Static Value-Flow Analysis
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Private Member Functions | Private Attributes | Friends | List of all members
SVF::BufOverflowDetector Class Reference

Detector for identifying buffer overflow issues. More...

#include <AEDetector.h>

Inheritance diagram for SVF::BufOverflowDetector:
SVF::AEDetector

Public Member Functions

 BufOverflowDetector ()
 Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.
 
 ~BufOverflowDetector ()=default
 Destructor.
 
void updateGepObjOffsetFromBase (AbstractState &as, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
 Updates the offset of a GEP object from its base.
 
void detect (AbstractState &as, const ICFGNode *)
 Detect buffer overflow issues within a node.
 
void handleStubFunctions (const CallICFGNode *)
 Handles external API calls related to buffer overflow detection.
 
void addToGepObjOffsetFromBase (const GepObjVar *obj, const IntervalValue &offset)
 Adds an offset to a GEP object.
 
bool hasGepObjOffsetFromBase (const GepObjVar *obj) const
 Checks if a GEP object has an associated offset.
 
IntervalValue getGepObjOffsetFromBase (const GepObjVar *obj) const
 Retrieves the offset of a GEP object from its base.
 
IntervalValue getAccessOffset (AbstractState &as, NodeID objId, const GepStmt *gep)
 Retrieves the access offset for a given object and GEP statement.
 
void addBugToReporter (const AEException &e, const ICFGNode *node)
 Adds a bug to the reporter based on an exception.
 
void reportBug ()
 Reports all detected buffer overflow bugs.
 
void initExtAPIBufOverflowCheckRules ()
 Initializes external API buffer overflow check rules.
 
void detectExtAPI (AbstractState &as, const CallICFGNode *call)
 Handles external API calls related to buffer overflow detection.
 
bool canSafelyAccessMemory (AbstractState &as, const SVFVar *value, const IntervalValue &len)
 Checks if memory can be safely accessed.
 
- Public Member Functions inherited from SVF::AEDetector
 AEDetector ()
 Constructor initializes the detector kind to UNKNOWN.
 
virtual ~AEDetector ()=default
 Virtual destructor for safe polymorphic use.
 
DetectorKind getKind () const
 Get the kind of the detector.
 

Static Public Member Functions

static bool classof (const AEDetector *detector)
 Check if the detector is of the BUF_OVERFLOW kind.
 
- Static Public Member Functions inherited from SVF::AEDetector
static bool classof (const AEDetector *detector)
 Check if the detector is of the UNKNOWN kind.
 

Private Member Functions

bool detectStrcat (AbstractState &as, const CallICFGNode *call)
 Detects buffer overflow in 'strcat' function calls.
 
bool detectStrcpy (AbstractState &as, const CallICFGNode *call)
 Detects buffer overflow in 'strcpy' function calls.
 

Private Attributes

Map< const GepObjVar *, IntervalValuegepObjOffsetFromBase
 Maps GEP objects to their offsets from the base.
 
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
 Rules for checking buffer overflows in external APIs.
 
Set< std::string > bugLoc
 Set of locations where bugs have been reported.
 
SVFBugReport recoder
 Recorder for abstract execution bugs.
 
Map< const ICFGNode *, std::string > nodeToBugInfo
 Maps ICFG nodes to bug information.
 

Friends

class AbstractInterpretation
 

Additional Inherited Members

- Public Types inherited from SVF::AEDetector
enum  DetectorKind { BUF_OVERFLOW , NULL_DEREF , UNKNOWN }
 Enumerates the types of detectors available. More...
 
- Protected Attributes inherited from SVF::AEDetector
DetectorKind kind
 The kind of the detector.
 

Detailed Description

Detector for identifying buffer overflow issues.

Definition at line 135 of file AEDetector.h.

Constructor & Destructor Documentation

◆ BufOverflowDetector()

SVF::BufOverflowDetector::BufOverflowDetector ( )
inline

Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.

Definition at line 142 of file AEDetector.h.

143 {
144 kind = BUF_OVERFLOW;
145 initExtAPIBufOverflowCheckRules();
146 }
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:48
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:101
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:185

◆ ~BufOverflowDetector()

SVF::BufOverflowDetector::~BufOverflowDetector ( )
default

Destructor.

