Skip to content

Commit cf083b6

Browse files
mamaria-kmamaria-k
committed
Add taint offset and fix
1 parent 84af116 commit cf083b6

File tree

3 files changed

+39
-21
lines changed

3 files changed

+39
-21
lines changed

include/klee/Expr/Expr.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1739,7 +1739,7 @@ class PointerExpr : public NonConstantExpr {
17391739

17401740
bool isKnownValue() const { return getBase()->isZero(); }
17411741

1742-
ref<ConstantExpr> combineTaints(const ref<PointerExpr> &RHS) {
1742+
ref<Expr> combineTaints(const ref<PointerExpr> &RHS) {
17431743
return Expr::combineTaints(getTaint(), RHS->getTaint());
17441744
}
17451745

lib/Core/SpecialFunctionHandler.cpp

Lines changed: 36 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1299,9 +1299,15 @@ void SpecialFunctionHandler::handleAddTaint(klee::ExecutionState &state,
12991299
}
13001300

13011301
uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
1302-
// printf("klee_add_taint source: %zu\n", taintSource);
1303-
executor.executeChangeTaintSource(
1304-
state, target, executor.makePointer(arguments[0]), taintSource, true);
1302+
1303+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1304+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1305+
if (p->isKnownValue()) {
1306+
pointer =
1307+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1308+
}
1309+
}
1310+
executor.executeChangeTaintSource(state, target, pointer, taintSource, true);
13051311
}
13061312

13071313
void SpecialFunctionHandler::handleClearTaint(
@@ -1315,9 +1321,15 @@ void SpecialFunctionHandler::handleClearTaint(
13151321
}
13161322

13171323
uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
1318-
// printf("klee_clear_taint source: %zu\n", taintSource);
1319-
executor.executeChangeTaintSource(
1320-
state, target, executor.makePointer(arguments[0]), taintSource, false);
1324+
1325+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1326+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1327+
if (p->isKnownValue()) {
1328+
pointer =
1329+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1330+
}
1331+
}
1332+
executor.executeChangeTaintSource(state, target, pointer, taintSource, false);
13211333
}
13221334

13231335
void SpecialFunctionHandler::handleCheckTaintSource(
@@ -1331,9 +1343,15 @@ void SpecialFunctionHandler::handleCheckTaintSource(
13311343
}
13321344

13331345
uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
1334-
// printf("klee_check_taint_source source: %zu\n", taintSource);
1335-
executor.executeCheckTaintSource(
1336-
state, target, executor.makePointer(arguments[0]), taintSource);
1346+
1347+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1348+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1349+
if (p->isKnownValue()) {
1350+
pointer =
1351+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1352+
}
1353+
}
1354+
executor.executeCheckTaintSource(state, target, pointer, taintSource);
13371355
}
13381356

13391357
void SpecialFunctionHandler::handleGetTaintHits(
@@ -1347,9 +1365,15 @@ void SpecialFunctionHandler::handleGetTaintHits(
13471365
}
13481366

13491367
uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
1350-
// printf("klee_get_taint_hits sink: %zu\n", taintSink);
1351-
executor.executeGetTaintHits(state, target,
1352-
executor.makePointer(arguments[0]), taintSink);
1368+
1369+
ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
1370+
if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
1371+
if (p->isKnownValue()) {
1372+
pointer =
1373+
PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
1374+
}
1375+
}
1376+
executor.executeGetTaintHits(state, target, pointer, taintSink);
13531377
}
13541378

13551379
void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
@@ -1364,6 +1388,5 @@ void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
13641388

13651389
uint64_t taintHits = dyn_cast<ConstantExpr>(arguments[0])->getZExtValue();
13661390
size_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
1367-
// printf("klee_taint_hit hits: %zu sink: %zu\n", taintHits, taintSink);
13681391
executor.terminateStateOnTargetTaintError(state, taintHits, taintSink);
13691392
}

lib/Module/Annotation.cpp

Lines changed: 2 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -140,12 +140,7 @@ Free::Free(const std::string &str) : Unknown(str) {
140140
Kind Free::getKind() const { return Kind::Free; }
141141

142142
Taint::Taint(const std::string &str) : Unknown(str) {
143-
if (!rawOffset.empty()) {
144-
klee_error("Annotation Taint: Incorrect offset format, must be empty");
145-
}
146-
147143
taintType = rawValue.substr(0, rawValue.find(':'));
148-
// TODO: in the future, support typeless annotations (meaning all types)
149144
if (taintType.empty()) {
150145
klee_error("Annotation Taint: Incorrect value format, must has taint type");
151146
}
@@ -166,7 +161,7 @@ TaintOutput::TaintOutput(const std::string &str) : Taint(str) {}
166161
Kind TaintOutput::getKind() const { return Kind::TaintOutput; }
167162

168163
/*
169-
* Format: TaintPropagation::{type}:{data}
164+
* Format: TaintPropagation:{offset}:{type}:{data}
170165
*/
171166

172167
TaintPropagation::TaintPropagation(const std::string &str) : Taint(str) {
@@ -201,7 +196,7 @@ TaintPropagation::TaintPropagation(const std::string &str) : Taint(str) {
201196
Kind TaintPropagation::getKind() const { return Kind::TaintPropagation; }
202197

203198
/*
204-
* Format: TaintSink::{type}
199+
* Format: TaintSink:{offset}:{type}
205200
*/
206201

207202
TaintSink::TaintSink(const std::string &str) : Taint(str) {}

0 commit comments

Comments
 (0)