1 //== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker defines the attack surface for generic taint propagation. 10 // 11 // The taint information produced by it might be useful to other checkers. For 12 // example, checkers should report errors which involve tainted data more 13 // aggressively, even if the involved symbols are under constrained. 14 // 15 //===----------------------------------------------------------------------===// 16 17 #include "Yaml.h" 18 #include "clang/AST/Attr.h" 19 #include "clang/Basic/Builtins.h" 20 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 21 #include "clang/StaticAnalyzer/Checkers/Taint.h" 22 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 23 #include "clang/StaticAnalyzer/Core/Checker.h" 24 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 29 #include "llvm/ADT/StringExtras.h" 30 #include "llvm/Support/YAMLTraits.h" 31 32 #include <limits> 33 #include <memory> 34 #include <optional> 35 #include <utility> 36 #include <vector> 37 38 #define DEBUG_TYPE "taint-checker" 39 40 using namespace clang; 41 using namespace ento; 42 using namespace taint; 43 44 using llvm::ImmutableSet; 45 46 namespace { 47 48 class GenericTaintChecker; 49 50 /// Check for CWE-134: Uncontrolled Format String. 51 constexpr llvm::StringLiteral MsgUncontrolledFormatString = 52 "Untrusted data is used as a format string " 53 "(CWE-134: Uncontrolled Format String)"; 54 55 /// Check for: 56 /// CERT/STR02-C. "Sanitize data passed to complex subsystems" 57 /// CWE-78, "Failure to Sanitize Data into an OS Command" 58 constexpr llvm::StringLiteral MsgSanitizeSystemArgs = 59 "Untrusted data is passed to a system call " 60 "(CERT/STR02-C. Sanitize data passed to complex subsystems)"; 61 62 /// Check if tainted data is used as a buffer size in strn.. functions, 63 /// and allocators. 64 constexpr llvm::StringLiteral MsgTaintedBufferSize = 65 "Untrusted data is used to specify the buffer size " 66 "(CERT/STR31-C. Guarantee that storage for strings has sufficient space " 67 "for character data and the null terminator)"; 68 69 /// Check if tainted data is used as a custom sink's parameter. 70 constexpr llvm::StringLiteral MsgCustomSink = 71 "Untrusted data is passed to a user-defined sink"; 72 73 using ArgIdxTy = int; 74 using ArgVecTy = llvm::SmallVector<ArgIdxTy, 2>; 75 76 /// Denotes the return value. 77 constexpr ArgIdxTy ReturnValueIndex{-1}; 78 79 static ArgIdxTy fromArgumentCount(unsigned Count) { 80 assert(Count <= 81 static_cast<std::size_t>(std::numeric_limits<ArgIdxTy>::max()) && 82 "ArgIdxTy is not large enough to represent the number of arguments."); 83 return Count; 84 } 85 86 /// Check if the region the expression evaluates to is the standard input, 87 /// and thus, is tainted. 88 /// FIXME: Move this to Taint.cpp. 89 bool isStdin(SVal Val, const ASTContext &ACtx) { 90 // FIXME: What if Val is NonParamVarRegion? 91 92 // The region should be symbolic, we do not know it's value. 93 const auto *SymReg = dyn_cast_or_null<SymbolicRegion>(Val.getAsRegion()); 94 if (!SymReg) 95 return false; 96 97 // Get it's symbol and find the declaration region it's pointing to. 98 const auto *DeclReg = 99 dyn_cast_or_null<DeclRegion>(SymReg->getSymbol()->getOriginRegion()); 100 if (!DeclReg) 101 return false; 102 103 // This region corresponds to a declaration, find out if it's a global/extern 104 // variable named stdin with the proper type. 105 if (const auto *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) { 106 D = D->getCanonicalDecl(); 107 if (D->getName() == "stdin" && D->hasExternalStorage() && D->isExternC()) { 108 const QualType FILETy = ACtx.getFILEType().getCanonicalType(); 109 const QualType Ty = D->getType().getCanonicalType(); 110 111 if (Ty->isPointerType()) 112 return Ty->getPointeeType() == FILETy; 113 } 114 } 115 return false; 116 } 117 118 SVal getPointeeOf(ProgramStateRef State, Loc LValue) { 119 const QualType ArgTy = LValue.getType(State->getStateManager().getContext()); 120 if (!ArgTy->isPointerType() || !ArgTy->getPointeeType()->isVoidType()) 121 return State->getSVal(LValue); 122 123 // Do not dereference void pointers. Treat them as byte pointers instead. 124 // FIXME: we might want to consider more than just the first byte. 125 return State->getSVal(LValue, State->getStateManager().getContext().CharTy); 126 } 127 128 /// Given a pointer/reference argument, return the value it refers to. 129 std::optional<SVal> getPointeeOf(ProgramStateRef State, SVal Arg) { 130 if (auto LValue = Arg.getAs<Loc>()) 131 return getPointeeOf(State, *LValue); 132 return std::nullopt; 133 } 134 135 /// Given a pointer, return the SVal of its pointee or if it is tainted, 136 /// otherwise return the pointer's SVal if tainted. 137 /// Also considers stdin as a taint source. 138 std::optional<SVal> getTaintedPointeeOrPointer(ProgramStateRef State, 139 SVal Arg) { 140 if (auto Pointee = getPointeeOf(State, Arg)) 141 if (isTainted(State, *Pointee)) // FIXME: isTainted(...) ? Pointee : None; 142 return Pointee; 143 144 if (isTainted(State, Arg)) 145 return Arg; 146 return std::nullopt; 147 } 148 149 bool isTaintedOrPointsToTainted(ProgramStateRef State, SVal ExprSVal) { 150 return getTaintedPointeeOrPointer(State, ExprSVal).has_value(); 151 } 152 153 /// Helps in printing taint diagnostics. 154 /// Marks the incoming parameters of a function interesting (to be printed) 155 /// when the return value, or the outgoing parameters are tainted. 