WIP: Update CWE 476 #459
Draft
vobst wants to merge 9 commits into fkie-cad:master from vobst:update_cwe_476
Extend the set of Linux LKM API functions that either return a pointer to a valid object, or a value that indicates an error. This list contains all functions that are exported to modules, i.e., `EXPORT_SYMBOL(|_GPL)`, and return a pointer to a non-pointer type. Signed-off-by: Valentin Obst <[email protected]>
Add more Linux LKM API functions that allocate memory and return a pointer to the new allocation. Signed-off-by: Valentin Obst <[email protected]>
Signed-off-by: Valentin Obst <[email protected]>
By removing the `update_return_callee` implementation we get the default implementation, which implies that we now do an interprocedural analysis. This means we no longer raise a warning when a function may return a NULL pointer, but rather make the caller responsible for checking it.

Introduce a new configuration parameter `strict_call_policy` that can be used to enable the current default behavior, where any taint that may be passed as an argument to a function call causes a warning. This is to prepare for the introduction of a new mode, where a more fine grained policy is used.

Remove the `extern_symbol_map` and `current_sub` members from the `Context` type. Those are no longer needed in this version of the check.

Include a 'reason' field in the generated CWE warnings s.t. it is easier to check which heuristic triggered the warning. Signed-off-by: Valentin Obst <[email protected]>
Signed-off-by: Valentin Obst <[email protected]>
Add a convenience function to convert an integer into a one-element interval. Signed-off-by: Valentin Obst <[email protected]>
…ke ref
There is no need for this function to take ownership of the address value. Change it to take a ref instead. Signed-off-by: Valentin Obst <[email protected]>
Add a method to check if the memory or register location described by an `AbstractLocation` holds a tainted value. Signed-off-by: Valentin Obst <[email protected]>
Currently, we only emit warnings for function calls if `strict_call_policy` is set. However, enabling this can cause many FPs since warnings are emitted as soon as any parameter may contain taint, or point to a tainted value. For nested parameters it may also lead to FNs since only one level of nesting is considered. Use function summaries to make a more accurate decision whether or not a callee may dereference a potential NULL pointer that is made available to it. Signed-off-by: Valentin Obst <[email protected]>
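The difference between the `strict_call_policy` behaviour and the summary-based decision described in the commit messages above, as a toy model in Python. This is an added example and not cwe_checker code: the mini IR, the instruction forms, the function names, the allocator table and the sample program are all constructed here for illustration. It shows the three things the commits talk about: a callee that returns an unchecked allocation makes the caller's variable tainted (interprocedural return), the strict policy warns on any tainted argument, and the summary policy warns only when the callee is known to dereference that parameter.

```python
"""Toy model of strict vs. summary-based call handling for a NULL-deref check.

Added example, not cwe_checker code. The mini IR, the allocator table
and the sample program are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed subset of the "may return NULL" table (the real check lists
# many more exported LKM functions).
MAY_RETURN_NULL = {"kmalloc", "kzalloc"}

# Constructed IR, one tuple per instruction:
#   ("alloc", dst, fn)           dst = fn(...)            fn may return NULL
#   ("check", var)               if (!var) return;        var is non-NULL afterwards
#   ("deref", var)               *var
#   ("call", dst, callee, args)  dst = callee(*args)      dst may be None
#   ("ret", var)                 return var               var may be None
# A program maps function name -> (parameter names, instruction list).


@dataclass
class Summary:
    """What a caller needs to know about a callee."""
    derefs_param: set = field(default_factory=set)  # indices dereferenced unchecked
    may_return_null: bool = False


def summarize(program, name, policy, memo):
    """Analyse `name` with its parameters as taint sources and cache the result."""
    if name not in memo:
        memo[name] = Summary()  # placeholder so recursive call chains terminate
        ret_taint, warnings = run(program, name, policy, memo)
        memo[name] = Summary(
            derefs_param={i for (_, _, reason, t) in warnings
                          if reason in ("deref", "callee_derefs_param")
                          for (kind, i) in t if kind == "param"},
            may_return_null=bool(ret_taint),
        )
    return memo[name]


def run(program, name, policy, memo):
    """Forward taint pass over one function; returns (taint of returned value, warnings).

    Taint origins are ("param", index), ("alloc", fn) or ("ret", callee).
    """
    params, body = program[name]
    taint = {p: {("param", i)} for i, p in enumerate(params)}
    warnings, ret_taint = [], set()
    for idx, ins in enumerate(body):
        op = ins[0]
        if op == "alloc":
            _, dst, fn = ins
            taint[dst] = {("alloc", fn)} if fn in MAY_RETURN_NULL else set()
        elif op == "check":
            taint.pop(ins[1], None)  # non-NULL on the path that continues
        elif op == "deref":
            t = taint.get(ins[1], set())
            if t:
                warnings.append((name, idx, "deref", frozenset(t)))
        elif op == "call":
            _, dst, callee, args = ins
            summ = summarize(program, callee, policy, memo) if callee in program else Summary()
            for i, arg in enumerate(args):
                t = taint.get(arg, set())
                if not t:
                    continue
                if policy == "strict":
                    # old behaviour: any tainted argument is reported
                    warnings.append((name, idx, "strict_call_policy", frozenset(t)))
                elif i in summ.derefs_param:
                    # new behaviour: only if the callee is known to dereference it
                    warnings.append((name, idx, "callee_derefs_param", frozenset(t)))
            if dst is not None:
                # interprocedural return: the caller is responsible for checking
                taint[dst] = {("ret", callee)} if summ.may_return_null else set()
        elif op == "ret" and ins[1] is not None:
            ret_taint = taint.get(ins[1], set())
    return ret_taint, warnings


def check_cwe476(program, entry, policy="summary"):
    """Report (function, instruction index, reason) for taint that comes from an
    allocation or a callee return; taint that is only a parameter is the caller's job."""
    _, warnings = run(program, entry, policy, {})
    return [(f, idx, reason) for (f, idx, reason, t) in warnings
            if any(kind != "param" for kind, _ in t)]


# Constructed sample program modelled on typical module code.
PROGRAM = {
    "init_buf": (["b"], [("deref", "b")]),                       # b->len = 0;
    "log_ptr": (["b"], [("call", None, "printk", ["b"])]),       # pr_info("%p", b);
    "printk": (["p"], []),
    "new_buf": ([], [("alloc", "p", "kzalloc"), ("ret", "p")]),  # returns unchecked
    "good": ([], [("alloc", "a", "kmalloc"), ("check", "a"),
                  ("call", None, "init_buf", ["a"])]),
    "bad_direct": ([], [("alloc", "a", "kmalloc"), ("deref", "a")]),
    "bad_via_callee": ([], [("alloc", "a", "kmalloc"),
                            ("call", None, "init_buf", ["a"])]),
    "fp_under_strict": ([], [("alloc", "a", "kmalloc"),
                             ("call", None, "log_ptr", ["a"]),
                             ("check", "a"), ("deref", "a")]),
    "bad_via_return": ([], [("call", "b", "new_buf", []), ("deref", "b")]),
}

if __name__ == "__main__":
    for fn in PROGRAM:
        for policy in ("strict", "summary"):
            print(fn, policy, check_cwe476(PROGRAM, fn, policy))
```

`fp_under_strict` is the false positive the last commit message refers to: the pointer is only logged before it is checked, so the strict policy warns and the summary policy stays quiet, while `bad_via_callee` is caught by both, with the `reason` field telling you which heuristic fired.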
Warning: While in draft state, this PR will be force pushed without notice!
The recent introduction of the taint analysis abstractions (#450) as well as further enhancements made in the context of the CWE252 check (#451) mean that the other checkers that are based on a taint analysis are not as good as they could be.
This updates the code of CWE476 to make full use of the new taint analysis backend. The main improvement is that the analysis is now interprocedural.
It also includes other enhancements to this check:
strict_call_policy