Member Function Documentation

◆ addBugToReporter()

void SVF::BufOverflowDetector::addBugToReporter ( const AEException e,
const ICFGNode node 
)
inline

Adds a bug to the reporter based on an exception.

Parameters
eThe exception that was thrown.
nodePointer to the ICFG node where the bug was detected.

Definition at line 239 of file AEDetector.h.

240 {
241
242 GenericBug::EventStack eventStack;
243 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
244 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
245
246 if (eventStack.empty())
247 {
248 return; // If the event stack is empty, return early
249 }
250
251 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
252
253 // Check if the bug at this location has already been reported
254 if (bugLoc.find(loc) != bugLoc.end())
255 {
256 return; // If the bug location is already reported, return early
257 }
258 else
259 {
260 bugLoc.insert(loc); // Otherwise, mark this location as reported
261 }
262
263 // Add the bug to the recorder with details from the event stack
264 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
265 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
266 }
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:327
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:326
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:328
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74

◆ addToGepObjOffsetFromBase()

void SVF::BufOverflowDetector::addToGepObjOffsetFromBase ( const GepObjVar obj,
const IntervalValue offset 
)
inline

Adds an offset to a GEP object.

Parameters
objPointer to the GEP object.
offsetThe interval value of the offset.

Definition at line 194 of file AEDetector.h.

195 {
196 gepObjOffsetFromBase[obj] = offset;
197 }
offset
buffer offset
Definition cJSON.cpp:1113
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:324

◆ canSafelyAccessMemory()

bool BufOverflowDetector::canSafelyAccessMemory ( AbstractState as,
const SVFVar value,
const IntervalValue len 
)

Checks if memory can be safely accessed.

Checks if a memory access is safe given a specific buffer length.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

This function ensures that a given memory access, starting at a specific value, does not exceed the allocated size of the buffer.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

Definition at line 477 of file AEDetector.cpp.

478{
479 SVFIR* svfir = PAG::getPAG();
480 NodeID value_id = value->getId();
481
482 assert(as[value_id].isAddr());
483 for (const auto& addr : as[value_id].getAddrs())
484 {
485 NodeID objId = as.getIDFromAddr(addr);
486 u32_t size = 0;
487 // if the object is a constant size object, get the size directly
488 if (svfir->getBaseObject(objId)->isConstantByteSize())
489 {
490 size = svfir->getBaseObject(objId)->getByteSizeOfObj();
491 }
492 else
493 {
494 // if the object is not a constant size object, get the size from the addrStmt
495 const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
496 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
497 {
498 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
499 {
500 size = as.getAllocaInstByteSize(addrStmt);
501 }
502 }
503 }
504
505 IntervalValue offset(0);
506 // if the object is a GepObjVar, get the offset from the base object
507 if (SVFUtil::isa<GepObjVar>(svfir->getGNode(objId)))
508 {
509 offset = getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(svfir->getGNode(objId))) + len;
510 }
511 else if (SVFUtil::isa<BaseObjVar>(svfir->getGNode(objId)))
512 {
513 // if the object is a BaseObjVar, get the offset directly
514 offset = len;
515 }
516
517 // if the offset is greater than the size, return false
518 if (offset.ub().getIntNumeral() >= size)
519 {
520 return false;
521 }
522 }
523 return true;
524}
u32_t
unsigned u32_t
Definition CommandLine.h:18
SVF::BaseObjVar::getICFGNode
const ICFGNode * getICFGNode() const
Get the ICFGNode related to the creation of this object.
Definition SVFVariables.h:575
SVF::BaseObjVar::isConstantByteSize
bool isConstantByteSize() const
Check if byte size is a const value.
Definition SVFVariables.h:648
SVF::BaseObjVar::getByteSizeOfObj
u32_t getByteSizeOfObj() const
Get the byte size of this object.
Definition SVFVariables.h:642
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:214
SVF::GenericGraph::getGNode
NodeType * getGNode(NodeID id) const
Get a node.
Definition GenericGraph.h:403
SVF::SVFIR::getBaseObject
const BaseObjVar * getBaseObject(NodeID id) const
Definition SVFIR.h:419
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:116
SVF::SVFValue::getId
NodeID getId() const
Get ID.
Definition SVFValue.h:160
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56

◆ classof()

static bool SVF::BufOverflowDetector::classof ( const AEDetector detector)
inlinestatic

Check if the detector is of the BUF_OVERFLOW kind.

Parameters
detectorPointer to the detector.
Returns
True if the detector is of type BUF_OVERFLOW, false otherwise.

Definition at line 158 of file AEDetector.h.

159 {
160 return detector->getKind() == AEDetector::BUF_OVERFLOW;
161 }

◆ detect()

void BufOverflowDetector::detect ( AbstractState as,
const ICFGNode node 
)
virtual

Detect buffer overflow issues within a node.

Detects buffer overflow issues within a given ICFG node.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

This function handles both non-call nodes, where it analyzes GEP (GetElementPtr) instructions for potential buffer overflows, and call nodes, where it checks for external API calls that may cause overflows.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 45 of file AEDetector.cpp.

46{
47 if (!SVFUtil::isa<CallICFGNode>(node))
48 {
49 // Handle non-call nodes by analyzing GEP instructions
50 for (const SVFStmt* stmt : node->getSVFStmts())
51 {
52 if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
53 {
54 SVFIR* svfir = PAG::getPAG();
55 NodeID lhs = gep->getLHSVarID();
56 NodeID rhs = gep->getRHSVarID();
57
58 // Update the GEP object offset from its base
59 updateGepObjOffsetFromBase(as, as[lhs].getAddrs(), as[rhs].getAddrs(), as.getByteOffset(gep));
60
61 IntervalValue baseObjSize = IntervalValue::bottom();
62 AddressValue objAddrs = as[gep->getRHSVarID()].getAddrs();
63 for (const auto& addr : objAddrs)
64 {
65 NodeID objId = as.getIDFromAddr(addr);
66 u32_t size = 0;
67 // like `int arr[10]` which has constant size before runtime
68 if (svfir->getBaseObject(objId)->isConstantByteSize())
69 {
70 size = svfir->getBaseObject(objId)->getByteSizeOfObj();
71 }
72 else
73 {
74 // like `int len = ***; int arr[len]`, whose size can only be known in runtime
75 const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
76 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
77 {
78 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
79 {
80 size = as.getAllocaInstByteSize(addrStmt);
81 }
82 }
83 }
84
85 // Calculate access offset and check for potential overflow
86 IntervalValue accessOffset = getAccessOffset(as, objId, gep);
87 if (accessOffset.ub().getIntNumeral() >= size)
88 {
89 AEException bug(stmt->toString());
90 addBugToReporter(bug, stmt->getICFGNode());
91 }
92 }
93 }
94 }
95 }
96 else
97 {
98 // Handle call nodes by checking for external API calls
99 const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
100 if (SVFUtil::isExtCall(callNode->getCalledFunction()))
101 {
102 detectExtAPI(as, callNode);
103 }
104 }
105}
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:109
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(AbstractState &as, NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:313
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:219
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(AbstractState &as, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:347
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:239
SVF::IntervalValue::bottom
static IntervalValue bottom()
Create the bottom IntervalValue [+inf, -inf].
Definition IntervalValue.h:100
SVF::SVFUtil::isExtCall
bool isExtCall(const FunObjVar *fun)
Definition SVFUtil.cpp:437

◆ detectExtAPI()

void BufOverflowDetector::detectExtAPI ( AbstractState as,
const CallICFGNode call 
)

Handles external API calls related to buffer overflow detection.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

This function checks the type of external memory API (e.g., memcpy, memset, strcpy, strcat) and applies the corresponding buffer overflow checks based on predefined rules.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

Definition at line 219 of file AEDetector.cpp.

