StaticAnalyzer/Checkers/GenericTaintChecker.cpp

5c5bf9b6SAnna Zaks//== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=//
5c5bf9b6SAnna Zaks//
2946cd70SChandler Carruth// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
2946cd70SChandler Carruth// See https://llvm.org/LICENSE.txt for license information.
2946cd70SChandler Carruth// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
5c5bf9b6SAnna Zaks//
5c5bf9b6SAnna Zaks//===----------------------------------------------------------------------===//
5c5bf9b6SAnna Zaks//
5c5bf9b6SAnna Zaks// This checker defines the attack surface for generic taint propagation.
5c5bf9b6SAnna Zaks//
5c5bf9b6SAnna Zaks// The taint information produced by it might be useful to other checkers. For
5c5bf9b6SAnna Zaks// example, checkers should report errors which involve tainted data more
5c5bf9b6SAnna Zaks// aggressively, even if the involved symbols are under constrained.
5c5bf9b6SAnna Zaks//
5c5bf9b6SAnna Zaks//===----------------------------------------------------------------------===//
44551cf6SArtem Dergachev
4bde15feSGabor Borsik#include "Yaml.h"
3a02247dSChandler Carruth#include "clang/AST/Attr.h"
3a02247dSChandler Carruth#include "clang/Basic/Builtins.h"
4bde15feSGabor Borsik#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
82f3ed99STom Ritter#include "clang/StaticAnalyzer/Checkers/Taint.h"
3a02247dSChandler Carruth#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
5c5bf9b6SAnna Zaks#include "clang/StaticAnalyzer/Core/Checker.h"
5c5bf9b6SAnna Zaks#include "clang/StaticAnalyzer/Core/CheckerManager.h"
17f74240SEndre Fülöp#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
95a94df5SBalazs Benics#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
5c5bf9b6SAnna Zaks#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
3b0ab206SAnna Zaks#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
4bde15feSGabor Borsik#include "llvm/Support/YAMLTraits.h"
95a94df5SBalazs Benics
4bde15feSGabor Borsik#include <limits>
95a94df5SBalazs Benics#include <memory>
2a5fb125SArtem Dergachev#include <utility>
5c5bf9b6SAnna Zaks
fa0a80e0SBalazs Benics#define DEBUG_TYPE "taint-checker"
fa0a80e0SBalazs Benics
5c5bf9b6SAnna Zaksusing namespace clang;
5c5bf9b6SAnna Zaksusing namespace ento;
44551cf6SArtem Dergachevusing namespace taint;
5c5bf9b6SAnna Zaks
a848a5cfSBalazs Benicsusing llvm::ImmutableSet;
a848a5cfSBalazs Benics
5c5bf9b6SAnna Zaksnamespace {
17f74240SEndre Fülöp
17f74240SEndre Fülöpclass GenericTaintChecker;
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Check for CWE-134: Uncontrolled Format String.
17f74240SEndre Fülöpconstexpr llvm::StringLiteral MsgUncontrolledFormatString =
17f74240SEndre Fülöp    "Untrusted data is used as a format string "
17f74240SEndre Fülöp    "(CWE-134: Uncontrolled Format String)";
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Check for:
17f74240SEndre Fülöp/// CERT/STR02-C. "Sanitize data passed to complex subsystems"
17f74240SEndre Fülöp/// CWE-78, "Failure to Sanitize Data into an OS Command"
17f74240SEndre Fülöpconstexpr llvm::StringLiteral MsgSanitizeSystemArgs =
17f74240SEndre Fülöp    "Untrusted data is passed to a system call "
17f74240SEndre Fülöp    "(CERT/STR02-C. Sanitize data passed to complex subsystems)";
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Check if tainted data is used as a buffer size in strn.. functions,
17f74240SEndre Fülöp/// and allocators.
17f74240SEndre Fülöpconstexpr llvm::StringLiteral MsgTaintedBufferSize =
17f74240SEndre Fülöp    "Untrusted data is used to specify the buffer size "
17f74240SEndre Fülöp    "(CERT/STR31-C. Guarantee that storage for strings has sufficient space "
17f74240SEndre Fülöp    "for character data and the null terminator)";
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Check if tainted data is used as a custom sink's parameter.
17f74240SEndre Fülöpconstexpr llvm::StringLiteral MsgCustomSink =
17f74240SEndre Fülöp    "Untrusted data is passed to a user-defined sink";
17f74240SEndre Fülöp
17f74240SEndre Fülöpusing ArgIdxTy = int;
17f74240SEndre Fülöpusing ArgVecTy = llvm::SmallVector<ArgIdxTy, 2>;
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Denotes the return value.
17f74240SEndre Fülöpconstexpr ArgIdxTy ReturnValueIndex{-1};
17f74240SEndre Fülöp
17f74240SEndre Fülöpstatic ArgIdxTy fromArgumentCount(unsigned Count) {
17f74240SEndre Fülöp  assert(Count <=
17f74240SEndre Fülöp             static_cast<std::size_t>(std::numeric_limits<ArgIdxTy>::max()) &&
17f74240SEndre Fülöp         "ArgIdxTy is not large enough to represent the number of arguments.");
17f74240SEndre Fülöp  return Count;
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Check if the region the expression evaluates to is the standard input,
17f74240SEndre Fülöp/// and thus, is tainted.
17f74240SEndre Fülöp/// FIXME: Move this to Taint.cpp.
17f74240SEndre Fülöpbool isStdin(SVal Val, const ASTContext &ACtx) {
17f74240SEndre Fülöp  // FIXME: What if Val is NonParamVarRegion?
17f74240SEndre Fülöp
17f74240SEndre Fülöp  // The region should be symbolic, we do not know it's value.
17f74240SEndre Fülöp  const auto *SymReg = dyn_cast_or_null<SymbolicRegion>(Val.getAsRegion());
17f74240SEndre Fülöp  if (!SymReg)
17f74240SEndre Fülöp    return false;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  // Get it's symbol and find the declaration region it's pointing to.
f4fc3f6bSBalazs Benics  const auto *DeclReg =
f4fc3f6bSBalazs Benics      dyn_cast_or_null<DeclRegion>(SymReg->getSymbol()->getOriginRegion());
17f74240SEndre Fülöp  if (!DeclReg)
17f74240SEndre Fülöp    return false;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  // This region corresponds to a declaration, find out if it's a global/extern
17f74240SEndre Fülöp  // variable named stdin with the proper type.
17f74240SEndre Fülöp  if (const auto *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) {
17f74240SEndre Fülöp    D = D->getCanonicalDecl();
17f74240SEndre Fülöp    // FIXME: This should look for an exact match.
17f74240SEndre Fülöp    if (D->getName().contains("stdin") && D->isExternC()) {
17f74240SEndre Fülöp      const QualType FILETy = ACtx.getFILEType().getCanonicalType();
17f74240SEndre Fülöp      const QualType Ty = D->getType().getCanonicalType();
17f74240SEndre Fülöp
17f74240SEndre Fülöp      if (Ty->isPointerType())
17f74240SEndre Fülöp        return Ty->getPointeeType() == FILETy;
17f74240SEndre Fülöp    }
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp  return false;
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre FülöpSVal getPointeeOf(const CheckerContext &C, Loc LValue) {
17f74240SEndre Fülöp  const QualType ArgTy = LValue.getType(C.getASTContext());
17f74240SEndre Fülöp  if (!ArgTy->isPointerType() || !ArgTy->getPointeeType()->isVoidType())
17f74240SEndre Fülöp    return C.getState()->getSVal(LValue);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  // Do not dereference void pointers. Treat them as byte pointers instead.
17f74240SEndre Fülöp  // FIXME: we might want to consider more than just the first byte.
17f74240SEndre Fülöp  return C.getState()->getSVal(LValue, C.getASTContext().CharTy);
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Given a pointer/reference argument, return the value it refers to.
