| Rev | Author | Line No. | Line |
|---|---|---|---|
| 14 | pmbaty | 1 | //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-// |
| 2 | // |
||
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
||
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
||
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
||
| 6 | // |
||
| 7 | //===----------------------------------------------------------------------===// |
||
| 8 | // |
||
| 9 | // Defines basic, non-domain-specific mechanisms for tracking tainted values. |
||
| 10 | // |
||
| 11 | //===----------------------------------------------------------------------===// |
||
| 12 | |||
| 13 | #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H |
||
| 14 | #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H |
||
| 15 | |||
| 16 | #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" |
||
| 17 | #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" |
||
| 18 | |||
namespace clang {
namespace ento {
namespace taint {

/// The type of taint, which helps to differentiate between different types of
/// taint.
///
/// A tag is a plain unsigned integer, so the type system does not stop an
/// unrelated integer from being passed where a tag is expected.
using TaintTagType = unsigned;

/// The tag used by every function below when the caller passes no Kind.
static constexpr TaintTagType TaintTagGeneric = 0;

/// Create a new state in which the value of the statement is marked as tainted.
///
/// The change is carried by the returned state, not by \p State; the function
/// is [[nodiscard]] because a caller that drops the result loses the taint
/// mark, and any later isTainted query on the old state will not see it.
///
/// \param State State to derive the new state from.
/// \param S     Statement whose value is to be marked.
/// \param LCtx  Location context passed alongside \p S.
///              NOTE(review): presumably the context in which \p S is
///              evaluated; confirm against the implementation.
/// \param Kind  Tag to record; defaults to TaintTagGeneric.
/// \returns The new state.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
                                       const LocationContext *LCtx,
                                       TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the value is marked as tainted.
///
/// \param State State to derive the new state from.
/// \param V     Value to mark.
/// \param Kind  Tag to record; defaults to TaintTagGeneric.
/// \returns The new state; it must be used for the mark to take effect.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V,
                                       TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the symbol is marked as tainted.
///
/// \param State State to derive the new state from.
/// \param Sym   Symbol to mark.
/// \param Kind  Tag to record; defaults to TaintTagGeneric.
/// \returns The new state; it must be used for the mark to take effect.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
                                       TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the pointer represented by the region
/// is marked as tainted.
///
/// \param State State to derive the new state from.
/// \param R     Region representing the pointer to mark.
/// \param Kind  Tag to record; defaults to TaintTagGeneric.
/// \returns The new state; it must be used for the mark to take effect.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State,
                                       const MemRegion *R,
                                       TaintTagType Kind = TaintTagGeneric);

/// Counterpart of addTaint(State, V): returns a state with the taint on the
/// value removed. The result must not be discarded.
///
/// Unlike addTaint, none of the removeTaint overloads takes a TaintTagType,
/// so a caller cannot choose which tag to clear.
/// NOTE(review): this header does not show whether taint on sub-regions or
/// derived symbols is cleared as well. Confirm in the implementation before
/// modelling a sanitizer with it: clearing too much hides real findings,
/// clearing too little leaves false positives.
[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V);

/// Counterpart of addTaint(State, R): returns a state with the taint on the
/// pointer represented by the region removed. The result must not be
/// discarded.
[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State,
                                          const MemRegion *R);

/// Counterpart of addTaint(State, Sym): returns a state with the taint on the
/// symbol removed. The result must not be discarded.
[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym);

/// Create a new state in which a sub-region of a given symbol is tainted.
/// This might be necessary when referring to regions that cannot have an
/// individual symbol, e.g. if they are represented by the default binding of
/// a LazyCompoundVal.
///
/// \param State     State to derive the new state from.
/// \param ParentSym Symbol that the sub-region belongs to.
/// \param SubRegion Sub-region to mark.
/// \param Kind      Tag to record; defaults to TaintTagGeneric.
/// \returns The new state; it must be used for the mark to take effect.
[[nodiscard]] ProgramStateRef
addPartialTaint(ProgramStateRef State, SymbolRef ParentSym,
                const SubRegion *SubRegion,
                TaintTagType Kind = TaintTagGeneric);

/// Check if the statement has a tainted value in the given state.
///
/// The answer describes \p State only. A false result means that no taint is
/// recorded there for this query, not that the value is known to be trusted.
///
/// \param Kind Tag to look for; defaults to TaintTagGeneric.
///             NOTE(review): presumably only taint recorded with this tag
///             matches; confirm against the implementation.
bool isTainted(ProgramStateRef State, const Stmt *S,
               const LocationContext *LCtx,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the value is tainted in the given state.
///
/// \param Kind Tag to look for; defaults to TaintTagGeneric.
bool isTainted(ProgramStateRef State, SVal V,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the symbol is tainted in the given state.
///
/// \param Kind Tag to look for; defaults to TaintTagGeneric.
bool isTainted(ProgramStateRef State, SymbolRef Sym,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the pointer represented by the region is tainted in the given
/// state.
///
/// \param Kind Tag to look for; defaults to TaintTagGeneric.
bool isTainted(ProgramStateRef State, const MemRegion *Reg,
               TaintTagType Kind = TaintTagGeneric);

/// Write the taint information held in \p State to \p Out.
///
/// NOTE(review): \p nl and \p sep look like a line terminator and a separator
/// string; where each is emitted is defined in the implementation, not here.
void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
                const char *sep = "");

/// Debugging aid (marked LLVM_DUMP_METHOD) that dumps the taint information
/// of \p State.
/// NOTE(review): the output stream is not visible in this header.
LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);

/// The bug visitor prints a diagnostic message at the location where a given
/// variable was tainted.
///
/// It gives a taint-based report its origin: the point on the path where the
/// reported value first became tainted.
class TaintBugVisitor final : public BugReporterVisitor {
private:
  // The value whose taint origin this visitor looks for.
  const SVal V;

public:
  /// Build a visitor for the value \p V.
  TaintBugVisitor(const SVal V) : V(V) {}

  /// Identify this visitor by the tracked value alone.
  void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }

  /// Called for nodes of the bug path; defined out of line.
  /// NOTE(review): per the class comment this is expected to return a piece
  /// at the node where V became tainted; confirm in the implementation.
  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                   BugReporterContext &BRC,
                                   PathSensitiveBugReport &BR) override;
};

} // namespace taint
} // namespace ento
} // namespace clang
||
| 105 | |||
| 106 | #endif |