156 const NoteTag *taintOriginTrackerTag(CheckerContext &C, 157 std::vector<SymbolRef> TaintedSymbols, 158 std::vector<ArgIdxTy> TaintedArgs, 159 const LocationContext *CallLocation) { 160 return C.getNoteTag([TaintedSymbols = std::move(TaintedSymbols), 161 TaintedArgs = std::move(TaintedArgs), CallLocation]( 162 PathSensitiveBugReport &BR) -> std::string { 163 SmallString<256> Msg; 164 // We give diagnostics only for taint related reports 165 if (!BR.isInteresting(CallLocation) || 166 BR.getBugType().getCategory() != categories::TaintedData) { 167 return ""; 168 } 169 if (TaintedSymbols.empty()) 170 return "Taint originated here"; 171 172 for (auto Sym : TaintedSymbols) { 173 BR.markInteresting(Sym); 174 } 175 LLVM_DEBUG(for (auto Arg 176 : TaintedArgs) { 177 llvm::dbgs() << "Taint Propagated from argument " << Arg + 1 << "\n"; 178 }); 179 return ""; 180 }); 181 } 182 183 /// Helps in printing taint diagnostics. 184 /// Marks the function interesting (to be printed) 185 /// when the return value, or the outgoing parameters are tainted. 186 const NoteTag *taintPropagationExplainerTag( 187 CheckerContext &C, std::vector<SymbolRef> TaintedSymbols, 188 std::vector<ArgIdxTy> TaintedArgs, const LocationContext *CallLocation) { 189 assert(TaintedSymbols.size() == TaintedArgs.size()); 190 return C.getNoteTag([TaintedSymbols = std::move(TaintedSymbols), 191 TaintedArgs = std::move(TaintedArgs), CallLocation]( 192 PathSensitiveBugReport &BR) -> std::string { 193 SmallString<256> Msg; 194 llvm::raw_svector_ostream Out(Msg); 195 // We give diagnostics only for taint related reports 196 if (TaintedSymbols.empty() || 197 BR.getBugType().getCategory() != categories::TaintedData) { 198 return ""; 199 } 200 int nofTaintedArgs = 0; 201 for (auto [Idx, Sym] : llvm::enumerate(TaintedSymbols)) { 202 if (BR.isInteresting(Sym)) { 203 BR.markInteresting(CallLocation); 204 if (TaintedArgs[Idx] != ReturnValueIndex) { 205 LLVM_DEBUG(llvm::dbgs() << "Taint Propagated to argument " 206 << TaintedArgs[Idx] + 1 << "\n"); 207 if (nofTaintedArgs == 0) 208 Out << "Taint propagated to the "; 209 else 210 Out << ", "; 211 Out << TaintedArgs[Idx] + 1 212 << llvm::getOrdinalSuffix(TaintedArgs[Idx] + 1) << " argument"; 213 nofTaintedArgs++; 214 } else { 215 LLVM_DEBUG(llvm::dbgs() << "Taint Propagated to return value.\n"); 216 Out << "Taint propagated to the return value"; 217 } 218 } 219 } 220 return std::string(Out.str()); 221 }); 222 } 223 224 /// ArgSet is used to describe arguments relevant for taint detection or 225 /// taint application. A discrete set of argument indexes and a variadic 226 /// argument list signified by a starting index are supported. 227 class ArgSet { 228 public: 229 ArgSet() = default; 230 ArgSet(ArgVecTy &&DiscreteArgs, 231 std::optional<ArgIdxTy> VariadicIndex = std::nullopt) 232 : DiscreteArgs(std::move(DiscreteArgs)), 233 VariadicIndex(std::move(VariadicIndex)) {} 234 235 bool contains(ArgIdxTy ArgIdx) const { 236 if (llvm::is_contained(DiscreteArgs, ArgIdx)) 237 return true; 238 239 return VariadicIndex && ArgIdx >= *VariadicIndex; 240 } 241 242 bool isEmpty() const { return DiscreteArgs.empty() && !VariadicIndex; } 243 244 private: 245 ArgVecTy DiscreteArgs; 246 std::optional<ArgIdxTy> VariadicIndex; 247 }; 248 249 /// A struct used to specify taint propagation rules for a function. 250 /// 251 /// If any of the possible taint source arguments is tainted, all of the 252 /// destination arguments should also be tainted. If ReturnValueIndex is added 253 /// to the dst list, the return value will be tainted. 254 class GenericTaintRule { 255 /// Arguments which are taints sinks and should be checked, and a report 256 /// should be emitted if taint reaches these. 257 ArgSet SinkArgs; 258 /// Arguments which should be sanitized on function return. 259 ArgSet FilterArgs; 260 /// Arguments which can participate in taint propagation. If any of the 261 /// arguments in PropSrcArgs is tainted, all arguments in PropDstArgs should 262 /// be tainted. 263 ArgSet PropSrcArgs; 264 ArgSet PropDstArgs; 265 266 /// A message that explains why the call is sensitive to taint. 267 std::optional<StringRef> SinkMsg; 268 269 GenericTaintRule() = default; 270 271 GenericTaintRule(ArgSet &&Sink, ArgSet &&Filter, ArgSet &&Src, ArgSet &&Dst, 272 std::optional<StringRef> SinkMsg = std::nullopt) 273 : SinkArgs(std::move(Sink)), FilterArgs(std::move(Filter)), 274 PropSrcArgs(std::move(Src)), PropDstArgs(std::move(Dst)), 275 SinkMsg(SinkMsg) {} 276 277 public: 278 /// Make a rule that reports a warning if taint reaches any of \p FilterArgs 279 /// arguments. 280 static GenericTaintRule Sink(ArgSet &&SinkArgs, 281 std::optional<StringRef> Msg = std::nullopt) { 282 return {std::move(SinkArgs), {}, {}, {}, Msg}; 283 } 284 285 /// Make a rule that sanitizes all FilterArgs arguments. 286 static GenericTaintRule Filter(ArgSet &&FilterArgs) { 287 return {{}, std::move(FilterArgs), {}, {}}; 288 } 289 290 /// Make a rule that unconditionally taints all Args. 291 /// If Func is provided, it must also return true for taint to propagate. 292 static GenericTaintRule Source(ArgSet &&SourceArgs) { 293 return {{}, {}, {}, std::move(SourceArgs)}; 294 } 295 296 /// Make a rule that taints all PropDstArgs if any of PropSrcArgs is tainted. 297 static GenericTaintRule Prop(ArgSet &&SrcArgs, ArgSet &&DstArgs) { 298 return {{}, {}, std::move(SrcArgs), std::move(DstArgs)}; 299 } 300 301 /// Make a rule that taints all PropDstArgs if any of PropSrcArgs is tainted. 302 static GenericTaintRule 303 SinkProp(ArgSet &&SinkArgs, ArgSet &&SrcArgs, ArgSet &&DstArgs, 304 std::optional<StringRef> Msg = std::nullopt) { 305 return { 306 std::move(SinkArgs), {}, std::move(SrcArgs), std::move(DstArgs), Msg}; 307 } 308 309 /// Process a function which could either be a taint source, a taint sink, a 310 /// taint filter or a taint propagator. 