From: Anna Zaks
Date: Thu, 8 Dec 2011 22:38:43 +0000 (+0000)
Subject: [analyzer] If memory region is tainted mark data as tainted.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5fc7def35ee858791e591d005b4ae343632ca931;p=clang

[analyzer] If memory region is tainted mark data as tainted.
+ random comments

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@146199 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h b/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
index 0c8196e1ab..0d311b8183 100644
--- a/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
+++ b/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
@@ -120,7 +120,7 @@ public:
 }
 };
 
-/// A symbol representing the value of a MemRegion.
+///\brief A symbol representing the value stored at a MemRegion.
 class SymbolRegionValue : public SymbolData {
 const TypedValueRegion *R;
 
diff --git a/lib/StaticAnalyzer/Core/ProgramState.cpp b/lib/StaticAnalyzer/Core/ProgramState.cpp
index 4ea2f4c9f2..807def26ff 100644
--- a/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -709,6 +709,11 @@ bool ProgramState::isTainted(const SymExpr* Sym, TaintTagType Kind) const {
 // If this is a SymbolDerived with a tainted parent, it's also tainted.
 if (const SymbolDerived *SD = dyn_cast(*SI))
 Tainted = Tainted || isTainted(SD->getParentSymbol(), Kind);
+
+ // If memory region is tainted, data is also tainted.
+ if (const SymbolRegionValue *SRV = dyn_cast(*SI))
+ Tainted = Tainted || isTainted(SRV->getRegion(), Kind);
+
 if (Tainted)
 return true;
 }
diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index da07d8ad0f..89d9dc0242 100644
--- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
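Review bot: The new SymbolRegionValue branch makes isTainted(const SymExpr*) call isTainted(SRV->getRegion(), Kind), and the region overload (not in this hunk) presumably reaches back into the symbol overload for symbolic base regions, so the two are now mutually recursive with no guard visible here; a one-line comment stating why this terminates (the super-region chain is finite and the base region's symbol is, presumably, never SRV itself) would spare the next reader from re-deriving it. The added comment could also say what the symbol kind means: `// A SymbolRegionValue is the value loaded from a region; if that region is tainted, the loaded value is tainted too.` Only SymbolRegionValue is covered; other region-carrying symbols such as SymbolExtent and SymbolMetadata keep their previous behaviour, which may be intended but is worth stating in the comment. The enclosing isTainted and its symbol loop begin before this hunk.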
@@ -97,10 +97,12 @@ SVal SimpleSValBuilder::evalCastFromNonLoc(NonLoc val, QualType castTy) {
 return UnknownVal();
 }
 
+ // If value is a non integer constant, produce unknown.
 if (!isa(val))
 return UnknownVal();
 
- // Only handle casts from integers to integers.
+ // Only handle casts from integers to integers - if val is an integer constant
+ // being cast to a non integer type, produce unknown.
 if (!isLocType && !castTy->isIntegerType())
 return UnknownVal();
 
diff --git a/test/Analysis/taint-tester.c b/test/Analysis/taint-tester.c
index 23b5744f8c..f1dd5d0f03 100644
--- a/test/Analysis/taint-tester.c
+++ b/test/Analysis/taint-tester.c
@@ -8,7 +8,8 @@ int Buffer[BUFSIZE];
 
 struct XYStruct {
 int x;
- float y;
+ int y;
+ char z;
 };
 
 void taintTracking(int x) {
@@ -26,9 +27,31 @@ void taintTracking(int x) {
 // Tainted ptr arithmetic/array element address.
 int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
 
+ // Dereference.
+ int *ptr;
+ scanf("%p", &ptr);
+ int ptrDeref = *ptr; // expected-warning 2 {{tainted}}
+ int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}
+
+ // Pointer arithmetic + dereferencing.
+ // FIXME: We fail to propagate the taint here because RegionStore does not
+ // handle ElementRegions with symbolic indexes.
+ int addrDeref = *addr; // expected-warning {{tainted}}
+ int _addrDeref = addrDeref;
+
 // Tainted struct address, casts.
 struct XYStruct *xyPtr = 0;
 scanf("%p", &xyPtr);
 void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
 struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
+ int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}
+ int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}
+
+ // Taint on fields of a struct.
+ struct XYStruct xy = {2, 3, 11};
+ scanf("%f", &xy.y);
+ scanf("%f", &xy.x);
+ int tx = xy.x; // expected-warning {{tainted}}
+ int ty = xy.y; // FIXME: This should be tainted as well.
+ char ntz = xy.z;// no warning
 }
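Review bot: The new comment `// If value is a non integer constant, produce unknown.` describes the guard under it too narrowly: the `isa` test (its template argument is lost in this rendering, but the next comment implies a concrete-integer check) rejects every value that fails the cast, including symbolic values, not only constants of another type, and "non integer constant" also reads as "a constant that is not an integer". Suggest `// Anything that is not a concrete integer constant (e.g. a symbolic value) is not handled here; produce unknown.` In the rewritten comment two lines below, `non integer` should be hyphenated as `non-integer`. evalCastFromNonLoc starts before this hunk and continues after it.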
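Review bot: `scanf("%f", &xy.y);` and `scanf("%f", &xy.x);` pass int members to a %f conversion; the file is only analyzed, never run, but the mismatch is undefined behaviour in a real program and a format-aware checker could, in principle, model these calls differently from a matching conversion, so `scanf("%d", &xy.y);` / `scanf("%d", &xy.x);` would exercise the intended field-taint propagation without that confound. The `;//` spacing on the `ptrtx`, `ptrty` and `ntz` lines differs from the ` // ` used elsewhere in the hunk. taintTracking starts before this hunk.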