[analyzer] Taint is not being applied to classes, only class members #114270

tomrittervg opened this issue Oct 30, 2024 · 1 comment

@tomrittervg
Contributor

This might be working as intended, but just to be sure.

C++ file:

```cpp
class PortClass
{
public:
    int foo;
};

void clang_analyzer_isTainted(int);
void clang_analyzer_isTainted(PortClass);

int ThisFunctionReturnsSomethingTainted1();
PortClass ThisFunctionReturnsSomethingTainted2();

template<typename T>
T ReadPrivilegedParam();


void foo()
{
    int port1 = ThisFunctionReturnsSomethingTainted1();
    clang_analyzer_isTainted(port1); // Tainted, as expected

    int port2 = ReadPrivilegedParam<int>();
    clang_analyzer_isTainted(port2); // Tainted, as expected

    PortClass port3 = ThisFunctionReturnsSomethingTainted2();
    clang_analyzer_isTainted(port3); // Not tainted ???
    clang_analyzer_isTainted(port3.foo); // Tainted...

    PortClass port4 = ReadPrivilegedParam<PortClass>();
    clang_analyzer_isTainted(port4); // Not tainted ???
    clang_analyzer_isTainted(port4.foo); // Tainted...
}
```

Taint config file:

```yaml
Propagations:
  - Name: ReadPrivilegedParam
    DstArgs: [-1]

  - Name: privilegedextract
    DstArgs: [-1]

  - Name: ThisFunctionReturnsSomethingTainted1
    DstArgs: [-1]

  - Name: ThisFunctionReturnsSomethingTainted2
    DstArgs: [-1]
```

Commands:

```bash
#!/bin/bash

echo "Generating AST"
clang-20 \
-c \
-x c++ \
-emit-ast \
-D__clang_analyzer__ \
-w \
-o repro.cpp.ast \
repro.cpp

touch externalDefMap.txt

echo "extdef mapping"
clang-extdef-mapping \
repro.cpp \
-- \
-c \
-x c++ \
>> externalDefMap.txt

echo "Analyzing"
clang-20 \
--analyze \
-Qunused-arguments \
-Xclang -analyzer-opt-analyze-headers \
-Xclang -analyzer-config \
-Xclang expand-macros=true \
-Xclang -analyzer-config \
-Xclang optin.taint.TaintPropagation:Config=myconfig.yaml \
-Xclang -analyzer-checker=debug.TaintTest,debug.ExprInspection,optin.taint.TaintedAlloc,optin.taint.TaintedDiv,optin.taint.GenericTaint \
-Xclang -analyzer-config \
-Xclang ctu-dir=. \
-Xclang -analyzer-config \
-Xclang display-ctu-progress=true \
-x c++ \
repro.cpp
```

This is run from a version of clang built from git on approximately October 9th.

Output:

```text
repro.cpp:19:17: warning: tainted [debug.TaintTest]
   19 |     int port1 = ThisFunctionReturnsSomethingTainted1();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:20:5: warning: YES [debug.ExprInspection]
   20 |     clang_analyzer_isTainted(port1); // Tainted, as expected
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:20:30: warning: tainted [debug.TaintTest]
   20 |     clang_analyzer_isTainted(port1); // Tainted, as expected
      |                              ^~~~~
repro.cpp:22:17: warning: tainted [debug.TaintTest]
   22 |     int port2 = ReadPrivilegedParam<int>();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:23:5: warning: YES [debug.ExprInspection]
   23 |     clang_analyzer_isTainted(port2); // Tainted, as expected
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:23:30: warning: tainted [debug.TaintTest]
   23 |     clang_analyzer_isTainted(port2); // Tainted, as expected
      |                              ^~~~~
repro.cpp:26:5: warning: NO [debug.ExprInspection] <---------------------------------------------
   26 |     clang_analyzer_isTainted(port3); // Not tainted ???
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:5: warning: YES [debug.ExprInspection]
   27 |     clang_analyzer_isTainted(port3.foo); // Tainted...
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:30: warning: tainted [debug.TaintTest]
   27 |     clang_analyzer_isTainted(port3.foo); // Tainted...
      |                              ^~~~~~~~~
repro.cpp:30:5: warning: NO [debug.ExprInspection] <---------------------------------------------
   30 |     clang_analyzer_isTainted(port4); // Not tainted ???
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:5: warning: YES [debug.ExprInspection]
   31 |     clang_analyzer_isTainted(port4.foo); // Tainted...
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:30: warning: tainted [debug.TaintTest]
   31 |     clang_analyzer_isTainted(port4.foo); // Tainted...
      |                              ^~~~~~~~~
12 warnings generated.
```

cc @llvm/issue-subscribers-clang-static-analyzer
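As an added example (not from the issue, and not LLVM code), a triage script that parses the `debug.ExprInspection` YES/NO verdicts in the output quoted above and flags every variable the analyzer reports as untainted as a whole object while reporting one of its members as tainted, which is exactly the inconsistency this report describes. The sample output embedded below is a constructed excerpt of the diagnostics shown in this issue; the diagnostic layout it assumes (one `file:line:col: warning:` line followed by the source-context line) is the one clang prints above.

```python
import re

# Constructed excerpt of the diagnostics quoted in the issue (same format).
SAMPLE_OUTPUT = """\
repro.cpp:20:5: warning: YES [debug.ExprInspection]
   20 |     clang_analyzer_isTainted(port1); // Tainted, as expected
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:26:5: warning: NO [debug.ExprInspection]
   26 |     clang_analyzer_isTainted(port3); // Not tainted ???
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:5: warning: YES [debug.ExprInspection]
   27 |     clang_analyzer_isTainted(port3.foo); // Tainted...
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:30:5: warning: NO [debug.ExprInspection]
   30 |     clang_analyzer_isTainted(port4); // Not tainted ???
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:31:5: warning: YES [debug.ExprInspection]
   31 |     clang_analyzer_isTainted(port4.foo); // Tainted...
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""

# "file:line:col: warning: YES|NO [debug.ExprInspection]" as printed by clang.
DIAG_RE = re.compile(r"^\S+:(?P<line>\d+):\d+: warning: (?P<verdict>YES|NO) \[debug\.ExprInspection\]")
# The probed expression, read from the source-context line printed under it.
PROBE_RE = re.compile(r"clang_analyzer_isTainted\((?P<expr>[^)]*)\)")


def parse_taint_verdicts(output):
    """Return [(source_line, probed_expr, 'YES'|'NO'), ...] in output order."""
    lines = output.splitlines()
    verdicts = []
    for i, text in enumerate(lines):
        m = DIAG_RE.match(text)
        if not m or i + 1 >= len(lines):
            continue
        probe = PROBE_RE.search(lines[i + 1])
        if probe:
            verdicts.append((int(m["line"]), probe["expr"].strip(), m["verdict"]))
    return verdicts


def object_member_mismatches(verdicts):
    """Variables whose whole-object probe said NO while a member probe said YES;
    returns sorted (variable, object_line, member_line) triples."""
    untainted_objects = {e: ln for ln, e, v in verdicts if "." not in e and v == "NO"}
    found = []
    for ln, expr, verdict in verdicts:
        base = expr.split(".", 1)[0]
        if "." in expr and verdict == "YES" and base in untainted_objects:
            found.append((base, untainted_objects[base], ln))
    return sorted(found)
```

Run against the real analyzer output (`clang-20 --analyze ... 2>&1 | python3 check.py`, with the script reading stdin instead of `SAMPLE_OUTPUT`) it turns the manual `<-----` annotations in the report into a mechanical check.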

@llvmbot
Copy link
Collaborator

llvmbot commented Oct 30, 2024

@llvm/issue-subscribers-clang-static-analyzer

Author: Tom Ritter (tomrittervg)

