transfer taint on memcpy and memmove

Daniel Kroening · Daniel Kroening · commit 758ebb324340 · 2017-11-10T14:23:31.000Z
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/main.c b/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/main.c
@@ -0,0 +1,15 @@
+#include <string.h>
+
+void my_f(void *) { }
+void my_h(void *) { }
+
+void my_function()
+{
+  void *o1;
+  my_f(o1); // T1 source
+
+  void *o2;
+  memcpy(o2, o1, 100);
+
+  my_h(o2); // T1 sink
+}
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/main.o b/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/main.o
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/taint.json b/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/taint.json
@@ -0,0 +1,4 @@
+[
+{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "my_f" },
+{ "id": "my_h", "kind": "sink",   "where": "parameter1", "taint": "T1", "function": "my_h", "message": "There is a T1 flow" }
+]
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/test.desc b/regression/goto-analyzer-taint-ansi-c/taint-memcpy1/test.desc
@@ -0,0 +1,7 @@
+CORE
+main.o
+--taint taint.json
+^EXIT=0$
+^SIGNAL=0$
+^file main.c line 12( function .*)?: There is a T1 flow \(taint rule my_h\)$
+--
diff --git a/src/analyses/custom_bitvector_analysis.cpp b/src/analyses/custom_bitvector_analysis.cpp
@@ -380,6 +380,19 @@ void custom_bitvector_domaint::transform(
             }
           }
         }
+        else if(identifier=="memcpy" ||
+                identifier=="memmove")
+        {
+          if(code_function_call.arguments().size()==3)
+          {
+            // we copy all tracked bits from op1 to op0
+            // we do not consider any bits attached to the size op2
+            dereference_exprt lhs_deref(code_function_call.arguments()[0]);
+            dereference_exprt rhs_deref(code_function_call.arguments()[1]);
+
+            assign_struct_rec(from, lhs_deref, rhs_deref, cba, ns);
+          }
+        }
         else
         {
           goto_programt::const_targett next=from;

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +[
 +{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "my_f" },
 +{ "id": "my_h", "kind": "sink",   "where": "parameter1", "taint": "T1", "function": "my_h", "message": "There is a T1 flow" }
 +]
Original file line number	Diff line number	Diff line change
`@@ -380,6 +380,19 @@ void custom_bitvector_domaint::transform(`
`380`	`380`	`}`
`381`	`381`	`}`
`382`	`382`	`}`
	`383`	`+ else if(identifier=="memcpy" \|\|`
	`384`	`+ identifier=="memmove")`
	`385`	`+ {`
	`386`	`+ if(code_function_call.arguments().size()==3)`
	`387`	`+ {`
	`388`	`+ // we copy all tracked bits from op1 to op0`
	`389`	`+ // we do not consider any bits attached to the size op2`
	`390`	`+ dereference_exprt lhs_deref(code_function_call.arguments()[0]);`
	`391`	`+ dereference_exprt rhs_deref(code_function_call.arguments()[1]);`
	`392`	`+`
	`393`	`+ assign_struct_rec(from, lhs_deref, rhs_deref, cba, ns);`
	`394`	`+ }`
	`395`	`+ }`
`383`	`396`	`else`
`384`	`397`	`{`
`385`	`398`	`goto_programt::const_targett next=from;`