Summary: This was never quite finished and inferbo has a new way to do sort of the same thing. Reviewed By: skcho, ngorogiannis Differential Revision: D20362619 fbshipit-source-id: 7c7935d47master
							parent
							
								
									1faf00e58e
								
							
						
					
					
						commit
						e5b50d7d46
					
				| @ -1,127 +0,0 @@ | |||||||
| (* |  | ||||||
|  * Copyright (c) Facebook, Inc. and its affiliates. |  | ||||||
|  * |  | ||||||
|  * This source code is licensed under the MIT license found in the |  | ||||||
|  * LICENSE file in the root directory of this source tree. |  | ||||||
|  *) |  | ||||||
| 
 |  | ||||||
| open! IStd |  | ||||||
| 
 |  | ||||||
| let update_issues all_issues = |  | ||||||
|   let quandary_access_issues = [IssueType.untrusted_buffer_access] in |  | ||||||
|   let quandary_alloc_issues = |  | ||||||
|     IssueType.[untrusted_heap_allocation; untrusted_variable_length_array] |  | ||||||
|   in |  | ||||||
|   let inferbo_access_issues = |  | ||||||
|     IssueType. |  | ||||||
|       [ buffer_overrun_l1 |  | ||||||
|       ; buffer_overrun_l2 |  | ||||||
|       ; buffer_overrun_l3 |  | ||||||
|       ; buffer_overrun_l4 |  | ||||||
|       ; buffer_overrun_l5 |  | ||||||
|       ; buffer_overrun_s2 |  | ||||||
|       ; buffer_overrun_u5 ] |  | ||||||
|   in |  | ||||||
|   let inferbo_alloc_issues = |  | ||||||
|     IssueType. |  | ||||||
|       [ inferbo_alloc_is_big |  | ||||||
|       ; inferbo_alloc_is_zero |  | ||||||
|       ; inferbo_alloc_is_negative |  | ||||||
|       ; inferbo_alloc_may_be_big |  | ||||||
|       ; inferbo_alloc_may_be_negative ] |  | ||||||
|   in |  | ||||||
|   let is_quandary_access_issue issue = |  | ||||||
|     List.mem quandary_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal |  | ||||||
|   in |  | ||||||
|   let is_quandary_alloc_issue issue = |  | ||||||
|     List.mem quandary_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal |  | ||||||
|   in |  | ||||||
|   let is_relevant_quandary_issue issue = |  | ||||||
|     is_quandary_access_issue issue || is_quandary_alloc_issue issue |  | ||||||
|   in |  | ||||||
|   let is_inferbo_access_issue issue = |  | ||||||
|     List.mem inferbo_access_issues issue.Issue.err_key.err_name ~equal:IssueType.equal |  | ||||||
|   in |  | ||||||
|   let is_inferbo_alloc_issue issue = |  | ||||||
|     List.mem inferbo_alloc_issues issue.Issue.err_key.err_name ~equal:IssueType.equal |  | ||||||
|   in |  | ||||||
|   let is_relevant_inferbo_issue issue = |  | ||||||
|     is_inferbo_access_issue issue || is_inferbo_alloc_issue issue |  | ||||||
|   in |  | ||||||
|   let quandary_issues, inferBO_issues = |  | ||||||
|     List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue -> |  | ||||||
|         if is_relevant_quandary_issue issue then (issue :: q_issues, iBO_issues) |  | ||||||
|         else if is_relevant_inferbo_issue issue then (q_issues, issue :: iBO_issues) |  | ||||||
|         else (q_issues, iBO_issues) ) |  | ||||||
|   in |  | ||||||
|   let matching_issues quandary_issue inferbo_issue = |  | ||||||
|     let trace_end_match () = |  | ||||||
|       let quandary_trace_end = List.last quandary_issue.Issue.err_data.loc_trace in |  | ||||||
|       let inferbo_trace_end = List.last inferbo_issue.Issue.err_data.loc_trace in |  | ||||||
|       match (quandary_trace_end, inferbo_trace_end) with |  | ||||||
|       | Some quandary_trace_elem, Some inferbo_trace_elem -> |  | ||||||
|           let q_loc = quandary_trace_elem.lt_loc in |  | ||||||
|           let i_loc = inferbo_trace_elem.lt_loc in |  | ||||||
|           SourceFile.equal q_loc.file i_loc.file && Int.equal q_loc.line i_loc.line |  | ||||||
|       | _ -> |  | ||||||
|           false |  | ||||||
|     in |  | ||||||
|     SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file |  | ||||||
|     && Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line |  | ||||||
|     && trace_end_match () |  | ||||||
