[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/4] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-28 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/4] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: > @NagyDonat , @steakhal I fixed the additional remarks. Is there anything else > that needs to be done before merging? Thanks. I see now that there is still one unaddressed remark from @NagyDonat regarding a new testcase for array new allocations. I will be adding it

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: @NagyDonat , @steakhal I fixed the additional remarks. Is there anything else that needs to be done before merging? Thanks. https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
dkrupp wrote: > The patch makes sense to me. Have you considered applying the same heuristic > to C++ array new allocations? > > I'll port this patch downstream to see how this would behave on the Juliet > C++ benchmark or on some real-world code. I will check C++ > The patch makes sense to

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
NagyDonat wrote: > Have you considered applying the same heuristic to C++ array new allocations? Actually, I'm almost certain that this patch already affects the C++ array new allocations, because `MallocMemAux` is called from the callback which handles the array new operator. @dkrupp Please

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
@@ -1730,6 +1721,21 @@ def UnixAPIPortabilityChecker : Checker<"UnixAPI">, } // end optin.portability + +//===--===// +// Taint checkers.

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/3] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
@@ -625,6 +628,16 @@ def BlockInCriticalSectionChecker : Checker<"BlockInCriticalSection">, } // end "alpha.unix" +let ParentPackage = TaintOptIn in { NagyDonat wrote: Is this the right place for this? I'd guess that this should be placed next to other

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
@@ -452,6 +454,7 @@ def EnumCastOutOfRangeChecker : Checker<"EnumCastOutOfRange">, } // end "optin.core" + NagyDonat wrote: Remove this irrelevant empty line. https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
@@ -36,6 +36,8 @@ def CoreAlpha : Package<"core">, ParentPackage; // Note: OptIn is *not* intended for checkers that are too noisy to be on by // default. Such checkers belong in the alpha package. def OptIn : Package<"optin">; +def TaintOptIn : Package<"taint">,

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat commented: Oops, I noticed that I had some minor review commits that were left in a "Pending" state for at least a week. Anyway, I'm publishing them now. https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
@@ -599,7 +599,47 @@ Warns when a nullable pointer is returned from a function that has _Nonnull retu optin ^ -Checkers for portability, performance or coding style specific rules. +Checkers for portability, performance, optional security and coding style specific

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-27 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-26 Thread Balazs Benics via cfe-commits
steakhal wrote: > I'll port this patch downstream to see how this would behave on the Juliet > C++ benchmark or on some real-world code. Ah nvm. llvm/main diverged quite a bit since 18.1.6. I can't just pick this one. Given this, I won't backport and test this PR.

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-26 Thread Balazs Benics via cfe-commits
https://github.com/steakhal commented: The patch makes sense to me. Have you considered applying the same heuristic to C++ array new allocations? I'll port this patch downstream to see how this would behave on the Juliet C++ benchmark or on some real-world code.

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread Daniel Krupp via cfe-commits
dkrupp wrote: Thanks for the reviews. I updated the patch. @haoNoQ - I changed the report to non-fatal - I factored out the warning into a new checker optin.taint.TaintMalloc. This way the checker can be enabled separately. Of course, the alpha.security.taint.TaintPropagation checker is a

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/2] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread via cfe-commits
github-actions[bot] wrote: :warning: C/C++ code formatter, clang-format found issues in your code. :warning: You can test this locally with the following command: `git-clang-format --diff 1cde1240ed6e45012d7510f4aa39badbdb4a4721 b31ec694c88635404b252f00472140e83083fd02 --`

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-23 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp updated https://github.com/llvm/llvm-project/pull/92420 From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001 From: Daniel Krupp Date: Tue, 30 Apr 2024 15:20:52 +0200 Subject: [PATCH 1/2] [analyzer] Adding taint analysis capability to unix.Malloc

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
@@ -1273,6 +1273,41 @@ Check for memory leaks, double free, and use-after-free problems. Traces memory .. literalinclude:: checkers/unix_malloc_example.c :language: c +If the ``alpha.security.taint.TaintPropagation`` checker is enabled, the checker +warns for cases when
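Review bot: the added paragraph makes the new warning conditional on `alpha.security.taint.TaintPropagation` being enabled, but it does not say under which checker name the report itself can be switched on or off; haoNoQ's remark in this thread that memory-exhaustion reports are not wanted by everyone who enables taint tracking argues for documenting the warning as a separately controllable checker rather than as an implicit side effect of unix.Malloc. The later revision that factors it out as `optin.taint.TaintMalloc` would settle this, provided this unix.Malloc text is updated to point there.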

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
@@ -1779,18 +1790,79 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext , const CallEvent , const Expr *SizeEx, SVal Init,

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
@@ -48,6 +49,45 @@ void myfoo(int *p); void myfooint(int p); char *fooRetPtr(void); +void t1(void) { + size_t size; + scanf("%zu", ); + int *p = malloc(size); // expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}} + free(p); +} +
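Review bot: in `t1`, the call reads `scanf("%zu", );` with no destination argument, which would not compile as shown; confirm the committed file reads `scanf("%zu", &size);` (the `&` was most likely dropped in rendering). It would also help to add a sibling case in which `size` is range-checked after the `scanf` call and before `malloc(size)`, marked `// no-warning`, so the test pins down the intended behaviour for a tainted value that has already been bounded.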

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
@@ -1779,18 +1790,79 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext , const CallEvent , const Expr *SizeEx, SVal Init,

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/92420

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
@@ -1273,6 +1273,41 @@ Check for memory leaks, double free, and use-after-free problems. Traces memory .. literalinclude:: checkers/unix_malloc_example.c :language: c +If the ``alpha.security.taint.TaintPropagation`` checker is enabled, the checker +warns for cases when

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
@@ -48,6 +49,45 @@ void myfoo(int *p); void myfooint(int p); char *fooRetPtr(void); +void t1(void) { + size_t size; + scanf("%zu", ); + int *p = malloc(size); // expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}} + free(p); +} +

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Balazs Benics via cfe-commits
https://github.com/steakhal commented: The patch makes sense to me. I'll not repeat the existing comments, they raise relevant concerns. It would be nice to extend some test case with a tainted malloc to see how those note tags play out from the generic taint checker in this context. For

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-17 Thread Donát Nagy via cfe-commits
NagyDonat wrote: > I think the error node needs to be non-fatal. Good point, I completely agree. > For these applications it's more important to catch cases where malloc size > and index used for access are coming from "different sources", eg. one is > tainted and another isn't, doesn't

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-16 Thread Artem Dergachev via cfe-commits
haoNoQ wrote: I think there should be a way to enable/disable this check separately because memory exhaustion / denial of service isn't necessarily something you care about when you enable taint analysis. It's essential for web servers when the attacker is interested in interrupting their

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-16 Thread via cfe-commits
llvmbot wrote: @llvm/pr-subscribers-clang-static-analyzer-1 Author: Daniel Krupp (dkrupp) Changes unix.Malloc checker will warn if a memory allocation function (malloc, calloc, realloc, alloca) is called with a tainted (attacker controlled) size parameter. A large, maliciously set size

[clang] [analyzer] Adding taint analysis capability to unix.Malloc checker (PR #92420)

2024-05-16 Thread Daniel Krupp via cfe-commits
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/92420 unix.Malloc checker will warn if a memory allocation function (malloc, calloc, realloc, alloca) is called with a tainted (attacker controlled) size parameter. A large, maliciously set size value can trigger