================ @@ -1779,18 +1790,79 @@ ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, const CallEvent &Call, const Expr *SizeEx, SVal Init, ProgramStateRef State, - AllocationFamily Family) { + AllocationFamily Family) const { if (!State) return nullptr; assert(SizeEx); return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family); } +void MallocChecker::reportTaintBug(StringRef Msg, ProgramStateRef State, + CheckerContext &C, + llvm::ArrayRef<SymbolRef> TaintedSyms, + AllocationFamily Family, + const Expr *SizeEx) const { + if (ExplodedNode *N = C.generateErrorNode(State)) { + + std::optional<MallocChecker::CheckKind> CheckKind = + getCheckIfTracked(Family); + if (!CheckKind) + return; + if (!BT_TaintedAlloc[*CheckKind]) + BT_TaintedAlloc[*CheckKind].reset(new BugType(CheckNames[*CheckKind], + "Tainted Memory Allocation", + categories::MemoryError)); + auto R = std::make_unique<PathSensitiveBugReport>( + *BT_TaintedAlloc[*CheckKind], Msg, N); + + bugreporter::trackExpressionValue(N, SizeEx, *R); + for (auto Sym : TaintedSyms) + R->markInteresting(Sym); + C.emitReport(std::move(R)); + } +} + +void MallocChecker::CheckTaintedness(CheckerContext &C, const CallEvent &Call, + const SVal SizeSVal, ProgramStateRef State, + AllocationFamily Family) const { + std::vector<SymbolRef> TaintedSyms = + clang::ento::taint::getTaintedSymbols(State, SizeSVal); ---------------- steakhal wrote:
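Review bot: In `reportTaintBug`, `C.generateErrorNode(State)` runs before `getCheckIfTracked(Family)`, so when no check kind is tracked the function returns after creating an error node and emits no report. As far as I know `generateErrorNode` produces a sink, so that early return would end the path silently and could suppress later findings on it. Resolving the check kind first avoids this: move `getCheckIfTracked(Family)` and `if (!CheckKind) return;` above the `if (ExplodedNode *N = ...)` line. A tainted allocation size flags attacker-influenced input rather than a definite fault, so `C.generateNonFatalErrorNode(State)` may be the better fit here, letting analysis continue past the allocation and still report a later overflow or out-of-bounds access on the same path.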
```suggestion taint::getTaintedSymbols(State, SizeSVal); ``` https://github.com/llvm/llvm-project/pull/92420 _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits