Reviewed By: mbouaziz Differential Revision: D9615368 fbshipit-source-id: 56888a18fmaster
parent
3afec7f2f9
commit
e715d48c12
@ -0,0 +1,71 @@
|
|||||||
|
(*
|
||||||
|
* Copyright (c) 2018-present, Facebook, Inc.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the MIT license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree.
|
||||||
|
*)
|
||||||
|
|
||||||
|
open! IStd
|
||||||
|
|
||||||
|
let get_issues all_issues =
|
||||||
|
let quandary_bug_names =
|
||||||
|
IssueType.[untrusted_buffer_access; untrusted_heap_allocation; untrusted_variable_length_array]
|
||||||
|
in
|
||||||
|
let inferbo_bug_names =
|
||||||
|
IssueType.
|
||||||
|
[ buffer_overrun_l1
|
||||||
|
; buffer_overrun_l2
|
||||||
|
; buffer_overrun_l3
|
||||||
|
; buffer_overrun_l4
|
||||||
|
; buffer_overrun_l5
|
||||||
|
; buffer_overrun_s2
|
||||||
|
; buffer_overrun_u5
|
||||||
|
; inferbo_alloc_is_big
|
||||||
|
; inferbo_alloc_is_zero
|
||||||
|
; inferbo_alloc_is_negative
|
||||||
|
; inferbo_alloc_may_be_big
|
||||||
|
; inferbo_alloc_may_be_negative ]
|
||||||
|
in
|
||||||
|
let is_quandary_issue issue =
|
||||||
|
List.mem quandary_bug_names issue.Issue.err_key.err_name ~equal:IssueType.equal
|
||||||
|
in
|
||||||
|
let is_inferbo_issue issue =
|
||||||
|
List.mem inferbo_bug_names issue.Issue.err_key.err_name ~equal:IssueType.equal
|
||||||
|
in
|
||||||
|
let quandary_issues, inferBO_issues =
|
||||||
|
List.fold all_issues ~init:([], []) ~f:(fun (q_issues, iBO_issues) issue ->
|
||||||
|
if is_quandary_issue issue then (issue :: q_issues, iBO_issues)
|
||||||
|
else if is_inferbo_issue issue then (q_issues, issue :: iBO_issues)
|
||||||
|
else (q_issues, iBO_issues) )
|
||||||
|
in
|
||||||
|
let matching_issues quandary_issue inferbo_issue =
|
||||||
|
SourceFile.equal quandary_issue.Issue.proc_location.file inferbo_issue.Issue.proc_location.file
|
||||||
|
&& Int.equal quandary_issue.Issue.proc_location.line inferbo_issue.Issue.proc_location.line
|
||||||
|
in
|
||||||
|
let paired_issues =
|
||||||
|
(* Can be computed more efficiently (in n*log(n)) by using a Map mapping
|
||||||
|
file name + line number to quandary_issues to match with inferbo_issues *)
|
||||||
|
List.concat_map quandary_issues ~f:(fun quandary_issue ->
|
||||||
|
List.filter_map inferBO_issues ~f:(fun inferbo_issue ->
|
||||||
|
if matching_issues quandary_issue inferbo_issue then
|
||||||
|
Some (quandary_issue, inferbo_issue)
|
||||||
|
else None ) )
|
||||||
|
in
|
||||||
|
let merge_issues (issue1, issue2) =
|
||||||
|
{ Issue.proc_name= issue1.Issue.proc_name
|
||||||
|
; proc_location= {issue1.Issue.proc_location with col= -1}
|
||||||
|
; err_key=
|
||||||
|
Errlog.merge_err_key issue1.Issue.err_key issue2.Issue.err_key
|
||||||
|
~merge_issues:(fun issue1 _ ->
|
||||||
|
if IssueType.equal issue1 IssueType.untrusted_buffer_access then
|
||||||
|
IssueType.tainted_buffer_access
|
||||||
|
else IssueType.tainted_memory_allocation )
|
||||||
|
~merge_descriptions:(fun descs1 descs2 ->
|
||||||
|
String.concat
|
||||||
|
( "QuandaryBO error. Quandary error(s):\n"
|
||||||
|
:: (descs1 @ ("InferBO error(s):\n" :: descs2)) ) )
|
||||||
|
; err_data= Errlog.merge_err_data issue1.Issue.err_data issue2.Issue.err_data }
|
||||||
|
in
|
||||||
|
(* Can merge List.map, List.concat_map and List.filter_map into a single fold. *)
|
||||||
|
let quandaryBO_issues = List.map ~f:merge_issues paired_issues in
|
||||||
|
quandaryBO_issues
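Review bot: `matching_issues` pairs a Quandary issue with an InferBO issue on the file and line of `proc_location` alone, so the issue kinds are never compared. An `untrusted_heap_allocation` that shares a line with any `buffer_overrun_*` issue is therefore merged and, through the `else` branch of `~merge_issues`, reported as `tainted_memory_allocation`. If `proc_location` is the location of the enclosing procedure rather than of the flagged statement (the name suggests so, but its definition is not on this page), unrelated findings inside one procedure would be paired as well. I would compare the location of the report itself, if the record carries one, and require compatible kinds before pairing: buffer access with `buffer_overrun_*`, allocation with `inferbo_alloc_*`. A comment such as `(* pair only issues of compatible kind reported at the same statement *)` above the predicate would record the intent.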
|
@ -0,0 +1,10 @@
|
|||||||
|
(*
|
||||||
|
* Copyright (c) 2018-present, Facebook, Inc.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the MIT license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree.
|
||||||
|
*)
|
||||||
|
|
||||||
|
open! IStd
|
||||||
|
|
||||||
|
val get_issues : Issue.t list -> Issue.t list
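Review bot: `get_issues` is the only value this interface exports and it has no doc comment, while its type `Issue.t list -> Issue.t list` does not tell a caller that the result holds only merged issues and none of the inputs. I would add `(** [get_issues all_issues] returns one merged issue per pair of a Quandary and an InferBO issue in [all_issues] that share a file and line; unpaired issues are not in the result. *)`. That wording follows the implementation in the first file section of this commit.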
|
@ -0,0 +1,8 @@
|
|||||||
|
{
|
||||||
|
"quandary-sources": [
|
||||||
|
{
|
||||||
|
"procedure": "__infer_taint_source",
|
||||||
|
"kind": "Other"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
@ -0,0 +1,19 @@
|
|||||||
|
# Copyright (c) 2016-present, Facebook, Inc.
|
||||||
|
#
|
||||||
|
# This source code is licensed under the MIT license found in the
|
||||||
|
# LICENSE file in the root directory of this source tree.
|
||||||
|
|
||||||
|
TESTS_DIR = ../../..
|
||||||
|
|
||||||
|
ANALYZER = checkers
|
||||||
|
# see explanations in cpp/errors/Makefile for the custom isystem
|
||||||
|
CLANG_OPTIONS = -x c++ -std=c++11 -nostdinc++ -isystem$(ROOT_DIR) -isystem$(CLANG_INCLUDES)/c++/v1/ -c
|
||||||
|
INFER_OPTIONS = \
|
||||||
|
-F --quandaryBO-only --passthroughs --debug-exceptions \
|
||||||
|
--project-root $(TESTS_DIR) \
|
||||||
|
|
||||||
|
INFERPRINT_OPTIONS = --issues-tests
|
||||||
|
|
||||||
|
SOURCES = $(wildcard *.cpp)
|
||||||
|
|
||||||
|
include $(TESTS_DIR)/clang.make
|
@ -0,0 +1,6 @@
|
|||||||
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
|
||||||
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, []
|
||||||
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0]
|
||||||
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
|
||||||
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, []
|
||||||
|
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0]
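Review bot: Both expected `TAINTED_BUFFER_ACCESS` rows carry an empty trace `[]`, although the `BUFFER_OVERRUN_U5` and `UNTRUSTED_BUFFER_ACCESS` rows on the same lines each carry one. A merged report without a trace gives a triager neither the taint path nor the offset and size that justify it, so the two underlying rows have to be located by hand. The cause is presumably in `Errlog.merge_err_data`, which is not shown on this page. If the empty trace is deliberate for now, I would record it as a known limitation next to `merge_issues`, e.g. `(* TODO: the merged issue has no trace yet *)`.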
|
@ -0,0 +1,26 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018-present, Facebook, Inc.
|
||||||
|
*
|
||||||
|
* This source code is licensed under the MIT license found in the
|
||||||
|
* LICENSE file in the root directory of this source tree.
|
||||||
|
*/
|
||||||
|
extern int __infer_taint_source();
|
||||||
|
|
||||||
|
void basic_bad() {
|
||||||
|
int arr[10];
|
||||||
|
int source = __infer_taint_source();
|
||||||
|
arr[source] = 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
int multi_level_source_bad() { return __infer_taint_source(); }
|
||||||
|
|
||||||
|
void multi_level_sink_bad(int i) {
|
||||||
|
int arr[10];
|
||||||
|
if (i > 0)
|
||||||
|
arr[i] = 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
void multi_level_bad() {
|
||||||
|
int i = multi_level_source_bad();
|
||||||
|
multi_level_sink_bad(i);
|
||||||
|
}
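Review bot: The fixture covers only a tainted array index, so the `else` branch of `~merge_issues` that yields `tainted_memory_allocation` is never exercised, and no case shows an issue being left unmerged. I would add an allocation whose size comes from `__infer_taint_source()`, plus an `_ok` function in which the tainted index is checked against both bounds before `arr[i]`, with the expectation that no `TAINTED_*` row is emitted for it. `multi_level_sink_bad` checks only `i > 0`, which is what makes it a `_bad` case; a sibling that also checks `i < 10` would be the natural negative test.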
|