17f74240SEndre FülöpOptional<SVal> getPointeeOf(const CheckerContext &C, SVal Arg) {
17f74240SEndre Fülöp  if (auto LValue = Arg.getAs<Loc>())
17f74240SEndre Fülöp    return getPointeeOf(C, *LValue);
17f74240SEndre Fülöp  return None;
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Given a pointer, return the SVal of its pointee or if it is tainted,
17f74240SEndre Fülöp/// otherwise return the pointer's SVal if tainted.
17f74240SEndre Fülöp/// Also considers stdin as a taint source.
17f74240SEndre FülöpOptional<SVal> getTaintedPointeeOrPointer(const CheckerContext &C, SVal Arg) {
17f74240SEndre Fülöp  const ProgramStateRef State = C.getState();
17f74240SEndre Fülöp
17f74240SEndre Fülöp  if (auto Pointee = getPointeeOf(C, Arg))
17f74240SEndre Fülöp    if (isTainted(State, *Pointee)) // FIXME: isTainted(...) ? Pointee : None;
17f74240SEndre Fülöp      return Pointee;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  if (isTainted(State, Arg))
17f74240SEndre Fülöp    return Arg;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  // FIXME: This should be done by the isTainted() API.
17f74240SEndre Fülöp  if (isStdin(Arg, C.getASTContext()))
17f74240SEndre Fülöp    return Arg;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  return None;
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöpbool isTaintedOrPointsToTainted(const Expr *E, const ProgramStateRef &State,
17f74240SEndre Fülöp                                CheckerContext &C) {
064a08cdSKazu Hirata  return getTaintedPointeeOrPointer(C, C.getSVal(E)).has_value();
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// ArgSet is used to describe arguments relevant for taint detection or
17f74240SEndre Fülöp/// taint application. A discrete set of argument indexes and a variadic
17f74240SEndre Fülöp/// argument list signified by a starting index are supported.
17f74240SEndre Fülöpclass ArgSet {
17f74240SEndre Fülöppublic:
17f74240SEndre Fülöp  ArgSet() = default;
17f74240SEndre Fülöp  ArgSet(ArgVecTy &&DiscreteArgs, Optional<ArgIdxTy> VariadicIndex = None)
17f74240SEndre Fülöp      : DiscreteArgs(std::move(DiscreteArgs)),
17f74240SEndre Fülöp        VariadicIndex(std::move(VariadicIndex)) {}
17f74240SEndre Fülöp
17f74240SEndre Fülöp  bool contains(ArgIdxTy ArgIdx) const {
17f74240SEndre Fülöp    if (llvm::is_contained(DiscreteArgs, ArgIdx))
17f74240SEndre Fülöp      return true;
17f74240SEndre Fülöp
17f74240SEndre Fülöp    return VariadicIndex && ArgIdx >= *VariadicIndex;
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  bool isEmpty() const { return DiscreteArgs.empty() && !VariadicIndex; }
17f74240SEndre Fülöp
17f74240SEndre Fülöpprivate:
17f74240SEndre Fülöp  ArgVecTy DiscreteArgs;
17f74240SEndre Fülöp  Optional<ArgIdxTy> VariadicIndex;
17f74240SEndre Fülöp};
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// A struct used to specify taint propagation rules for a function.
17f74240SEndre Fülöp///
17f74240SEndre Fülöp/// If any of the possible taint source arguments is tainted, all of the
17f74240SEndre Fülöp/// destination arguments should also be tainted. If ReturnValueIndex is added
17f74240SEndre Fülöp/// to the dst list, the return value will be tainted.
17f74240SEndre Fülöpclass GenericTaintRule {
17f74240SEndre Fülöp  /// Arguments which are taints sinks and should be checked, and a report
17f74240SEndre Fülöp  /// should be emitted if taint reaches these.
17f74240SEndre Fülöp  ArgSet SinkArgs;
17f74240SEndre Fülöp  /// Arguments which should be sanitized on function return.
17f74240SEndre Fülöp  ArgSet FilterArgs;
17f74240SEndre Fülöp  /// Arguments which can participate in taint propagationa. If any of the
17f74240SEndre Fülöp  /// arguments in PropSrcArgs is tainted, all arguments in  PropDstArgs should
17f74240SEndre Fülöp  /// be tainted.
17f74240SEndre Fülöp  ArgSet PropSrcArgs;
17f74240SEndre Fülöp  ArgSet PropDstArgs;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// A message that explains why the call is sensitive to taint.
17f74240SEndre Fülöp  Optional<StringRef> SinkMsg;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  GenericTaintRule() = default;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  GenericTaintRule(ArgSet &&Sink, ArgSet &&Filter, ArgSet &&Src, ArgSet &&Dst,
17f74240SEndre Fülöp                   Optional<StringRef> SinkMsg = None)
17f74240SEndre Fülöp      : SinkArgs(std::move(Sink)), FilterArgs(std::move(Filter)),
17f74240SEndre Fülöp        PropSrcArgs(std::move(Src)), PropDstArgs(std::move(Dst)),
17f74240SEndre Fülöp        SinkMsg(SinkMsg) {}
17f74240SEndre Fülöp
17f74240SEndre Fülöppublic:
17f74240SEndre Fülöp  /// Make a rule that reports a warning if taint reaches any of \p FilterArgs
17f74240SEndre Fülöp  /// arguments.
17f74240SEndre Fülöp  static GenericTaintRule Sink(ArgSet &&SinkArgs,
17f74240SEndre Fülöp                               Optional<StringRef> Msg = None) {
17f74240SEndre Fülöp    return {std::move(SinkArgs), {}, {}, {}, Msg};
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Make a rule that sanitizes all FilterArgs arguments.
17f74240SEndre Fülöp  static GenericTaintRule Filter(ArgSet &&FilterArgs) {
17f74240SEndre Fülöp    return {{}, std::move(FilterArgs), {}, {}};
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Make a rule that unconditionally taints all Args.
17f74240SEndre Fülöp  /// If Func is provided, it must also return true for taint to propagate.
17f74240SEndre Fülöp  static GenericTaintRule Source(ArgSet &&SourceArgs) {
17f74240SEndre Fülöp    return {{}, {}, {}, std::move(SourceArgs)};
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Make a rule that taints all PropDstArgs if any of PropSrcArgs is tainted.
17f74240SEndre Fülöp  static GenericTaintRule Prop(ArgSet &&SrcArgs, ArgSet &&DstArgs) {
17f74240SEndre Fülöp    return {{}, {}, std::move(SrcArgs), std::move(DstArgs)};
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Make a rule that taints all PropDstArgs if any of PropSrcArgs is tainted.
17f74240SEndre Fülöp  static GenericTaintRule SinkProp(ArgSet &&SinkArgs, ArgSet &&SrcArgs,
17f74240SEndre Fülöp                                   ArgSet &&DstArgs,
17f74240SEndre Fülöp                                   Optional<StringRef> Msg = None) {
17f74240SEndre Fülöp    return {
17f74240SEndre Fülöp        std::move(SinkArgs), {}, std::move(SrcArgs), std::move(DstArgs), Msg};
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Process a function which could either be a taint source, a taint sink, a
17f74240SEndre Fülöp  /// taint filter or a taint propagator.
17f74240SEndre Fülöp  void process(const GenericTaintChecker &Checker, const CallEvent &Call,
17f74240SEndre Fülöp               CheckerContext &C) const;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Handles the resolution of indexes of type ArgIdxTy to Expr*-s.
17f74240SEndre Fülöp  static const Expr *GetArgExpr(ArgIdxTy ArgIdx, const CallEvent &Call) {
17f74240SEndre Fülöp    return ArgIdx == ReturnValueIndex ? Call.getOriginExpr()
17f74240SEndre Fülöp                                      : Call.getArgExpr(ArgIdx);
17f74240SEndre Fülöp  };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Functions for custom taintedness propagation.
