Static Value-Flow Analysis
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Private Member Functions | Private Attributes | Friends | List of all members
SVF::BufOverflowDetector Class Reference

Detector for identifying buffer overflow issues. More...

#include <AEDetector.h>

Inheritance diagram for SVF::BufOverflowDetector:
SVF::AEDetector

Public Member Functions

 BufOverflowDetector ()
 Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.
 
 ~BufOverflowDetector ()=default
 Destructor.
 
void updateGepObjOffsetFromBase (const ICFGNode *node, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
 Updates the offset of a GEP object from its base.
 
void detect (const ICFGNode *) override
 Detect buffer overflow issues within a node.
 
void handleStubFunctions (const CallICFGNode *) override
 Handles external API calls related to buffer overflow detection.
 
void addToGepObjOffsetFromBase (const GepObjVar *obj, const IntervalValue &offset)
 Adds an offset to a GEP object.
 
bool hasGepObjOffsetFromBase (const GepObjVar *obj) const
 Checks if a GEP object has an associated offset.
 
IntervalValue getGepObjOffsetFromBase (const GepObjVar *obj) const
 Retrieves the offset of a GEP object from its base.
 
IntervalValue getAccessOffset (NodeID objId, const GepStmt *gep)
 Retrieves the access offset for a given object and GEP statement.
 
void addBugToReporter (const AEException &e, const ICFGNode *node)
 Adds a bug to the reporter based on an exception.
 
void reportBug () override
 Reports all detected buffer overflow bugs.
 
void initExtAPIBufOverflowCheckRules ()
 Initializes external API buffer overflow check rules.
 
void detectExtAPI (const CallICFGNode *call)
 Handles external API calls related to buffer overflow detection.
 
bool canSafelyAccessMemory (const ValVar *value, const IntervalValue &len, const ICFGNode *node)
 Checks if memory can be safely accessed.
 
- Public Member Functions inherited from SVF::AEDetector
 AEDetector ()
 Constructor initializes the detector kind to UNKNOWN.
 
virtual ~AEDetector ()=default
 Virtual destructor for safe polymorphic use.
 
DetectorKind getKind () const
 Get the kind of the detector.
 

Static Public Member Functions

static bool classof (const AEDetector *detector)
 Check if the detector is of the BUF_OVERFLOW kind.
 
- Static Public Member Functions inherited from SVF::AEDetector
static bool classof (const AEDetector *detector)
 Check if the detector is of the UNKNOWN kind.
 

Private Member Functions

bool detectStrcat (const CallICFGNode *call)
 Detects buffer overflow in 'strcat' function calls.
 
bool detectStrcpy (const CallICFGNode *call)
 Detects buffer overflow in 'strcpy' function calls.
 

Private Attributes

Map< const GepObjVar *, IntervalValuegepObjOffsetFromBase
 Maps GEP objects to their offsets from the base.
 
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
 Rules for checking buffer overflows in external APIs.
 
Set< std::string > bugLoc
 Set of locations where bugs have been reported.
 
SVFBugReport recoder
 Recorder for abstract execution bugs.
 
Map< const ICFGNode *, std::string > nodeToBugInfo
 Maps ICFG nodes to bug information.
 

Friends

class AbstractInterpretation
 

Additional Inherited Members

- Public Types inherited from SVF::AEDetector
enum  DetectorKind { BUF_OVERFLOW , NULL_DEREF , UNKNOWN }
 Enumerates the types of detectors available. More...
 
- Protected Attributes inherited from SVF::AEDetector
DetectorKind kind
 The kind of the detector.
 

Detailed Description

Detector for identifying buffer overflow issues.

Definition at line 139 of file AEDetector.h.

Constructor & Destructor Documentation

◆ BufOverflowDetector()

SVF::BufOverflowDetector::BufOverflowDetector ( )
inline

Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.

Definition at line 146 of file AEDetector.h.

147 {
148 kind = BUF_OVERFLOW;
149 initExtAPIBufOverflowCheckRules();
150 }
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:52
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:105
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:179

◆ ~BufOverflowDetector()

SVF::BufOverflowDetector::~BufOverflowDetector ( )
default

Destructor.

