From 60784ad045e1a2871b60618b6b78d1606a9b3918 Mon Sep 17 00:00:00 2001 From: Julian Sutherland Date: Wed, 19 Sep 2018 04:22:13 -0700 Subject: [PATCH] Updated QuandaryBO issue matching. Reviewed By: jvillard Differential Revision: D9923601 fbshipit-source-id: a9791dc6c --- infer/src/quandary/quandaryBO.ml | 57 ++++++++++++------- .../cpp/quandaryBO/tainted_index.cpp | 20 +++++++ 2 files changed, 58 insertions(+), 19 deletions(-) diff --git a/infer/src/quandary/quandaryBO.ml b/infer/src/quandary/quandaryBO.ml index a5d0bdb45..923df8c0a 100644 --- a/infer/src/quandary/quandaryBO.ml +++ b/infer/src/quandary/quandaryBO.ml @@ -8,10 +8,11 @@ open! IStd let update_issues all_issues = - let quandary_bug_names = - IssueType.[untrusted_buffer_access; untrusted_heap_allocation; untrusted_variable_length_array] + let quandary_access_issues = [IssueType.untrusted_buffer_access] in + let quandary_alloc_issues = + IssueType.[untrusted_heap_allocation; untrusted_variable_length_array] in - let inferbo_bug_names = + let inferbo_access_issues = IssueType. [ buffer_overrun_l1 ; buffer_overrun_l2 @@ -19,28 +20,45 @@ let update_issues all_issues = ; buffer_overrun_l4 ; buffer_overrun_l5 ; buffer_overrun_s2 - ; buffer_overrun_u5 - ; inferbo_alloc_is_big + ; buffer_overrun_u5 ] + in + let inferbo_alloc_issues = + IssueType. + [ inferbo_alloc_is_big ; inferbo_alloc_is_zero ; inferbo_alloc_is_negative ; inferbo_alloc_may_be_big ; inferbo_alloc_may_be_negative ] in - let is_quandary_issue issue = - List.mem quandary_bug_names issue.Issue.err_key.err_name ~equal:IssueType.equal + let is_quandary_access_issue issue = + List.mem quandary_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal + in + let is_quandary_alloc_issue issue = + List.mem quandary_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal + in + let is_relevant_quandary_issue issue = + is_quandary_access_issue issue || is_quandary_alloc_issue issue + in + let is_inferbo_access_issue issue = + List.mem inferbo_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal in - let is_inferbo_issue issue = - List.mem inferbo_bug_names issue.Issue.err_key.err_name ~equal:IssueType.equal + let is_inferbo_alloc_issue issue = + List.mem inferbo_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal + in + let is_relevant_inferbo_issue issue = + is_inferbo_access_issue issue || is_inferbo_alloc_issue issue in let quandary_issues, inferBO_issues = List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue -> - if is_quandary_issue issue then (issue :: q_issues, iBO_issues) - else if is_inferbo_issue issue then (q_issues, issue :: iBO_issues) + if is_relevant_quandary_issue issue then (issue :: q_issues, iBO_issues) + else if is_relevant_inferbo_issue issue then (q_issues, issue :: iBO_issues) else (q_issues, iBO_issues) ) in let matching_issues quandary_issue inferbo_issue = SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file && Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line + && ( (is_quandary_alloc_issue quandary_issue && is_inferbo_alloc_issue inferbo_issue) + || (is_quandary_access_issue quandary_issue && is_inferbo_access_issue inferbo_issue) ) in let paired_issues = (* Can be computed more efficiently (in n*log(n)) by using a Map mapping @@ -62,13 +80,13 @@ let update_issues all_issues = else IssueType.tainted_memory_allocation ) ~merge_descriptions:(fun descs1 descs2 -> String.concat - ( "QuandaryBO error. Quandary error(s):\n" - :: (descs1 @ ("InferBO error(s):\n" :: descs2)) ) ) + ( "QuandaryBO error. Quandary error(s): \"" + :: (descs1 @ ("\". InferBO error(s):\"" :: (descs2 @ ["\"."]))) ) ) ; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data } in (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *) let quandaryBO_issues = List.map ~f:merge_issues paired_issues in - let quandary_issuetypes = + let quandary_issues = IssueType. [ quandary_taint_error ; shell_injection @@ -82,16 +100,17 @@ let update_issues all_issues = ; untrusted_variable_length_array ; user_controlled_sql_risk ] in - let inferBO_issuetypes = inferbo_bug_names in + let inferbo_issues = + inferbo_alloc_issues @ inferbo_access_issues @ [IssueType.unreachable_code_after] + in let all_issues_filtered = List.filter ~f:(fun issue -> ( Config.quandary - || not (List.mem quandary_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal) - ) + || not (List.mem quandary_issues issue.Issue.err_key.err_name ~equal:IssueType.equal) ) && ( Config.bufferoverrun - || not (List.mem inferBO_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal) - ) ) + || not (List.mem inferbo_issues issue.Issue.err_key.err_name ~equal:IssueType.equal) ) + ) all_issues in List.rev_append all_issues_filtered quandaryBO_issues diff --git a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp index a5b350d0a..3dcbf9feb 100644 --- a/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp +++ b/infer/tests/codetoanalyze/cpp/quandaryBO/tainted_index.cpp @@ -4,6 +4,8 @@ * This source code is licensed under the MIT license found in the * LICENSE file in the root directory of this source tree. */ +#include + extern int __infer_taint_source(); void basic_bad() { @@ -33,3 +35,21 @@ void memory_alloc_bad2() { int arr[s]; } } + +struct st { + int size; + int ind; +}; + +st overlapping_issues_source_good() { + return {.size = __infer_taint_source(), .ind = 10}; +} + +void overlapping_issues_sink_good(st info) { + int arr[info.size]; + arr[info.ind] = 0; +} + +void overlapping_issues_good() { + overlapping_issues_sink_good(overlapping_issues_source_good()); +}