annotate gcc/analyzer/sm-taint.cc @ 158:494b0b89df80 default tip

...
author Shinji KONO <kono@ie.u-ryukyu.ac.jp>
date Mon, 25 May 2020 18:13:55 +0900
parents 1830386684a0
children
1 /* An experimental state machine, for tracking "taint": unsanitized uses
2 of data potentially under an attacker's control.
4 Copyright (C) 2019-2020 Free Software Foundation, Inc.
5 Contributed by David Malcolm <dmalcolm@redhat.com>.
7 This file is part of GCC.
9 GCC is free software; you can redistribute it and/or modify it
10 under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3, or (at your option)
12 any later version.
14 GCC is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with GCC; see the file COPYING3. If not see
21 <http://www.gnu.org/licenses/>. */
23 #include "config.h"
24 #include "system.h"
25 #include "coretypes.h"
26 #include "tree.h"
27 #include "function.h"
28 #include "basic-block.h"
29 #include "gimple.h"
30 #include "options.h"
31 #include "diagnostic-path.h"
32 #include "diagnostic-metadata.h"
33 #include "function.h"
34 #include "analyzer/analyzer.h"
35 #include "diagnostic-event-id.h"
36 #include "analyzer/analyzer-logging.h"
37 #include "analyzer/sm.h"
38 #include "analyzer/pending-diagnostic.h"
40 #if ENABLE_ANALYZER
42 namespace ana {
44 namespace {
/* An experimental state machine, for tracking "taint": unsanitized uses
   of data potentially under an attacker's control.

   A tracked value moves between the states declared below: on_stmt moves
   the buffer passed to fread from "start" to "tainted", on_condition
   records lower/upper bound checks as "has_lb" / "has_ub", and "stop"
   ends tracking of the value.  */

class taint_state_machine : public state_machine
{
public:
  /* Registers the five states under the machine name "taint".  */
  taint_state_machine (logger *logger);

  /* Always true for this machine.
     NOTE(review): presumably controls whether a child region inherits the
     state of its parent -- confirm against state_machine in
     analyzer/sm.h.  */
  bool inherited_state_p () const FINAL OVERRIDE { return true; }

  /* Statement hook: introduces taint at recognized sources and warns on
     array reads indexed by a value that is still tainted or only
     partially bounds-checked.  Returns true only for a recognized taint
     source.  */
  bool on_stmt (sm_context *sm_ctxt,
                const supernode *node,
                const gimple *stmt) const FINAL OVERRIDE;

  /* Condition hook: treats an ordered comparison on LHS as a lower- or
     upper-bound check.  RHS is not examined.  */
  void on_condition (sm_context *sm_ctxt,
                     const supernode *node,
                     const gimple *stmt,
                     tree lhs,
                     enum tree_code op,
                     tree rhs) const FINAL OVERRIDE;

  /* Returns true for every state.  */
  bool can_purge_p (state_t s) const FINAL OVERRIDE;

  /* Start state.  */
  state_t m_start;

  /* State for a "tainted" value: unsanitized data potentially under an
     attacker's control.  */
  state_t m_tainted;

  /* State for a "tainted" value that has a lower bound.  */
  state_t m_has_lb;

  /* State for a "tainted" value that has an upper bound.  */
  state_t m_has_ub;

  /* Stop state, for a value we don't want to track any more.  */
  state_t m_stop;
};
/* Which bounds checks are already known for a tainted array index at the
   point where it is used.  Each name says which bound IS known; the
   diagnostic then reports the other bound as missing.  */

enum bounds
{
  /* No bound is known: reported as "without bounds checking".  */
  BOUNDS_NONE,
  /* Only an upper bound is known: reported as "without lower-bounds
     checking".  */
  BOUNDS_UPPER,
  /* Only a lower bound is known (on_stmt also uses this for a tainted
     index of unsigned type): reported as "without upper-bounds
     checking".  */
  BOUNDS_LOWER
};
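/* Pending diagnostic for the use of a tainted value as an array index
   without a complete bounds check.  It is tagged with CWE-129 (Improper
   Validation of Array Index) and controlled by
   OPT_Wanalyzer_tainted_array_index.  M_HAS_BOUNDS records which bound,
   if any, is already known and selects the wording of the warning.  */

class tainted_array_index
  : public pending_diagnostic_subclass<tainted_array_index>
{
public:
  /* SM is the owning state machine (used to recognize its states when
     describing the path), ARG the index expression, HAS_BOUNDS the bound
     that is already known for ARG.  */
  tainted_array_index (const taint_state_machine &sm, tree arg,
                       enum bounds has_bounds)
  : m_sm (sm), m_arg (arg), m_has_bounds (has_bounds) {}

  const char *get_kind () const FINAL OVERRIDE { return "tainted_array_index"; }

  /* Two diagnostics are equal only if they concern the same index
     expression AND the same missing bound.  The warning text differs by
     M_HAS_BOUNDS, so comparing the expression alone would treat reports
     with different wording as interchangeable.  */
  bool operator== (const tainted_array_index &other) const
  {
    return (same_tree_p (m_arg, other.m_arg)
            && m_has_bounds == other.m_has_bounds);
  }

  /* Emit the warning at RICH_LOC, with CWE-129 attached as metadata.
     Returns the result of warning_meta.  */
  bool emit (rich_location *rich_loc) FINAL OVERRIDE
  {
    diagnostic_metadata m;
    m.add_cwe (129);
    switch (m_has_bounds)
      {
      default:
        gcc_unreachable ();
      case BOUNDS_NONE:
        return warning_meta (rich_loc, m, OPT_Wanalyzer_tainted_array_index,
                             "use of tainted value %qE in array lookup"
                             " without bounds checking",
                             m_arg);
      case BOUNDS_UPPER:
        /* An upper bound is known, so the lower bound is what is missing.  */
        return warning_meta (rich_loc, m, OPT_Wanalyzer_tainted_array_index,
                             "use of tainted value %qE in array lookup"
                             " without lower-bounds checking",
                             m_arg);
      case BOUNDS_LOWER:
        /* A lower bound is known, so the upper bound is what is missing.  */
        return warning_meta (rich_loc, m, OPT_Wanalyzer_tainted_array_index,
                             "use of tainted value %qE in array lookup"
                             " without upper-bounds checking",
                             m_arg);
      }
  }

  /* Describe a state change along the diagnostic path: where the value
     became tainted and where each bound was checked.  Returns an empty
     label_text for any other new state.  */
  label_text describe_state_change (const evdesc::state_change &change)
    FINAL OVERRIDE
  {
    if (change.m_new_state == m_sm.m_tainted)
      {
        if (change.m_origin)
          return change.formatted_print ("%qE has an unchecked value here"
                                         " (from %qE)",
                                         change.m_expr, change.m_origin);
        else
          return change.formatted_print ("%qE gets an unchecked value here",
                                         change.m_expr);
      }
    else if (change.m_new_state == m_sm.m_has_lb)
      return change.formatted_print ("%qE has its lower bound checked here",
                                     change.m_expr);
    else if (change.m_new_state == m_sm.m_has_ub)
      return change.formatted_print ("%qE has its upper bound checked here",
                                     change.m_expr);
    return label_text ();
  }

  /* Describe the final event of the path; the wording mirrors emit.  */
  label_text describe_final_event (const evdesc::final_event &ev) FINAL OVERRIDE
  {
    switch (m_has_bounds)
      {
      default:
        gcc_unreachable ();
      case BOUNDS_NONE:
        return ev.formatted_print ("use of tainted value %qE in array lookup"
                                   " without bounds checking",
                                   m_arg);
      case BOUNDS_UPPER:
        return ev.formatted_print ("use of tainted value %qE in array lookup"
                                   " without lower-bounds checking",
                                   m_arg);
      case BOUNDS_LOWER:
        return ev.formatted_print ("use of tainted value %qE in array lookup"
                                   " without upper-bounds checking",
                                   m_arg);
      }
  }

private:
  /* The state machine that raised this diagnostic.  */
  const taint_state_machine &m_sm;
  /* The tainted index expression.  */
  tree m_arg;
  /* The bound already known for M_ARG at the point of use.  */
  enum bounds m_has_bounds;
};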
/* taint_state_machine's ctor.
   Names the machine "taint", forwards LOGGER to the state_machine base
   and registers the five states used by this file.  */

taint_state_machine::taint_state_machine (logger *logger)
: state_machine ("taint", logger)
{
  /* NOTE(review): presumably add_state hands out ids in call order, so
     this sequence should stay stable -- confirm in analyzer/sm.h.  */
  m_start = add_state ("start");
  m_tainted = add_state ("tainted");
  m_has_lb = add_state ("has_lb");
  m_has_ub = add_state ("has_ub");
  m_stop = add_state ("stop");
}
/* Implementation of state_machine::on_stmt vfunc for taint_state_machine.

   Two kinds of statement are acted on:

   - a call that is_named_call_p matches as "fread" with 4 arguments: its
     first argument moves from "start" to "tainted" (as does the operand
     of that argument when it is an ADDR_EXPR), and true is returned;

   - an assignment whose RHS code is ARRAY_REF: the index is checked
     against the "tainted", "has_lb" and "has_ub" states, a
     tainted_array_index diagnostic is queued for each state that still
     lacks a bound, and the index then moves to "stop".

   Returns false for every statement other than the fread call.  */

bool
taint_state_machine::on_stmt (sm_context *sm_ctxt,
                              const supernode *node,
                              const gimple *stmt) const
{
  /* Taint sources.  */
  const gcall *call = dyn_cast <const gcall *> (stmt);
  tree callee_fndecl
    = call ? sm_ctxt->get_fndecl_for_call (call) : NULL_TREE;
  if (callee_fndecl && is_named_call_p (callee_fndecl, "fread", call, 4))
    {
      tree buf = sm_ctxt->get_readable_tree (gimple_call_arg (call, 0));

      sm_ctxt->on_transition (node, stmt, buf, m_start, m_tainted);

      /* Dereference an ADDR_EXPR, so that the object whose address was
         passed is tainted as well.  */
      // TODO: should the engine do this?
      if (TREE_CODE (buf) == ADDR_EXPR)
        sm_ctxt->on_transition (node, stmt, TREE_OPERAND (buf, 0),
                                m_start, m_tainted);
      return true;
    }
  // TODO: ...etc; many other sources of untrusted data

  /* Taint sinks: array accesses.
     NOTE(review): only the RHS code of the assignment is tested, so a
     store through a tainted index (ARRAY_REF on the LHS) does not appear
     to be checked here -- confirm.  */
  const gassign *assign = dyn_cast <const gassign *> (stmt);
  if (!assign)
    return false;

  tree rhs1 = gimple_assign_rhs1 (assign);
  if (gimple_assign_rhs_code (assign) != ARRAY_REF)
    return false;

  tree idx = sm_ctxt->get_readable_tree (TREE_OPERAND (rhs1, 1));

  /* Unsigned types have an implicit lower bound.  */
  const bool is_unsigned = (INTEGRAL_TYPE_P (TREE_TYPE (idx))
                            && TYPE_UNSIGNED (TREE_TYPE (idx)));
  const enum bounds unchecked_kind
    = is_unsigned ? BOUNDS_LOWER : BOUNDS_NONE;

  /* Still fully tainted: complain about missing bounds.  */
  sm_ctxt->warn_for_state (node, stmt, idx, m_tainted,
                           new tainted_array_index (*this, idx,
                                                    unchecked_kind));
  sm_ctxt->on_transition (node, stmt, idx, m_tainted, m_stop);

  /* Lower bound known: complain about missing upper bound.  */
  sm_ctxt->warn_for_state (node, stmt, idx, m_has_lb,
                           new tainted_array_index (*this, idx,
                                                    BOUNDS_LOWER));
  sm_ctxt->on_transition (node, stmt, idx, m_has_lb, m_stop);

  /* Upper bound known: complain about missing lower bound, unless the
     type supplies one.  */
  if (!is_unsigned)
    {
      sm_ctxt->warn_for_state (node, stmt, idx, m_has_ub,
                               new tainted_array_index (*this, idx,
                                                        BOUNDS_UPPER));
      sm_ctxt->on_transition (node, stmt, idx, m_has_ub, m_stop);
    }

  return false;
}
/* Implementation of state_machine::on_condition vfunc for taint_state_machine.
   Potentially transition state 'tainted' to 'has_ub' or 'has_lb',
   and states 'has_ub' and 'has_lb' to 'stop'.

   Only LHS and OP are consulted.  Any >=, >, <= or < on LHS counts as a
   bound check whatever it is compared against, so a comparison against
   another unchecked value is accepted as a bound.
   NOTE(review): a check written with the tracked value as the right-hand
   operand would not be seen by this function unless the caller
   canonicalizes the comparison -- confirm.  */

void
taint_state_machine::on_condition (sm_context *sm_ctxt,
                                   const supernode *node,
                                   const gimple *stmt,
                                   tree lhs,
                                   enum tree_code op,
                                   tree rhs ATTRIBUTE_UNUSED) const
{
  if (stmt == NULL)
    return;

  // TODO: this doesn't use the RHS; should we make it symmetric?

  // TODO
  /* NE_EXPR and EQ_EXPR are not handled; every other code is ignored
     too.  */
  const bool lower_bound_check = (op == GE_EXPR || op == GT_EXPR);
  const bool upper_bound_check = (op == LE_EXPR || op == LT_EXPR);

  if (lower_bound_check)
    {
      /* A lower bound on a tainted value, or the second bound on a value
         that already had an upper bound.  */
      sm_ctxt->on_transition (node, stmt, lhs, m_tainted,
                              m_has_lb);
      sm_ctxt->on_transition (node, stmt, lhs, m_has_ub,
                              m_stop);
    }
  else if (upper_bound_check)
    {
      /* An upper bound on a tainted value, or the second bound on a value
         that already had a lower bound.  */
      sm_ctxt->on_transition (node, stmt, lhs, m_tainted,
                              m_has_ub);
      sm_ctxt->on_transition (node, stmt, lhs, m_has_lb,
                              m_stop);
    }
}
/* Implementation of state_machine::can_purge_p vfunc for
   taint_state_machine.  Every state is reported as purgeable; S is not
   inspected.  */

bool
taint_state_machine::can_purge_p (state_t s ATTRIBUTE_UNUSED) const
{
  return true;
}
320 } // anonymous namespace
/* Internal interface to this file.
   Allocate a new taint_state_machine, forwarding LOGGER to its
   constructor, and return it through the state_machine base type.
   NOTE(review): ownership presumably passes to the caller -- confirm at
   the call site.  */

state_machine *
make_taint_state_machine (logger *logger)
{
  state_machine *sm = new taint_state_machine (logger);
  return sm;
}
330 } // namespace ana
332 #endif /* #if ENABLE_ANALYZER */