17f74240SEndre Fülöp  static bool UntrustedEnv(CheckerContext &C);
17f74240SEndre Fülöp};
17f74240SEndre Fülöp
17f74240SEndre Fülöpusing RuleLookupTy = CallDescriptionMap<GenericTaintRule>;
17f74240SEndre Fülöp
17f74240SEndre Fülöp/// Used to parse the configuration file.
17f74240SEndre Fülöpstruct TaintConfiguration {
17f74240SEndre Fülöp  using NameScopeArgs = std::tuple<std::string, std::string, ArgVecTy>;
17f74240SEndre Fülöp  enum class VariadicType { None, Src, Dst };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  struct Common {
17f74240SEndre Fülöp    std::string Name;
17f74240SEndre Fülöp    std::string Scope;
17f74240SEndre Fülöp  };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  struct Sink : Common {
17f74240SEndre Fülöp    ArgVecTy SinkArgs;
17f74240SEndre Fülöp  };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  struct Filter : Common {
17f74240SEndre Fülöp    ArgVecTy FilterArgs;
17f74240SEndre Fülöp  };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  struct Propagation : Common {
17f74240SEndre Fülöp    ArgVecTy SrcArgs;
17f74240SEndre Fülöp    ArgVecTy DstArgs;
17f74240SEndre Fülöp    VariadicType VarType;
17f74240SEndre Fülöp    ArgIdxTy VarIndex;
17f74240SEndre Fülöp  };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  std::vector<Propagation> Propagations;
17f74240SEndre Fülöp  std::vector<Filter> Filters;
17f74240SEndre Fülöp  std::vector<Sink> Sinks;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  TaintConfiguration() = default;
17f74240SEndre Fülöp  TaintConfiguration(const TaintConfiguration &) = default;
17f74240SEndre Fülöp  TaintConfiguration(TaintConfiguration &&) = default;
17f74240SEndre Fülöp  TaintConfiguration &operator=(const TaintConfiguration &) = default;
17f74240SEndre Fülöp  TaintConfiguration &operator=(TaintConfiguration &&) = default;
17f74240SEndre Fülöp};
17f74240SEndre Fülöp
17f74240SEndre Fülöpstruct GenericTaintRuleParser {
17f74240SEndre Fülöp  GenericTaintRuleParser(CheckerManager &Mgr) : Mgr(Mgr) {}
17f74240SEndre Fülöp  /// Container type used to gather call identification objects grouped into
17f74240SEndre Fülöp  /// pairs with their corresponding taint rules. It is temporary as it is used
17f74240SEndre Fülöp  /// to finally initialize RuleLookupTy, which is considered to be immutable.
17f74240SEndre Fülöp  using RulesContTy = std::vector<std::pair<CallDescription, GenericTaintRule>>;
17f74240SEndre Fülöp  RulesContTy parseConfiguration(const std::string &Option,
17f74240SEndre Fülöp                                 TaintConfiguration &&Config) const;
17f74240SEndre Fülöp
17f74240SEndre Fülöpprivate:
17f74240SEndre Fülöp  using NamePartsTy = llvm::SmallVector<SmallString<32>, 2>;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Validate part of the configuration, which contains a list of argument
17f74240SEndre Fülöp  /// indexes.
17f74240SEndre Fülöp  void validateArgVector(const std::string &Option, const ArgVecTy &Args) const;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  template <typename Config> static NamePartsTy parseNameParts(const Config &C);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  // Takes the config and creates a CallDescription for it and associates a Rule
17f74240SEndre Fülöp  // with that.
17f74240SEndre Fülöp  template <typename Config>
17f74240SEndre Fülöp  static void consumeRulesFromConfig(const Config &C, GenericTaintRule &&Rule,
17f74240SEndre Fülöp                                     RulesContTy &Rules);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  void parseConfig(const std::string &Option, TaintConfiguration::Sink &&P,
17f74240SEndre Fülöp                   RulesContTy &Rules) const;
17f74240SEndre Fülöp  void parseConfig(const std::string &Option, TaintConfiguration::Filter &&P,
17f74240SEndre Fülöp                   RulesContTy &Rules) const;
17f74240SEndre Fülöp  void parseConfig(const std::string &Option,
17f74240SEndre Fülöp                   TaintConfiguration::Propagation &&P,
17f74240SEndre Fülöp                   RulesContTy &Rules) const;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  CheckerManager &Mgr;
17f74240SEndre Fülöp};
17f74240SEndre Fülöp
95a94df5SBalazs Benicsclass GenericTaintChecker : public Checker<check::PreCall, check::PostCall> {
3b0ab206SAnna Zakspublic:
95a94df5SBalazs Benics  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
95a94df5SBalazs Benics  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
5c5bf9b6SAnna Zaks
4bde15feSGabor Borsik  void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
4bde15feSGabor Borsik                  const char *Sep) const override;
4bde15feSGabor Borsik
080ecafdSGabor Borsik  /// Generate a report if the expression is tainted or points to tainted data.
080ecafdSGabor Borsik  bool generateReportIfTainted(const Expr *E, StringRef Msg,
080ecafdSGabor Borsik                               CheckerContext &C) const;
080ecafdSGabor Borsik
17f74240SEndre Fülöpprivate:
17f74240SEndre Fülöp  const BugType BT{this, "Use of Untrusted Data", "Untrusted Data"};
273e6742SBorsik Gabor
17f74240SEndre Fülöp  bool checkUncontrolledFormatString(const CallEvent &Call,
17f74240SEndre Fülöp                                     CheckerContext &C) const;
080ecafdSGabor Borsik
17f74240SEndre Fülöp  void taintUnsafeSocketProtocol(const CallEvent &Call,
17f74240SEndre Fülöp                                 CheckerContext &C) const;
2827349cSKristof Umann
17f74240SEndre Fülöp  /// Default taint rules are initilized with the help of a CheckerContext to
17f74240SEndre Fülöp  /// access the names of built-in functions like memcpy.
17f74240SEndre Fülöp  void initTaintRules(CheckerContext &C) const;
3666d2c1SAnna Zaks
17f74240SEndre Fülöp  /// CallDescription currently cannot restrict matches to the global namespace
17f74240SEndre Fülöp  /// only, which is why multiple CallDescriptionMaps are used, as we want to
17f74240SEndre Fülöp  /// disambiguate global C functions from functions inside user-defined
17f74240SEndre Fülöp  /// namespaces.
17f74240SEndre Fülöp  // TODO: Remove separation to simplify matching logic once CallDescriptions
17f74240SEndre Fülöp  // are more expressive.
3666d2c1SAnna Zaks
17f74240SEndre Fülöp  mutable Optional<RuleLookupTy> StaticTaintRules;
17f74240SEndre Fülöp  mutable Optional<RuleLookupTy> DynamicTaintRules;
7f6a6b75SAnna Zaks};
560dbe9aSAnna Zaks} // end of anonymous namespace
5c5bf9b6SAnna Zaks
17f74240SEndre Fülöp/// YAML serialization mapping.
