Skip to content

Commit 6f84441

Browse files
mamaria-kmamaria-k
committed
Add taint offset and fix
1 parent 84af116 commit 6f84441

File tree

4 files changed

+50
-18
lines changed

4 files changed

+50
-18
lines changed

configs/annotations.json

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -268,9 +268,6 @@
268268
[
269269
"TaintSink::FormatString",
270270
"TaintSink::SensitiveDataLeak"
271-
],
272-
[
273-
"TaintSink::SensitiveDataLeak"
274271
]
275272
],
276273
"properties": []
@@ -2337,5 +2334,16 @@
23372334
]
23382335
],
23392336
"properties": []
2337+
},
2338+
"vprintf_s": {
2339+
"name": "vprintf_s",
2340+
"annotation": [
2341+
[],
2342+
[],
2343+
[
2344+
"TaintSink::FormatString"
2345+
]
2346+
],
2347+
"properties": []
23402348
}
23412349
}

include/klee/Expr/Expr.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1739,7 +1739,7 @@ class PointerExpr : public NonConstantExpr {
17391739

17401740
bool isKnownValue() const { return getBase()->isZero(); }
17411741

1742-
ref<ConstantExpr> combineTaints(const ref<PointerExpr> &RHS) {
1742+
ref<Expr> combineTaints(const ref<PointerExpr> &RHS) {
17431743
return Expr::combineTaints(getTaint(), RHS->getTaint());
17441744
}
17451745

lib/Core/SpecialFunctionHandler.cpp

Lines changed: 36 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1300,8 +1300,15 @@ void SpecialFunctionHandler::handleAddTaint(klee::ExecutionState &state,
13001300

13011301
uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
13021302
// printf("klee_add_taint source: %zu\n", taintSource);
1303-
executor.executeChangeTaintSource(
1304-
state, target, executor.makePointer(arguments[0]), taintSource, true);
1303+
1304+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1305+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1306+
if (p->isKnownValue()) {
1307+
pointer =
1308+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1309+
}
1310+
}
1311+
executor.executeChangeTaintSource(state, target, pointer, taintSource, true);
13051312
}
13061313

13071314
void SpecialFunctionHandler::handleClearTaint(
@@ -1316,8 +1323,15 @@ void SpecialFunctionHandler::handleClearTaint(
13161323

13171324
uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
13181325
// printf("klee_clear_taint source: %zu\n", taintSource);
1319-
executor.executeChangeTaintSource(
1320-
state, target, executor.makePointer(arguments[0]), taintSource, false);
1326+
1327+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1328+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1329+
if (p->isKnownValue()) {
1330+
pointer =
1331+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1332+
}
1333+
}
1334+
executor.executeChangeTaintSource(state, target, pointer, taintSource, false);
13211335
}
13221336

13231337
void SpecialFunctionHandler::handleCheckTaintSource(
@@ -1332,8 +1346,15 @@ void SpecialFunctionHandler::handleCheckTaintSource(
13321346

13331347
uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
13341348
// printf("klee_check_taint_source source: %zu\n", taintSource);
1335-
executor.executeCheckTaintSource(
1336-
state, target, executor.makePointer(arguments[0]), taintSource);
1349+
1350+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1351+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1352+
if (p->isKnownValue()) {
1353+
pointer =
1354+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1355+
}
1356+
}
1357+
executor.executeCheckTaintSource(state, target, pointer, taintSource);
13371358
}
13381359

13391360
void SpecialFunctionHandler::handleGetTaintHits(
@@ -1348,8 +1369,15 @@ void SpecialFunctionHandler::handleGetTaintHits(
13481369

13491370
uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
13501371
// printf("klee_get_taint_hits sink: %zu\n", taintSink);
1351-
executor.executeGetTaintHits(state, target,
1352-
executor.makePointer(arguments[0]), taintSink);
1372+
1373+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1374+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1375+
if (p->isKnownValue()) {
1376+
pointer =
1377+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1378+
}
1379+
}
1380+
executor.executeGetTaintHits(state, target, pointer, taintSink);
13531381
}
13541382

13551383
void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,

lib/Module/Annotation.cpp

Lines changed: 2 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -140,10 +140,6 @@ Free::Free(const std::string &str) : Unknown(str) {
140140
Kind Free::getKind() const { return Kind::Free; }
141141

142142
Taint::Taint(const std::string &str) : Unknown(str) {
143-
if (!rawOffset.empty()) {
144-
klee_error("Annotation Taint: Incorrect offset format, must be empty");
145-
}
146-
147143
taintType = rawValue.substr(0, rawValue.find(':'));
148144
// TODO: in the future, support typeless annotations (meaning all types)
149145
if (taintType.empty()) {
@@ -166,7 +162,7 @@ TaintOutput::TaintOutput(const std::string &str) : Taint(str) {}
166162
Kind TaintOutput::getKind() const { return Kind::TaintOutput; }
167163

168164
/*
169-
* Format: TaintPropagation::{type}:{data}
165+
* Format: TaintPropagation:{offset}:{type}:{data}
170166
*/
171167

172168
TaintPropagation::TaintPropagation(const std::string &str) : Taint(str) {
@@ -201,7 +197,7 @@ TaintPropagation::TaintPropagation(const std::string &str) : Taint(str) {
201197
Kind TaintPropagation::getKind() const { return Kind::TaintPropagation; }
202198

203199
/*
204-
* Format: TaintSink::{type}
200+
* Format: TaintSink:{offset}:{type}
205201
*/
206202

207203
TaintSink::TaintSink(const std::string &str) : Taint(str) {}

0 commit comments

Comments
 (0)