Check for CWE 252 #451

Merged
merged 26 commits into from
Apr 8, 2024

Commits on Apr 8, 2024

  1. lib/analysis/taint: introduce handle_empty_state_out callback

    Add a callback that allows a taint analysis to hook into the fixpoint
    computation when some transfer function maps its input state(s) to the
    empty state.
    
    For some analyses this event may be a sink, e.g., for CWE252, while for
    many analyses it does not make sense to propagate empty states further
    since it is impossible to generate a non-empty state from them; they
    may use this hook to optimize resource usage.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit e4839b8
  2. lib/analysis/taint: add get_register_taint and has_register_taint methods to state
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 30739fe
  3. lib/analysis/taint: introduce update_extern_call callback

    Break the transition function for `ExternCallStub` edges up into two
    parts. This allows analyses that are only interested in handling calls
    to library functions to do so in a more convenient way. Reduces
    boilerplate code and makes sure they can not forget to call
    `handle_empty_state_out`.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 6b4bd4e
  4. lib/checkers: add initial check for CWE252

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 986ddc5
  5. config/cwe252: initial list of checked symbols

    Seed the check for CWE252 with a list of all libc functions that are
    annotated with the compiler attribute `warn_unused_result` in glibc.
    
    Does not include functions that indicate a failure by returning a NULL
    pointer since those are handled in the check for CWE476.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 437a74a
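The mechanism that commits 1 to 5 describe (a taint state that tracks unchecked return values, a `handle_empty_state_out` hook that fires when a transfer function empties the state, and a list of symbols whose results must be checked) reduced to a straight-line toy in Rust. This is an added example and not cwe_checker's code: the mini-IR, the `Cwe252` type, the register names and the two sample programs are constructed for this illustration, `setuid` merely stands in for a glibc symbol annotated with `warn_unused_result`, and the real check runs as a fixpoint over an interprocedural CFG rather than over one instruction list.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Minimal straight-line IR, constructed for this example (not cwe_checker's IR).
#[derive(Clone, Copy, Debug)]
enum Instr {
    /// Call an external symbol; its return value lands in `ret`.
    Call { symbol: &'static str, ret: &'static str },
    /// `dst = src`: the taint of `src` flows into `dst`.
    Move { dst: &'static str, src: &'static str },
    /// `dst = <constant>`: any taint in `dst` is overwritten.
    Const { dst: &'static str },
    /// Conditional branch on `reg`: the value has been checked.
    Branch { reg: &'static str },
    /// Function return: whatever is still tainted leaves unchecked.
    Return,
}

/// Taint state: register -> index of the call whose unchecked result it holds.
/// The empty map is the "empty state" of the commit messages.
type State = BTreeMap<&'static str, usize>;

struct Cwe252 {
    /// Symbols whose return value must be checked (constructed stand-in for the config list).
    checked_symbols: BTreeSet<&'static str>,
    warnings: Vec<String>,
}

impl Cwe252 {
    fn new(symbols: &[&'static str]) -> Self {
        Cwe252 { checked_symbols: symbols.iter().copied().collect(), warnings: Vec::new() }
    }

    /// Transfer function for one instruction; returns the out-state.
    fn transfer(&self, state: &State, idx: usize, instr: Instr) -> State {
        let mut out = state.clone();
        match instr {
            Instr::Call { symbol, ret } => {
                // Writing `ret` drops whatever it held; a checked symbol re-taints it.
                out.remove(ret);
                if self.checked_symbols.contains(symbol) {
                    out.insert(ret, idx);
                }
            }
            Instr::Move { dst, src } => match state.get(src) {
                Some(&site) => {
                    out.insert(dst, site);
                }
                None => {
                    out.remove(dst);
                }
            },
            Instr::Const { dst } => {
                out.remove(dst);
            }
            Instr::Branch { reg } => {
                // The value was inspected: every copy of this call's result counts as checked.
                if let Some(&site) = state.get(reg) {
                    out.retain(|_, s| *s != site);
                }
            }
            Instr::Return => out.clear(),
        }
        out
    }

    /// Called by the driver when `transfer` turned a non-empty state into the empty one.
    /// For CWE252 this event is a sink, unless the instruction was the check itself.
    fn handle_empty_state_out(&mut self, state_in: &State, idx: usize, instr: Instr, prog: &[Instr]) {
        if matches!(instr, Instr::Branch { .. }) {
            return; // taint vanished because the value was checked: nothing to report
        }
        let mut sites: Vec<usize> = state_in.values().copied().collect();
        sites.sort();
        sites.dedup();
        for site in sites {
            if let Instr::Call { symbol, .. } = prog[site] {
                self.warnings.push(format!(
                    "CWE252: return value of {symbol} (call #{site}) is never checked (dropped at instruction #{idx})"
                ));
            }
        }
    }

    /// Walks the straight-line program once; a CFG would need a fixpoint loop here.
    fn run(&mut self, prog: &[Instr]) -> Vec<String> {
        let mut state = State::new();
        for (idx, &instr) in prog.iter().enumerate() {
            let out = self.transfer(&state, idx, instr);
            if !state.is_empty() && out.is_empty() {
                self.handle_empty_state_out(&state, idx, instr, prog);
            }
            state = out;
        }
        std::mem::take(&mut self.warnings)
    }
}

/// Constructed program that checks the result of `setuid` before returning.
fn checked_program() -> Vec<Instr> {
    vec![
        Instr::Call { symbol: "setuid", ret: "rax" },
        Instr::Move { dst: "rbx", src: "rax" },
        Instr::Branch { reg: "rbx" },
        Instr::Return,
    ]
}

/// Constructed program that overwrites the result of `setuid` without looking at it.
fn unchecked_program() -> Vec<Instr> {
    vec![
        Instr::Call { symbol: "setuid", ret: "rax" },
        Instr::Call { symbol: "puts", ret: "rax" },
        Instr::Return,
    ]
}

fn run_check(prog: &[Instr]) -> Vec<String> {
    Cwe252::new(&["setuid", "ferror"]).run(prog)
}

fn main() {
    for w in run_check(&unchecked_program()) {
        println!("{w}");
    }
    println!("checked program: {} warnings", run_check(&checked_program()).len());
}
```

Because the hook only observes the transition into the empty state, this toy misses a result that is dropped while another unchecked result is still live in the state; a production check has to track each value separately, which is what the per-register and per-memory-object taint of the later commits provides.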
  6. lib/checkers/cwe252: add support for LKMs

    Enables the CWE252 check for LKMs and seeds it with all functions in the
    module API that are annotated with the `warn_unused_result` compiler
    attribute.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 517280f
  7. lib/utils/debug: introduce ToJsonCompact trait

    Many types implement a custom JSON serialization method for
    internal debugging purposes.
    
    Add an abstraction for this pattern in form of the `ToJsonCompact` trait.
    This enables all types to benefit from the default implementation of a
    printing method and makes it easier to use generic programming.
    
    This commit does not convert any existing types that implement this
    behavior. They are expected to be converted in an ongoing process.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 772d02d
  8. lib/analysis/vsa: add get_call_renaming_map to VsaResult

    Add a method to obtain the information on how to translate abstract
    identifiers from the callee to the caller context, given the result of a
    VSA.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 20311b1
  9. lib/analysis/taint: propagate memory taint

    Remove the limitation that `update_return_callee` can not be used to
    propagate memory taint from the callee to the caller. Do so by renaming
    abstract identifiers in the default implementation of `update_return` in
    the `TaintAnalysis` trait. In particular, implementers of
    `update_return_callee` do not have to care about renaming and can return
    the abstract identifiers of the callee context.
    
    Adjust CWE252 to make use of this new feature.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit b450b01
  10. lib/analysis/taint: add tests for mem obj merging

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit bcbe4a3
  11. lib/checkers/cwe252: rename TaCmpCtx to TaComputationContext

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 46273ba
  12. lib/checkers/cwe252: small doc fixes

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 30e6abc
  13. test: add acceptance test for cwe252

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 48196b3
  14. test: add LKM acceptance test for cwe252

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit cc39d58
  15. lib/abstract_domain: add merge_with method to AbstractDomain

    The `merge` method always produces a new, owned value. This might
    be undesirable in situations where it is possible to modify an
    existing value in-place.
    
    Add a new method that allows an abstract domain to provide a method to
    merge one object into another in-place.
    
    It is a common pattern to see something like this:
    
    ```
    *mut_ref = mut_ref.merge(other_ref);
    ```
    
    where `mut_ref` is a mutable reference to a type that implements
    `AbstractDomain`. Note that it is common that such types are just
    wrappers around an `Arc` to an inner type that is expensive to clone.
    However, while cloning of one of the refs in `merge` may be cheap, it
    means that then there are >= 2 references to the underlying `Arc`, which
    means that it can never be cheaply modified, i.e., the returned owned
    value will usually involve an expensive clone. However:
    
    ```
    mut_ref.merge_with(other_ref);
    ```
    
    can potentially do a cheap modification of the underlying `Arc`.
    
    Due to the default implementation it should always be OK to replace the
    first pattern with the second in generic code, i.e., it never decreases
    performance and can only increase it if the type provides an optimized
    implementation.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 1c0303b
  16. lib/abstract_domain/domain_map: add merge_map_with to `MapMergeStrategy`, implement `merge_with`
    
    Add a `merge_map_with` method to the `MapMergeStrategy` and provide a
    default implementation in terms of it for the `merge_map` method.
    
    Use `merge_map_with` to provide an optimized implementation of
    `merge_with` for `DomainMap`.
    
    Convert all existing implementations of `MapMergeStrategy` to implement
    `merge_map_with` instead.
    
    The rationale is similar to the one detailed in Commit("7c0ffbe lib/abstract_domain: add `merge_with` method to `AbstractDomain`").
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 108f3c4
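Commits 15 and 16 argue that `*mut_ref = mut_ref.merge(other_ref)` forces a deep clone of an `Arc`-wrapped payload, whereas `mut_ref.merge_with(other_ref)` can update it in place, and that the default `merge_with` makes the swap safe in generic code. The Rust program below is an added example, not cwe_checker's code: it defines a reduced `AbstractDomain` trait with that default, an `Arc`-backed set domain that overrides `merge_with` via `Arc::make_mut`, and counts deep clones under both strategies. The names `SetDomain`, `Inner`, `join_all`, `merge_cost` and `merge_with_shared` are assumptions of this example.

```rust
use std::collections::BTreeSet;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

/// Counts deep clones of the payload, so the two merge strategies can be compared.
static DEEP_CLONES: AtomicUsize = AtomicUsize::new(0);

/// Reduced form of the trait from the commit message (assumption: not cwe_checker's own).
trait AbstractDomain: Clone {
    /// Least upper bound that always yields a new, owned value.
    fn merge(&self, other: &Self) -> Self;

    /// In-place least upper bound. The default delegates to `merge`, so replacing
    /// `*x = x.merge(y)` by `x.merge_with(y)` in generic code never costs more.
    fn merge_with(&mut self, other: &Self) -> &mut Self {
        *self = self.merge(other);
        self
    }
}

/// Expensive-to-clone payload; every clone is recorded.
#[derive(Debug, PartialEq, Eq)]
struct Inner(BTreeSet<u64>);

impl Clone for Inner {
    fn clone(&self) -> Self {
        DEEP_CLONES.fetch_add(1, Ordering::SeqCst);
        Inner(self.0.clone())
    }
}

/// Set domain wrapping the payload in an `Arc`: cloning the wrapper is cheap.
#[derive(Clone, Debug, PartialEq, Eq)]
struct SetDomain(Arc<Inner>);

impl SetDomain {
    fn new(items: &[u64]) -> Self {
        SetDomain(Arc::new(Inner(items.iter().copied().collect())))
    }
    fn len(&self) -> usize {
        self.0 .0.len()
    }
}

impl AbstractDomain for SetDomain {
    fn merge(&self, other: &Self) -> Self {
        // Must produce an owned value, so the payload is deep-cloned every time.
        let mut inner = (*self.0).clone();
        inner.0.extend(other.0 .0.iter().copied());
        SetDomain(Arc::new(inner))
    }

    fn merge_with(&mut self, other: &Self) -> &mut Self {
        if !Arc::ptr_eq(&self.0, &other.0) {
            // Copy-on-write: the payload is cloned only if this Arc is shared;
            // a uniquely owned value is extended in place without any clone.
            Arc::make_mut(&mut self.0).0.extend(other.0 .0.iter().copied());
        }
        self
    }
}

/// Generic fold as it would appear in a fixpoint loop, written with `merge_with`.
fn join_all<D: AbstractDomain>(acc: &mut D, others: &[D]) {
    for o in others {
        acc.merge_with(o);
    }
}

/// Merges ten singleton sets into an accumulator with either strategy and
/// returns (deep clones caused, final set size).
fn merge_cost(use_merge_with: bool) -> (usize, usize) {
    let mut acc = SetDomain::new(&[0]);
    let others: Vec<SetDomain> = (1..=10).map(|i| SetDomain::new(&[i])).collect();
    let before = DEEP_CLONES.load(Ordering::SeqCst);
    if use_merge_with {
        join_all(&mut acc, &others);
    } else {
        for o in &others {
            acc = acc.merge(o); // the `*mut_ref = mut_ref.merge(other_ref)` pattern
        }
    }
    (DEEP_CLONES.load(Ordering::SeqCst) - before, acc.len())
}

/// Copy-on-write edge case: while the accumulator is still shared with another
/// wrapper, `merge_with` must clone once so that the other copy stays unchanged.
/// Returns (deep clones caused, accumulator size, snapshot size).
fn merge_with_shared() -> (usize, usize, usize) {
    let mut acc = SetDomain::new(&[0]);
    let snapshot = acc.clone(); // cheap: only bumps the Arc refcount
    let before = DEEP_CLONES.load(Ordering::SeqCst);
    acc.merge_with(&SetDomain::new(&[1]));
    (DEEP_CLONES.load(Ordering::SeqCst) - before, acc.len(), snapshot.len())
}

fn main() {
    println!("merge:      {:?} (clones, size)", merge_cost(false));
    println!("merge_with: {:?} (clones, size)", merge_cost(true));
    println!("shared:     {:?} (clones, size, snapshot size)", merge_with_shared());
}
```

The accumulator in a fixpoint loop is normally uniquely owned, which is exactly the case where `Arc::make_mut` never clones; the `merge_with_shared` function shows the one situation where the in-place variant still pays for a clone, and only once, after which the accumulator is unique again.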
  17. lib/analysis/taint: override merge_with impl for Taint

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 2d25372
  18. lib/analysis/taint: use DomainMap for register and memory taint

    In the original implementation of memory taint propagation in
    Commit("e7c25f7 lib/analysis/taint: propagate memory taint") it was
    overlooked that we already have an abstraction for maps into abstract
    domains that are abstract domains themselves.
    
    Use the `DomainMap` abstraction for the register and memory taint maps
    that make up the `State` type.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 1b599fb
  19. lib/abstract_domain: make merge_with return &mut Self

    This facilitates method chaining. Added to make the API more flexible,
    even though there are no users of it at the moment.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit fdc81d2
  20. lib/analysis/taint/state: overwrite memory taint in more cases

    Currently we only overwrite memory taint if the PI result for the
    target address is very exact.
    
    Weaken the conditions under which we overwrite taint information by
    allowing possibly constant or top values for the target address
    as long as the target memory object and offset are unique.
    
    This may lead to taint being overwritten with non-tainted values in more
    cases.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 28882ba
  21. test/cwe252: use -O0, do not skip mingw

    We gain 4 arch-compiler pairs and lose 2 by making this change.
    
    Tests were developed with `-O2` in mind so they might not work as
    expected, despite reporting the correct number of warnings. I only
    verified correctness manually for `aarch64-clang`.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 4a07762
  22. test/cwe252: add explanatory comment

    Add instructions on how to interpret the acceptance tests for CWE252 to the
    source file.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 54df500
  23. test/cwe252: memory object propagation with offset

    Modify existing test case such that it also covers the case where a
    memory object from the callee must be merged into an object in the
    caller with a non-zero offset.
    
    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 575fa31
  24. changes: remove trailing whitespace

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 5bcf58f
  25. changes: add addition of new check for CWE252

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit f155f1c
  26. changes: add improvements made to TaintAnalysis

    Signed-off-by: Valentin Obst <[email protected]>
    Valentin Obst committed Apr 8, 2024
    Commit 12012cd