Added new issues to differentiate tainted buffer accesses and heap allocations

Reviewed By: mbouaziz

Differential Revision: D9654758

fbshipit-source-id: 1c3c240f8
Julian Sutherland 6 years ago committed by Facebook Github Bot
parent 0cffc52b3b
commit 34b0a6165c

@ -344,12 +344,16 @@ let use_after_lifetime = from_string "USE_AFTER_LIFETIME"
let user_controlled_sql_risk = from_string "USER_CONTROLLED_SQL_RISK"
let untrusted_buffer_access = from_string "UNTRUSTED_BUFFER_ACCESS"
let untrusted_deserialization = from_string "UNTRUSTED_DESERIALIZATION"
let untrusted_file = from_string "UNTRUSTED_FILE"
let untrusted_file_risk = from_string "UNTRUSTED_FILE_RISK"
let untrusted_heap_allocation = from_string "UNTRUSTED_HEAP_ALLOCATION"
let untrusted_intent_creation = from_string "UNTRUSTED_INTENT_CREATION"
let untrusted_url_risk = from_string "UNTRUSTED_URL_RISK"

@ -255,12 +255,16 @@ val use_after_free : t
val use_after_lifetime : t
val untrusted_buffer_access : t
val untrusted_deserialization : t
val untrusted_file : t
val untrusted_file_risk : t
val untrusted_heap_allocation : t
val untrusted_intent_creation : t
val untrusted_url_risk : t

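--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -486,15 +486,15 @@ include Trace.Make (struct
 Option.some_if
 (is_injection_possible ~typ Sanitizer.EscapeShell sanitizers)
 IssueType.shell_injection_risk
-| UserControlledEndpoint _, BufferAccess ->
-(* untrusted data from an endpoint flowing into a buffer *)
-Some IssueType.quandary_taint_error
-| Endpoint _, (BufferAccess | HeapAllocation | StackAllocation) ->
-(* may want to report this in the future, but don't care for now *)
-None
-| (CommandLineFlag _ | EnvironmentVariable | ReadFile | Other), BufferAccess ->
-(* untrusted flag, environment var, or file data flowing to buffer *)
-Some IssueType.quandary_taint_error
+| ( ( UserControlledEndpoint _
+| Endpoint _
+| CommandLineFlag _
+| EnvironmentVariable
+| ReadFile
+| Other )
+, BufferAccess ) ->
+(* untrusted data of any kind flowing to buffer *)
+Some IssueType.untrusted_buffer_access
 | (EnvironmentVariable | ReadFile | Other), ShellExec ->
 (* environment var, or file data flowing to shell *)
 Option.some_if
@@ -510,11 +510,21 @@ include Trace.Make (struct
 Option.some_if
 (is_injection_possible Sanitizer.EscapeURL sanitizers)
 IssueType.untrusted_url_risk
-| ( (CommandLineFlag _ | UserControlledEndpoint _ | EnvironmentVariable | ReadFile | Other)
+| ( ( CommandLineFlag _
+| Endpoint _
+| UserControlledEndpoint _
+| EnvironmentVariable
+| ReadFile
+| Other )
 , HeapAllocation ) ->
 (* untrusted data of any kind flowing to heap allocation. this can cause crashes or DOS. *)
-Some IssueType.quandary_taint_error
-| ( (CommandLineFlag _ | UserControlledEndpoint _ | EnvironmentVariable | ReadFile | Other)
+Some IssueType.untrusted_heap_allocation
+| ( ( CommandLineFlag _
+| Endpoint _
+| UserControlledEndpoint _
+| EnvironmentVariable
+| ReadFile
+| Other )
 , StackAllocation ) ->
 (* untrusted data of any kind flowing to stack buffer allocation. trying to allocate a stack
 buffer that's too large will cause a stack overflow. *)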
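Review bot: Judging by the hunk line counts, the rewrite also removes the `| Endpoint _, (BufferAccess | HeapAllocation | StackAllocation) -> None` arm and adds `Endpoint _` to the source lists of all three new arms, so plain endpoint sources that were deliberately left unreported now yield UNTRUSTED_BUFFER_ACCESS, UNTRUSTED_HEAP_ALLOCATION and the stack-allocation issue. The commit title only speaks of new issue types to tell buffer accesses apart from heap allocations, so this widening of what gets reported should be stated in the description, and the new BufferAccess arm deserves a comment such as `(* Endpoint sources are reported here too; they were previously suppressed as not worth reporting *)`. If the widening is unintended, keep the `None` arm and drop `Endpoint _` from the three patterns. The enclosing match begins before the first hunk and the result of the StackAllocation arm lies after the second.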

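--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,25 +1,25 @@
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_brk_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to brk with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad1, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad2, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 1]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_malloc_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to malloc with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad1, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 0]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad2, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 1]
-codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_sbrk_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from allocs::allocation_source,Call to sbrk with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink1_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink2_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink3_bad, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink4_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_brk_bad, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to brk with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad1, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad2, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to calloc with tainted index 1]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_malloc_bad, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to malloc with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad1, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 0]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad2, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to realloc with tainted index 1]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_sbrk_bad, 0, UNTRUSTED_HEAP_ALLOCATION, no_bucket, ERROR, [Return from allocs::allocation_source,Call to sbrk with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink1_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink2_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink3_bad, 0, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink4_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::gflag_to_stack_allocated_array_bad, 0, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __global_access,Call to __set_array_length with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::memcpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to memcpy with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::memmove_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to memmove with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::memset_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to memset with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::memcpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to memcpy with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::memmove_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to memmove with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::memset_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to memset with tainted index 2]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::stack_smash_bad, 2, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_array_sink_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::array<int,2>_operator[] with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_string_sink_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::basic_string<char,std::char_traits<char>,std::allocator<char>>_operator[] with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::strcpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from getenv,Call to strcpy with tainted index 1]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::strncpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to strncpy with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemcpy_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemcpy with tainted index 2]
-codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemmove_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemmove with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_array_sink_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::array<int,2>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_string_sink_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::basic_string<char,std::char_traits<char>,std::allocator<char>>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::strcpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from getenv,Call to strcpy with tainted index 1]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::strncpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to strncpy with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemcpy_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemcpy with tainted index 2]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::wmemmove_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to wmemmove with tainted index 2]
 codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 1, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from basics::Obj_endpoint,Call to basics::Obj_string_sink with tainted index 1]
 codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from basics::Obj_endpoint,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/basics.cpp, basics::funCall_bad1, 0, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to basics::funCall_bad2 with tainted index 1,Call to __infer_taint_sink with tainted index 0]
@@ -131,9 +131,9 @@ codetoanalyze/cpp/quandary/strings.cpp, strings::replace1_bad, 2, QUANDARY_TAINT
 codetoanalyze/cpp/quandary/strings.cpp, strings::replace2_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::sprintf1_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::sprintf2_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
-codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy1_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
+codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy1_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy1_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
-codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
+codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to strcpy with tainted index 1]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strcpy2_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::strncpy_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/strings.cpp, strings::swap_bad, 4, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
@@ -145,5 +145,5 @@ codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::direct_bad, 2, QUANDA
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_indirect_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_pointer_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
 codetoanalyze/cpp/quandary/unknown_code.cpp, unknown_code::skip_value_bad, 3, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to __infer_taint_sink with tainted index 0]
-codetoanalyze/cpp/quandary/vectors.cpp, vectors::read_vector_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector<int,std::allocator<int>>_operator[] with tainted index 1]
-codetoanalyze/cpp/quandary/vectors.cpp, vectors::write_vector_bad, 2, QUANDARY_TAINT_ERROR, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector<int,std::allocator<int>>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/vectors.cpp, vectors::read_vector_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector<int,std::allocator<int>>_operator[] with tainted index 1]
+codetoanalyze/cpp/quandary/vectors.cpp, vectors::write_vector_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to std::vector<int,std::allocator<int>>_operator[] with tainted index 1]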
