From 7be5df384e45fe6cf69183e37c74d6c57dbd772c Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Fri, 4 Aug 2017 11:41:33 -0700
Subject: [PATCH] [quandary] stack allocation of array as sink
Reviewed By: grievejia
Differential Revision: D5550052
fbshipit-source-id: 17568b1
---
infer/src/quandary/ClangTrace.ml | 7 +++----
infer/tests/codetoanalyze/cpp/quandary/arrays.cpp | 6 ++++++
infer/tests/codetoanalyze/cpp/quandary/issues.exp | 1 +
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/infer/src/quandary/ClangTrace.ml b/infer/src/quandary/ClangTrace.ml
index 13a5aaa96..0ab315f6f 100644
--- a/infer/src/quandary/ClangTrace.ml
+++ b/infer/src/quandary/ClangTrace.ml
@@ -78,8 +78,6 @@ module SourceKind = struct -> get_external_source (Typ.Procname.get_qualifiers pname) ) | Typ.Procname.Block _ -> None
- | pname when BuiltinDecl.is_declared pname
- -> None
| pname -> failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname
@@ -189,6 +187,9 @@ module SinkKind = struct -> get_external_sink pname actuals ) | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__array_access -> taint_all BufferAccess actuals
+ | Typ.Procname.C _ when Typ.Procname.equal pname BuiltinDecl.__set_array_length
+ -> (* called when creating a stack-allocated array *)
+ taint_nth 1 Allocation actuals
| Typ.Procname.C _ -> ( match Typ.Procname.to_string pname with | "execl" | "execlp" | "execle" | "execv" | "execve" | "execvp" | "system"
@@ -199,8 +200,6 @@ module SinkKind = struct -> get_external_sink pname actuals ) | Typ.Procname.Block _ -> None
- | pname when BuiltinDecl.is_declared pname
- -> None
| pname -> failwithf "Non-C++ procname %a in C++ analysis@." Typ.Procname.pp pname
diff --git a/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp b/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp
index 4f20dbfe1..0f54c4425 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp
+++ b/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp
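Review bot: The comment on the new `__set_array_length` case in the `@@ -189` hunk says when the builtin is called but not why the sink is `taint_nth 1` or why its kind is `Allocation`; a reader has to already know the builtin's argument order to see that actual 1 is the requested length and that a tainted length is the dangerous part. Suggest `(* __set_array_length is emitted for a stack-allocated (variable-length) array; actual 1 is presumably its length, so a tainted length lets untrusted input size the stack frame — report as an Allocation sink *)`. The `@@ -78` and `@@ -199` hunks drop the `pname when BuiltinDecl.is_declared pname -> None` fallback in both SourceKind and SinkKind; if any builtin procname is ever not a `Typ.Procname.C _` value it now reaches `failwithf` and aborts the analysis instead of returning None, so that assumption deserves a one-line comment on the remaining `| pname` case. The enclosing `match` of each hunk begins outside the hunk.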
@@ -42,6 +42,12 @@ void std_string_sink_bad(std::string str) { str[source] = 'a'; }
+int stack_smash_bad() {
+ int source = __infer_taint_source();
+ int arr[source];
+ return arr[0]; // could read from anywhere in the stack
+}
+
// these examples used to crash the HIL conversion
char index_of_literal_ok1() { return "foo"[1]; }
diff --git a/infer/tests/codetoanalyze/cpp/quandary/issues.exp b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
index 1cfff30fd..29ea2ec3b 100644
--- a/infer/tests/codetoanalyze/cpp/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/cpp/quandary/issues.exp
@@ -9,6 +9,7 @@ codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink1_bad, 2, QUANDARY_TAIN
codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink2_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __array_access]
codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink3_bad, 0, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __array_access]
codetoanalyze/cpp/quandary/arrays.cpp, arrays::array_sink4_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __array_access]
+codetoanalyze/cpp/quandary/arrays.cpp, arrays::stack_smash_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to __set_array_length]
codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_array_sink_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to std::array_operator[]]
codetoanalyze/cpp/quandary/arrays.cpp, arrays::std_string_sink_bad, 2, QUANDARY_TAINT_ERROR, [Return from __infer_taint_source,Call to std::basic_string,std::allocator>_operator[]]
codetoanalyze/cpp/quandary/basics.cpp, basics::Obj_endpoint, 1, QUANDARY_TAINT_ERROR, [Return from basics::Obj_endpoint,Call to basics::Obj_string_sink]
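Review bot: The comment `return arr[0]; // could read from anywhere in the stack` names the wrong hazard for what this test exercises: the sink the expectation file points at (function-relative line 2, which appears to be `int arr[source];`) is the attacker-sized variable-length array itself, which moves the stack pointer by an untrusted amount, whereas `arr[0]` is an uninitialized read that is a bug at any size. Suggest `int arr[source]; // sink: untrusted VLA length sizes the stack frame` and `return arr[0]; // uninitialized read; the reported issue is the allocation above`. Variable-length arrays are a compiler extension in C++ (clang and gcc accept them unless built with `-Werror=vla`), so this test file now depends on that extension staying enabled in the test build, which is worth a comment on the function. A companion case with a constant or clearly bounded length and no expected report would show the new sink does not fire on every stack array; nothing in this hunk covers the negative side. The function is complete within the hunk, but the enclosing `arrays` namespace named in issues.exp opens and closes outside it.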