311 void process(const GenericTaintChecker &Checker, const CallEvent &Call, 312 CheckerContext &C) const; 313 314 /// Handles the resolution of indexes of type ArgIdxTy to Expr*-s. 315 static const Expr *GetArgExpr(ArgIdxTy ArgIdx, const CallEvent &Call) { 316 return ArgIdx == ReturnValueIndex ? Call.getOriginExpr() 317 : Call.getArgExpr(ArgIdx); 318 }; 319 320 /// Functions for custom taintedness propagation. 321 static bool UntrustedEnv(CheckerContext &C); 322 }; 323 324 using RuleLookupTy = CallDescriptionMap<GenericTaintRule>; 325 326 /// Used to parse the configuration file. 327 struct TaintConfiguration { 328 using NameScopeArgs = std::tuple<std::string, std::string, ArgVecTy>; 329 enum class VariadicType { None, Src, Dst }; 330 331 struct Common { 332 std::string Name; 333 std::string Scope; 334 }; 335 336 struct Sink : Common { 337 ArgVecTy SinkArgs; 338 }; 339 340 struct Filter : Common { 341 ArgVecTy FilterArgs; 342 }; 343 344 struct Propagation : Common { 345 ArgVecTy SrcArgs; 346 ArgVecTy DstArgs; 347 VariadicType VarType; 348 ArgIdxTy VarIndex; 349 }; 350 351 std::vector<Propagation> Propagations; 352 std::vector<Filter> Filters; 353 std::vector<Sink> Sinks; 354 355 TaintConfiguration() = default; 356 TaintConfiguration(const TaintConfiguration &) = default; 357 TaintConfiguration(TaintConfiguration &&) = default; 358 TaintConfiguration &operator=(const TaintConfiguration &) = default; 359 TaintConfiguration &operator=(TaintConfiguration &&) = default; 360 }; 361 362 struct GenericTaintRuleParser { 363 GenericTaintRuleParser(CheckerManager &Mgr) : Mgr(Mgr) {} 364 /// Container type used to gather call identification objects grouped into 365 /// pairs with their corresponding taint rules. It is temporary as it is used 366 /// to finally initialize RuleLookupTy, which is considered to be immutable. 367 using RulesContTy = std::vector<std::pair<CallDescription, GenericTaintRule>>; 368 RulesContTy parseConfiguration(const std::string &Option, 369 TaintConfiguration &&Config) const; 370 371 private: 372 using NamePartsTy = llvm::SmallVector<StringRef, 2>; 373 374 /// Validate part of the configuration, which contains a list of argument 375 /// indexes. 376 void validateArgVector(const std::string &Option, const ArgVecTy &Args) const; 377 378 template <typename Config> static NamePartsTy parseNameParts(const Config &C); 379 380 // Takes the config and creates a CallDescription for it and associates a Rule 381 // with that. 382 template <typename Config> 383 static void consumeRulesFromConfig(const Config &C, GenericTaintRule &&Rule, 384 RulesContTy &Rules); 385 386 void parseConfig(const std::string &Option, TaintConfiguration::Sink &&P, 387 RulesContTy &Rules) const; 388 void parseConfig(const std::string &Option, TaintConfiguration::Filter &&P, 389 RulesContTy &Rules) const; 390 void parseConfig(const std::string &Option, 391 TaintConfiguration::Propagation &&P, 392 RulesContTy &Rules) const; 393 394 CheckerManager &Mgr; 395 }; 396 397 class GenericTaintChecker : public Checker<check::PreCall, check::PostCall> { 398 public: 399 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 400 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 401 402 void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, 403 const char *Sep) const override; 404 405 /// Generate a report if the expression is tainted or points to tainted data. 406 bool generateReportIfTainted(const Expr *E, StringRef Msg, 407 CheckerContext &C) const; 408 409 private: 410 const BugType BT{this, "Use of Untrusted Data", categories::TaintedData}; 411 412 bool checkUncontrolledFormatString(const CallEvent &Call, 413 CheckerContext &C) const; 414 415 void taintUnsafeSocketProtocol(const CallEvent &Call, 416 CheckerContext &C) const; 417 418 /// Default taint rules are initalized with the help of a CheckerContext to 419 /// access the names of built-in functions like memcpy. 420 void initTaintRules(CheckerContext &C) const; 421 422 /// CallDescription currently cannot restrict matches to the global namespace 423 /// only, which is why multiple CallDescriptionMaps are used, as we want to 424 /// disambiguate global C functions from functions inside user-defined 425 /// namespaces. 426 // TODO: Remove separation to simplify matching logic once CallDescriptions 427 // are more expressive. 428 429 mutable std::optional<RuleLookupTy> StaticTaintRules; 430 mutable std::optional<RuleLookupTy> DynamicTaintRules; 431 }; 432 } // end of anonymous namespace 433 434 /// YAML serialization mapping. 435 LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Sink) 436 LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Filter) 437 LLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Propagation) 438 439 namespace llvm { 440 namespace yaml { 441 template <> struct MappingTraits<TaintConfiguration> { 442 static void mapping(IO &IO, TaintConfiguration &Config) { 443 IO.mapOptional("Propagations", Config.Propagations); 444 IO.mapOptional("Filters", Config.Filters); 445 IO.mapOptional("Sinks", Config.Sinks); 446 } 447 }; 448 449 template <> struct MappingTraits<TaintConfiguration::Sink> { 450 static void mapping(IO &IO, TaintConfiguration::Sink &Sink) { 451 IO.mapRequired("Name", Sink.Name); 452 IO.mapOptional("Scope", Sink.Scope); 453 IO.mapRequired("Args", Sink.SinkArgs); 454 } 455 }; 456 457 template <> struct MappingTraits<TaintConfiguration::Filter> { 458 static void mapping(IO &IO, TaintConfiguration::Filter &Filter) { 