221{
222 assert(call->getCalledFunction() && "FunObjVar* is nullptr");
223
224 AbsExtAPI::ExtAPIType extType = AbsExtAPI::UNCLASSIFIED;
225
226 // Determine the type of external memory API
227 for (const std::string &annotation : ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
228 {
229 if (annotation.find("MEMCPY") != std::string::npos)
230 extType = AbsExtAPI::MEMCPY;
231 if (annotation.find("MEMSET") != std::string::npos)
232 extType = AbsExtAPI::MEMSET;
233 if (annotation.find("STRCPY") != std::string::npos)
234 extType = AbsExtAPI::STRCPY;
235 if (annotation.find("STRCAT") != std::string::npos)
236 extType = AbsExtAPI::STRCAT;
237 }
238
239 // Apply buffer overflow checks based on the determined API type
240 if (extType == AbsExtAPI::MEMCPY)
241 {
242 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
243 {
244 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
245 return;
246 }
247 std::vector<std::pair<u32_t, u32_t>> args =
248 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
249 for (auto arg : args)
250 {
251 IntervalValue offset = as[call->getArgument(arg.second)->getId()].getInterval() - IntervalValue(1);
252 const SVFVar* argVar = call->getArgument(arg.first);
253 if (!canSafelyAccessMemory(as, argVar, offset))
254 {
255 AEException bug(call->toString());
256 addBugToReporter(bug, call);
257 }
258 }
259 }
260 else if (extType == AbsExtAPI::MEMSET)
261 {
262 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
263 {
264 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
265 return;
266 }
267 std::vector<std::pair<u32_t, u32_t>> args =
268 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
269 for (auto arg : args)
270 {
271 IntervalValue offset = as[call->getArgument(arg.second)->getId()].getInterval() - IntervalValue(1);
272 const SVFVar* argVar = call->getArgument(arg.first);
273 if (!canSafelyAccessMemory(as, argVar, offset))
274 {
275 AEException bug(call->toString());
276 addBugToReporter(bug, call);
277 }
278 }
279 }
280 else if (extType == AbsExtAPI::STRCPY)
281 {
282 if (!detectStrcpy(as, call))
283 {
284 AEException bug(call->toString());
285 addBugToReporter(bug, call);
286 }
287 }
288 else if (extType == AbsExtAPI::STRCAT)
289 {
290 if (!detectStrcat(as, call))
291 {
292 AEException bug(call->toString());
293 addBugToReporter(bug, call);
294 }
295 }
296 else
297 {
298 // Handle other cases
299 }
300}
SVF::AbsExtAPI::ExtAPIType
ExtAPIType
Enumeration of external API types.
Definition AbsExtAPI.h:50
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:325
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:418
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:436
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(AbstractState &as, const SVFVar *value, const IntervalValue &len)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:477
SVF::CallICFGNode::toString
const std::string toString() const override
Definition ICFG.cpp:139
SVF::CallICFGNode::getArgument
const ValVar * getArgument(u32_t ArgNo) const
Parameter operations.
Definition ICFGNode.h:494
SVF::CallICFGNode::getCalledFunction
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:512
SVF::SVFValue::getName
virtual const std::string & getName() const
Definition SVFValue.h:186
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:58

◆ detectStrcat()

bool BufOverflowDetector::detectStrcat ( AbstractState as,
const CallICFGNode call 
)
private

Detects buffer overflow in 'strcat' function calls.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate both the existing string and the concatenated string from the source.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 436 of file AEDetector.cpp.

437{
438 const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
439 const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
440
441 if (std::find(strcatGroup.begin(), strcatGroup.end(), call->getCalledFunction()->getName()) != strcatGroup.end())
442 {
443 const SVFVar* arg0Val = call->getArgument(0);
444 const SVFVar* arg1Val = call->getArgument(1);
445 IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
446 IntervalValue strLen1 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
447 IntervalValue totalLen = strLen0 + strLen1;
448 return canSafelyAccessMemory(as, arg0Val, totalLen);
449 }
450 else if (std::find(strncatGroup.begin(), strncatGroup.end(), call->getCalledFunction()->getName()) != strncatGroup.end())
451 {
452 const SVFVar* arg0Val = call->getArgument(0);
453 const SVFVar* arg2Val = call->getArgument(2);
454 IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
455 IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
456 IntervalValue totalLen = strLen0 + arg2Num;
457 return canSafelyAccessMemory(as, arg0Val, totalLen);
458 }
459 else
460 {
461 assert(false && "Unknown strcat function, please add it to strcatGroup or strncatGroup");
462 abort();
463 }
464}
SVF::AbsExtAPI::getStrlen
IntervalValue getStrlen(AbstractState &as, const SVF::SVFVar *strValue)
Calculates the length of a string.
Definition AbsExtAPI.cpp:504
SVF::AbstractInterpretation::getAEInstance
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:147

◆ detectStrcpy()

bool BufOverflowDetector::detectStrcpy ( AbstractState as,
const CallICFGNode call 
)
private

Detects buffer overflow in 'strcpy' function calls.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate the source string being copied, accounting for the null terminator.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 418 of file AEDetector.cpp.

