[clang] [analyzer] Split TaintPropagation checker into reporting and modeling checkers (PR #98157)

2024-07-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp closed https://github.com/llvm/llvm-project/pull/98157 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [analyzer] Split TaintPropagation checker into reporting and modeling checkers (PR #98157)

2024-07-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/98157 >From 75675417c324a2d1df5e42a8549f6d4bcb779ab4 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 5 Jul 2024 14:02:00 +0200 Subject: [PATCH 1/5] [analyzer] Splitting TaintPropagation checker into reporting

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-10 Thread Daniel Krupp via cfe-commits
dkrupp wrote: Thanks for the review. I updated the patch with your suggestions. - std::unique_pointer changed to std::optional - I fixed documentation-related grammatical and reference errors. https://github.com/llvm/llvm-project/pull/98157

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/98157 >From 75675417c324a2d1df5e42a8549f6d4bcb779ab4 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 5 Jul 2024 14:02:00 +0200 Subject: [PATCH 1/4] [analyzer] Splitting TaintPropagation checker into reporting

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/98157 >From 75675417c324a2d1df5e42a8549f6d4bcb779ab4 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 5 Jul 2024 14:02:00 +0200 Subject: [PATCH 1/3] [analyzer] Splitting TaintPropagation checker into reporting

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/98157 >From 75675417c324a2d1df5e42a8549f6d4bcb779ab4 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 5 Jul 2024 14:02:00 +0200 Subject: [PATCH 1/2] [analyzer] Splitting TaintPropagation checker into reporting

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-09 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/98157 >From 75675417c324a2d1df5e42a8549f6d4bcb779ab4 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 5 Jul 2024 14:02:00 +0200 Subject: [PATCH] [analyzer] Splitting TaintPropagation checker into reporting and

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-09 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/98157 >From b8c54d9e91b7ec6760db24b687091246c7c31e3e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 5 Jul 2024 14:02:00 +0200 Subject: [PATCH] [analyzer] Splitting TaintPropagation checker into reporting and

[clang] [analyzer] Splitting TaintPropagation checker into reporting and mode… (PR #98157)

2024-07-09 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/98157 …ling checkers Taint propagation is a generic modeling feature of the Clang Static Analyzer which many other checkers depend on. Therefore GenericTaintChecker is split into a TaintPropagation modeling checker

[clang] [clang][analyzer] Improve PointerSubChecker (PR #96501)

2024-07-04 Thread Daniel Krupp via cfe-commits
dkrupp wrote: > > Even protobuf contains this type of code: > > https://codechecker-demo.eastus.cloudapp.azure.com/Default/report-detail?run=protobuf_v3.13.0_pointersub1=on=New=alpha.core.PointerSub=5545776=1bcd310fbaeccbcc13645b9b277239a2=%2adescriptor.pb.cc > > I still think that this (1) is

[clang] [analyzer] New optin.taint.TaintedAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-05 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp closed https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] New optin.taint.TaintedAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-05 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/8] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] New optin.taint.TaintedAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-05 Thread Daniel Krupp via cfe-commits
dkrupp wrote: Now the checker is renamed to optin.taint.TaintedAlloc as requested by the reviewers. https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] New optin.taint.TaintedAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-05 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] New optin.taint.TaintedAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-05 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-05 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/7] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-03 Thread Daniel Krupp via cfe-commits
dkrupp wrote: In the latest commit I fixed all remaining review comments. GenericTaintChecker should be a dependency as mentioned in the FIXME, but it cannot be one until the checker is not a modeling checker. This separation will be done in a later follow-up patch. Until then, the

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-03 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/6] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-03 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-06-03 Thread Daniel Krupp via cfe-commits
@@ -1730,6 +1721,21 @@ def UnixAPIPortabilityChecker : Checker<"UnixAPI">, } // end optin.portability + +//===--===// +// Taint checkers.