17f74240SEndre FülöpLLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Sink)
17f74240SEndre FülöpLLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Filter)
17f74240SEndre FülöpLLVM_YAML_IS_SEQUENCE_VECTOR(TaintConfiguration::Propagation)
4bde15feSGabor Borsik
4bde15feSGabor Borsiknamespace llvm {
4bde15feSGabor Borsiknamespace yaml {
17f74240SEndre Fülöptemplate <> struct MappingTraits<TaintConfiguration> {
17f74240SEndre Fülöp  static void mapping(IO &IO, TaintConfiguration &Config) {
4bde15feSGabor Borsik    IO.mapOptional("Propagations", Config.Propagations);
4bde15feSGabor Borsik    IO.mapOptional("Filters", Config.Filters);
4bde15feSGabor Borsik    IO.mapOptional("Sinks", Config.Sinks);
4bde15feSGabor Borsik  }
4bde15feSGabor Borsik};
4bde15feSGabor Borsik
17f74240SEndre Fülöptemplate <> struct MappingTraits<TaintConfiguration::Sink> {
17f74240SEndre Fülöp  static void mapping(IO &IO, TaintConfiguration::Sink &Sink) {
17f74240SEndre Fülöp    IO.mapRequired("Name", Sink.Name);
17f74240SEndre Fülöp    IO.mapOptional("Scope", Sink.Scope);
17f74240SEndre Fülöp    IO.mapRequired("Args", Sink.SinkArgs);
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp};
17f74240SEndre Fülöp
17f74240SEndre Fülöptemplate <> struct MappingTraits<TaintConfiguration::Filter> {
17f74240SEndre Fülöp  static void mapping(IO &IO, TaintConfiguration::Filter &Filter) {
17f74240SEndre Fülöp    IO.mapRequired("Name", Filter.Name);
17f74240SEndre Fülöp    IO.mapOptional("Scope", Filter.Scope);
17f74240SEndre Fülöp    IO.mapRequired("Args", Filter.FilterArgs);
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp};
17f74240SEndre Fülöp
17f74240SEndre Fülöptemplate <> struct MappingTraits<TaintConfiguration::Propagation> {
17f74240SEndre Fülöp  static void mapping(IO &IO, TaintConfiguration::Propagation &Propagation) {
4bde15feSGabor Borsik    IO.mapRequired("Name", Propagation.Name);
273e6742SBorsik Gabor    IO.mapOptional("Scope", Propagation.Scope);
4bde15feSGabor Borsik    IO.mapOptional("SrcArgs", Propagation.SrcArgs);
4bde15feSGabor Borsik    IO.mapOptional("DstArgs", Propagation.DstArgs);
17f74240SEndre Fülöp    IO.mapOptional("VariadicType", Propagation.VarType);
17f74240SEndre Fülöp    IO.mapOptional("VariadicIndex", Propagation.VarIndex);
4bde15feSGabor Borsik  }
4bde15feSGabor Borsik};
4bde15feSGabor Borsik
17f74240SEndre Fülöptemplate <> struct ScalarEnumerationTraits<TaintConfiguration::VariadicType> {
17f74240SEndre Fülöp  static void enumeration(IO &IO, TaintConfiguration::VariadicType &Value) {
17f74240SEndre Fülöp    IO.enumCase(Value, "None", TaintConfiguration::VariadicType::None);
17f74240SEndre Fülöp    IO.enumCase(Value, "Src", TaintConfiguration::VariadicType::Src);
17f74240SEndre Fülöp    IO.enumCase(Value, "Dst", TaintConfiguration::VariadicType::Dst);
4bde15feSGabor Borsik  }
4bde15feSGabor Borsik};
4bde15feSGabor Borsik} // namespace yaml
4bde15feSGabor Borsik} // namespace llvm
4bde15feSGabor Borsik
b3fa8d7dSAnna Zaks/// A set which is used to pass information from call pre-visit instruction
17f74240SEndre Fülöp/// to the call post-visit. The values are signed integers, which are either
b3fa8d7dSAnna Zaks/// ReturnValueIndex, or indexes of the pointer/reference argument, which
b3fa8d7dSAnna Zaks/// points to data, which should be tainted on return.
a848a5cfSBalazs BenicsREGISTER_MAP_WITH_PROGRAMSTATE(TaintArgsOnPostVisit, const LocationContext *,
a848a5cfSBalazs Benics                               ImmutableSet<ArgIdxTy>)
a848a5cfSBalazs BenicsREGISTER_SET_FACTORY_WITH_PROGRAMSTATE(ArgIdxFactory, ArgIdxTy)
3b0ab206SAnna Zaks
17f74240SEndre Fülöpvoid GenericTaintRuleParser::validateArgVector(const std::string &Option,
17f74240SEndre Fülöp                                               const ArgVecTy &Args) const {
17f74240SEndre Fülöp  for (ArgIdxTy Arg : Args) {
17f74240SEndre Fülöp    if (Arg < ReturnValueIndex) {
4bde15feSGabor Borsik      Mgr.reportInvalidCheckerOptionValue(
17f74240SEndre Fülöp          Mgr.getChecker<GenericTaintChecker>(), Option,
4bde15feSGabor Borsik          "an argument number for propagation rules greater or equal to -1");
4bde15feSGabor Borsik    }
4bde15feSGabor Borsik  }
4bde15feSGabor Borsik}
4bde15feSGabor Borsik
17f74240SEndre Fülöptemplate <typename Config>
17f74240SEndre FülöpGenericTaintRuleParser::NamePartsTy
17f74240SEndre FülöpGenericTaintRuleParser::parseNameParts(const Config &C) {
17f74240SEndre Fülöp  NamePartsTy NameParts;
17f74240SEndre Fülöp  if (!C.Scope.empty()) {
17f74240SEndre Fülöp    // If the Scope argument contains multiple "::" parts, those are considered
17f74240SEndre Fülöp    // namespace identifiers.
17f74240SEndre Fülöp    llvm::SmallVector<StringRef, 2> NSParts;
17f74240SEndre Fülöp    StringRef{C.Scope}.split(NSParts, "::", /*MaxSplit*/ -1,
17f74240SEndre Fülöp                             /*KeepEmpty*/ false);
17f74240SEndre Fülöp    NameParts.append(NSParts.begin(), NSParts.end());
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp  NameParts.emplace_back(C.Name);
17f74240SEndre Fülöp  return NameParts;
273e6742SBorsik Gabor}
273e6742SBorsik Gabor
17f74240SEndre Fülöptemplate <typename Config>
17f74240SEndre Fülöpvoid GenericTaintRuleParser::consumeRulesFromConfig(const Config &C,
17f74240SEndre Fülöp                                                    GenericTaintRule &&Rule,
17f74240SEndre Fülöp                                                    RulesContTy &Rules) {
17f74240SEndre Fülöp  NamePartsTy NameParts = parseNameParts(C);
17f74240SEndre Fülöp  llvm::SmallVector<const char *, 2> CallDescParts{NameParts.size()};
17f74240SEndre Fülöp  llvm::transform(NameParts, CallDescParts.begin(),
17f74240SEndre Fülöp                  [](SmallString<32> &S) { return S.c_str(); });
262cc74eSTres Popp  Rules.emplace_back(CallDescription(CallDescParts), std::move(Rule));
17f74240SEndre Fülöp}
bf740512SAnna Zaks
17f74240SEndre Fülöpvoid GenericTaintRuleParser::parseConfig(const std::string &Option,
17f74240SEndre Fülöp                                         TaintConfiguration::Sink &&S,
17f74240SEndre Fülöp                                         RulesContTy &Rules) const {
17f74240SEndre Fülöp  validateArgVector(Option, S.SinkArgs);
17f74240SEndre Fülöp  consumeRulesFromConfig(S, GenericTaintRule::Sink(std::move(S.SinkArgs)),
17f74240SEndre Fülöp                         Rules);
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöpvoid GenericTaintRuleParser::parseConfig(const std::string &Option,
17f74240SEndre Fülöp                                         TaintConfiguration::Filter &&S,
17f74240SEndre Fülöp                                         RulesContTy &Rules) const {
17f74240SEndre Fülöp  validateArgVector(Option, S.FilterArgs);
17f74240SEndre Fülöp  consumeRulesFromConfig(S, GenericTaintRule::Filter(std::move(S.FilterArgs)),
17f74240SEndre Fülöp                         Rules);
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöpvoid GenericTaintRuleParser::parseConfig(const std::string &Option,
17f74240SEndre Fülöp                                         TaintConfiguration::Propagation &&P,
17f74240SEndre Fülöp                                         RulesContTy &Rules) const {
17f74240SEndre Fülöp  validateArgVector(Option, P.SrcArgs);
17f74240SEndre Fülöp  validateArgVector(Option, P.DstArgs);
17f74240SEndre Fülöp  bool IsSrcVariadic = P.VarType == TaintConfiguration::VariadicType::Src;
17f74240SEndre Fülöp  bool IsDstVariadic = P.VarType == TaintConfiguration::VariadicType::Dst;
17f74240SEndre Fülöp  Optional<ArgIdxTy> JustVarIndex = P.VarIndex;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  ArgSet SrcDesc(std::move(P.SrcArgs), IsSrcVariadic ? JustVarIndex : None);
17f74240SEndre Fülöp  ArgSet DstDesc(std::move(P.DstArgs), IsDstVariadic ? JustVarIndex : None);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  consumeRulesFromConfig(
17f74240SEndre Fülöp      P, GenericTaintRule::Prop(std::move(SrcDesc), std::move(DstDesc)), Rules);
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre FülöpGenericTaintRuleParser::RulesContTy
17f74240SEndre FülöpGenericTaintRuleParser::parseConfiguration(const std::string &Option,
17f74240SEndre Fülöp                                           TaintConfiguration &&Config) const {
17f74240SEndre Fülöp
17f74240SEndre Fülöp  RulesContTy Rules;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  for (auto &F : Config.Filters)
17f74240SEndre Fülöp    parseConfig(Option, std::move(F), Rules);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  for (auto &S : Config.Sinks)
17f74240SEndre Fülöp    parseConfig(Option, std::move(S), Rules);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  for (auto &P : Config.Propagations)
17f74240SEndre Fülöp    parseConfig(Option, std::move(P), Rules);
17f74240SEndre Fülöp
17f74240SEndre Fülöp  return Rules;
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
17f74240SEndre Fülöpvoid GenericTaintChecker::initTaintRules(CheckerContext &C) const {
5d324e50SAnna Zaks  // Check for exact name match for functions without builtin substitutes.
