[quandary] stack allocation of array as sink

Reviewed By: grievejia Differential Revision: D5550052 fbshipit-source-id: 17568b1
7 years ago · 7be5df384e
parent ccdf15a1ca
commit 7be5df384e
3 changed files with 10 additions and 4 deletions
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@ -78,8 +78,6 @@ module SourceKind = struct
       -> get_external_source (Typ.Procname.get_qualifiers pname) )
    | Typ.Procname.Block _
     -> None
-    | pname when BuiltinDecl.is_declared pname
-     -> None
    | pname
     -> failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname

@ -189,6 +187,9 @@ module SinkKind = struct
        -> get_external_sink pname actuals )
    | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__array_access
      -> taint_all BufferAccess actuals
+    | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__set_array_length
+     -> (* called when creating a stack-allocated array *)
+       taint_nth 1 Allocation actuals
    | Typ.Procname.C _ -> (
      match Typ.Procname.to_string pname with
      | "execl" | "execlp" | "execle" | "execv" | "execve" | "execvp" | "system"
@ -199,8 +200,6 @@ module SinkKind = struct
       -> get_external_sink pname actuals )
    | Typ.Procname.Block _
     -> None
-    | pname when BuiltinDecl.is_declared pname
-     -> None
    | pname
     -> failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname

--- a/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp
@ -42,6 +42,12 @@ void std_string_sink_bad(std::string str) {
  str[source] = 'a';
 }

+int stack_smash_bad() {
+  int source = __infer_taint_source();
+  int arr[source];
+  return arr[0]; // could read from anywhere in the stack
+}
+
 // these examples used to crash the HIL conversion
 char index_of_literal_ok1() { return "foo"[1]; }

--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@ -9,6 +9,7 @@ codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink1_bad, 2, QUANDARY_TAIN
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink2_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __array_access]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink3_bad, 0, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __array_access]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink4_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __array_access]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::stack_smash_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __set_array_length]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_array_sink_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to std::array<int,_>_operator[]]
 codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_string_sink_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to std::basic_string<char,std::char_traits<char>,std::allocator<char>>_operator[]]
 codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 1, QUANDARY_TAINT_ERROR, [Return from basics::Obj_endpoint,Call to basics::Obj_string_sink]