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-05-29 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/5] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
dkrupp wrote: - Handling of C++ operator new[] allocation was added to the checker with test cases - The checker is renamed to optin.taint.TaintAlloc, as besides malloc it handles the C++ new array allocations too - Test cases and documentation were updated @NagyDonat , @steakhal please check

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching unbounded memory allocation calls (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] New optin.taint.TaintAlloc checker for catching malicious memory allocation calls (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/4] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/4] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: > @NagyDonat , @steakhal I fixed the additional remarks. Is there anything else > that needs to be done before merging? Thanks. I see now that there is still one unaddressed remark from @NagyDonat regarding a new test case for array new allocations. I will be adding it

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: @NagyDonat , @steakhal I fixed the additional remarks. Is there anything else that needs to be done before merging? Thanks. https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: > The patch makes sense to me. Have you considered applying the same heuristic > to C++ array new allocations? > > I'll port this patch downstream to see how this would behave on the Juliet > C++ benchmark or on some real-world code. I will check C++ > The patch makes sense to

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/3] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread Daniel Krupp via cfe-commits
dkrupp wrote: Thanks for the reviews. I updated the patch. @haoNoQ - I changed the report to non-fatal - I factored out the warning into a new checker optin.taint.TaintMalloc. This way the checker can be enabled separately. Of course, the alpha.security.taint.TaintPropagation checker is a

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/2] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 >From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/2] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-16 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/92420 unix.Malloc checker will warn if a memory allocation function (malloc, calloc, realloc, alloca) is called with a tainted (attacker controlled) size parameter. A large, maliciously set size value can trigger

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2024-05-02 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp closed https://github.com/llvm/llvm-project/pull/68607

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2024-05-02 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2024-05-02 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9 Oct 2023 16:52:13 +0200 Subject: [PATCH

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2024-04-30 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9 Oct 2023 16:52:13 +0200 Subject: [PATCH 1/5] [analyzer] Removing untrusted buffer size taint warning

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2024-04-26 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9 Oct 2023 16:52:13 +0200 Subject: [PATCH 1/4] [analyzer] Removing untrusted buffer size taint warning

[clang] [analyzer] Fix performance of getTaintedSymbolsImpl() (PR #89606)

2024-04-22 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp approved this pull request. The suggested change makes a lot of sense. Thanks. LGTM. https://github.com/llvm/llvm-project/pull/89606

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2024-02-23 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp closed https://github.com/llvm/llvm-project/pull/68140

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2024-02-23 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68140 >From 4b310278d2923ff718d074a7f7c8806ad03c6401 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 3 Oct 2023 19:58:28 +0200 Subject: [PATCH 1/5] [analyzer] Fix core.VLASize checker false positive taint

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2024-02-23 Thread Daniel Krupp via cfe-commits
dkrupp wrote: I executed the analysis with this patch on the following open source projects: memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, postgres, xerces. And it did not bring any visible change in the reports. So there were no new or resolved findings compared to the baseline. In both

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2024-02-13 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68140 >From 4b310278d2923ff718d074a7f7c8806ad03c6401 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 3 Oct 2023 19:58:28 +0200 Subject: [PATCH 1/4] [analyzer] Fix core.VLASize checker false positive taint

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2024-02-13 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68140 >From 4b310278d2923ff718d074a7f7c8806ad03c6401 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 3 Oct 2023 19:58:28 +0200 Subject: [PATCH 1/3] [analyzer] Fix core.VLASize checker false positive taint

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2024-02-13 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68140 >From 4b310278d2923ff718d074a7f7c8806ad03c6401 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 3 Oct 2023 19:58:28 +0200 Subject: [PATCH 1/2] [analyzer] Fix core.VLASize checker false positive taint

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2023-10-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68140 >From 4b310278d2923ff718d074a7f7c8806ad03c6401 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 3 Oct 2023 19:58:28 +0200 Subject: [PATCH 1/2] [analyzer] Fix core.VLASize checker false positive taint

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2023-10-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9 Oct 2023 16:52:13 +0200 Subject: [PATCH 1/3] [analyzer] Removing untrusted buffer size taint warning

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2023-10-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9 Oct 2023 16:52:13 +0200 Subject: [PATCH 1/3] [analyzer] Removing untrusted buffer size taint warning

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2023-10-10 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/68607 >From 143db26ffe8620c2b45eb15d331466c883bbfce0 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Mon, 9 Oct 2023 16:52:13 +0200 Subject: [PATCH 1/2] [analyzer] Removing untrusted buffer size taint warning