273e6742SBorsik Gabor  // Use qualified name, because these are C functions without namespace.
5d324e50SAnna Zaks
17f74240SEndre Fülöp  if (StaticTaintRules || DynamicTaintRules)
17f74240SEndre Fülöp    return;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  using RulesConstructionTy =
17f74240SEndre Fülöp      std::vector<std::pair<CallDescription, GenericTaintRule>>;
17f74240SEndre Fülöp  using TR = GenericTaintRule;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  const Builtin::Context &BI = C.getASTContext().BuiltinInfo;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  RulesConstructionTy GlobalCRules{
17f74240SEndre Fülöp      // Sources
17f74240SEndre Fülöp      {{"fdopen"}, TR::Source({{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"fopen"}, TR::Source({{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"freopen"}, TR::Source({{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"getch"}, TR::Source({{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"getchar"}, TR::Source({{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"getchar_unlocked"}, TR::Source({{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"gets"}, TR::Source({{0}, ReturnValueIndex})},
34a73879SEndre Fülöp      {{"gets_s"}, TR::Source({{0}, ReturnValueIndex})},
17f74240SEndre Fülöp      {{"scanf"}, TR::Source({{}, 1})},
34a73879SEndre Fülöp      {{"scanf_s"}, TR::Source({{}, {1}})},
17f74240SEndre Fülöp      {{"wgetch"}, TR::Source({{}, ReturnValueIndex})},
34a73879SEndre Fülöp      // Sometimes the line between taint sources and propagators is blurry.
34a73879SEndre Fülöp      // _IO_getc is choosen to be a source, but could also be a propagator.
34a73879SEndre Fülöp      // This way it is simpler, as modeling it as a propagator would require
34a73879SEndre Fülöp      // to model the possible sources of _IO_FILE * values, which the _IO_getc
34a73879SEndre Fülöp      // function takes as parameters.
34a73879SEndre Fülöp      {{"_IO_getc"}, TR::Source({{ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"getcwd"}, TR::Source({{0, ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"getwd"}, TR::Source({{0, ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"readlink"}, TR::Source({{1, ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"readlinkat"}, TR::Source({{2, ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"get_current_dir_name"}, TR::Source({{ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"gethostname"}, TR::Source({{0}})},
34a73879SEndre Fülöp      {{"getnameinfo"}, TR::Source({{2, 4}})},
34a73879SEndre Fülöp      {{"getseuserbyname"}, TR::Source({{1, 2}})},
34a73879SEndre Fülöp      {{"getgroups"}, TR::Source({{1, ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"getlogin"}, TR::Source({{ReturnValueIndex}})},
34a73879SEndre Fülöp      {{"getlogin_r"}, TR::Source({{0}})},
17f74240SEndre Fülöp
17f74240SEndre Fülöp      // Props
17f74240SEndre Fülöp      {{"atoi"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"atol"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"atoll"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"fgetc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"fgetln"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
7036413dSBalazs Benics      {{"fgets"}, TR::Prop({{2}}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"fscanf"}, TR::Prop({{0}}, {{}, 2})},
4fd6c6e6SEndre Fülöp      {{"fscanf_s"}, TR::Prop({{0}}, {{}, {2}})},
17f74240SEndre Fülöp      {{"sscanf"}, TR::Prop({{0}}, {{}, 2})},
4fd6c6e6SEndre Fülöp
17f74240SEndre Fülöp      {{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"getc_unlocked"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"getdelim"}, TR::Prop({{3}}, {{0}})},
17f74240SEndre Fülöp      {{"getline"}, TR::Prop({{2}}, {{0}})},
17f74240SEndre Fülöp      {{"getw"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"pread"}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"read"}, TR::Prop({{0, 2}}, {{1, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"strchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"strrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"tolower"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{"toupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"fread"}, TR::Prop({{3}}, {{0, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"recv"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"recvfrom"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"ttyname"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"ttyname_r"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"basename"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"dirname"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"fnmatch"}, TR::Prop({{1}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"memchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"memrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"rawmemchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"mbtowc"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"wctomb"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"wcwidth"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"memcmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"memcpy"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"memmove"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      // If memmem was called with a tainted needle and the search was
4fd6c6e6SEndre Fülöp      // successful, that would mean that the value pointed by the return value
4fd6c6e6SEndre Fülöp      // has the same content as the needle. If we choose to go by the policy of
4fd6c6e6SEndre Fülöp      // content equivalence implies taintedness equivalence, that would mean
4fd6c6e6SEndre Fülöp      // haystack should be considered a propagation source argument.
4fd6c6e6SEndre Fülöp      {{"memmem"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      // The comment for memmem above also applies to strstr.
4fd6c6e6SEndre Fülöp      {{"strstr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strcasestr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"strchrnul"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"index"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"rindex"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      // FIXME: In case of arrays, only the first element of the array gets
4fd6c6e6SEndre Fülöp      // tainted.
