[quandary] allocation as a sink

Reviewed By: the-st0rm Differential Revision: D5029613 fbshipit-source-id: db0924e
8 years ago · 6c8f3fe618
parent 6d1d78bb60
commit 6c8f3fe618
4 changed files with 58 additions and 6 deletions
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@ -91,11 +91,13 @@ module CppSource = Source.Make(SourceKind)
 module SinkKind = struct

  type t =
+    | Allocation (** memory allocation *)
    | ShellExec (** shell exec function *)
    | Other (** for testing or uncategorized sinks *)
  [@@deriving compare]

  let of_string = function
+    | "Allocation" -> Allocation
    | "ShellExec" -> ShellExec
    | _ -> Other

@ -141,6 +143,8 @@ module SinkKind = struct
          match Typ.Procname.to_string pname with
          | "execl" | "execlp" | "execle" | "execv" | "execvp" ->
              taint_all actuals ShellExec ~report_reachable:false
+          | "brk" | "calloc" | "malloc" | "realloc" | "sbrk" ->
+              taint_all actuals Allocation ~report_reachable:false
          | _ ->
              Option.value (get_external_sink pname actuals) ~default:[]
        end
@ -151,9 +155,12 @@ module SinkKind = struct
    | pname ->
        failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname

-  let pp fmt = function
-    | ShellExec -> F.fprintf fmt "ShellExec"
-    | Other -> F.fprintf fmt "Other"
+  let pp fmt kind =
+    F.fprintf fmt
+      (match kind with
+       | Allocation -> "Allocation"
+       | ShellExec -> "ShellExec"
+       | Other -> "Other")
 end

 module CppSink = Sink.Make(SinkKind)
@ -165,11 +172,15 @@ include

    let should_report source sink =
      match Source.kind source, Sink.kind sink with
-      | EnvironmentVariable, ShellExec
-      | File, ShellExec ->
+      | (EnvironmentVariable | File), ShellExec ->
          (* untrusted data flowing to exec *)
          true
-      | Other, Other ->
+      | (EnvironmentVariable | File), Allocation ->
+          (* untrusted data flowing to memory allocation *)
+          true
+      | Other, _
+      | _, Other ->
+          (* Other matches everything *)
          true
      | _ ->
          false
--- a/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
+++ b/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
@ -19,6 +19,10 @@
    {
      "procedure": "basics::Obj::string_source",
      "kind": "Other"
+    },
+    {
+      "procedure": "allocs::allocation_source",
+      "kind": "EnvironmentVariable"
    }
  ],
  "quandary-sinks": [
--- a/infer/tests/codetoanalyze/cpp/quandary/allocs.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/allocs.cpp
@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2017 - present Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+
+namespace allocs {
+
+extern int* allocation_source();
+
+void untrusted_malloc_bad() { malloc(*allocation_source()); }
+
+void untrusted_calloc_bad1() { calloc(*allocation_source(), sizeof(int)); }
+
+void untrusted_calloc_bad2() { calloc(5, *allocation_source()); }
+
+void untrusted_reaalloc_bad1() { realloc(allocation_source(), sizeof(int)); }
+
+void untrusted_reaalloc_bad2(int* i) { realloc(i, *allocation_source()); }
+
+void untrusted_brk_bad() { brk((void*)allocation_source()); }
+
+void untrusted_sbrk_bad() { sbrk(*allocation_source()); }
+}
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@ -1,3 +1,10 @@
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_brk_bad, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to brk]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad1, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to calloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad2, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to calloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_malloc_bad, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to malloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad1, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to realloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad2, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to realloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_sbrk_bad, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to sbrk]
 codetoanalyze/cpp/quandary/basics.cpp, basics::object_source_sink_bad, 2, QUANDARY_TAINT_ERROR, [return from basics::Obj_method_source,call to basics::Obj_method_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::propagateBad, 3, QUANDARY_TAINT_ERROR, [return from __infer_taint_source,flow through basics::id,call to basics::callSink,call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::returnSourceToSinkBad, 2, QUANDARY_TAINT_ERROR, [return from __infer_taint_source,return from basics::returnSource,call to __infer_taint_sink]