459 IO.mapRequired("Name", Filter.Name); 460 IO.mapOptional("Scope", Filter.Scope); 461 IO.mapRequired("Args", Filter.FilterArgs); 462 } 463 }; 464 465 template <> struct MappingTraits<TaintConfiguration::Propagation> { 466 static void mapping(IO &IO, TaintConfiguration::Propagation &Propagation) { 467 IO.mapRequired("Name", Propagation.Name); 468 IO.mapOptional("Scope", Propagation.Scope); 469 IO.mapOptional("SrcArgs", Propagation.SrcArgs); 470 IO.mapOptional("DstArgs", Propagation.DstArgs); 471 IO.mapOptional("VariadicType", Propagation.VarType); 472 IO.mapOptional("VariadicIndex", Propagation.VarIndex); 473 } 474 }; 475 476 template <> struct ScalarEnumerationTraits<TaintConfiguration::VariadicType> { 477 static void enumeration(IO &IO, TaintConfiguration::VariadicType &Value) { 478 IO.enumCase(Value, "None", TaintConfiguration::VariadicType::None); 479 IO.enumCase(Value, "Src", TaintConfiguration::VariadicType::Src); 480 IO.enumCase(Value, "Dst", TaintConfiguration::VariadicType::Dst); 481 } 482 }; 483 } // namespace yaml 484 } // namespace llvm 485 486 /// A set which is used to pass information from call pre-visit instruction 487 /// to the call post-visit. The values are signed integers, which are either 488 /// ReturnValueIndex, or indexes of the pointer/reference argument, which 489 /// points to data, which should be tainted on return. 490 REGISTER_MAP_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, const LocationContext *, 491 ImmutableSet<ArgIdxTy>) 492 REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(ArgIdxFactory, ArgIdxTy) 493 494 void GenericTaintRuleParser::validateArgVector(const std::string &Option, 495 const ArgVecTy &Args) const { 496 for (ArgIdxTy Arg : Args) { 497 if (Arg < ReturnValueIndex) { 498 Mgr.reportInvalidCheckerOptionValue( 499 Mgr.getChecker<GenericTaintChecker>(), Option, 500 "an argument number for propagation rules greater or equal to -1"); 501 } 502 } 503 } 504 505 template <typename Config> 506 GenericTaintRuleParser::NamePartsTy 507 GenericTaintRuleParser::parseNameParts(const Config &C) { 508 NamePartsTy NameParts; 509 if (!C.Scope.empty()) { 510 // If the Scope argument contains multiple "::" parts, those are considered 511 // namespace identifiers. 512 StringRef{C.Scope}.split(NameParts, "::", /*MaxSplit*/ -1, 513 /*KeepEmpty*/ false); 514 } 515 NameParts.emplace_back(C.Name); 516 return NameParts; 517 } 518 519 template <typename Config> 520 void GenericTaintRuleParser::consumeRulesFromConfig(const Config &C, 521 GenericTaintRule &&Rule, 522 RulesContTy &Rules) { 523 NamePartsTy NameParts = parseNameParts(C); 524 Rules.emplace_back(CallDescription(NameParts), std::move(Rule)); 525 } 526 527 void GenericTaintRuleParser::parseConfig(const std::string &Option, 528 TaintConfiguration::Sink &&S, 529 RulesContTy &Rules) const { 530 validateArgVector(Option, S.SinkArgs); 531 consumeRulesFromConfig(S, GenericTaintRule::Sink(std::move(S.SinkArgs)), 532 Rules); 533 } 534 535 void GenericTaintRuleParser::parseConfig(const std::string &Option, 536 TaintConfiguration::Filter &&S, 537 RulesContTy &Rules) const { 538 validateArgVector(Option, S.FilterArgs); 539 consumeRulesFromConfig(S, GenericTaintRule::Filter(std::move(S.FilterArgs)), 540 Rules); 541 } 542 543 void GenericTaintRuleParser::parseConfig(const std::string &Option, 544 TaintConfiguration::Propagation &&P, 545 RulesContTy &Rules) const { 546 validateArgVector(Option, P.SrcArgs); 547 validateArgVector(Option, P.DstArgs); 548 bool IsSrcVariadic = P.VarType == TaintConfiguration::VariadicType::Src; 549 bool IsDstVariadic = P.VarType == TaintConfiguration::VariadicType::Dst; 550 std::optional<ArgIdxTy> JustVarIndex = P.VarIndex; 551 552 ArgSet SrcDesc(std::move(P.SrcArgs), 553 IsSrcVariadic ? JustVarIndex : std::nullopt); 554 ArgSet DstDesc(std::move(P.DstArgs), 555 IsDstVariadic ? JustVarIndex : std::nullopt); 556 557 consumeRulesFromConfig( 558 P, GenericTaintRule::Prop(std::move(SrcDesc), std::move(DstDesc)), Rules); 559 } 560 561 GenericTaintRuleParser::RulesContTy 562 GenericTaintRuleParser::parseConfiguration(const std::string &Option, 563 TaintConfiguration &&Config) const { 564 565 RulesContTy Rules; 566 567 for (auto &F : Config.Filters) 568 parseConfig(Option, std::move(F), Rules); 569 570 for (auto &S : Config.Sinks) 571 parseConfig(Option, std::move(S), Rules); 572 573 for (auto &P : Config.Propagations) 574 parseConfig(Option, std::move(P), Rules); 575 576 return Rules; 577 } 578 579 void GenericTaintChecker::initTaintRules(CheckerContext &C) const { 580 // Check for exact name match for functions without builtin substitutes. 581 // Use qualified name, because these are C functions without namespace. 582 583 if (StaticTaintRules || DynamicTaintRules) 584 return; 585 586 using RulesConstructionTy = 587 std::vector<std::pair<CallDescription, GenericTaintRule>>; 588 using TR = GenericTaintRule; 589 590 const Builtin::Context &BI = C.getASTContext().BuiltinInfo; 591 592 RulesConstructionTy GlobalCRules{ 593 // Sources 594 {{{"fdopen"}}, TR::Source({{ReturnValueIndex}})}, 595 {{{"fopen"}}, TR::Source({{ReturnValueIndex}})}, 596 {{{"freopen"}}, TR::Source({{ReturnValueIndex}})}, 597 {{{"getch"}}, TR::Source({{ReturnValueIndex}})}, 598 {{{"getchar"}}, TR::Source({{ReturnValueIndex}})}, 599 {{{"getchar_unlocked"}}, TR::Source({{ReturnValueIndex}})}, 600 {{{"gets"}}, TR::Source({{0}, ReturnValueIndex})}, 601 {{{"gets_s"}}, TR::Source({{0}, ReturnValueIndex})}, 602 {{{"scanf"}}, TR::Source({{}, 1})}, 603 {{{"scanf_s"}}, TR::Source({{}, {1}})}, 604 {{{"wgetch"}}, TR::Source({{}, ReturnValueIndex})}, 605 // Sometimes the line between taint sources and propagators is blurry. 