419{
420 const SVFVar* arg0Val = call->getArgument(0);
421 const SVFVar* arg1Val = call->getArgument(1);
422 IntervalValue strLen = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
423 return canSafelyAccessMemory(as, arg0Val, strLen);
424}

◆ getAccessOffset()

IntervalValue BufOverflowDetector::getAccessOffset ( SVF::AbstractState as,
SVF::NodeID  objId,
const GepStmt gep 
)

Retrieves the access offset for a given object and GEP statement.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

This function calculates the access offset for a base object or a sub-object of an aggregate object (using GEP). If the object is a dummy object, it returns a top interval value.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

Definition at line 313 of file AEDetector.cpp.

314{
315 SVFIR* svfir = PAG::getPAG();
316 auto obj = svfir->getGNode(objId);
317
318 if (SVFUtil::isa<BaseObjVar>(obj))
319 {
320 // if the object is a BaseObjVar, return the byte offset directly
321 // like `int arr[10]; arr[5] = 1;` arr is the baseObjVar
322 return as.getByteOffset(gep);
323 }
324 else if (SVFUtil::isa<GepObjVar>(obj))
325 {
326 // if the object is a GepObjVar, return the offset from the base object
327 // like `int arr[10]; int* p=arr+5; p[3] = 1`, p is the GepObjVar from arr.
328 return getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(obj)) + as.getByteOffset(gep);
329 }
330 else
331 {
332 assert(SVFUtil::isa<DummyObjVar>(obj) && "Unknown object type");
333 return IntervalValue::top();
334 }
335}
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94

◆ getGepObjOffsetFromBase()

IntervalValue SVF::BufOverflowDetector::getGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Retrieves the offset of a GEP object from its base.

Parameters
objPointer to the GEP object.
Returns
The interval value of the offset.

Definition at line 214 of file AEDetector.h.

215 {
216 if (hasGepObjOffsetFromBase(obj))
217 return gepObjOffsetFromBase.at(obj);
218 else
219 {
220 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
221 abort();
222 }
223 }
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:204

◆ handleStubFunctions()

void BufOverflowDetector::handleStubFunctions ( const CallICFGNode callNode)
virtual

Handles external API calls related to buffer overflow detection.

Handles stub functions within the ICFG node.

Parameters
callPointer to the call ICFG node.

This function is a placeholder for handling stub functions within the ICFG node.

Parameters
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 115 of file AEDetector.cpp.

116{
117 // get function name
118 std::string funcName = callNode->getCalledFunction()->getName();
119 if (funcName == "SAFE_BUFACCESS")
120 {
121 // void SAFE_BUFACCESS(void* data, int size);
122 AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
123 if (callNode->arg_size() < 2)
124 return;
125 AbstractState& as =
126 AbstractInterpretation::getAEInstance().getAbsStateFromTrace(
127 callNode);
128 u32_t size_id = callNode->getArgument(1)->getId();
129 IntervalValue val = as[size_id].getInterval();
130 if (val.isBottom())
131 {
132 val = IntervalValue(0);
133 assert(false && "SAFE_BUFACCESS size is bottom");
134 }
135 const SVFVar* arg0Val = callNode->getArgument(0);
136 bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
137 if (isSafe)
138 {
139 SVFUtil::outs() << SVFUtil::sucMsg("success: expected safe buffer access at SAFE_BUFACCESS")
140 << " — " << callNode->toString() << "\n";
141 return;
142 }
143 else
144 {
145 SVFUtil::outs() << SVFUtil::errMsg("failure: unexpected buffer overflow at SAFE_BUFACCESS")
146 << " — Position: " << callNode->getSourceLoc() << "\n";
147 assert(false);
148 }
149 }
150 else if (funcName == "UNSAFE_BUFACCESS")
151 {
152 // void UNSAFE_BUFACCESS(void* data, int size);
153 AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
154 if (callNode->arg_size() < 2) return;
155 AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
156 u32_t size_id = callNode->getArgument(1)->getId();
157 IntervalValue val = as[size_id].getInterval();
158 if (val.isBottom())
159 {
160 assert(false && "UNSAFE_BUFACCESS size is bottom");
161 }
162 const SVFVar* arg0Val = callNode->getArgument(0);
163 bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
164 if (!isSafe)
165 {
166 SVFUtil::outs() << SVFUtil::sucMsg("success: expected buffer overflow at UNSAFE_BUFACCESS")
167 << " — " << callNode->toString() << "\n";
168 return;
169 }
170 else
171 {
172 SVFUtil::outs() << SVFUtil::errMsg("failure: buffer overflow expected at UNSAFE_BUFACCESS, but none detected")
173 << " — Position: " << callNode->getSourceLoc() << "\n";
174 assert(false);
175 }
176 }
177}
SVF::AbstractInterpretation::getAbsStateFromTrace
AbstractState & getAbsStateFromTrace(const ICFGNode *node)
Retrieves the abstract state from the trace for a given ICFG node.
Definition AbstractInterpretation.h:166
SVF::AbstractInterpretation::checkpoints
Set< const CallICFGNode * > checkpoints
Definition AbstractInterpretation.h:158
SVF::SVFUtil::sucMsg
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
SVF::SVFUtil::errMsg
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition SVFUtil.h:52