Member Function Documentation

◆ addBugToReporter()

void SVF::BufOverflowDetector::addBugToReporter ( const AEException e,
const ICFGNode node 
)
inline

Adds a bug to the reporter based on an exception.

Parameters
eThe exception that was thrown.
nodePointer to the ICFG node where the bug was detected.

Definition at line 243 of file AEDetector.h.

244 {
245
246 GenericBug::EventStack eventStack;
247 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
248 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
249
250 if (eventStack.empty())
251 {
252 return; // If the event stack is empty, return early
253 }
254
255 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
256
257 // Check if the bug at this location has already been reported
258 if (bugLoc.find(loc) != bugLoc.end())
259 {
260 return; // If the bug location is already reported, return early
261 }
262 else
263 {
264 bugLoc.insert(loc); // Otherwise, mark this location as reported
265 }
266
267 // Add the bug to the recorder with details from the event stack
268 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
269 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
270 }
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:329
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:328
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:330
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76

◆ addToGepObjOffsetFromBase()

void SVF::BufOverflowDetector::addToGepObjOffsetFromBase ( const GepObjVar obj,
const IntervalValue offset 
)
inline

Adds an offset to a GEP object.

Parameters
objPointer to the GEP object.
offsetThe interval value of the offset.

Definition at line 198 of file AEDetector.h.

199 {
200 gepObjOffsetFromBase[obj] = offset;
201 }
offset
buffer offset
Definition cJSON.cpp:1113
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:326

◆ canSafelyAccessMemory()

bool BufOverflowDetector::canSafelyAccessMemory ( const ValVar value,
const IntervalValue len,
const ICFGNode node 
)

Checks if memory can be safely accessed.

Checks if a memory access is safe given a specific buffer length.

Parameters
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
nodeThe ICFG node providing context.
Returns
True if the memory access is safe, false otherwise.

This function ensures that a given memory access, starting at a specific value, does not exceed the allocated size of the buffer.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

Definition at line 460 of file AEDetector.cpp.

461{
462 SVFIR* svfir = PAG::getPAG();
463 auto& ae = AbstractInterpretation::getAEInstance();
464
465 AbstractValue ptrVal = ae.getAbsValue(value, node);
466 if (!ptrVal.isAddr())
467 {
468 ptrVal = AddressValue(BlackHoleObjAddr);
469 ae.updateAbsValue(value, ptrVal, node);
470 }
471 for (const auto& addr : ptrVal.getAddrs())
472 {
473 NodeID objId = ae.getAbsState(node).getIDFromAddr(addr);
474 u32_t size = 0;
475 // if the object is a constant size object, get the size directly
476 if (svfir->getBaseObject(objId)->isConstantByteSize())
477 {
478 size = svfir->getBaseObject(objId)->getByteSizeOfObj();
479 }
480 else
481 {
482 // if the object is not a constant size object, get the size from the addrStmt
483 const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
484 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
485 {
486 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
487 {
488 size = ae.getStateMgr()->getAllocaInstByteSize(addrStmt);
489 }
490 }
491 }
492
493 IntervalValue offset(0);
494 // if the object is a GepObjVar, get the offset from the base object
495 if (SVFUtil::isa<GepObjVar>(svfir->getSVFVar(objId)))
496 {
497 offset = getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(svfir->getSVFVar(objId))) + len;
498 }
499 else if (SVFUtil::isa<BaseObjVar>(svfir->getSVFVar(objId)))
500 {
501 // if the object is a BaseObjVar, get the offset directly
502 offset = len;
503 }
504
505 // if the offset is greater than the size, return false
506 if (offset.ub().getIntNumeral() >= size)
507 {
508 return false;
509 }
510 }
511 return true;
512}
BlackHoleObjAddr
#define BlackHoleObjAddr
Definition AddressValue.h:36
u32_t
unsigned u32_t
Definition CommandLine.h:18
SVF::AbstractInterpretation::getAEInstance
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:109
SVF::BaseObjVar::getICFGNode
const ICFGNode * getICFGNode() const
Get the ICFGNode related to the creation of this object.
Definition SVFVariables.h:607
SVF::BaseObjVar::isConstantByteSize
bool isConstantByteSize() const
Check if byte size is a const value.
Definition SVFVariables.h:680
SVF::BaseObjVar::getByteSizeOfObj
u32_t getByteSizeOfObj() const
Get the byte size of this object.
Definition SVFVariables.h:674
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:218
SVF::SVFIR::getBaseObject
const BaseObjVar * getBaseObject(NodeID id) const
Definition SVFIR.h:496
SVF::SVFIR::getSVFVar
const SVFVar * getSVFVar(NodeID id) const
ObjVar/GepObjVar/BaseObjVar.
Definition SVFIR.h:133
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:118
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56