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-10-09 Thread Daniel Krupp via cfe-commits
dkrupp wrote: @haoNoQ thanks for pointing out #61826 umbrella issue, I somehow missed that. I see this TaintPropagation checker as a generic flexible tool to find potential vulnerable data flows between any taint source and taint sink. The user should configure sources and sinks in the

[clang] [analyzer] Removing untrusted buffer size taint warning (PR #68607)

2023-10-09 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/68607 alpha.security.taint.TaintPropagation checker emitted a false warning to the following code char buf[100]; size_t size = tainted(); if (size > 100) return; memset(buf, 0, size); // warn: untrusted data used as

[clang] [analyzer] Fix core.VLASize checker false positive taint reports (PR #68140)

2023-10-03 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/68140 The checker reported a false positive on this code void testTaintedSanitizedVLASize(void) { int x; scanf("%d", &x); if (x<1) return; int vla[x]; // no-warning } After the fix, the checker only emits

[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)

2023-09-25 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/67352 This commit renames alpha.security.taint.TaintPropagation checker to optin.security.taint.TaintPropagation. This checker was stabilized and improved by recent commits thus it's ready for production use. The

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-19 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp closed https://github.com/llvm/llvm-project/pull/66086

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-18 Thread Daniel Krupp via cfe-commits
dkrupp wrote: > As I'm not a maintainer, I could not push to your branch. Here is a patch > that I think has the missing pieces to satisfy my review. >

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-18 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/66086 >From 889c886c3eed31335531ec61ad2b48bef15414d8 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 8 Sep 2023 16:57:49 +0200 Subject: [PATCH] [analyzer] TaintPropagation checker strlen() should not propagate

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-16 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/66086 >From f8997b16c74543eb57b272c4dd4abca1a10d9ac7 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Fri, 8 Sep 2023 16:57:49 +0200 Subject: [PATCH] [analyzer] TaintPropagation checker strlen() should not propagate

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-14 Thread Daniel Krupp via cfe-commits
dkrupp wrote: If we remove the malloc(..) as the taint sink, we would lose some true positive findings where the size of the allocated area is specified directly as a number by the attacker: ``` char *size=getenv("SIZE"); if (size){ pathbuf=(char*) malloc(atoi(size)+1); // warn: denial of

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-13 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp review_requested https://github.com/llvm/llvm-project/pull/66086

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-13 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp review_requested https://github.com/llvm/llvm-project/pull/66086

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-12 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp review_requested https://github.com/llvm/llvm-project/pull/66086

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-12 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp review_requested https://github.com/llvm/llvm-project/pull/66086

[clang] [analyzer] TaintPropagation checker strlen() should not propagate (PR #66086)

2023-09-12 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/66086: strlen(..) call should not propagate taintedness, because it brings in many false positive findings. It is a common pattern to copy user provided input to another buffer. In these cases we always get warnings

[clang] 4dbe2db - [clang][analyzer] Improved documentation for TaintPropagation Checker

2023-07-25 Thread Daniel Krupp via cfe-commits
Author: Daniel Krupp Date: 2023-07-25T11:34:11+02:00 New Revision: 4dbe2db02d03ffee27feb43a6ef332ca6a3cbca2 URL: https://github.com/llvm/llvm-project/commit/4dbe2db02d03ffee27feb43a6ef332ca6a3cbca2 DIFF: https://github.com/llvm/llvm-project/commit/4dbe2db02d03ffee27feb43a6ef332ca6a3cbca2.diff

[clang] 26b19a6 - [clang][analyzer]Fix non-effective taint sanitation

2023-07-21 Thread Daniel Krupp via cfe-commits
Author: Daniel Krupp Date: 2023-07-21T15:11:13+02:00 New Revision: 26b19a67e5c398a30b26214544878ec364dc59af URL: https://github.com/llvm/llvm-project/commit/26b19a67e5c398a30b26214544878ec364dc59af DIFF: https://github.com/llvm/llvm-project/commit/26b19a67e5c398a30b26214544878ec364dc59af.diff

