Check for CWE 252 #451
Commits on Apr 8, 2024

lib/analysis/taint: introduce `handle_empty_state_out` callback
Add a callback that allows a taint analysis to hook into the fixpoint computation when some transfer function maps its input state(s) to the empty state. For some analyses this event may be a sink, e.g., for CWE252, while for many analyses it does not make sense to propagate empty states further since it is impossible to generate a non-empty state from them; they may use this hook to optimize resource usage.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (e4839b8)

lib/analysis/taint: add `get_register_taint` and `has_register_taint` methods to state
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (30739fe)

lib/analysis/taint: introduce `update_extern_call` callback
Break the transition function for `ExternCallStub` edges up into two parts. This allows analyses that are only interested in handling calls to library functions to do so in a more convenient way. Reduces boilerplate code and makes sure they can not forget to call `handle_empty_state_out`.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (6b4bd4e)

lib/checkers: add initial check for CWE252
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (986ddc5)

config/cwe252: initial list of checked symbols
Seed the check for CWE252 with a list of all libc functions that are annotated with the compiler attribute `warn_unused_result` in glibc. Does not include functions that indicate a failure by returning a NULL pointer since those are handled in the check for CWE476.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (437a74a)

lib/checkers/cwe252: add support for LKMs
Enables the CWE252 check for LKMs and seeds it with all functions in the module API that are annotated with the `warn_unused_result` compiler attribute.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (517280f)

lib/utils/debug: introduce `ToJsonCompact` trait
Many types implement a custom JSON serialization method for internal debugging purposes. Add an abstraction for this pattern in form of the `ToJsonCompact` trait. This enables all types to benefit from the default implementation of a printing method and makes it easier to use generic programming. This commit does not convert any existing types that implement this behavior. They are expected to be converted in an ongoing process.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (772d02d)

lib/analysis/vsa: add `get_call_renaming_map` to `VsaResult`
Add a method to obtain the information how to translate abstract identifiers from the callee to the caller context given the result of a VSA.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (20311b1)

lib/analysis/taint: propagate memory taint
Remove the limitation that `update_return_callee` can not be used to propagate memory taint from the callee to the caller. Do so by renaming abstract identifiers in the default implementation of `update_return` in the `TaintAnalysis` trait. In particular, implementers of `update_return_callee` do not have to care about renaming and can return the abstract identifiers of the callee context. Adjust CWE252 to make use of this new feature.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (b450b01)

lib/analysis/taint: add tests for mem obj merging
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (bcbe4a3)

lib/checkers/cwe252: rename `TaCmpCtx` to `TaComputationContext`
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (46273ba)

lib/checkers/cwe252: small doc fixes
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (30e6abc)

test: add acceptance test for cwe252
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (48196b3)

test: add LKM acceptance test for cwe252
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (cc39d58)

lib/abstract_domain: add `merge_with` method to `AbstractDomain`
The `merge` method always produces a new, owned value. This might be undesirable in situations where it is possible to modify an existing value in-place. Add a new method that allows an abstract domain to provide a method to merge one object into another in-place. It is a common pattern to see something like this:
```
*mut_ref = mut_ref.merge(other_ref);
```
where `mut_ref` is a mutable reference to a type that implements `AbstractDomain`. Note that it is common that such types are just wrappers around an `Arc` to an inner type that is expensive to clone. However, while cloning of one of the refs in `merge` may be cheap, it means that then there are >= 2 references to the underlying `Arc`, which means that it can never be cheaply modified, i.e., the returned owned value will usually involve an expensive clone. However:
```
mut_ref.merge_with(other_ref);
```
can potentially do a cheap modification of the underlying `Arc`. Due to the default implementation it should always be OK to replace the first pattern with the second in generic code, i.e., it never decreases performance and can only increase it if the type provides an optimized implementation.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (1c0303b)

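The two merge patterns from the commit message above, as an added example that is not the project's own code. The trait here is a simplified stand-in, and `TaintSet`, `merge_owned` and `merge_in_place` are hypothetical names; the helpers report whether the `Arc` allocation was reused.

```rust
use std::collections::BTreeSet;
use std::sync::Arc;

// Simplified stand-in for the trait named in the commit message (assumption).
trait AbstractDomain: Sized {
    fn merge(&self, other: &Self) -> Self;
    // Default falls back to the owned merge, so generic code can always call it.
    fn merge_with(&mut self, other: &Self) {
        *self = self.merge(other);
    }
}

// Hypothetical domain: a thin wrapper around an `Arc` to a costly-to-clone set.
#[derive(Clone)]
struct TaintSet(Arc<BTreeSet<u64>>);

impl AbstractDomain for TaintSet {
    fn merge(&self, other: &Self) -> Self {
        // Always deep-copies the inner set into a fresh allocation.
        let mut inner = (*self.0).clone();
        inner.extend(other.0.iter().copied());
        TaintSet(Arc::new(inner))
    }
    fn merge_with(&mut self, other: &Self) {
        // `make_mut` mutates in place if this is the only reference and
        // deep-copies only when the `Arc` is shared.
        Arc::make_mut(&mut self.0).extend(other.0.iter().copied());
    }
}

// Each helper returns (was the allocation reused?, merged contents).
fn merge_owned(a: &mut TaintSet, b: &TaintSet) -> (bool, Vec<u64>) {
    let before = Arc::as_ptr(&a.0);
    *a = a.merge(b);
    (before == Arc::as_ptr(&a.0), a.0.iter().copied().collect())
}

fn merge_in_place(a: &mut TaintSet, b: &TaintSet) -> (bool, Vec<u64>) {
    let before = Arc::as_ptr(&a.0);
    a.merge_with(b);
    (before == Arc::as_ptr(&a.0), a.0.iter().copied().collect())
}

fn main() {
    let b = TaintSet(Arc::new(BTreeSet::from([3, 4])));
    let mut a = TaintSet(Arc::new(BTreeSet::from([1, 2])));
    println!("owned:    {:?}", merge_owned(&mut a, &b));
    println!("in place: {:?}", merge_in_place(&mut a, &b));
}
```

When a second handle to the same `Arc` exists, `merge_with` still produces the correct result but falls back to a copy, leaving the other handle untouched.
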
lib/abstract_domain/domain_map: add `merge_map_with` to `MapMergeStrategy`, implement `merge_with`
Add a `merge_map_with` method to the `MapMergeStrategy` and provide a default implementation in terms of it for the `merge_map` method. Use `merge_map_with` to provide an optimized implementation of `merge_with` for `DomainMap`. Convert all existing implementations of `MapMergeStrategy` to implement `merge_map_with` instead. The rationale for this change is similar to the one detailed in Commit("7c0ffbe lib/abstract_domain: add `merge_with` method to `AbstractDomain`").
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (108f3c4)

lib/analysis/taint: override `merge_with` impl for `Taint`
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (2d25372)

lib/analysis/taint: use `DomainMap` for register and memory taint
In the original implementation of memory taint propagation in Commit("e7c25f7 lib/analysis/taint: propagate memory taint") it was overlooked that we already have an abstraction for maps into abstract domains that are abstract domains themselves. Use the `DomainMap` abstraction for the register and memory taint maps that make up the `State` type.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (1b599fb)

lib/abstract_domain: make `merge_with` return `&mut Self`
This facilitates method chaining. Added to make the API more flexible, even though there are no users of it at the moment.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (fdc81d2)

lib/analysis/taint/state: overwrite memory taint in more cases
Currently we only overwrite memory taint if the PI result for the target address is very exact. Weaken the conditions under which we overwrite taint information by allowing possibly constant or top values for the target address as long as the target memory object and offset are unique. This may lead to taint being overwritten with non-tainted values in more cases.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (28882ba)

test/cwe252: use `-O0`, do not skip mingw
We gain 4 arch-compiler pairs and lose 2 by making this change. Tests were developed with `-O2` in mind so they might not work as expected, despite reporting the correct number of warnings. I only verified correctness manually for `aarch64-clang`.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (4a07762)

test/cwe252: add explanatory comment
Add instructions how to interpret the acceptance tests for CWE252 to the source file.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (54df500)

test/cwe252: memory object propagation with offset
Modify existing test case such that it also covers the case where a memory object from the callee must be merged into an object in the caller with a non-zero offset.
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (575fa31)

changes: remove trailing whitespace
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (5bcf58f)

changes: add addition of new check for CWE252
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (f155f1c)

changes: add improvements made to `TaintAnalysis`
Signed-off-by: Valentin Obst <[email protected]>
Valentin Obst committed Apr 8, 2024 (12012cd)