https://github.com/dkrupp updated
https://github.com/llvm/llvm-project/pull/92420
From f6fdd544a90b865e5e0e530930db87cad405216e Mon Sep 17 00:00:00 2001
From: Daniel Krupp
Date: Tue, 30 Apr 2024 15:20:52 +0200
Subject: [PATCH 1/4] [analyzer] Adding taint analysis capability to
unix.Malloc
https://github.com/dkrupp edited https://github.com/llvm/llvm-project/pull/92420
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
https://github.com/dkrupp updated
https://github.com/llvm/llvm-project/pull/92420
From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001
From: Daniel Krupp
Date: Tue, 30 Apr 2024 15:20:52 +0200
Subject: [PATCH 1/4] [analyzer] Adding taint analysis capability to
unix.Malloc
dkrupp wrote:
> @NagyDonat , @steakhal I fixed the additional remarks. Is there anything else
> that needs to be done before merging? Thanks.
I see now that there is still one unaddressed remark from @NagyDonat regarding
a new testcase for array new allocations. I will be adding it
dkrupp wrote:
@NagyDonat , @steakhal I fixed the additional remarks.
Is there anything else that needs to be done before merging? Thanks.
https://github.com/llvm/llvm-project/pull/92420
dkrupp wrote:
> The patch makes sense to me. Have you considered applying the same heuristic
> to C++ array new allocations?
>
> I'll port this patch downstream to see how this would behave on the Juliet
> C++ benchmark or on some real-world code.
I will check C++
NagyDonat wrote:
> Have you considered applying the same heuristic to C++ array new allocations?
Actually, I'm almost certain that this patch already affects the C++ array new
allocations, because `MallocMemAux` is called from the callback which handles
the array new operator.
@dkrupp Please
@@ -1730,6 +1721,21 @@ def UnixAPIPortabilityChecker : Checker<"UnixAPI">,
} // end optin.portability
+
+//===--===//
+// Taint checkers.
https://github.com/dkrupp updated
https://github.com/llvm/llvm-project/pull/92420
From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001
From: Daniel Krupp
Date: Tue, 30 Apr 2024 15:20:52 +0200
Subject: [PATCH 1/3] [analyzer] Adding taint analysis capability to
unix.Malloc
https://github.com/NagyDonat edited
https://github.com/llvm/llvm-project/pull/92420
@@ -625,6 +628,16 @@ def BlockInCriticalSectionChecker :
Checker<"BlockInCriticalSection">,
} // end "alpha.unix"
+let ParentPackage = TaintOptIn in {
NagyDonat wrote:
Is this the right place for this? I'd guess that this should be placed next to
other
@@ -452,6 +454,7 @@ def EnumCastOutOfRangeChecker :
Checker<"EnumCastOutOfRange">,
} // end "optin.core"
+
NagyDonat wrote:
Remove this irrelevant empty line.
https://github.com/llvm/llvm-project/pull/92420
@@ -36,6 +36,8 @@ def CoreAlpha : Package<"core">, ParentPackage;
// Note: OptIn is *not* intended for checkers that are too noisy to be on by
// default. Such checkers belong in the alpha package.
def OptIn : Package<"optin">;
+def TaintOptIn : Package<"taint">,
https://github.com/NagyDonat commented:
Oops, I noticed that I had some minor review commits that were left in a
"Pending" state for at least a week. Anyway, I'm publishing them now.
https://github.com/llvm/llvm-project/pull/92420
@@ -599,7 +599,47 @@ Warns when a nullable pointer is returned from a function
that has _Nonnull retu
optin
^
-Checkers for portability, performance or coding style specific rules.
+Checkers for portability, performance, optional security and coding style
specific
https://github.com/NagyDonat edited
https://github.com/llvm/llvm-project/pull/92420
steakhal wrote:
> I'll port this patch downstream to see how this would behave on the Juliet
> C++ benchmark or on some real-world code.
Ah nvm. llvm/main diverged quite a bit since 18.1.6. I can't just pick this
one. Given this, I won't backport and test this PR.
https://github.com/steakhal commented:
The patch makes sense to me.
Have you considered applying the same heuristic to C++ array new allocations?
I'll port this patch downstream to see how this would behave on the Juliet C++
benchmark or on some real-world code.
dkrupp wrote:
Thanks for the reviews. I updated the patch.
@haoNoQ
- I changed the report to non-fatal
- I factored out the warning into a new checker optin.taint.TaintMalloc. This
way the checker can be enabled separately. Of course, the
alpha.security.taint.TaintPropagation checker is a
https://github.com/dkrupp updated
https://github.com/llvm/llvm-project/pull/92420
From 80767176cbe8e5717c5f42b113f305d81b635cb9 Mon Sep 17 00:00:00 2001
From: Daniel Krupp
Date: Tue, 30 Apr 2024 15:20:52 +0200
Subject: [PATCH 1/2] [analyzer] Adding taint analysis capability to
unix.Malloc
github-actions[bot] wrote:
:warning: C/C++ code formatter, clang-format found issues in your code. :warning:
You can test this locally with the following command:
```bash
git-clang-format --diff 1cde1240ed6e45012d7510f4aa39badbdb4a4721 b31ec694c88635404b252f00472140e83083fd02 --
```
@@ -1273,6 +1273,41 @@ Check for memory leaks, double free, and use-after-free
problems. Traces memory
.. literalinclude:: checkers/unix_malloc_example.c
:language: c
+If the ``alpha.security.taint.TaintPropagation`` checker is enabled, the
checker
+warns for cases when
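Review bot: this paragraph gates the new warning on `alpha.security.taint.TaintPropagation` being enabled, but the thread later factors the warning out into a separate `optin.taint.TaintMalloc` checker so it can be switched on independently; the documentation should name that checker and spell out how it relates to TaintPropagation, so a reader knows which checkers must be on for the warning to fire.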
@@ -1779,18 +1790,79 @@ ProgramStateRef
MallocChecker::MallocMemAux(CheckerContext ,
const CallEvent ,
const Expr *SizeEx, SVal Init,
@@ -48,6 +49,45 @@ void myfoo(int *p);
void myfooint(int p);
char *fooRetPtr(void);
+void t1(void) {
+ size_t size;
+ scanf("%zu", );
+ int *p = malloc(size); // expected-warning{{malloc is called with a tainted
(potentially attacker controlled) value}}
+ free(p);
+}
+
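Review bot: `scanf("%zu", );` in `t1` is missing its destination argument; it needs `&size` so the call compiles and `size` actually becomes the tainted value that the following `malloc(size)` is expected to warn on. With the argument restored the test exercises the intended path, an attacker-controlled size flowing unchecked into an allocation.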
https://github.com/steakhal edited
https://github.com/llvm/llvm-project/pull/92420
https://github.com/steakhal commented:
The patch makes sense to me.
I'll not repeat the existing comments, they raise relevant concerns.
It would be nice to extend some test case with a tainted malloc to see how
those note tags play out from the generic taint checker in this context. For
NagyDonat wrote:
> I think the error node needs to be non-fatal.
Good point, I completely agree.
> For these applications it's more important to catch cases where malloc size
> and index used for access are coming from "different sources", eg. one is
> tainted and another isn't, doesn't
haoNoQ wrote:
I think there should be a way to enable/disable this check separately because
memory exhaustion / denial of service isn't necessarily something you care
about when you enable taint analysis.
It's essential for web servers when the attacker is interested in interrupting
their
llvmbot wrote:
@llvm/pr-subscribers-clang-static-analyzer-1
Author: Daniel Krupp (dkrupp)
Changes
unix.Malloc checker will warn if a memory allocation function (malloc, calloc,
realloc, alloca) is called with a tainted (attacker controlled) size parameter.
A large, maliciously set size
https://github.com/dkrupp created
https://github.com/llvm/llvm-project/pull/92420
unix.Malloc checker will warn if a memory allocation function (malloc, calloc,
realloc, alloca) is called with a tainted (attacker controlled) size parameter.
A large, maliciously set size value can trigger