[clang] 343bdb1 - [analyzer] Show taint origin and propagation correctly

2023-04-26 Thread Daniel Krupp via cfe-commits
Author: Daniel Krupp Date: 2023-04-26T12:43:36+02:00 New Revision: 343bdb10940cb2387c0b9bd3caccee7bb56c937b URL: https://github.com/llvm/llvm-project/commit/343bdb10940cb2387c0b9bd3caccee7bb56c937b DIFF: https://github.com/llvm/llvm-project/commit/343bdb10940cb2387c0b9bd3caccee7bb56c937b.diff

Re: [PATCH] D24307: calculate extent size for memory regions allocated by C++ new expression

2016-09-19 Thread Daniel Krupp via cfe-commits
dkrupp added a comment. Thanks. Gabor, could you please merge this? I don't have commit rights. https://reviews.llvm.org/D24307

Re: [PATCH] D24307: calculate extent size for memory regions allocated by C++ new expression

2016-09-12 Thread Daniel Krupp via cfe-commits
dkrupp marked 11 inline comments as done. dkrupp added a comment. Issues fixed. https://reviews.llvm.org/D24307

Re: [PATCH] D24307: calculate extent size for memory regions allocated by C++ new expression

2016-09-09 Thread Daniel Krupp via cfe-commits
dkrupp added inline comments. Comment at: lib/StaticAnalyzer/Checkers/MallocChecker.cpp:1011 @@ +1010,3 @@ +// containing the elements. +Region = (State->getSVal(NE, LCtx)) + .getAsRegion() MemRegion has now method called castAs<>, only

Re: [PATCH] D24307: calculate extent size for memory regions allocated by C++ new expression

2016-09-09 Thread Daniel Krupp via cfe-commits
dkrupp added inline comments. Comment at: lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp:83 @@ -78,1 +82,3 @@ + // we can assume that the region starts at 0. + if (!state->isNull(extentVal).isConstrained()) { return UnknownVal(); NoQ

Re: [PATCH] D24307: calculate extent size for memory regions allocated by C++ new expression

2016-09-08 Thread Daniel Krupp via cfe-commits
dkrupp added inline comments. Comment at: lib/StaticAnalyzer/Checkers/MallocChecker.cpp:1003 @@ +1002,3 @@ +// +ProgramStateRef MallocChecker::addExtentSize(CheckerContext , + const CXXNewExpr *NE, xazax.hun wrote: >

[PATCH] D24307: calculate extent size for memory regions allocated by C++ new expression

2016-09-07 Thread Daniel Krupp via cfe-commits
dkrupp created this revision. dkrupp added reviewers: xazax.hun, NoQ, dcoughlin, zaks.anna. dkrupp added a subscriber: cfe-commits. ArrayBoundChecker did not detect out of bounds memory access errors in case an array was allocated by the new expression. 1. MallocChecker.cpp was updated to

Re: [PATCH] D12906: [RFC] Bug identification("issue_hash") change for CmpRuns.py

2015-10-22 Thread Daniel Krupp via cfe-commits
dkrupp added a comment. Hi, it's a good idea to include this in LLVM/Clang, I will propose it. In http://reviews.llvm.org/D12906#272265, @zaks.anna wrote: > Hi Daniel, > > Have you considered contributing this work to clang/llvm? It's a good idea, I will propose this at cfe-dev. Daniel

Re: [PATCH] D12906: [RFC] Bug identification("issue_hash") change for CmpRuns.py

2015-10-21 Thread Daniel Krupp via cfe-commits
dkrupp added a comment. In http://reviews.llvm.org/D12906#272243, @zaks.anna wrote: > > > In http://reviews.llvm.org/D10305#224956, @zaks.anna wrote: > > > > > > > For example, you could keep the information about the reports in the > > > plist files and use those to > > > > > > > render

Re: [PATCH] D10305: [Clang Static Analyzer] Bug identification

2015-09-22 Thread Daniel Krupp via cfe-commits
dkrupp added a comment. Hi, Regarding testing: I think we should create a RecursiveASTVisitor-based "test checker" that matches every statement and declaration and reports a bug there. Then we could create a test file similar to what we have in