Reviewed By: skcho Differential Revision: D13000192 fbshipit-source-id: ba1e3eb37master
Mehdi Bouaziz
6 years ago
committed by
Facebook Github Bot
parent
32f448a6f0
commit
a7921536da
@ -0,0 +1,64 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018-present, Facebook, Inc.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the MIT license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <cstdint>
|
||||||
|
#include <memory>
|
||||||
|
#include <stdexcept>
|
||||||
|
|
||||||
|
extern int __infer_taint_source();
|
||||||
|
|
||||||
|
namespace std {
|
||||||
|
template <class T>
|
||||||
|
unique_ptr<T> make_unique(size_t n) {
|
||||||
|
typedef typename remove_extent<T>::type U;
|
||||||
|
return unique_ptr<T>(new U[n]());
|
||||||
|
}
|
||||||
|
} // namespace std
|
||||||
|
|
||||||
|
namespace Codec_Bad {
|
||||||
|
uint32_t getP_Bad(uint32_t w) {
|
||||||
|
auto w4 = w * 4; // BUG: can overflow
|
||||||
|
auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
|
||||||
|
auto w4m1o15 = w4m1 | 15; // ALWAYS OK
|
||||||
|
auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
|
||||||
|
return w4m1o15p1;
|
||||||
|
}
|
||||||
|
void foo_Bad_FN() {
|
||||||
|
int w = __infer_taint_source();
|
||||||
|
int h = __infer_taint_source();
|
||||||
|
auto p =
|
||||||
|
getP_Bad(w); // MISSED BUG: downcasting signed int64 -> unsigned int32
|
||||||
|
auto s = h * p; // BUG: multiplication can overflow
|
||||||
|
auto d = std::make_unique<uint8_t[]>(s); // MISSED BUG: casting signed int64
|
||||||
|
// -> unsigned int64,
|
||||||
|
}
|
||||||
|
} // namespace Codec_Bad
|
||||||
|
|
||||||
|
namespace Codec_Bad2 {
|
||||||
|
uint64_t getP_Bad(uint64_t w) {
|
||||||
|
auto w4 = w * 4; // BUG: can overflow
|
||||||
|
auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
|
||||||
|
auto w4m1o15 = w4m1 | 15; // ALWAYS OK
|
||||||
|
auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
|
||||||
|
return w4m1o15p1;
|
||||||
|
}
|
||||||
|
uint64_t checkedMultiply_Good_FP(uint64_t a, uint64_t b) {
|
||||||
|
__uint128_t mul = ((__uint128_t)a) * b; // OK: no overflow
|
||||||
|
if ((mul >> 64) != 0) {
|
||||||
|
throw std::runtime_error("Detected overflow in checked multiplcation");
|
||||||
|
}
|
||||||
|
auto result = (uint64_t)mul; // OK: within the bounds
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
void foo_Bad_FN() {
|
||||||
|
int w = __infer_taint_source();
|
||||||
|
int h = __infer_taint_source();
|
||||||
|
auto p = getP_Bad(w); // MISSED BUG: casting signed int64 -> unsigned int64
|
||||||
|
auto s = checkedMultiply_Good_FP(h, p); // OK
|
||||||
|
auto d = std::make_unique<uint8_t[]>(s); // OK
|
||||||
|
}
|
||||||
|
} // namespace Codec_Bad2
|
||||||
@ -1,3 +1,5 @@
|
|||||||
|
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,Parameter: w,Assignment,Binop: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ]
|
||||||
|
codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,Parameter: w,Assignment,Binop: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ]
|
||||||
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
|
||||||
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Alloc: Length: [-oo, 2147483647]]
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Alloc: Length: [-oo, 2147483647]]
|
||||||
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
|
||||||
|
|||||||
Loading…
Reference in new issue