◆ hasGepObjOffsetFromBase()

bool SVF::BufOverflowDetector::hasGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Checks if a GEP object has an associated offset.

Parameters
objPointer to the GEP object.
Returns
True if the GEP object has an offset, false otherwise.

Definition at line 204 of file AEDetector.h.

205 {
206 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
207 }

◆ initExtAPIBufOverflowCheckRules()

void BufOverflowDetector::initExtAPIBufOverflowCheckRules ( )

Initializes external API buffer overflow check rules.

This function sets up rules for various memory-related functions like memcpy, memset, etc., defining which arguments should be checked for buffer overflows.

Definition at line 185 of file AEDetector.cpp.

186{
187 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
188 extAPIBufOverflowCheckRules["llvm_memcpy_p0_p0_i64"] = {{0, 2}, {1, 2}};
189 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
190 extAPIBufOverflowCheckRules["llvm_memcpy"] = {{0, 2}, {1, 2}};
191 extAPIBufOverflowCheckRules["llvm_memmove"] = {{0, 2}, {1, 2}};
192 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
193 extAPIBufOverflowCheckRules["llvm_memmove_p0_p0_i64"] = {{0, 2}, {1, 2}};
194 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
195 extAPIBufOverflowCheckRules["__memcpy_chk"] = {{0, 2}, {1, 2}};
196 extAPIBufOverflowCheckRules["memmove"] = {{0, 2}, {1, 2}};
197 extAPIBufOverflowCheckRules["bcopy"] = {{0, 2}, {1, 2}};
198 extAPIBufOverflowCheckRules["memccpy"] = {{0, 3}, {1, 3}};
199 extAPIBufOverflowCheckRules["__memmove_chk"] = {{0, 2}, {1, 2}};
200 extAPIBufOverflowCheckRules["llvm_memset"] = {{0, 2}};
201 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i32"] = {{0, 2}};
202 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i64"] = {{0, 2}};
203 extAPIBufOverflowCheckRules["llvm_memset_p0_i64"] = {{0, 2}};
204 extAPIBufOverflowCheckRules["__memset_chk"] = {{0, 2}};
205 extAPIBufOverflowCheckRules["wmemset"] = {{0, 2}};
206 extAPIBufOverflowCheckRules["strncpy"] = {{0, 2}, {1, 2}};
207 extAPIBufOverflowCheckRules["iconv"] = {{1, 2}, {3, 4}};
208}

◆ reportBug()

void SVF::BufOverflowDetector::reportBug ( )
inlinevirtual

Reports all detected buffer overflow bugs.

Implements SVF::AEDetector.

Definition at line 271 of file AEDetector.h.