4fd6c6e6SEndre Fülöp      {{"qsort"}, TR::Prop({{0}}, {{0}})},
4fd6c6e6SEndre Fülöp      {{"qsort_r"}, TR::Prop({{0}}, {{0}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"strcmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strcasecmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strncmp"}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strncasecmp"}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strspn"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strcspn"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strpbrk"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strndup"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strndupa"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strlen"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strnlen"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strtol"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strtoll"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strtoul"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"strtoull"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
4fd6c6e6SEndre Fülöp      {{"isalnum"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isalpha"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isascii"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isblank"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"iscntrl"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isdigit"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isgraph"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"islower"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isprint"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"ispunct"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isspace"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp      {{"isxdigit"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
4fd6c6e6SEndre Fülöp
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncat)}},
17f74240SEndre Fülöp       TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcpy)}},
17f74240SEndre Fülöp       TR::Prop({{1, 2}}, {{0}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcat)}},
17f74240SEndre Fülöp       TR::Prop({{1, 2}}, {{0}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"snprintf"}},
17f74240SEndre Fülöp       TR::Prop({{1}, 3}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"sprintf"}},
17f74240SEndre Fülöp       TR::Prop({{1}, 2}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"strcpy"}},
17f74240SEndre Fülöp       TR::Prop({{1}}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"stpcpy"}},
17f74240SEndre Fülöp       TR::Prop({{1}}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"strcat"}},
17f74240SEndre Fülöp       TR::Prop({{1}}, {{0, ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"strdup"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"strdupa"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"wcsdup"}}, TR::Prop({{0}}, {{ReturnValueIndex}})},
17f74240SEndre Fülöp
17f74240SEndre Fülöp      // Sinks
17f74240SEndre Fülöp      {{"system"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"popen"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"execl"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"execle"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"execlp"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"execvp"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"execvP"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"execve"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{"dlopen"}, TR::Sink({{0}}, MsgSanitizeSystemArgs)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"malloc"}}, TR::Sink({{0}}, MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"calloc"}}, TR::Sink({{0}}, MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"alloca"}}, TR::Sink({{0}}, MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"memccpy"}}, TR::Sink({{3}}, MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"realloc"}}, TR::Sink({{1}}, MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{{"setproctitle"}}, TR::Sink({{0}, 1}, MsgUncontrolledFormatString)},
17f74240SEndre Fülöp      {{{"setproctitle_fast"}},
17f74240SEndre Fülöp       TR::Sink({{0}, 1}, MsgUncontrolledFormatString)},
17f74240SEndre Fülöp
17f74240SEndre Fülöp      // SinkProps
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, BI.getName(Builtin::BImemcpy)},
17f74240SEndre Fülöp       TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}},
17f74240SEndre Fülöp                    MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {BI.getName(Builtin::BImemmove)}},
17f74240SEndre Fülöp       TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}},
17f74240SEndre Fülöp                    MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncpy)}},
17f74240SEndre Fülöp       TR::SinkProp({{2}}, {{1, 2}}, {{0, ReturnValueIndex}},
17f74240SEndre Fülöp                    MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrndup)}},
17f74240SEndre Fülöp       TR::SinkProp({{1}}, {{0, 1}}, {{ReturnValueIndex}},
17f74240SEndre Fülöp                    MsgTaintedBufferSize)},
17f74240SEndre Fülöp      {{CDF_MaybeBuiltin, {"bcopy"}},
17f74240SEndre Fülöp       TR::SinkProp({{2}}, {{0, 2}}, {{1}}, MsgTaintedBufferSize)}};
edde4efcSBalazs Benics
edde4efcSBalazs Benics  // `getenv` returns taint only in untrusted environments.
17f74240SEndre Fülöp  if (TR::UntrustedEnv(C)) {
17f74240SEndre Fülöp    // void setproctitle_init(int argc, char *argv[], char *envp[])
17f74240SEndre Fülöp    GlobalCRules.push_back(
7036413dSBalazs Benics        {{{"setproctitle_init"}}, TR::Sink({{1, 2}}, MsgCustomSink)});
17f74240SEndre Fülöp    GlobalCRules.push_back({{"getenv"}, TR::Source({{ReturnValueIndex}})});
edde4efcSBalazs Benics  }
edde4efcSBalazs Benics
17f74240SEndre Fülöp  StaticTaintRules.emplace(std::make_move_iterator(GlobalCRules.begin()),
17f74240SEndre Fülöp                           std::make_move_iterator(GlobalCRules.end()));
5d324e50SAnna Zaks
17f74240SEndre Fülöp  // User-provided taint configuration.
17f74240SEndre Fülöp  CheckerManager *Mgr = C.getAnalysisManager().getCheckerManager();
17f74240SEndre Fülöp  assert(Mgr);
17f74240SEndre Fülöp  GenericTaintRuleParser ConfigParser{*Mgr};
17f74240SEndre Fülöp  std::string Option{"Config"};
17f74240SEndre Fülöp  StringRef ConfigFile =
17f74240SEndre Fülöp      Mgr->getAnalyzerOptions().getCheckerStringOption(this, Option);
17f74240SEndre Fülöp  llvm::Optional<TaintConfiguration> Config =
17f74240SEndre Fülöp      getConfiguration<TaintConfiguration>(*Mgr, this, Option, ConfigFile);
17f74240SEndre Fülöp  if (!Config) {
17f74240SEndre Fülöp    // We don't have external taint config, no parsing required.
17f74240SEndre Fülöp    DynamicTaintRules = RuleLookupTy{};
17f74240SEndre Fülöp    return;
95a94df5SBalazs Benics  }
5d324e50SAnna Zaks
17f74240SEndre Fülöp  GenericTaintRuleParser::RulesContTy Rules{
*ca4af13eSKazu Hirata      ConfigParser.parseConfiguration(Option, std::move(*Config))};
5d324e50SAnna Zaks
17f74240SEndre Fülöp  DynamicTaintRules.emplace(std::make_move_iterator(Rules.begin()),
17f74240SEndre Fülöp                            std::make_move_iterator(Rules.end()));
273e6742SBorsik Gabor}
080ecafdSGabor Borsik
95a94df5SBalazs Benicsvoid GenericTaintChecker::checkPreCall(const CallEvent &Call,
5c5bf9b6SAnna Zaks                                       CheckerContext &C) const {
17f74240SEndre Fülöp  initTaintRules(C);
89bc4c66SBorsik Gabor
17f74240SEndre Fülöp  // FIXME: this should be much simpler.
17f74240SEndre Fülöp  if (const auto *Rule =
17f74240SEndre Fülöp          Call.isGlobalCFunction() ? StaticTaintRules->lookup(Call) : nullptr)
17f74240SEndre Fülöp    Rule->process(*this, Call, C);
17f74240SEndre Fülöp  else if (const auto *Rule = DynamicTaintRules->lookup(Call))
17f74240SEndre Fülöp    Rule->process(*this, Call, C);
3b0ab206SAnna Zaks
17f74240SEndre Fülöp  // FIXME: These edge cases are to be eliminated from here eventually.
17f74240SEndre Fülöp  //
17f74240SEndre Fülöp  // Additional check that is not supported by CallDescription.
17f74240SEndre Fülöp  // TODO: Make CallDescription be able to match attributes such as printf-like
17f74240SEndre Fülöp  // arguments.
17f74240SEndre Fülöp  checkUncontrolledFormatString(Call, C);
89bc4c66SBorsik Gabor
17f74240SEndre Fülöp  // TODO: Modeling sockets should be done in a specific checker.
17f74240SEndre Fülöp  // Socket is a source, which taints the return value.
17f74240SEndre Fülöp  taintUnsafeSocketProtocol(Call, C);
126a2ef9SAnna Zaks}
126a2ef9SAnna Zaks
95a94df5SBalazs Benicsvoid GenericTaintChecker::checkPostCall(const CallEvent &Call,
126a2ef9SAnna Zaks                                        CheckerContext &C) const {
2827349cSKristof Umann  // Set the marked values as tainted. The return value only accessible from
2827349cSKristof Umann  // checkPostStmt.
