//== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // // This checker defines the attack surface for generic taint propagation. // // The taint information produced by it might be useful to other checkers. For // example, checkers should report errors which involve tainted data more // aggressively, even if the involved symbols are under constrained. // //===----------------------------------------------------------------------===// #include "Yaml.h" #include "clang/AST/Attr.h" #include "clang/Basic/Builtins.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/Taint.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringRef.h" #include "llvm/Support/YAMLTraits.h" #include <limits> #include <memory> #include <optional> #include <utility> #include <vector> #define DEBUG_TYPE … usingnamespaceclang; usingnamespaceento; usingnamespacetaint; ImmutableSet; namespace { class GenericTaintChecker; /// Check for CWE-134: Uncontrolled Format String. constexpr llvm::StringLiteral MsgUncontrolledFormatString = …; /// Check for: /// CERT/STR02-C. "Sanitize data passed to complex subsystems" /// CWE-78, "Failure to Sanitize Data into an OS Command" constexpr llvm::StringLiteral MsgSanitizeSystemArgs = …; /// Check if tainted data is used as a custom sink's parameter. constexpr llvm::StringLiteral MsgCustomSink = …; ArgIdxTy; ArgVecTy; /// Denotes the return value. constexpr ArgIdxTy ReturnValueIndex{ … }; static ArgIdxTy fromArgumentCount(unsigned Count) { … } /// Check if the region the expression evaluates to is the standard input, /// and thus, is tainted. /// FIXME: Move this to Taint.cpp. bool isStdin(SVal Val, const ASTContext &ACtx) { … } SVal getPointeeOf(ProgramStateRef State, Loc LValue) { … } /// Given a pointer/reference argument, return the value it refers to. std::optional<SVal> getPointeeOf(ProgramStateRef State, SVal Arg) { … } /// Given a pointer, return the SVal of its pointee or if it is tainted, /// otherwise return the pointer's SVal if tainted. /// Also considers stdin as a taint source. std::optional<SVal> getTaintedPointeeOrPointer(ProgramStateRef State, SVal Arg) { … } bool isTaintedOrPointsToTainted(ProgramStateRef State, SVal ExprSVal) { … } /// Helps in printing taint diagnostics. /// Marks the incoming parameters of a function interesting (to be printed) /// when the return value, or the outgoing parameters are tainted. const NoteTag *taintOriginTrackerTag(CheckerContext &C, std::vector<SymbolRef> TaintedSymbols, std::vector<ArgIdxTy> TaintedArgs, const LocationContext *CallLocation) { … } /// Helps in printing taint diagnostics. /// Marks the function interesting (to be printed) /// when the return value, or the outgoing parameters are tainted. const NoteTag *taintPropagationExplainerTag( CheckerContext &C, std::vector<SymbolRef> TaintedSymbols, std::vector<ArgIdxTy> TaintedArgs, const LocationContext *CallLocation) { … } /// ArgSet is used to describe arguments relevant for taint detection or /// taint application. A discrete set of argument indexes and a variadic /// argument list signified by a starting index are supported. class ArgSet { … }; /// A struct used to specify taint propagation rules for a function. /// /// If any of the possible taint source arguments is tainted, all of the /// destination arguments should also be tainted. If ReturnValueIndex is added /// to the dst list, the return value will be tainted. class GenericTaintRule { … }; RuleLookupTy; /// Used to parse the configuration file. struct TaintConfiguration { … }; struct GenericTaintRuleParser { … }; class GenericTaintChecker : public Checker<check::PreCall, check::PostCall> { … }; } // end of anonymous namespace /// YAML serialization mapping. LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Sink) LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Filter) LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Propagation) namespace llvm { namespace yaml { template <> struct MappingTraits<TaintConfiguration> { … }; template <> struct MappingTraits<TaintConfiguration::Sink> { … }; template <> struct MappingTraits<TaintConfiguration::Filter> { … }; template <> struct MappingTraits<TaintConfiguration::Propagation> { … }; template <> struct ScalarEnumerationTraits<TaintConfiguration::VariadicType> { … }; } // namespace yaml } // namespace llvm /// A set which is used to pass information from call pre-visit instruction /// to the call post-visit. The values are signed integers, which are either /// ReturnValueIndex, or indexes of the pointer/reference argument, which /// points to data, which should be tainted on return. REGISTER_MAP_WITH_PROGRAMSTATE(…) … REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(…) void GenericTaintRuleParser::validateArgVector(const std::string &Option, const ArgVecTy &Args) const { … } template <typename Config> GenericTaintRuleParser::NamePartsTy GenericTaintRuleParser::parseNameParts(const Config &C) { … } template <typename Config> void GenericTaintRuleParser::consumeRulesFromConfig(const Config &C, GenericTaintRule &&Rule, RulesContTy &Rules) { … } void GenericTaintRuleParser::parseConfig(const std::string &Option, TaintConfiguration::Sink &&S, RulesContTy &Rules) const { … } void GenericTaintRuleParser::parseConfig(const std::string &Option, TaintConfiguration::Filter &&S, RulesContTy &Rules) const { … } void GenericTaintRuleParser::parseConfig(const std::string &Option, TaintConfiguration::Propagation &&P, RulesContTy &Rules) const { … } GenericTaintRuleParser::RulesContTy GenericTaintRuleParser::parseConfiguration(const std::string &Option, TaintConfiguration &&Config) const { … } void GenericTaintChecker::initTaintRules(CheckerContext &C) const { … } void GenericTaintChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { … } void GenericTaintChecker::checkPostCall(const CallEvent &Call, CheckerContext &C) const { … } void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const { … } void GenericTaintRule::process(const GenericTaintChecker &Checker, const CallEvent &Call, CheckerContext &C) const { … } bool GenericTaintRule::UntrustedEnv(CheckerContext &C) { … } bool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg, CheckerContext &C) const { … } /// TODO: remove checking for printf format attributes and socket whitelisting /// from GenericTaintChecker, and that means the following functions: /// getPrintfFormatArgumentNum, /// GenericTaintChecker::checkUncontrolledFormatString, /// GenericTaintChecker::taintUnsafeSocketProtocol static bool getPrintfFormatArgumentNum(const CallEvent &Call, const CheckerContext &C, ArgIdxTy &ArgNum) { … } bool GenericTaintChecker::checkUncontrolledFormatString( const CallEvent &Call, CheckerContext &C) const { … } void GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call, CheckerContext &C) const { … } /// Checker registration void ento::registerTaintPropagationChecker(CheckerManager &Mgr) { … } bool ento::shouldRegisterTaintPropagationChecker(const CheckerManager &mgr) { … } void ento::registerGenericTaintChecker(CheckerManager &Mgr) { … } bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) { … }
Codebase Browser
llvm