272 {
273 if (!nodeToBugInfo.empty())
274 {
275 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
276 + " found)######################\n";
277 std::cerr << "---------------------------------------------\n";
278 for (const auto& it : nodeToBugInfo)
279 {
280 std::cerr << it.second << "\n---------------------------------------------\n";
281 }
282 }
283 }

◆ updateGepObjOffsetFromBase()

void BufOverflowDetector::updateGepObjOffsetFromBase ( AbstractState as,
SVF::AddressValue  gepAddrs,
SVF::AddressValue  objAddrs,
SVF::IntervalValue  offset 
)

Updates the offset of a GEP object from its base.

Parameters
asReference to the abstract state.
gepAddrsAddress value for GEP.
objAddrsAddress value for the object.
offsetThe interval value of the offset.

This function calculates and stores the offset of a GEP object from its base object using the addresses and offsets provided.

Parameters
gepAddrsThe addresses of the GEP objects.
objAddrsThe addresses of the base objects.
offsetThe interval value of the offset.

Definition at line 347 of file AEDetector.cpp.

348{
349 SVFIR* svfir = PAG::getPAG();
350
351 for (const auto& objAddr : objAddrs)
352 {
353 NodeID objId = as.getIDFromAddr(objAddr);
354 auto obj = svfir->getGNode(objId);
355
356 if (SVFUtil::isa<BaseObjVar>(obj))
357 {
358 // if the object is a BaseObjVar, add the offset directly
359 // like llvm bc `arr = alloc i8 12; p = gep arr, 4`
360 // we write key value pair {gep, 4}
361 for (const auto& gepAddr : gepAddrs)
362 {
363 NodeID gepObj = as.getIDFromAddr(gepAddr);
364 if (const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(svfir->getGNode(gepObj)))
365 {
366 addToGepObjOffsetFromBase(gepObjVar, offset);
367 }
368 else
369 {
370 assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
371 }
372 }
373 }
374 else if (SVFUtil::isa<GepObjVar>(obj))
375 {
376 // if the object is a GepObjVar, add the offset from the base object
377 // like llvm bc `arr = alloc i8 12; p = gep arr, 4; q = gep p, 6`
378 // we retreive {p, 4} and write {q, 4+6}
379 const GepObjVar* objVar = SVFUtil::cast<GepObjVar>(obj);
380 for (const auto& gepAddr : gepAddrs)
381 {
382 NodeID gepObj = as.getIDFromAddr(gepAddr);
383 if (const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(svfir->getGNode(gepObj)))
384 {
385 if (hasGepObjOffsetFromBase(objVar))
386 {
387 IntervalValue objOffsetFromBase =
388 getGepObjOffsetFromBase(objVar);
389 if (!hasGepObjOffsetFromBase(gepObjVar))
390 addToGepObjOffsetFromBase(
391 gepObjVar, objOffsetFromBase + offset);
392 }
393 else
394 {
395 assert(false &&
396 "GEP RHS object has no offset from base");
397 }
398 }
399 else
400 {
401 assert(AbstractState::isInvalidMem(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
402 }
403 }
404 }
405 }
406}
SVF::AbstractState::isInvalidMem
static bool isInvalidMem(u32_t addr)
Definition AbstractState.h:190
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:194

Friends And Related Symbol Documentation

◆ AbstractInterpretation

friend class AbstractInterpretation
friend

Definition at line 137 of file AEDetector.h.

Member Data Documentation

◆ bugLoc

Set<std::string> SVF::BufOverflowDetector::bugLoc
private

Set of locations where bugs have been reported.

Definition at line 326 of file AEDetector.h.

◆ extAPIBufOverflowCheckRules

Map<std::string, std::vector<std::pair<u32_t, u32_t> > > SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
private

Rules for checking buffer overflows in external APIs.

Definition at line 325 of file AEDetector.h.

◆ gepObjOffsetFromBase

Map<const GepObjVar*, IntervalValue> SVF::BufOverflowDetector::gepObjOffsetFromBase
private

Maps GEP objects to their offsets from the base.

Definition at line 324 of file AEDetector.h.

◆ nodeToBugInfo

Map<const ICFGNode*, std::string> SVF::BufOverflowDetector::nodeToBugInfo
private

Maps ICFG nodes to bug information.

Definition at line 328 of file AEDetector.h.

◆ recoder

SVFBugReport SVF::BufOverflowDetector::recoder
private

Recorder for abstract execution bugs.

Definition at line 327 of file AEDetector.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.9.8