|     && ( (is_quandary_alloc_issue quandary_issue && is_inferbo_alloc_issue inferbo_issue) |  | ||||||
|        || (is_quandary_access_issue quandary_issue && is_inferbo_access_issue inferbo_issue) ) |  | ||||||
|   in |  | ||||||
|   let paired_issues = |  | ||||||
|     (* Can be computed more efficiently (in n*log(n)) by using a Map mapping |  | ||||||
|        file name + line number to quandary_issues to match with inferbo_issues *) |  | ||||||
|     List.concat_map quandary_issues ~f:(fun quandary_issue -> |  | ||||||
|         List.filter_map inferBO_issues ~f:(fun inferbo_issue -> |  | ||||||
|             if matching_issues quandary_issue inferbo_issue then Some (quandary_issue, inferbo_issue) |  | ||||||
|             else None ) ) |  | ||||||
|   in |  | ||||||
|   let merge_issues (issue1, issue2) = |  | ||||||
|     { Issue.proc_name= issue1.Issue.proc_name |  | ||||||
|     ; proc_location= {issue1.Issue.proc_location with col= -1} |  | ||||||
|     ; err_key= |  | ||||||
|         Errlog.merge_err_key issue1.Issue.err_key issue2.Issue.err_key |  | ||||||
|           ~merge_issues:(fun issue1 _ -> |  | ||||||
|             if IssueType.equal issue1 IssueType.untrusted_buffer_access then |  | ||||||
|               IssueType.tainted_buffer_access |  | ||||||
|             else IssueType.tainted_memory_allocation ) |  | ||||||
|           ~merge_descriptions:(fun descs1 descs2 -> |  | ||||||
|             String.concat |  | ||||||
|               ( "QuandaryBO error. Quandary error(s): \"" |  | ||||||
|               :: (descs1 @ ("\". InferBO error(s):\"" :: (descs2 @ ["\"."]))) ) ) |  | ||||||
|     ; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data } |  | ||||||
|   in |  | ||||||
|   (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *) |  | ||||||
|   let quandaryBO_issues = List.map ~f:merge_issues paired_issues in |  | ||||||
|   let quandary_issues = |  | ||||||
|     IssueType. |  | ||||||
|       [ quandary_taint_error |  | ||||||
|       ; shell_injection |  | ||||||
|       ; shell_injection_risk |  | ||||||
|       ; sql_injection |  | ||||||
|       ; sql_injection_risk |  | ||||||
|       ; untrusted_buffer_access |  | ||||||
|       ; untrusted_file_risk |  | ||||||
|       ; untrusted_heap_allocation |  | ||||||
|       ; untrusted_url_risk |  | ||||||
|       ; untrusted_variable_length_array |  | ||||||
|       ; user_controlled_sql_risk ] |  | ||||||
|   in |  | ||||||
|   let inferbo_issues = |  | ||||||
|     inferbo_alloc_issues @ inferbo_access_issues @ [IssueType.unreachable_code_after] |  | ||||||
|   in |  | ||||||
|   let filtered_issues = Config.quandaryBO_filtered_issues in |  | ||||||
|   let all_issues_filtered = |  | ||||||
|     List.filter |  | ||||||
|       ~f:(fun issue -> |  | ||||||
|         let issue_in ls = List.mem ls issue.Issue.err_key.err_name ~equal:IssueType.equal in |  | ||||||
|         (Config.is_checker_enabled Quandary || not (issue_in quandary_issues)) |  | ||||||
|         && (Config.is_checker_enabled BufferOverrun || not (issue_in inferbo_issues)) |  | ||||||
|         && not (issue_in filtered_issues) ) |  | ||||||
|       all_issues |  | ||||||
|   in |  | ||||||
|   List.rev_append all_issues_filtered quandaryBO_issues |  | ||||||
| @ -1,10 +0,0 @@ | |||||||
| (* |  | ||||||
|  * Copyright (c) Facebook, Inc. and its affiliates. |  | ||||||
|  * |  | ||||||
|  * This source code is licensed under the MIT license found in the |  | ||||||
|  * LICENSE file in the root directory of this source tree. |  | ||||||
|  *) |  | ||||||
| 
 |  | ||||||
| open! IStd |  | ||||||
| 
 |  | ||||||
| val update_issues : Issue.t list -> Issue.t list |  | ||||||
| @ -1,8 +0,0 @@ | |||||||
| { |  | ||||||
|   "quandary-sources": [ |  | ||||||
|     { |  | ||||||
|       "procedure": "__infer_taint_source", |  | ||||||
|       "kind": "Other" |  | ||||||
|     } |  | ||||||
|   ] |  | ||||||
| } |  | ||||||
| @ -1,57 +0,0 @@ | |||||||
| # Copyright (c) Facebook, Inc. and its affiliates.
