From: David Malcolm <dmalcolm@redhat.com>
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm <dmalcolm@redhat.com>
Subject: [pushed] analyzer: add SARIF property bags to taint diagnostics
Date: Fri, 22 Mar 2024 11:00:54 -0400 [thread overview]
Message-ID: <20240322150054.1063813-1-dmalcolm@redhat.com> (raw)
Another followup to r14-6057-g12b67d1e13b3cf to make it easier to debug
the analyzer.
Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Successful run of analyzer integration tests on x86_64-pc-linux-gnu.
Pushed to trunk as r14-9624-gd475a4571ef310.
gcc/analyzer/ChangeLog:
* sm-taint.cc: Include "diagnostic-format-sarif.h".
(bounds_to_str): New.
(taint_diagnostic::maybe_add_sarif_properties): New.
(tainted_offset::tainted_offset): Add "offset" param.
(tainted_offset::maybe_add_sarif_properties): New.
(tainted_offset::m_offset): New.
(region_model::check_region_for_taint): Pass offset to
tainted_offset ctor.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
gcc/analyzer/sm-taint.cc | 50 +++++++++++++++++++++++++++++++++++++---
1 file changed, 47 insertions(+), 3 deletions(-)
diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index bbf683f82efc..c873c9ebd333 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -50,6 +50,7 @@ along with GCC; see the file COPYING3. If not see
#include "analyzer/program-state.h"
#include "analyzer/pending-diagnostic.h"
#include "analyzer/constraint-manager.h"
+#include "diagnostic-format-sarif.h"
#if ENABLE_ANALYZER
@@ -71,6 +72,22 @@ enum bounds
BOUNDS_LOWER
};
+static const char *
+bounds_to_str (enum bounds b)
+{
+ switch (b)
+ {
+ default:
+ gcc_unreachable ();
+ case BOUNDS_NONE:
+ return "BOUNDS_NONE";
+ case BOUNDS_UPPER:
+ return "BOUNDS_UPPER";
+ case BOUNDS_LOWER:
+ return "BOUNDS_LOWER";
+ }
+}
+
/* An experimental state machine, for tracking "taint": unsanitized uses
of data potentially under an attacker's control. */
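Review bot: The `default: gcc_unreachable ();` label placed first in the switch of bounds_to_str turns off the compiler's enumeration-coverage warning (-Wswitch) for this function, so a later addition to `enum bounds` would only be caught at run time, as an ICE when that value reaches a SARIF property bag. Dropping the default and putting `gcc_unreachable ();` after the closing brace of the switch keeps the compile-time check while preserving the same behaviour for the three known values. The new function also lacks the leading comment GCC style expects; something like `/* Return a string for B, for use in SARIF property bags.  */` above the definition would do.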
@@ -193,6 +210,17 @@ public:
return diagnostic_event::meaning ();
}
+ void maybe_add_sarif_properties (sarif_object &result_obj)
+ const override
+ {
+ sarif_property_bag &props = result_obj.get_or_create_properties ();
+#define PROPERTY_PREFIX "gcc/analyzer/taint_diagnostic/"
+ props.set (PROPERTY_PREFIX "arg", tree_to_json (m_arg));
+ props.set_string (PROPERTY_PREFIX "has_bounds",
+ bounds_to_str (m_has_bounds));
+#undef PROPERTY_PREFIX
+ }
+
protected:
const taint_state_machine &m_sm;
tree m_arg;
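Review bot: taint_diagnostic::maybe_add_sarif_properties hands m_arg to tree_to_json with no null check, while the last hunk of this patch obtains m_arg from get_representative_tree, which as far as I recall may yield NULL_TREE when no representative tree exists for the svalue. If tree_to_json does not tolerate NULL_TREE this would crash only when SARIF output is requested, which is exactly the debugging path this patch is meant to help; a guard such as `if (m_arg) props.set (PROPERTY_PREFIX "arg", tree_to_json (m_arg));` (or confirming the helper handles it) would settle that. A one-line comment on the override, e.g. `/* Implementation of pending_diagnostic::maybe_add_sarif_properties for taint diagnostics: record the tainted value and its known bounds.  */`, would document what the property bag carries. The enclosing class definition starts outside the hunk.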
@@ -315,8 +343,10 @@ class tainted_offset : public taint_diagnostic
{
public:
tainted_offset (const taint_state_machine &sm, tree arg,
- enum bounds has_bounds)
- : taint_diagnostic (sm, arg, has_bounds)
+ enum bounds has_bounds,
+ const svalue *offset)
+ : taint_diagnostic (sm, arg, has_bounds),
+ m_offset (offset)
{}
const char *get_kind () const final override { return "tainted_offset"; }
@@ -409,6 +439,19 @@ public:
" checking");
}
}
+
+ void maybe_add_sarif_properties (sarif_object &result_obj)
+ const final override
+ {
+ taint_diagnostic::maybe_add_sarif_properties (result_obj);
+ sarif_property_bag &props = result_obj.get_or_create_properties ();
+#define PROPERTY_PREFIX "gcc/analyzer/tainted_offset/"
+ props.set (PROPERTY_PREFIX "offset", m_offset->to_json ());
+#undef PROPERTY_PREFIX
+ }
+
+private:
+ const svalue *m_offset;
};
/* Concrete taint_diagnostic subclass for reporting attacker-controlled
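Review bot: tainted_offset::maybe_add_sarif_properties dereferences m_offset unconditionally in `m_offset->to_json ()`, and the new constructor in the previous hunk stores whatever pointer it is given without checking it or documenting that it must be non-null. The one visible caller passes the svalue it has just queried for taint, so the pointer is presumably valid, but that contract is implicit; adding `gcc_assert (offset);` in the constructor and a member comment such as `/* The svalue used as the offset; never null.  */` next to `m_offset` would make it explicit for the next subclass author. Note also that the stored pointer is a non-owning reference into the region_model_manager's svalue pool, which is fine as long as the pending diagnostic does not outlive that manager; a comment stating this assumption would help.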
@@ -1554,7 +1597,8 @@ region_model::check_region_for_taint (const region *reg,
if (taint_sm.get_taint (state, effective_type, &b))
{
tree arg = get_representative_tree (offset);
- ctxt->warn (make_unique<tainted_offset> (taint_sm, arg, b));
+ ctxt->warn (make_unique<tainted_offset> (taint_sm, arg, b,
+ offset));
}
}
break;
--
2.26.3