from GenericTaintChecker, and that means the following functions:
1030/// getPrintfFormatArgumentNum,
1031/// GenericTaintChecker::checkUncontrolledFormatString,
1032/// GenericTaintChecker::taintUnsafeSocketProtocol
1033
1035 const CheckerContext &C,
1036 ArgIdxTy &ArgNum) {
1037 // Find if the function contains a format string argument.
1038 // Handles: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf,
1039 // vsnprintf, syslog, custom annotated functions.
1040 const Decl *CallDecl = Call.getDecl();
1041 if (!CallDecl)
1042 return false;
1043 const FunctionDecl *FDecl = CallDecl->getAsFunction();
1044 if (!FDecl)
1045 return false;
1046
1047 const ArgIdxTy CallNumArgs = fromArgumentCount(Call.getNumArgs());
1048
1049 for (const auto *Format : FDecl->specific_attrs<FormatAttr>()) {
1050 ArgNum = Format->getFormatIdx() - 1;
1051 if ((Format->getType()->getName() == "printf") && CallNumArgs > ArgNum)
1052 return true;
1053 }
1054
1055 return false;
1056}
1057
1058bool GenericTaintChecker::checkUncontrolledFormatString(
1059 const CallEvent &Call, CheckerContext &C) const {
1060 // Check if the function contains a format string argument.
1061 ArgIdxTy ArgNum = 0;
1062 if (!getPrintfFormatArgumentNum(Call, C, ArgNum))
1063 return false;
1064
1065 // If either the format string content or the pointer itself are tainted,
1066 // warn.
1067 return generateReportIfTainted(Call.getArgExpr(ArgNum),
1068 MsgUncontrolledFormatString, C);
1069}
1070
1071void GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call,
1072 CheckerContext &C) const {
1073 if (Call.getNumArgs() < 1)
1074 return;
1075 const IdentifierInfo *ID = Call.getCalleeIdentifier();
1076 if (!ID)
1077 return;
1078 if (!ID->getName().equals("socket"))
1079 return;
1080
1081 SourceLocation DomLoc = Call.getArgExpr(0)->getExprLoc();
1082 StringRef DomName = C.getMacroNameOrSpelling(DomLoc);
1083 // Allow internal communication protocols.
1084 bool SafeProtocol = DomName.equals("AF_SYSTEM") ||
1085 DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") ||
1086 DomName.equals("AF_RESERVED_36");
1087 if (SafeProtocol)
1088 return;
1089
1090 ProgramStateRef State = C.getState();
1091 auto &F = State->getStateManager().get_context<ArgIdxFactory>();
1092 ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex);
1093 State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
1094 C.addTransition(State);
1095}
1096
1097/// Checker registration
1098void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
1099 Mgr.registerChecker<GenericTaintChecker>();
1100}
1101
1102bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {
1103 return true;
1104}
#define V(N, I)
Definition: ASTContext.h:3230
StringRef P
Defines enum values for all the target-independent builtin functions.
static bool getPrintfFormatArgumentNum(const CallEvent &Call, const CheckerContext &C, ArgIdxTy &ArgNum)
TODO: remove checking for printf format attributes and socket whitelisting from GenericTaintChecker,...
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
#define REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set type Name and registers the factory for such sets in the program state,...
static bool contains(const std::set< tok::TokenKind > &Terminators, const Token &Tok)
Definition: SourceCode.cpp:152
__device__ int
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
QualType getFILEType() const
Retrieve the C FILE type.
Definition: ASTContext.h:1922
StringRef getCheckerStringOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Query an option's string value.
Holds information about both target-independent and target-specific builtins, allowing easy queries b...
Definition: Builtins.h:85
llvm::StringRef getName(unsigned ID) const
Return the identifier name for the specified builtin, e.g.
Definition: Builtins.h:103
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:83
static void add(Kind k)
Definition: DeclBase.cpp:203
FunctionDecl * getAsFunction() LLVM_READONLY
Returns the function itself, or the templated function if this is a function template.
Definition: DeclBase.cpp:228
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:542
This represents one expression.
Definition: Expr.h:110
QualType getType() const
Definition: Expr.h:142
Represents a function declaration or definition.
Definition: Decl.h:1917
One of these records is kept for each identifier that is lexed.
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
A (possibly-)qualified type.
Definition: Type.h:736
QualType getCanonicalType() const
Definition: Type.h:6716
Scope - A scope is a transient data structure that is used while parsing the program.
Definition: Scope.h:41
Encodes a location in the source.
It represents a stack frame of the call stack (based on CallEvent).
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325
bool isVoidType() const
Definition: Type.h:7224
bool isPointerType() const
Definition: Type.h:6916
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:631
const BugType & getBugType() const
Definition: BugReporter.h:149
StringRef getCategory() const
Definition: BugType.h:49
An immutable map from CallDescriptions to arbitrary data.
This class represents a description of a function call using the number of arguments and the name of ...
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
virtual void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const
See CheckerManager::runCheckersForPrintState.
Definition: Checker.h:501
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
The tag upon which the TagVisitor reacts.
Definition: BugReporter.h:763
void markInteresting(SymbolRef sym, bugreporter::TrackingKind TKind=bugreporter::TrackingKind::Thorough)
Marks a symbol as interesting.
bool isInteresting(SymbolRef sym) const
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:103
QualType getType(const ASTContext &) const
Try to get a reasonable type for the given value.
Definition: SVals.cpp:184
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Create a new state in which the value of the statement is marked as tainted.
Definition: Taint.cpp:45
std::vector< SymbolRef > getTaintedSymbols(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Returns the tainted Symbols for a given Statement and state.
Definition: Taint.cpp:169
bool isTainted(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Check if the statement has a tainted value in the given state.
Definition: Taint.cpp:147
void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl="\n", const char *sep="")
@ CDF_MaybeBuiltin
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
bool Call(InterpState &S, CodePtr OpPC, const Function *Func)
Definition: Interp.h:1585
for(unsigned I=0, E=TL.getNumArgs();I !=E;++I)
@ C
Languages that the frontend can parse and compile.
if(T->getSizeExpr()) TRY_TO(TraverseStmt(T -> getSizeExpr()))
@ None
The alignment was not explicit in code.
YAML serialization mapping.
Definition: Dominators.h:30
static void mapping(IO &IO, TaintConfiguration &Config)
static void mapping(IO &IO, TaintConfiguration::Filter &Filter)
static void mapping(IO &IO, TaintConfiguration::Propagation &Propagation)
static void mapping(IO &IO, TaintConfiguration::Sink &Sink)
static void enumeration(IO &IO, TaintConfiguration::VariadicType &Value)