 |  | ||||||
| #
 |  | ||||||
| # This source code is licensed under the MIT license found in the
 |  | ||||||
| # LICENSE file in the root directory of this source tree.
 |  | ||||||
| TESTS_DIR = ../../.. |  | ||||||
| 
 |  | ||||||
| OPTIONS_1 = \
 |  | ||||||
|   --quandaryBO-only --passthroughs --debug-exceptions --filtering \
 |  | ||||||
|   --project-root $(TESTS_DIR) \
 |  | ||||||
| 
 |  | ||||||
| OPTIONS_2 = \
 |  | ||||||
|    --quandaryBO-only --quandary --enable-issue-type UNTRUSTED_BUFFER_ACCESS \
 |  | ||||||
|    --passthroughs --debug-exceptions --filtering \
 |  | ||||||
|    --project-root $(TESTS_DIR) \
 |  | ||||||
| 
 |  | ||||||
| OPTIONS_3 = \
 |  | ||||||
|     --quandaryBO-only --bufferoverrun --enable-issue-type BUFFER_OVERRUN_U5 \
 |  | ||||||
|     --passthroughs --debug-exceptions --filtering \
 |  | ||||||
|     --project-root $(TESTS_DIR) \
 |  | ||||||
| 
 |  | ||||||
| OPTIONS_4 = \
 |  | ||||||
|     --quandaryBO-only --bufferoverrun --debug-exceptions --no-filtering \
 |  | ||||||
|     --project-root $(TESTS_DIR) \
 |  | ||||||
| 
 |  | ||||||
| test: test1 test2 test3 test4 |  | ||||||
| 
 |  | ||||||
| test1: |  | ||||||
| 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)" |  | ||||||
| 
 |  | ||||||
| test2: |  | ||||||
| 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)" |  | ||||||
| 
 |  | ||||||
| test3: |  | ||||||
| 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)" |  | ||||||
| 
 |  | ||||||
| test4: |  | ||||||
| 	$(MAKE) -f multitest.make test TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)" |  | ||||||
| 
 |  | ||||||
| replace: replace1 replace2 replace3 replace4 |  | ||||||
| 
 |  | ||||||
| replace1: |  | ||||||
| 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t1 TEST_RESULT_SUFFIX=-t1 INFER_OPTIONS="$(OPTIONS_1)" |  | ||||||
| 
 |  | ||||||
| replace2: |  | ||||||
| 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t2 TEST_RESULT_SUFFIX=-t2 INFER_OPTIONS="$(OPTIONS_2)" |  | ||||||
| 
 |  | ||||||
| replace3: |  | ||||||
| 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t3 TEST_RESULT_SUFFIX=-t3 INFER_OPTIONS="$(OPTIONS_3)" |  | ||||||
| 
 |  | ||||||
| replace4: |  | ||||||
| 	$(MAKE) -f multitest.make replace TEST_SUFFIX=-t4 TEST_RESULT_SUFFIX=-t4 INFER_OPTIONS="$(OPTIONS_4)" |  | ||||||
| 
 |  | ||||||
| clean: |  | ||||||
| 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t1 |  | ||||||
| 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t2 |  | ||||||
| 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t3 |  | ||||||
| 	$(MAKE) -f multitest.make clean TEST_SUFFIX=-t4 |  | ||||||
| @ -1,64 +0,0 @@ | |||||||
| /*
 |  | ||||||
|  * Copyright (c) Facebook, Inc. and its affiliates. |  | ||||||
|  * |  | ||||||
|  * This source code is licensed under the MIT license found in the |  | ||||||
|  * LICENSE file in the root directory of this source tree. |  | ||||||
|  */ |  | ||||||
| 
 |  | ||||||
| #include <cstdint> |  | ||||||
| #include <memory> |  | ||||||
| #include <stdexcept> |  | ||||||
| 
 |  | ||||||
| extern int __infer_taint_source(); |  | ||||||
| 
 |  | ||||||
| namespace std { |  | ||||||
| template <class T> |  | ||||||
| unique_ptr<T> make_unique(size_t n) { |  | ||||||
|   typedef typename remove_extent<T>::type U; |  | ||||||
|   return unique_ptr<T>(new U[n]()); |  | ||||||
| } |  | ||||||
| } // namespace std
 |  | ||||||
| 
 |  | ||||||
| namespace Codec_Bad { |  | ||||||
| uint32_t getP_Bad(uint32_t w) { |  | ||||||