49b1e38eSTed Kremenek  ProgramStateRef State = C.getState();
a848a5cfSBalazs Benics  const StackFrameContext *CurrentFrame = C.getStackFrame();
b3fa8d7dSAnna Zaks
b3fa8d7dSAnna Zaks  // Depending on what was tainted at pre-visit, we determined a set of
b3fa8d7dSAnna Zaks  // arguments which should be tainted after the function returns. These are
b3fa8d7dSAnna Zaks  // stored in the state as TaintArgsOnPostVisit set.
a848a5cfSBalazs Benics  TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>();
a848a5cfSBalazs Benics
a848a5cfSBalazs Benics  const ImmutableSet<ArgIdxTy> *TaintArgs = TaintArgsMap.lookup(CurrentFrame);
a848a5cfSBalazs Benics  if (!TaintArgs)
17f74240SEndre Fülöp    return;
a848a5cfSBalazs Benics  assert(!TaintArgs->isEmpty());
bf740512SAnna Zaks
fa0a80e0SBalazs Benics  LLVM_DEBUG(for (ArgIdxTy I
a848a5cfSBalazs Benics                  : *TaintArgs) {
fa0a80e0SBalazs Benics    llvm::dbgs() << "PostCall<";
fa0a80e0SBalazs Benics    Call.dump(llvm::dbgs());
fa0a80e0SBalazs Benics    llvm::dbgs() << "> actually wants to taint arg index: " << I << '\n';
fa0a80e0SBalazs Benics  });
fa0a80e0SBalazs Benics
a848a5cfSBalazs Benics  for (ArgIdxTy ArgNum : *TaintArgs) {
b3fa8d7dSAnna Zaks    // Special handling for the tainted return value.
b3fa8d7dSAnna Zaks    if (ArgNum == ReturnValueIndex) {
95a94df5SBalazs Benics      State = addTaint(State, Call.getReturnValue());
b3fa8d7dSAnna Zaks      continue;
b3fa8d7dSAnna Zaks    }
b3fa8d7dSAnna Zaks
b3fa8d7dSAnna Zaks    // The arguments are pointer arguments. The data they are pointing at is
b3fa8d7dSAnna Zaks    // tainted after the call.
17f74240SEndre Fülöp    if (auto V = getPointeeOf(C, Call.getArgSVal(ArgNum)))
44551cf6SArtem Dergachev      State = addTaint(State, *V);
b3fa8d7dSAnna Zaks  }
b3fa8d7dSAnna Zaks
b3fa8d7dSAnna Zaks  // Clear up the taint info from the state.
a848a5cfSBalazs Benics  State = State->remove<TaintArgsOnPostVisit>(CurrentFrame);
b3fa8d7dSAnna Zaks  C.addTransition(State);
b3fa8d7dSAnna Zaks}
b3fa8d7dSAnna Zaks
17f74240SEndre Fülöpvoid GenericTaintChecker::printState(raw_ostream &Out, ProgramStateRef State,
17f74240SEndre Fülöp                                     const char *NL, const char *Sep) const {
17f74240SEndre Fülöp  printTaint(State, Out, NL, Sep);
126a2ef9SAnna Zaks}
126a2ef9SAnna Zaks
17f74240SEndre Fülöpvoid GenericTaintRule::process(const GenericTaintChecker &Checker,
17f74240SEndre Fülöp                               const CallEvent &Call, CheckerContext &C) const {
49b1e38eSTed Kremenek  ProgramStateRef State = C.getState();
17f74240SEndre Fülöp  const ArgIdxTy CallNumArgs = fromArgumentCount(Call.getNumArgs());
7c96b7dbSAnna Zaks
17f74240SEndre Fülöp  /// Iterate every call argument, and get their corresponding Expr and SVal.
17f74240SEndre Fülöp  const auto ForEachCallArg = [&C, &Call, CallNumArgs](auto &&Fun) {
17f74240SEndre Fülöp    for (ArgIdxTy I = ReturnValueIndex; I < CallNumArgs; ++I) {
17f74240SEndre Fülöp      const Expr *E = GetArgExpr(I, Call);
17f74240SEndre Fülöp      Fun(I, E, C.getSVal(E));
5c5bf9b6SAnna Zaks    }
17f74240SEndre Fülöp  };
5c5bf9b6SAnna Zaks
17f74240SEndre Fülöp  /// Check for taint sinks.
17f74240SEndre Fülöp  ForEachCallArg([this, &Checker, &C, &State](ArgIdxTy I, const Expr *E, SVal) {
17f74240SEndre Fülöp    if (SinkArgs.contains(I) && isTaintedOrPointsToTainted(E, State, C))
06decd0bSKazu Hirata      Checker.generateReportIfTainted(E, SinkMsg.value_or(MsgCustomSink), C);
17f74240SEndre Fülöp  });
3666d2c1SAnna Zaks
17f74240SEndre Fülöp  /// Check for taint filters.
17f74240SEndre Fülöp  ForEachCallArg([this, &C, &State](ArgIdxTy I, const Expr *E, SVal S) {
17f74240SEndre Fülöp    if (FilterArgs.contains(I)) {
17f74240SEndre Fülöp      State = removeTaint(State, S);
17f74240SEndre Fülöp      if (auto P = getPointeeOf(C, S))
17f74240SEndre Fülöp        State = removeTaint(State, *P);
3666d2c1SAnna Zaks    }
17f74240SEndre Fülöp  });
2a5fb125SArtem Dergachev
17f74240SEndre Fülöp  /// Check for taint propagation sources.
17f74240SEndre Fülöp  /// A rule is relevant if PropSrcArgs is empty, or if any of its signified
17f74240SEndre Fülöp  /// args are tainted in context of the current CallEvent.
17f74240SEndre Fülöp  bool IsMatching = PropSrcArgs.isEmpty();
17f74240SEndre Fülöp  ForEachCallArg(
17f74240SEndre Fülöp      [this, &C, &IsMatching, &State](ArgIdxTy I, const Expr *E, SVal) {
17f74240SEndre Fülöp        IsMatching = IsMatching || (PropSrcArgs.contains(I) &&
17f74240SEndre Fülöp                                    isTaintedOrPointsToTainted(E, State, C));
17f74240SEndre Fülöp      });
2a5fb125SArtem Dergachev
17f74240SEndre Fülöp  if (!IsMatching)
17f74240SEndre Fülöp    return;
2827349cSKristof Umann
17f74240SEndre Fülöp  const auto WouldEscape = [](SVal V, QualType Ty) -> bool {
96ccb690SBalazs Benics    if (!isa<Loc>(V))
099fe3fbSAnna Zaks      return false;
099fe3fbSAnna Zaks
17f74240SEndre Fülöp    const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified();
17f74240SEndre Fülöp    const bool IsNonConstPtr =
17f74240SEndre Fülöp        Ty->isPointerType() && !Ty->getPointeeType().isConstQualified();
e48ee503SAnna Zaks
17f74240SEndre Fülöp    return IsNonConstRef || IsNonConstPtr;
17f74240SEndre Fülöp  };
17f74240SEndre Fülöp
17f74240SEndre Fülöp  /// Propagate taint where it is necessary.
a848a5cfSBalazs Benics  auto &F = State->getStateManager().get_context<ArgIdxFactory>();
a848a5cfSBalazs Benics  ImmutableSet<ArgIdxTy> Result = F.getEmptySet();
17f74240SEndre Fülöp  ForEachCallArg(
ecff9b65SFangrui Song      [&](ArgIdxTy I, const Expr *E, SVal V) {
fa0a80e0SBalazs Benics        if (PropDstArgs.contains(I)) {
fa0a80e0SBalazs Benics          LLVM_DEBUG(llvm::dbgs() << "PreCall<"; Call.dump(llvm::dbgs());
fa0a80e0SBalazs Benics                     llvm::dbgs()
fa0a80e0SBalazs Benics                     << "> prepares tainting arg index: " << I << '\n';);
a848a5cfSBalazs Benics          Result = F.add(Result, I);
fa0a80e0SBalazs Benics        }
17f74240SEndre Fülöp
17f74240SEndre Fülöp        // TODO: We should traverse all reachable memory regions via the
17f74240SEndre Fülöp        // escaping parameter. Instead of doing that we simply mark only the
17f74240SEndre Fülöp        // referred memory region as tainted.