606 // _IO_getc is choosen to be a source, but could also be a propagator. 607 // This way it is simpler, as modeling it as a propagator would require 608 // to model the possible sources of _IO_FILE * values, which the _IO_getc 609 // function takes as parameters. 610 {{{"_IO_getc"}}, TR::Source({{ReturnValueIndex}})}, 611 {{{"getcwd"}}, TR::Source({{0, ReturnValueIndex}})}, 612 {{{"getwd"}}, TR::Source({{0, ReturnValueIndex}})}, 613 {{{"readlink"}}, TR::Source({{1, ReturnValueIndex}})}, 614 {{{"readlinkat"}}, TR::Source({{2, ReturnValueIndex}})}, 615 {{{"get_current_dir_name"}}, TR::Source({{ReturnValueIndex}})}, 616 {{{"gethostname"}}, TR::Source({{0}})}, 617 {{{"getnameinfo"}}, TR::Source({{2, 4}})}, 618 {{{"getseuserbyname"}}, TR::Source({{1, 2}})}, 619 {{{"getgroups"}}, TR::Source({{1, ReturnValueIndex}})}, 620 {{{"getlogin"}}, TR::Source({{ReturnValueIndex}})}, 621 {{{"getlogin_r"}}, TR::Source({{0}})}, 622 623 // Props 624 {{{"accept"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 625 {{{"atoi"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 626 {{{"atol"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 627 {{{"atoll"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 628 {{{"fgetc"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 629 {{{"fgetln"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 630 {{{"fgets"}}, TR::Prop({{2}}, {{0, ReturnValueIndex}})}, 631 {{{"fgetws"}}, TR::Prop({{2}}, {{0, ReturnValueIndex}})}, 632 {{{"fscanf"}}, TR::Prop({{0}}, {{}, 2})}, 633 {{{"fscanf_s"}}, TR::Prop({{0}}, {{}, {2}})}, 634 {{{"sscanf"}}, TR::Prop({{0}}, {{}, 2})}, 635 636 {{{"getc"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 637 {{{"getc_unlocked"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 638 {{{"getdelim"}}, TR::Prop({{3}}, {{0}})}, 639 {{{"getline"}}, TR::Prop({{2}}, {{0}})}, 640 {{{"getw"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 641 {{{"pread"}}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})}, 642 {{{"read"}}, TR::Prop({{0, 2}}, {{1, ReturnValueIndex}})}, 643 {{{"strchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 644 {{{"strrchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 645 {{{"tolower"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 646 {{{"toupper"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 647 {{{"fread"}}, TR::Prop({{3}}, {{0, ReturnValueIndex}})}, 648 {{{"recv"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 649 {{{"recvfrom"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 650 651 {{{"ttyname"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 652 {{{"ttyname_r"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 653 654 {{{"basename"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 655 {{{"dirname"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 656 {{{"fnmatch"}}, TR::Prop({{1}}, {{ReturnValueIndex}})}, 657 {{{"memchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 658 {{{"memrchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 659 {{{"rawmemchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 660 661 {{{"mbtowc"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 662 {{{"wctomb"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 663 {{{"wcwidth"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 664 665 {{{"memcmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, 666 {{{"memcpy"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 667 {{{"memmove"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 668 // If memmem was called with a tainted needle and the search was 669 // successful, that would mean that the value pointed by the return value 670 // has the same content as the needle. If we choose to go by the policy of 671 // content equivalence implies taintedness equivalence, that would mean 672 // haystack should be considered a propagation source argument. 673 {{{"memmem"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 674 675 // The comment for memmem above also applies to strstr. 676 {{{"strstr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 677 {{{"strcasestr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 678 679 {{{"strchrnul"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 680 681 {{{"index"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 682 {{{"rindex"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 683 684 // FIXME: In case of arrays, only the first element of the array gets 685 // tainted. 686 {{{"qsort"}}, TR::Prop({{0}}, {{0}})}, 687 {{{"qsort_r"}}, TR::Prop({{0}}, {{0}})}, 688 689 {{{"strcmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, 690 {{{"strcasecmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, 691 {{{"strncmp"}}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})}, 692 {{{"strncasecmp"}}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})}, 693 {{{"strspn"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, 694 {{{"strcspn"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, 695 {{{"strpbrk"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 696 {{{"strndup"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 697 {{{"strndupa"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 698 699 // strlen, wcslen, strnlen and alike intentionally don't propagate taint. 