public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/106007] New: RFE: analyzer should complain about exec/system of tainted args
@ 2022-06-16 17:16 dmalcolm at gcc dot gnu.org
2022-07-28 16:34 ` [Bug analyzer/106007] " dmalcolm at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-06-16 17:16 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
Bug ID: 106007
Summary: RFE: analyzer should complain about exec/system of
tainted args
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
The analyzer should complain if tainted args are passed to any of the following
without sanitization (probably not an exhaustive list):
int execl(const char *pathname, const char *arg, ...
/* (char *) NULL */);
int execlp(const char *file, const char *arg, ...
/* (char *) NULL */);
int execle(const char *pathname, const char *arg, ...
/*, (char *) NULL, char * const envp[] */);
int execv(const char *pathname, char *const argv[]);
int execvp(const char *file, char *const argv[]);
int execvpe(const char *file, char *const argv[],
char *const envp[]);
int execve(const char *pathname, char *const argv[],
char *const envp[]);
int execveat(int dirfd, const char *pathname,
char *const argv[], char *const envp[],
int flags);
int fexecve(int fd, char *const argv[], char *const envp[]);
int system(const char *command);
Could have/reuse an attribute for this, or hardcode it.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/106007] RFE: analyzer should complain about exec/system of tainted args
2022-06-16 17:16 [Bug analyzer/106007] New: RFE: analyzer should complain about exec/system of tainted args dmalcolm at gcc dot gnu.org
@ 2022-07-28 16:34 ` dmalcolm at gcc dot gnu.org
2022-07-28 16:36 ` dmalcolm at gcc dot gnu.org
2022-07-29 13:21 ` [Bug analyzer/106007] RFE: analyzer should complain about exec/system/putenv " tlange at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-28 16:34 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Similarly, putenv should check for tainted string args.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/106007] RFE: analyzer should complain about exec/system of tainted args
2022-06-16 17:16 [Bug analyzer/106007] New: RFE: analyzer should complain about exec/system of tainted args dmalcolm at gcc dot gnu.org
2022-07-28 16:34 ` [Bug analyzer/106007] " dmalcolm at gcc dot gnu.org
@ 2022-07-28 16:36 ` dmalcolm at gcc dot gnu.org
2022-07-29 13:21 ` [Bug analyzer/106007] RFE: analyzer should complain about exec/system/putenv " tlange at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-28 16:36 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Currently the taint analysis only has handling for numeric arguments being
bounds-checked.
How can string arguments transition to a "sanitized" state? Or are string
arguments always tainted once they've acquired taint?
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug analyzer/106007] RFE: analyzer should complain about exec/system/putenv of tainted args
2022-06-16 17:16 [Bug analyzer/106007] New: RFE: analyzer should complain about exec/system of tainted args dmalcolm at gcc dot gnu.org
2022-07-28 16:34 ` [Bug analyzer/106007] " dmalcolm at gcc dot gnu.org
2022-07-28 16:36 ` dmalcolm at gcc dot gnu.org
@ 2022-07-29 13:21 ` tlange at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: tlange at gcc dot gnu.org @ 2022-07-29 13:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106007
Tim Lange <tlange at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tlange at gcc dot gnu.org
--- Comment #3 from Tim Lange <tlange at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #2)
> Currently the taint analysis only has handling for numeric arguments being
> bounds-checked.
>
> How can string arguments transition to a "sanitized" state? Or are string
> arguments always tainted once they've acquired taint?
Many papers introduce sanitizers/taint killers/... besides sources and sinks,
which are also manually-defined methods. Two prime examples in webdev are XSS
and SQL query escaping methods that do replace special characters such that the
user input is not interpreted.
I don't think you can automatically find out that a method is a sanitizer
unless you would track the interesting part of the string on a byte-level.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-07-29 13:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-16 17:16 [Bug analyzer/106007] New: RFE: analyzer should complain about exec/system of tainted args dmalcolm at gcc dot gnu.org
2022-07-28 16:34 ` [Bug analyzer/106007] " dmalcolm at gcc dot gnu.org
2022-07-28 16:36 ` dmalcolm at gcc dot gnu.org
2022-07-29 13:21 ` [Bug analyzer/106007] RFE: analyzer should complain about exec/system/putenv " tlange at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).