From 6c8f3fe6189eb3b7ffa08e076eb2ecb5cc9f77b1 Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Wed, 10 May 2017 07:36:30 -0700
Subject: [PATCH] [quandary] allocation as a sink
Reviewed By: the-st0rm
Differential Revision: D5029613
fbshipit-source-id: db0924e
---
 infer/src/quandary/ClangTrace.ml | 23 ++++++++++----
 .../codetoanalyze/cpp/quandary/.inferconfig | 4 +++
 .../codetoanalyze/cpp/quandary/allocs.cpp | 30 +++++++++++++++++++
 .../codetoanalyze/cpp/quandary/issues.exp | 7 +++++
 4 files changed, 58 insertions(+), 6 deletions(-)
 create mode 100644 infer/tests/codetoanalyze/cpp/quandary/allocs.cpp
diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index d799b4198..7513e99a8 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -91,11 +91,13 @@ module CppSource = Source.Make(SourceKind)
 module SinkKind = struct
 type t =
+ | Allocation (** memory allocation *)
 | ShellExec (** shell exec function *)
 | Other (** for testing or uncategorized sinks *)
 [@@deriving compare]
 let of_string = function
+ | "Allocation" -> Allocation
 | "ShellExec" -> ShellExec
 | _ -> Other
@@ -141,6 +143,8 @@ module SinkKind = struct
 match Typ.Procname.to_string pname with
 | "execl" | "execlp" | "execle" | "execv" | "execvp" ->
 taint_all actuals ShellExec ~report_reachable:false
+ | "brk" | "calloc" | "malloc" | "realloc" | "sbrk" ->
+ taint_all actuals Allocation ~report_reachable:false
 | _ -> Option.value (get_external_sink pname actuals) ~default:[]
 end
@@ -151,9 +155,12 @@ module SinkKind = struct
 | pname ->
 failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname
- let pp fmt = function
- | ShellExec -> F.fprintf fmt "ShellExec"
- | Other -> F.fprintf fmt "Other"
+ let pp fmt kind =
+ F.fprintf fmt
+ (match kind with
+ | Allocation -> "Allocation"
+ | ShellExec -> "ShellExec"
+ | Other -> "Other")
 end
 module CppSink = Sink.Make(SinkKind)
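Review bot: The new `"brk" | "calloc" | "malloc" | "realloc" | "sbrk"` arm in the second hunk leaves out the other size-taking allocators a C/C++ program reaches — `alloca`, `posix_memalign`, `aligned_alloc` and the C++ `new`/`new[]` operators — so a tainted size passed to any of them is not reported; if the property is "untrusted size reaches an allocator", the libc part is a one-line extension (`| "brk" | "calloc" | "malloc" | "realloc" | "sbrk" | "alloca" | "posix_memalign" | "aligned_alloc" ->`), while the C++ operators presumably need their own case depending on how the frontend names them. The arm also makes every actual a sink, so `realloc`'s pointer argument and `brk`'s address are flagged alongside the sizes (issues.exp expects exactly that); a comment stating the choice would save the next reader from wondering whether it is intended, e.g. `(* every actual is a sink: sizes for malloc/calloc/realloc/sbrk, and the pointer passed to realloc/brk *)`. The `match Typ.Procname.to_string pname with` is the hunk's first context line; the function it belongs to starts outside the hunk.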
@@ -165,11 +172,15 @@ include
 let should_report source sink =
 match Source.kind source, Sink.kind sink with
- | EnvironmentVariable, ShellExec
- | File, ShellExec ->
+ | (EnvironmentVariable | File), ShellExec ->
 (* untrusted data flowing to exec *)
 true
- | Other, Other ->
+ | (EnvironmentVariable | File), Allocation ->
+ (* untrusted data flowing to memory allocation *)
+ true
+ | Other, _
+ | _, Other ->
+ (* Other matches everything *)
 true
 | _ -> false
diff --git a/infer/tests/codetoanalyze/cpp/quandary/.inferconfig b/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
index 6eb0f03d2..a8c925212 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
+++ b/infer/tests/codetoanalyze/cpp/quandary/.inferconfig
@@ -19,6 +19,10 @@
 {
 "procedure": "basics::Obj::string_source",
 "kind": "Other"
+ },
+ {
+ "procedure": "allocs::allocation_source",
+ "kind": "EnvironmentVariable"
 }
 ],
 "quandary-sinks": [
diff --git a/infer/tests/codetoanalyze/cpp/quandary/allocs.cpp b/infer/tests/codetoanalyze/cpp/quandary/allocs.cpp
new file mode 100644
index 000000000..de919f30e
--- /dev/null
+++ b/infer/tests/codetoanalyze/cpp/quandary/allocs.cpp
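Review bot: The added `| Other, _` / `| _, Other -> true` arms turn `Other` into a wildcard on both sides, and because `SinkKind.of_string` (first hunk of this file) maps every unrecognised string to `Other`, a misspelled `kind` in a user's `.inferconfig` sink entry now silently becomes a sink that is reported against every source — before this change such a typo matched only `Other` sources and was effectively inert. The source side is not visible here; if its `of_string` has the same fallback, the symmetric problem applies to sources. Either reject unknown kinds where they are parsed, e.g. `| kind -> failwithf "Unknown sink kind %s@." kind` in place of `| _ -> Other`, or keep the wildcard and make the comment say what it is for: `(* Other is a wildcard used by test configs; any unrecognised kind also lands here *)`. The enclosing module body around `should_report` continues outside the hunk.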
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2017 - present Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ */
+
+#include
+#include
+
+namespace allocs {
+
+extern int* allocation_source();
+
+void untrusted_malloc_bad() { malloc(*allocation_source()); }
+
+void untrusted_calloc_bad1() { calloc(*allocation_source(), sizeof(int)); }
+
+void untrusted_calloc_bad2() { calloc(5, *allocation_source()); }
+
+void untrusted_reaalloc_bad1() { realloc(allocation_source(), sizeof(int)); }
+
+void untrusted_reaalloc_bad2(int* i) { realloc(i, *allocation_source()); }
+
+void untrusted_brk_bad() { brk((void*)allocation_source()); }
+
+void untrusted_sbrk_bad() { sbrk(*allocation_source()); }
+}
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index 7315d046e..941d5c9cb 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
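Review bot: `untrusted_reaalloc_bad1` and `untrusted_reaalloc_bad2` misspell `realloc`, and issues.exp repeats the spelling, so renaming them to `untrusted_realloc_bad1` / `untrusted_realloc_bad2` has to touch both files together. The file has only `_bad` cases, so nothing guards against the new rule over-firing: an untainted allocation such as `void constant_size_ok() { malloc(sizeof(int)); }` and a case where the tainted value reaches a non-allocation call would pin the negative side. The two `#include` lines carry no header name in this rendering — presumably `<stdlib.h>` and `<unistd.h>` for the allocators and `brk`/`sbrk`, lost to page extraction — so it is worth confirming the committed file has them.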
@@ -1,3 +1,10 @@
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_brk_bad, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to brk]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad1, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to calloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_calloc_bad2, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to calloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_malloc_bad, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to malloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad1, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to realloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_reaalloc_bad2, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to realloc]
+codetoanalyze/cpp/quandary/allocs.cpp, allocs::untrusted_sbrk_bad, 1, QUANDARY_TAINT_ERROR, [return from allocs::allocation_source,call to sbrk]
 codetoanalyze/cpp/quandary/basics.cpp, basics::object_source_sink_bad, 2, QUANDARY_TAINT_ERROR, [return from basics::Obj_method_source,call to basics::Obj_method_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::propagateBad, 3, QUANDARY_TAINT_ERROR, [return from __infer_taint_source,flow through basics::id,call to basics::callSink,call to __infer_taint_sink]
 codetoanalyze/cpp/quandary/basics.cpp, basics::returnSourceToSinkBad, 2, QUANDARY_TAINT_ERROR, [return from __infer_taint_source,return from basics::returnSource,call to __infer_taint_sink]