700 // See the details here: https://github.com/llvm/llvm-project/pull/66086 701 702 {{{"strtol"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 703 {{{"strtoll"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 704 {{{"strtoul"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 705 {{{"strtoull"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, 706 707 {{{"isalnum"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 708 {{{"isalpha"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 709 {{{"isascii"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 710 {{{"isblank"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 711 {{{"iscntrl"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 712 {{{"isdigit"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 713 {{{"isgraph"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 714 {{{"islower"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 715 {{{"isprint"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 716 {{{"ispunct"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 717 {{{"isspace"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 718 {{{"isupper"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 719 {{{"isxdigit"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 720 721 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncat)}}, 722 TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})}, 723 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcpy)}}, 724 TR::Prop({{1, 2}}, {{0}})}, 725 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcat)}}, 726 TR::Prop({{1, 2}}, {{0}})}, 727 {{CDF_MaybeBuiltin, {{"snprintf"}}}, 728 TR::Prop({{1}, 3}, {{0, ReturnValueIndex}})}, 729 {{CDF_MaybeBuiltin, {{"sprintf"}}}, 730 TR::Prop({{1}, 2}, {{0, ReturnValueIndex}})}, 731 {{CDF_MaybeBuiltin, {{"strcpy"}}}, 732 TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 733 {{CDF_MaybeBuiltin, {{"stpcpy"}}}, 734 TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 735 {{CDF_MaybeBuiltin, {{"strcat"}}}, 736 TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 737 {{CDF_MaybeBuiltin, {{"wcsncat"}}}, 738 TR::Prop({{1}}, {{0, ReturnValueIndex}})}, 739 {{CDF_MaybeBuiltin, {{"strdup"}}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 740 {{CDF_MaybeBuiltin, {{"strdupa"}}}, 741 TR::Prop({{0}}, {{ReturnValueIndex}})}, 742 {{CDF_MaybeBuiltin, {{"wcsdup"}}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, 743 744 // Sinks 745 {{{"system"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)}, 746 {{{"popen"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)}, 747 {{{"execl"}}, TR::Sink({{}, {0}}, MsgSanitizeSystemArgs)}, 748 {{{"execle"}}, TR::Sink({{}, {0}}, MsgSanitizeSystemArgs)}, 749 {{{"execlp"}}, TR::Sink({{}, {0}}, MsgSanitizeSystemArgs)}, 750 {{{"execv"}}, TR::Sink({{0, 1}}, MsgSanitizeSystemArgs)}, 751 {{{"execve"}}, TR::Sink({{0, 1, 2}}, MsgSanitizeSystemArgs)}, 752 {{{"fexecve"}}, TR::Sink({{0, 1, 2}}, MsgSanitizeSystemArgs)}, 753 {{{"execvp"}}, TR::Sink({{0, 1}}, MsgSanitizeSystemArgs)}, 754 {{{"execvpe"}}, TR::Sink({{0, 1, 2}}, MsgSanitizeSystemArgs)}, 755 {{{"dlopen"}}, TR::Sink({{0}}, MsgSanitizeSystemArgs)}, 756 {{CDF_MaybeBuiltin, {{"malloc"}}}, TR::Sink({{0}}, MsgTaintedBufferSize)}, 757 {{CDF_MaybeBuiltin, {{"calloc"}}}, TR::Sink({{0}}, MsgTaintedBufferSize)}, 758 {{CDF_MaybeBuiltin, {{"alloca"}}}, TR::Sink({{0}}, MsgTaintedBufferSize)}, 759 {{CDF_MaybeBuiltin, {{"memccpy"}}}, 760 TR::Sink({{3}}, MsgTaintedBufferSize)}, 761 {{CDF_MaybeBuiltin, {{"realloc"}}}, 762 TR::Sink({{1}}, MsgTaintedBufferSize)}, 763 {{{{"setproctitle"}}}, TR::Sink({{0}, 1}, MsgUncontrolledFormatString)}, 764 {{{{"setproctitle_fast"}}}, 765 TR::Sink({{0}, 1}, MsgUncontrolledFormatString)}, 766 767 // SinkProps 768 {{CDF_MaybeBuiltin, BI.getName(Builtin::BImemcpy)}, 769 TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}}, 770 MsgTaintedBufferSize)}, 771 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BImemmove)}}, 772 TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}}, 773 MsgTaintedBufferSize)}, 774 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncpy)}}, 775 TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}}, 776 MsgTaintedBufferSize)}, 777 {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrndup)}}, 778 TR::SinkProp({{1}}, {{0, 1}}, {{ReturnValueIndex}}, 779 MsgTaintedBufferSize)}, 780 {{CDF_MaybeBuiltin, {{"bcopy"}}}, 781 TR::SinkProp({{2}}, {{0, 2}}, {{1}}, MsgTaintedBufferSize)}}; 782 783 // `getenv` returns taint only in untrusted environments. 784 if (TR::UntrustedEnv(C)) { 785 // void setproctitle_init(int argc, char *argv[], char *envp[]) 786 GlobalCRules.push_back( 787 {{{"setproctitle_init"}}, TR::Sink({{1, 2}}, MsgCustomSink)}); 788 GlobalCRules.push_back({{{"getenv"}}, TR::Source({{ReturnValueIndex}})}); 789 } 790 791 StaticTaintRules.emplace(std::make_move_iterator(GlobalCRules.begin()), 792 std::make_move_iterator(GlobalCRules.end())); 793 794 // User-provided taint configuration. 795 CheckerManager *Mgr = C.getAnalysisManager().getCheckerManager(); 796 assert(Mgr); 797 GenericTaintRuleParser ConfigParser{*Mgr}; 798 std::string Option{"Config"}; 799 StringRef ConfigFile = 800 Mgr->getAnalyzerOptions().getCheckerStringOption(this, Option); 801 std::optional<TaintConfiguration> Config = 802 getConfiguration<TaintConfiguration>(*Mgr, this, Option, ConfigFile); 803 if (!Config) { 804 // We don't have external taint config, no parsing required. 805 DynamicTaintRules = RuleLookupTy{}; 806 return; 807 } 808 809 GenericTaintRuleParser::RulesContTy Rules{ 810 ConfigParser.parseConfiguration(Option, std::move(*Config))}; 811 812 DynamicTaintRules.emplace(std::make_move_iterator(Rules.begin()), 813 std::make_move_iterator(Rules.end())); 814 } 815 816 void GenericTaintChecker::checkPreCall(const CallEvent &Call, 817 CheckerContext &C) const { 818 initTaintRules(C); 819 820 // FIXME: this should be much simpler. 