fa0a80e0SBalazs Benics        if (WouldEscape(V, E->getType())) {
a848a5cfSBalazs Benics          LLVM_DEBUG(if (!Result.contains(I)) {
fa0a80e0SBalazs Benics            llvm::dbgs() << "PreCall<";
fa0a80e0SBalazs Benics            Call.dump(llvm::dbgs());
fa0a80e0SBalazs Benics            llvm::dbgs() << "> prepares tainting arg index: " << I << '\n';
fa0a80e0SBalazs Benics          });
a848a5cfSBalazs Benics          Result = F.add(Result, I);
fa0a80e0SBalazs Benics        }
17f74240SEndre Fülöp      });
17f74240SEndre Fülöp
a848a5cfSBalazs Benics  if (!Result.isEmpty())
a848a5cfSBalazs Benics    State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
17f74240SEndre Fülöp  C.addTransition(State);
099fe3fbSAnna Zaks}
099fe3fbSAnna Zaks
17f74240SEndre Fülöpbool GenericTaintRule::UntrustedEnv(CheckerContext &C) {
17f74240SEndre Fülöp  return !C.getAnalysisManager()
17f74240SEndre Fülöp              .getAnalyzerOptions()
17f74240SEndre Fülöp              .ShouldAssumeControlledEnvironment;
126a2ef9SAnna Zaks}
126a2ef9SAnna Zaks
080ecafdSGabor Borsikbool GenericTaintChecker::generateReportIfTainted(const Expr *E, StringRef Msg,
0244cd74SAnna Zaks                                                  CheckerContext &C) const {
0244cd74SAnna Zaks  assert(E);
17f74240SEndre Fülöp  Optional<SVal> TaintedSVal{getTaintedPointeeOrPointer(C, C.getSVal(E))};
0244cd74SAnna Zaks
17f74240SEndre Fülöp  if (!TaintedSVal)
0244cd74SAnna Zaks    return false;
0244cd74SAnna Zaks
0244cd74SAnna Zaks  // Generate diagnostic.
e39bd407SDevin Coughlin  if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
17f74240SEndre Fülöp    auto report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
0244cd74SAnna Zaks    report->addRange(E->getSourceRange());
17f74240SEndre Fülöp    report->addVisitor(std::make_unique<TaintBugVisitor>(*TaintedSVal));
8d3a7a56SAaron Ballman    C.emitReport(std::move(report));
0244cd74SAnna Zaks    return true;
0244cd74SAnna Zaks  }
0244cd74SAnna Zaks  return false;
0244cd74SAnna Zaks}
0244cd74SAnna Zaks
17f74240SEndre Fülöp/// TODO: remove checking for printf format attributes and socket whitelisting
17f74240SEndre Fülöp/// from GenericTaintChecker, and that means the following functions:
17f74240SEndre Fülöp/// getPrintfFormatArgumentNum,
17f74240SEndre Fülöp/// GenericTaintChecker::checkUncontrolledFormatString,
17f74240SEndre Fülöp/// GenericTaintChecker::taintUnsafeSocketProtocol
17f74240SEndre Fülöp
17f74240SEndre Fülöpstatic bool getPrintfFormatArgumentNum(const CallEvent &Call,
17f74240SEndre Fülöp                                       const CheckerContext &C,
17f74240SEndre Fülöp                                       ArgIdxTy &ArgNum) {
17f74240SEndre Fülöp  // Find if the function contains a format string argument.
17f74240SEndre Fülöp  // Handles: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf,
17f74240SEndre Fülöp  // vsnprintf, syslog, custom annotated functions.
17f74240SEndre Fülöp  const Decl *CallDecl = Call.getDecl();
17f74240SEndre Fülöp  if (!CallDecl)
17f74240SEndre Fülöp    return false;
17f74240SEndre Fülöp  const FunctionDecl *FDecl = CallDecl->getAsFunction();
17f74240SEndre Fülöp  if (!FDecl)
17f74240SEndre Fülöp    return false;
17f74240SEndre Fülöp
17f74240SEndre Fülöp  const ArgIdxTy CallNumArgs = fromArgumentCount(Call.getNumArgs());
17f74240SEndre Fülöp
17f74240SEndre Fülöp  for (const auto *Format : FDecl->specific_attrs<FormatAttr>()) {
17f74240SEndre Fülöp    ArgNum = Format->getFormatIdx() - 1;
17f74240SEndre Fülöp    if ((Format->getType()->getName() == "printf") && CallNumArgs > ArgNum)
17f74240SEndre Fülöp      return true;
17f74240SEndre Fülöp  }
17f74240SEndre Fülöp
17f74240SEndre Fülöp  return false;
17f74240SEndre Fülöp}
17f74240SEndre Fülöp
b68cb549SArtem Dergachevbool GenericTaintChecker::checkUncontrolledFormatString(
95a94df5SBalazs Benics    const CallEvent &Call, CheckerContext &C) const {
126a2ef9SAnna Zaks  // Check if the function contains a format string argument.
17f74240SEndre Fülöp  ArgIdxTy ArgNum = 0;
95a94df5SBalazs Benics  if (!getPrintfFormatArgumentNum(Call, C, ArgNum))
126a2ef9SAnna Zaks    return false;
126a2ef9SAnna Zaks
b68cb549SArtem Dergachev  // If either the format string content or the pointer itself are tainted,
b68cb549SArtem Dergachev  // warn.
95a94df5SBalazs Benics  return generateReportIfTainted(Call.getArgExpr(ArgNum),
9c10490eSAlexander Kornienko                                 MsgUncontrolledFormatString, C);
126a2ef9SAnna Zaks}
0244cd74SAnna Zaks
17f74240SEndre Fülöpvoid GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call,
0244cd74SAnna Zaks                                                    CheckerContext &C) const {
17f74240SEndre Fülöp  if (Call.getNumArgs() < 1)
17f74240SEndre Fülöp    return;
17f74240SEndre Fülöp  const IdentifierInfo *ID = Call.getCalleeIdentifier();
17f74240SEndre Fülöp  if (!ID)
17f74240SEndre Fülöp    return;
17f74240SEndre Fülöp  if (!ID->getName().equals("socket"))
17f74240SEndre Fülöp    return;
0244cd74SAnna Zaks
17f74240SEndre Fülöp  SourceLocation DomLoc = Call.getArgExpr(0)->getExprLoc();
17f74240SEndre Fülöp  StringRef DomName = C.getMacroNameOrSpelling(DomLoc);
17f74240SEndre Fülöp  // Allow internal communication protocols.
17f74240SEndre Fülöp  bool SafeProtocol = DomName.equals("AF_SYSTEM") ||
17f74240SEndre Fülöp                      DomName.equals("AF_LOCAL") || DomName.equals("AF_UNIX") ||
17f74240SEndre Fülöp                      DomName.equals("AF_RESERVED_36");
17f74240SEndre Fülöp  if (SafeProtocol)
17f74240SEndre Fülöp    return;
0244cd74SAnna Zaks
a848a5cfSBalazs Benics  ProgramStateRef State = C.getState();
a848a5cfSBalazs Benics  auto &F = State->getStateManager().get_context<ArgIdxFactory>();
a848a5cfSBalazs Benics  ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex);
a848a5cfSBalazs Benics  State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
a848a5cfSBalazs Benics  C.addTransition(State);
126a2ef9SAnna Zaks}
126a2ef9SAnna Zaks
17f74240SEndre Fülöp/// Checker registration
4bde15feSGabor Borsikvoid ento::registerGenericTaintChecker(CheckerManager &Mgr) {
17f74240SEndre Fülöp  Mgr.registerChecker<GenericTaintChecker>();
5c5bf9b6SAnna Zaks}
058a7a45SKristof Umann
bda3dd0dSKirstóf Umannbool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {
058a7a45SKristof Umann  return true;
058a7a45SKristof Umann}