◆ classof()

static bool SVF::BufOverflowDetector::classof ( const AEDetector detector)
inlinestatic

Check if the detector is of the BUF_OVERFLOW kind.

Parameters
detectorPointer to the detector.
Returns
True if the detector is of type BUF_OVERFLOW, false otherwise.

Definition at line 162 of file AEDetector.h.

163 {
164 return detector->getKind() == AEDetector::BUF_OVERFLOW;
165 }

◆ detect()

void BufOverflowDetector::detect ( const ICFGNode node)
overridevirtual

Detect buffer overflow issues within a node.

Detects buffer overflow issues within a given ICFG node.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

This function handles both non-call nodes, where it analyzes GEP (GetElementPtr) instructions for potential buffer overflows, and call nodes, where it checks for external API calls that may cause overflows.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 45 of file AEDetector.cpp.

46{
47 auto& ae = AbstractInterpretation::getAEInstance();
48 if (!SVFUtil::isa<CallICFGNode>(node))
49 {
50 // Handle non-call nodes by analyzing GEP instructions
51 for (const SVFStmt* stmt : node->getSVFStmts())
52 {
53 if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
54 {
55 SVFIR* svfir = PAG::getPAG();
56
57 // Update the GEP object offset from its base
58 const AbstractValue& lhsVal = ae.getAbsValue(gep->getLHSVar(), node);
59 const AbstractValue& rhsVal = ae.getAbsValue(gep->getRHSVar(), node);
60 updateGepObjOffsetFromBase(node, lhsVal.getAddrs(), rhsVal.getAddrs(),
61 ae.getStateMgr()->getGepByteOffset(gep));
62
63 const AddressValue& objAddrs = rhsVal.getAddrs();
64 for (const auto& addr : objAddrs)
65 {
66 NodeID objId = ae.getAbsState(node).getIDFromAddr(addr);
67 u32_t size = 0;
68 // like `int arr[10]` which has constant size before runtime
69 if (svfir->getBaseObject(objId)->isConstantByteSize())
70 {
71 size = svfir->getBaseObject(objId)->getByteSizeOfObj();
72 }
73 else
74 {
75 // like `int len = ***; int arr[len]`, whose size can only be known in runtime
76 const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
77 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
78 {
79 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
80 {
81 size = ae.getStateMgr()->getAllocaInstByteSize(addrStmt);
82 }
83 }
84 }
85
86 // Calculate access offset and check for potential overflow
87 IntervalValue accessOffset = getAccessOffset(objId, gep);
88 if (accessOffset.ub().getIntNumeral() >= size)
89 {
90 AEException bug(stmt->toString());
91 addBugToReporter(bug, stmt->getICFGNode());
92 }
93 }
94 }
95 }
96 }
97 else
98 {
99 // Handle call nodes by checking for external API calls
100 const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
101 if (SVFUtil::isExtCall(callNode->getCalledFunction()))
102 {
103 detectExtAPI(callNode);
104 }
105 }
106}
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:113
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:305
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(const ICFGNode *node, AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:336
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:212
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:243
SVF::SVFUtil::isExtCall
bool isExtCall(const FunObjVar *fun)
Definition SVFUtil.cpp:437

◆ detectExtAPI()

void BufOverflowDetector::detectExtAPI ( const CallICFGNode call)

Handles external API calls related to buffer overflow detection.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

This function checks the type of external memory API (e.g., memcpy, memset, strcpy, strcat) and applies the corresponding buffer overflow checks based on predefined rules.

Parameters
callPointer to the call ICFG node.

Definition at line 212 of file AEDetector.cpp.