|   auto w4 = w * 4; // BUG: can overflow
 |  | ||||||
|   auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
 |  | ||||||
|   auto w4m1o15 = w4m1 | 15; // ALWAYS OK
 |  | ||||||
|   auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
 |  | ||||||
|   return w4m1o15p1; |  | ||||||
| } |  | ||||||
| void foo_Bad_FN() { |  | ||||||
|   int w = __infer_taint_source(); |  | ||||||
|   int h = __infer_taint_source(); |  | ||||||
|   auto p = |  | ||||||
|       getP_Bad(w); // MISSED BUG: downcasting signed int64 -> unsigned int32
 |  | ||||||
|   auto s = h * p; // BUG: multiplication can overflow
 |  | ||||||
|   auto d = std::make_unique<uint8_t[]>(s); // MISSED BUG: casting signed int64
 |  | ||||||
|                                            // -> unsigned int64,
 |  | ||||||
| } |  | ||||||
| } // namespace Codec_Bad
 |  | ||||||
| 
 |  | ||||||
| namespace Codec_Bad2 { |  | ||||||
| uint64_t getP_Bad(uint64_t w) { |  | ||||||
|   auto w4 = w * 4; // BUG: can overflow
 |  | ||||||
|   auto w4m1 = w4 - 1; // BUG: can underflow (if w = 0)
 |  | ||||||
|   auto w4m1o15 = w4m1 | 15; // ALWAYS OK
 |  | ||||||
|   auto w4m1o15p1 = w4m1o15 + 1; // BUG: can overflow
 |  | ||||||
|   return w4m1o15p1; |  | ||||||
| } |  | ||||||
| uint64_t checkedMultiply_Good(uint64_t a, uint64_t b) { |  | ||||||
|   __uint128_t mul = ((__uint128_t)a) * b; // OK: no overflow
 |  | ||||||
|   if ((mul >> 64) != 0) { |  | ||||||
|     throw std::runtime_error("Detected overflow in checked multiplcation"); |  | ||||||
|   } |  | ||||||
|   auto result = (uint64_t)mul; // OK: within the bounds
 |  | ||||||
|   return result; |  | ||||||
| } |  | ||||||
| void foo_Bad_FN_FP() { |  | ||||||
|   int w = __infer_taint_source(); |  | ||||||
|   int h = __infer_taint_source(); |  | ||||||
|   auto p = getP_Bad(w); // MISSED BUG: casting signed int64 -> unsigned int64
 |  | ||||||
|   auto s = checkedMultiply_Good(h, p); // OK, FP
 |  | ||||||
|   auto d = std::make_unique<uint8_t[]>(s); // OK
 |  | ||||||
| } |  | ||||||
| } // namespace Codec_Bad2
 |  | ||||||
| @ -1,5 +0,0 @@ | |||||||
| codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] |  | ||||||
| @ -1,10 +0,0 @@ | |||||||
| codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad1_FN, 0, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, overlapping_issues_good, 1, UNTRUSTED_VARIABLE_LENGTH_ARRAY, no_bucket, ERROR, [Return from __infer_taint_source with tainted data @val$0.size*,Return from overlapping_issues_source_good,Call to overlapping_issues_sink_good with tainted index 0,Call to __set_array_length with tainted index 1] |  | ||||||
| @ -1,8 +0,0 @@ | |||||||
| codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad2::foo_Bad_FN_FP, 3, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned64 by call to `Codec_Bad2::getP_Bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/codec.cpp, Codec_Bad::foo_Bad_FN, 4, INTEGER_OVERFLOW_L2, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Call,<LHS trace>,Parameter `w`,Assignment,Binary operation: ([0, +oo] - 1):unsigned32 by call to `Codec_Bad::getP_Bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,<Offset trace>,Unknown value from: __infer_taint_source,Assignment,<Length trace>,Array declaration,Array access: Offset: [-oo, +oo] Size: 10] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, INFERBO_ALLOC_MAY_BE_BIG, no_bucket, ERROR, [Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Allocation: Length: [-oo, 2147483647]] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] |  | ||||||
| codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Assignment,Call,<Offset trace>,Parameter `i`,<Length trace>,Array declaration,Array access: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] |  | ||||||
| @ -1,15 +0,0 @@ | |||||||
| # Copyright (c) Facebook, Inc. and its affiliates. |  | ||||||
| # |  | ||||||
| # This source code is licensed under the MIT license found in the |  | ||||||
| # LICENSE file in the root directory of this source tree. |  | ||||||
| 
 |  | ||||||
| TESTS_DIR = ../../.. |  | ||||||
| 
 |  | ||||||
| # see explanations in cpp/errors/Makefile for the custom isystem |  | ||||||
| CLANG_OPTIONS = -x c++ -std=c++11 -nostdinc++ -isystem$(ROOT_DIR) -isystem$(CLANG_INCLUDES)/c++/v1/ -c |  | ||||||
| 
 |  | ||||||
| INFERPRINT_OPTIONS = --issues-tests |  | ||||||
| 
 |  | ||||||
| SOURCES = $(wildcard *.cpp) |  | ||||||
| 
 |  | ||||||
| include $(TESTS_DIR)/clang.make |  | ||||||
| @ -1,73 +0,0 @@ | |||||||
| /*
 |  | ||||||
|  * Copyright (c) Facebook, Inc. and its affiliates. |  | ||||||
|  * |  | ||||||
|  * This source code is licensed under the MIT license found in the |  | ||||||
|  * LICENSE file in the root directory of this source tree. |  | ||||||
|  */ |  | ||||||
| #include <stdlib.h> |  | ||||||
| 
 |  | ||||||
| extern int __infer_taint_source(); |  | ||||||
| extern void __infer_taint_sink(int i); |  | ||||||
| 
 |  | ||||||
| void basic_bad() { |  | ||||||
|   int arr[10]; |  | ||||||
|   int source = __infer_taint_source(); |  | ||||||
|   arr[source] = 2; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| int multi_level_source_bad() { return __infer_taint_source(); } |  | ||||||
| 
 |  | ||||||
| void multi_level_sink_bad(int i) { |  | ||||||
|   int arr[10]; |  | ||||||
|   if (i > 0) |  | ||||||
|     arr[i] = 2; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| struct arg { |  | ||||||
|   int taint; |  | ||||||
|   int bo; |  | ||||||
| }; |  | ||||||
| 
 |  | ||||||
| arg multi_level_source_ok() { |  | ||||||
|   return {.taint = __infer_taint_source(), .bo = 12}; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| void multi_level_sink_ok(int taint, int bo) { |  | ||||||
|   __infer_taint_sink(taint); |  | ||||||
|   int arr[10]; |  | ||||||
|   arr[bo] = 0; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| void multi_level_bad() { |  | ||||||
|   int i = multi_level_source_bad(); |  | ||||||
|   multi_level_sink_bad(i); |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| void multi_level_good() { int i = multi_level_source_bad(); } |  | ||||||
| 
 |  | ||||||
| void memory_alloc_bad1_FN() { int arr[__infer_taint_source()]; } |  | ||||||
| 
 |  | ||||||
| void memory_alloc_bad2() { |  | ||||||
|   int s = __infer_taint_source(); |  | ||||||
|   if (s <= 2147483647) { |  | ||||||
|     int arr[s]; |  | ||||||
|   } |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| struct st { |  | ||||||
|   int size; |  | ||||||
|   int ind; |  | ||||||
| }; |  | ||||||
| 
 |  | ||||||
| st overlapping_issues_source_good() { |  | ||||||
|   return {.size = __infer_taint_source(), .ind = 10}; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| void overlapping_issues_sink_good(st info) { |  | ||||||
|   int arr[info.size]; |  | ||||||
|   arr[info.ind] = 0; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| void overlapping_issues_good() { |  | ||||||
|   overlapping_issues_sink_good(overlapping_issues_source_good()); |  | ||||||
| } |  | ||||||