821 if (const auto *Rule = 822 Call.isGlobalCFunction() ? StaticTaintRules->lookup(Call) : nullptr) 823 Rule->process(*this, Call, C); 824 else if (const auto *Rule = DynamicTaintRules->lookup(Call)) 825 Rule->process(*this, Call, C); 826 827 // FIXME: These edge cases are to be eliminated from here eventually. 828 // 829 // Additional check that is not supported by CallDescription. 830 // TODO: Make CallDescription be able to match attributes such as printf-like 831 // arguments. 832 checkUncontrolledFormatString(Call, C); 833 834 // TODO: Modeling sockets should be done in a specific checker. 835 // Socket is a source, which taints the return value. 836 taintUnsafeSocketProtocol(Call, C); 837 } 838 839 void GenericTaintChecker::checkPostCall(const CallEvent &Call, 840 CheckerContext &C) const { 841 // Set the marked values as tainted. The return value only accessible from 842 // checkPostStmt. 843 ProgramStateRef State = C.getState(); 844 const StackFrameContext *CurrentFrame = C.getStackFrame(); 845 846 // Depending on what was tainted at pre-visit, we determined a set of 847 // arguments which should be tainted after the function returns. These are 848 // stored in the state as TaintArgsOnPostVisit set. 849 TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>(); 850 851 const ImmutableSet<ArgIdxTy> *TaintArgs = TaintArgsMap.lookup(CurrentFrame); 852 if (!TaintArgs) 853 return; 854 assert(!TaintArgs->isEmpty()); 855 856 LLVM_DEBUG(for (ArgIdxTy I 857 : *TaintArgs) { 858 llvm::dbgs() << "PostCall<"; 859 Call.dump(llvm::dbgs()); 860 llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n'; 861 }); 862 863 const NoteTag *InjectionTag = nullptr; 864 std::vector<SymbolRef> TaintedSymbols; 865 std::vector<ArgIdxTy> TaintedIndexes; 866 for (ArgIdxTy ArgNum : *TaintArgs) { 867 // Special handling for the tainted return value. 868 if (ArgNum == ReturnValueIndex) { 869 State = addTaint(State, Call.getReturnValue()); 870 std::vector<SymbolRef> TaintedSyms = 871 getTaintedSymbols(State, Call.getReturnValue()); 872 if (!TaintedSyms.empty()) { 873 TaintedSymbols.push_back(TaintedSyms[0]); 874 TaintedIndexes.push_back(ArgNum); 875 } 876 continue; 877 } 878 // The arguments are pointer arguments. The data they are pointing at is 879 // tainted after the call. 880 if (auto V = getPointeeOf(State, Call.getArgSVal(ArgNum))) { 881 State = addTaint(State, *V); 882 std::vector<SymbolRef> TaintedSyms = getTaintedSymbols(State, *V); 883 if (!TaintedSyms.empty()) { 884 TaintedSymbols.push_back(TaintedSyms[0]); 885 TaintedIndexes.push_back(ArgNum); 886 } 887 } 888 } 889 // Create a NoteTag callback, which prints to the user where the taintedness 890 // was propagated to. 891 InjectionTag = taintPropagationExplainerTag(C, TaintedSymbols, TaintedIndexes, 892 Call.getCalleeStackFrame(0)); 893 // Clear up the taint info from the state. 894 State = State->remove<TaintArgsOnPostVisit>(CurrentFrame); 895 C.addTransition(State, InjectionTag); 896 } 897 898 void GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State, 899 const char *NL, const char *Sep) const { 900 printTaint(State, Out, NL, Sep); 901 } 902 903 void GenericTaintRule::process(const GenericTaintChecker &Checker, 904 const CallEvent &Call, CheckerContext &C) const { 905 ProgramStateRef State = C.getState(); 906 const ArgIdxTy CallNumArgs = fromArgumentCount(Call.getNumArgs()); 907 908 /// Iterate every call argument, and get their corresponding Expr and SVal. 909 const auto ForEachCallArg = [&C, &Call, CallNumArgs](auto &&Fun) { 910 for (ArgIdxTy I = ReturnValueIndex; I < CallNumArgs; ++I) { 911 const Expr *E = GetArgExpr(I, Call); 912 Fun(I, E, C.getSVal(E)); 913 } 914 }; 915 916 /// Check for taint sinks. 917 ForEachCallArg([this, &Checker, &C, &State](ArgIdxTy I, const Expr *E, SVal) { 918 // Add taintedness to stdin parameters 919 if (isStdin(C.getSVal(E), C.getASTContext())) { 920 State = addTaint(State, C.getSVal(E)); 921 } 922 if (SinkArgs.contains(I) && isTaintedOrPointsToTainted(State, C.getSVal(E))) 923 Checker.generateReportIfTainted(E, SinkMsg.value_or(MsgCustomSink), C); 924 }); 925 926 /// Check for taint filters. 927 ForEachCallArg([this, &State](ArgIdxTy I, const Expr *E, SVal S) { 928 if (FilterArgs.contains(I)) { 929 State = removeTaint(State, S); 930 if (auto P = getPointeeOf(State, S)) 931 State = removeTaint(State, *P); 932 } 933 }); 934 935 /// Check for taint propagation sources. 936 /// A rule will make the destination variables tainted if PropSrcArgs 937 /// is empty (taints the destination 938 /// arguments unconditionally), or if any of its signified 939 /// args are tainted in context of the current CallEvent. 940 bool IsMatching = PropSrcArgs.isEmpty(); 941 std::vector<SymbolRef> TaintedSymbols; 942 std::vector<ArgIdxTy> TaintedIndexes; 943 ForEachCallArg([this, &C, &IsMatching, &State, &TaintedSymbols, 944 &TaintedIndexes](ArgIdxTy I, const Expr *E, SVal) { 945 std::optional<SVal> TaintedSVal = 946 getTaintedPointeeOrPointer(State, C.getSVal(E)); 947 IsMatching = 948 IsMatching || (PropSrcArgs.contains(I) && TaintedSVal.has_value()); 949 950 // We track back tainted arguments except for stdin 951 if (TaintedSVal && !isStdin(*TaintedSVal, C.getASTContext())) { 952 std::vector<SymbolRef> TaintedArgSyms = 953 getTaintedSymbols(State, *TaintedSVal); 954 if (!TaintedArgSyms.empty()) { 955 llvm::append_range(TaintedSymbols, TaintedArgSyms); 956 TaintedIndexes.push_back(I); 957 } 958 } 959 }); 960 961 // Early return for propagation rules which dont match. 