213{
214 assert(call->getCalledFunction() && "FunObjVar* is nullptr");
215 auto& ae = AbstractInterpretation::getAEInstance();
216
217 AbsExtAPI::ExtAPIType extType = AbsExtAPI::UNCLASSIFIED;
218
219 // Determine the type of external memory API
220 for (const std::string &annotation : ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
221 {
222 if (annotation.find("MEMCPY") != std::string::npos)
223 extType = AbsExtAPI::MEMCPY;
224 if (annotation.find("MEMSET") != std::string::npos)
225 extType = AbsExtAPI::MEMSET;
226 if (annotation.find("STRCPY") != std::string::npos)
227 extType = AbsExtAPI::STRCPY;
228 if (annotation.find("STRCAT") != std::string::npos)
229 extType = AbsExtAPI::STRCAT;
230 }
231
232 // Apply buffer overflow checks based on the determined API type
233 if (extType == AbsExtAPI::MEMCPY)
234 {
235 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
236 {
237 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
238 return;
239 }
240 std::vector<std::pair<u32_t, u32_t>> args =
241 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
242 for (auto arg : args)
243 {
244 IntervalValue offset = ae.getAbsValue(call->getArgument(arg.second), call).getInterval() - IntervalValue(1);
245 const ValVar* argVar = call->getArgument(arg.first);
246 if (!canSafelyAccessMemory(argVar, offset, call))
247 {
248 AEException bug(call->toString());
249 addBugToReporter(bug, call);
250 }
251 }
252 }
253 else if (extType == AbsExtAPI::MEMSET)
254 {
255 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
256 {
257 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
258 return;
259 }
260 std::vector<std::pair<u32_t, u32_t>> args =
261 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
262 for (auto arg : args)
263 {
264 IntervalValue offset = ae.getAbsValue(call->getArgument(arg.second), call).getInterval() - IntervalValue(1);
265 const ValVar* argVar = call->getArgument(arg.first);
266 if (!canSafelyAccessMemory(argVar, offset, call))
267 {
268 AEException bug(call->toString());
269 addBugToReporter(bug, call);
270 }
271 }
272 }
273 else if (extType == AbsExtAPI::STRCPY)
274 {
275 if (!detectStrcpy(call))
276 {
277 AEException bug(call->toString());
278 addBugToReporter(bug, call);
279 }
280 }
281 else if (extType == AbsExtAPI::STRCAT)
282 {
283 if (!detectStrcat(call))
284 {
285 AEException bug(call->toString());
286 addBugToReporter(bug, call);
287 }
288 }
289 else
290 {
291 // Handle other cases
292 }
293}
SVF::AbsExtAPI::ExtAPIType
ExtAPIType
Enumeration of external API types.
Definition AbsExtAPI.h:50
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:327
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(const ValVar *value, const IntervalValue &len, const ICFGNode *node)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:460
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:409
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:418
SVF::CallICFGNode::toString
const std::string toString() const override
Definition ICFG.cpp:128
SVF::CallICFGNode::getArgument
const ValVar * getArgument(u32_t ArgNo) const
Parameter operations.
Definition ICFGNode.h:482
SVF::CallICFGNode::getCalledFunction
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:500
SVF::SVFValue::getName
virtual const std::string & getName() const
Definition SVFValue.h:189
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:58

◆ detectStrcat()

bool BufOverflowDetector::detectStrcat ( const CallICFGNode call)
private

Detects buffer overflow in 'strcat' function calls.

Parameters
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

Definition at line 418 of file AEDetector.cpp.

419{
420 auto& ae = AbstractInterpretation::getAEInstance();
421 const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
422 const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
423
424 if (std::find(strcatGroup.begin(), strcatGroup.end(), call->getCalledFunction()->getName()) != strcatGroup.end())
425 {
426 const ValVar* arg0Val = call->getArgument(0);
427 const ValVar* arg1Val = call->getArgument(1);
428 IntervalValue strLen0 = ae.getUtils()->getStrlen(arg0Val, call);
429 IntervalValue strLen1 = ae.getUtils()->getStrlen(arg1Val, call);
430 IntervalValue totalLen = strLen0 + strLen1;
431 return canSafelyAccessMemory(arg0Val, totalLen, call);
432 }
433 else if (std::find(strncatGroup.begin(), strncatGroup.end(), call->getCalledFunction()->getName()) != strncatGroup.end())
434 {
435 const ValVar* arg0Val = call->getArgument(0);
436 const ValVar* arg2Val = call->getArgument(2);
437 IntervalValue arg2Num = ae.getAbsValue(arg2Val, call).getInterval();
438 IntervalValue strLen0 = ae.getUtils()->getStrlen(arg0Val, call);
439 IntervalValue totalLen = strLen0 + arg2Num;
440 return canSafelyAccessMemory(arg0Val, totalLen, call);
441 }
442 else
443 {
444 assert(false && "Unknown strcat function, please add it to strcatGroup or strncatGroup");
445 abort();
446 }
447}

