[analyzer] Add taint to the BoolAssignmentChecker
BoolAssignment checker is now taint-aware and warns if a tainted value is
assigned.

Original author: steakhal

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D125360
Endre Fülöp authored and memfrob committed Oct 4, 2022
1 parent 5ee301a commit c0a427f
Showing 2 changed files with 20 additions and 7 deletions.
16 changes: 11 additions & 5 deletions clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp
@@ -12,6 +12,7 @@
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
@@ -23,20 +24,23 @@ using namespace ento;
namespace {
class BoolAssignmentChecker : public Checker< check::Bind > {
mutable std::unique_ptr<BuiltinBug> BT;
void emitReport(ProgramStateRef state, CheckerContext &C) const;
void emitReport(ProgramStateRef state, CheckerContext &C,
bool IsTainted = false) const;

public:
void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
};
} // end anonymous namespace

void BoolAssignmentChecker::emitReport(ProgramStateRef state,
CheckerContext &C) const {
void BoolAssignmentChecker::emitReport(ProgramStateRef state, CheckerContext &C,
bool IsTainted) const {
if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
if (!BT)
BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value"));

C.emitReport(
std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N));
StringRef Msg = IsTainted ? "Might assign a tainted non-Boolean value"
: "Assignment of a non-Boolean value";
C.emitReport(std::make_unique<PathSensitiveBugReport>(*BT, Msg, N));
}
}

@@ -90,6 +94,8 @@ void BoolAssignmentChecker::checkBind(SVal loc, SVal val, const Stmt *S,

if (!StIn)
emitReport(StOut, C);
if (StIn && StOut && taint::isTainted(state, *NV))
emitReport(StOut, C, /*IsTainted=*/true);
}

void ento::registerBoolAssignmentChecker(CheckerManager &mgr) {
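Review bot: The tainted branch at the end of checkBind reports through the same `BT` as the definite case, so both findings carry the bug name "Assignment of a non-Boolean value" and differ only in message text; anyone triaging or suppressing by bug type cannot separate "provably out of range" from "unconstrained and tainted". Consider a second lazily created bug type for the tainted report, e.g. `mutable std::unique_ptr<BuiltinBug> TaintBT;`, selected in emitReport when `IsTainted` is set. The two trailing `if`s are also mutually exclusive, so `else if (StOut && taint::isTainted(state, *NV))` would state that directly. checkBind begins outside the hunk, so the definitions of `StIn`, `StOut` and `NV` are not visible here.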
11 changes: 9 additions & 2 deletions clang/test/Analysis/bool-assignment.c
@@ -1,5 +1,5 @@
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment -analyzer-store=region -verify -std=c99 -Dbool=_Bool %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment -analyzer-store=region -verify -x c++ %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint -analyzer-store=region -verify -std=c99 -Dbool=_Bool %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint -analyzer-store=region -verify -x c++ %s

// Test C++'s bool and C's _Bool.
// FIXME: We stopped warning on these when SValBuilder got smarter about
@@ -104,3 +104,10 @@ void test_Boolean_assignment(int y) {
}
x = y; // no-warning
}

int scanf(const char *format, ...);
void test_tainted_Boolean() {
int n;
scanf("%d", &n);
Boolean copy = n; // expected-warning {{Might assign a tainted non-Boolean value}}
}
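Review bot: test_tainted_Boolean exercises only the warning path; nothing pins the case where a tainted value has been validated before the assignment. A sibling case such as `if (n < 0 || n > 1) return;` followed by `Boolean copy = n; // no-warning` would guard against the tainted report firing on range-checked input, which, given the `StIn && StOut` condition in the checker, should stay silent. Both RUN lines now also enable alpha.security.taint, so the existing expectations are no longer run with BoolAssignment on its own; keeping one RUN line without the taint checker would cover that configuration.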