962 // Matching propagations, Sinks and Filters will pass this point. 963 if (!IsMatching) 964 return; 965 966 const auto WouldEscape = [](SVal V, QualType Ty) -> bool { 967 if (!isa<Loc>(V)) 968 return false; 969 970 const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified(); 971 const bool IsNonConstPtr = 972 Ty->isPointerType() && !Ty->getPointeeType().isConstQualified(); 973 974 return IsNonConstRef || IsNonConstPtr; 975 }; 976 977 /// Propagate taint where it is necessary. 978 auto &F = State->getStateManager().get_context<ArgIdxFactory>(); 979 ImmutableSet<ArgIdxTy> Result = F.getEmptySet(); 980 ForEachCallArg( 981 [&](ArgIdxTy I, const Expr *E, SVal V) { 982 if (PropDstArgs.contains(I)) { 983 LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs()); 984 llvm::dbgs() 985 << "> prepares tainting arg index: " << I << '\n';); 986 Result = F.add(Result, I); 987 } 988 989 // Taint property gets lost if the variable is passed as a 990 // non-const pointer or reference to a function which is 991 // not inlined. For matching rules we want to preserve the taintedness. 992 // TODO: We should traverse all reachable memory regions via the 993 // escaping parameter. Instead of doing that we simply mark only the 994 // referred memory region as tainted. 995 if (WouldEscape(V, E->getType()) && getTaintedPointeeOrPointer(State, V)) { 996 LLVM_DEBUG(if (!Result.contains(I)) { 997 llvm::dbgs() << "PreCall<"; 998 Call.dump(llvm::dbgs()); 999 llvm::dbgs() << "> prepares tainting arg index: " << I << '\n'; 1000 }); 1001 Result = F.add(Result, I); 1002 } 1003 }); 1004 1005 if (!Result.isEmpty()) 1006 State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); 1007 const NoteTag *InjectionTag = taintOriginTrackerTag( 1008 C, std::move(TaintedSymbols), std::move(TaintedIndexes), 1009 Call.getCalleeStackFrame(0)); 1010 C.addTransition(State, InjectionTag); 1011 } 1012 1013 bool GenericTaintRule::UntrustedEnv(CheckerContext &C) { 1014 return !C.getAnalysisManager() 1015 .getAnalyzerOptions() 1016 .ShouldAssumeControlledEnvironment; 1017 } 1018 1019 bool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg, 1020 CheckerContext &C) const { 1021 assert(E); 1022 std::optional<SVal> TaintedSVal = 1023 getTaintedPointeeOrPointer(C.getState(), C.getSVal(E)); 1024 1025 if (!TaintedSVal) 1026 return false; 1027 1028 // Generate diagnostic. 1029 if (ExplodedNode *N = C.generateNonFatalErrorNode()) { 1030 auto report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N); 1031 report->addRange(E->getSourceRange()); 1032 for (auto TaintedSym : getTaintedSymbols(C.getState(), *TaintedSVal)) { 1033 report->markInteresting(TaintedSym); 1034 } 1035 1036 C.emitReport(std::move(report)); 1037 return true; 1038 } 1039 return false; 1040 } 1041 1042 /// TODO: remove checking for printf format attributes and socket whitelisting 1043 /// from GenericTaintChecker, and that means the following functions: 1044 /// getPrintfFormatArgumentNum, 1045 /// GenericTaintChecker::checkUncontrolledFormatString, 1046 /// GenericTaintChecker::taintUnsafeSocketProtocol 1047 1048 static bool getPrintfFormatArgumentNum(const CallEvent &Call, 1049 const CheckerContext &C, 1050 ArgIdxTy &ArgNum) { 1051 // Find if the function contains a format string argument. 1052 // Handles: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, 1053 // vsnprintf, syslog, custom annotated functions. 1054 const Decl *CallDecl = Call.getDecl(); 1055 if (!CallDecl) 1056 return false; 1057 const FunctionDecl *FDecl = CallDecl->getAsFunction(); 1058 if (!FDecl) 1059 return false; 1060 1061 const ArgIdxTy CallNumArgs = fromArgumentCount(Call.getNumArgs()); 1062 1063 for (const auto *Format : FDecl->specific_attrs<FormatAttr>()) { 1064 ArgNum = Format->getFormatIdx() - 1; 1065 if ((Format->getType()->getName() == "printf") && CallNumArgs > ArgNum) 1066 return true; 1067 } 1068 1069 return false; 1070 } 1071 1072 bool GenericTaintChecker::checkUncontrolledFormatString( 1073 const CallEvent &Call, CheckerContext &C) const { 1074 // Check if the function contains a format string argument. 1075 ArgIdxTy ArgNum = 0; 1076 if (!getPrintfFormatArgumentNum(Call, C, ArgNum)) 1077 return false; 1078 1079 // If either the format string content or the pointer itself are tainted, 1080 // warn. 1081 return generateReportIfTainted(Call.getArgExpr(ArgNum), 1082 MsgUncontrolledFormatString, C); 1083 } 1084 1085 void GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call, 1086 CheckerContext &C) const { 1087 if (Call.getNumArgs() < 1) 1088 return; 1089 const IdentifierInfo *ID = Call.getCalleeIdentifier(); 1090 if (!ID) 1091 return; 1092 if (!ID->getName().equals("socket")) 1093 return; 1094 1095 SourceLocation DomLoc = Call.getArgExpr(0)->getExprLoc(); 1096 StringRef DomName = C.getMacroNameOrSpelling(DomLoc); 1097 // Allow internal communication protocols. 1098 bool SafeProtocol = DomName.equals("AF_SYSTEM") || 1099 DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") || 1100 DomName.equals("AF_RESERVED_36"); 1101 if (SafeProtocol) 1102 return; 1103 1104 ProgramStateRef State = C.getState(); 1105 auto &F = State->getStateManager().get_context<ArgIdxFactory>(); 1106 ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex); 1107 State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); 1108 C.addTransition(State); 1109 } 1110 1111 /// Checker registration 1112 void ento::registerGenericTaintChecker(CheckerManager &Mgr) { 1113 Mgr.registerChecker<GenericTaintChecker>(); 1114 } 1115 1116 bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) { 1117 return true; 1118 } 1119