◆ detectStrcpy()

bool BufOverflowDetector::detectStrcpy ( const CallICFGNode call)
private

Detects buffer overflow in 'strcpy' function calls.

Parameters
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate the source string being copied, accounting for the null terminator.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 409 of file AEDetector.cpp.

410{
411 const ValVar* arg0Val = call->getArgument(0);
412 const ValVar* arg1Val = call->getArgument(1);
413 auto& ae = AbstractInterpretation::getAEInstance();
414 IntervalValue strLen = ae.getUtils()->getStrlen(arg1Val, call);
415 return canSafelyAccessMemory(arg0Val, strLen, call);
416}

◆ getAccessOffset()

IntervalValue BufOverflowDetector::getAccessOffset ( SVF::NodeID  objId,
const GepStmt gep 
)

Retrieves the access offset for a given object and GEP statement.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

This function calculates the access offset for a base object or a sub-object of an aggregate object (using GEP). If the object is a dummy object, it returns a top interval value.

Parameters
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

Definition at line 305 of file AEDetector.cpp.

306{
307 SVFIR* svfir = PAG::getPAG();
308 auto& ae = AbstractInterpretation::getAEInstance();
309 auto obj = svfir->getSVFVar(objId);
310
311 if (SVFUtil::isa<BaseObjVar>(obj))
312 {
313 return ae.getStateMgr()->getGepByteOffset(gep);
314 }
315 else if (SVFUtil::isa<GepObjVar>(obj))
316 {
317 return getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(obj)) + ae.getStateMgr()->getGepByteOffset(gep);
318 }
319 else
320 {
321 assert(SVFUtil::isa<DummyObjVar>(obj) && "Unknown object type");
322 return IntervalValue::top();
323 }
324}
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94

◆ getGepObjOffsetFromBase()

IntervalValue SVF::BufOverflowDetector::getGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Retrieves the offset of a GEP object from its base.

Parameters
objPointer to the GEP object.
Returns
The interval value of the offset.

Definition at line 218 of file AEDetector.h.

219 {
220 if (hasGepObjOffsetFromBase(obj))
221 return gepObjOffsetFromBase.at(obj);
222 else
223 {
224 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
225 abort();
226 }
227 }
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:208

◆ handleStubFunctions()

void BufOverflowDetector::handleStubFunctions ( const CallICFGNode callNode)
overridevirtual

Handles external API calls related to buffer overflow detection.

Handles stub functions within the ICFG node.

Parameters
callPointer to the call ICFG node.

This function is a placeholder for handling stub functions within the ICFG node.

Parameters
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 116 of file AEDetector.cpp.

117{
118 // get function name
119 std::string funcName = callNode->getCalledFunction()->getName();
120 auto& ae = AbstractInterpretation::getAEInstance();
121 if (funcName == "SAFE_BUFACCESS")
122 {
123 ae.getUtils()->checkpoints.erase(callNode);
124 if (callNode->arg_size() < 2)
125 return;
126 IntervalValue val = ae.getAbsValue(callNode->getArgument(1), callNode).getInterval();
127 if (val.isBottom())
128 {
129 val = IntervalValue(0);
130 assert(false && "SAFE_BUFACCESS size is bottom");
131 }
132 const ValVar* arg0Val = callNode->getArgument(0);
133 bool isSafe = canSafelyAccessMemory(arg0Val, val, callNode);
134 if (isSafe)
135 {
136 SVFUtil::outs() << SVFUtil::sucMsg("success: expected safe buffer access at SAFE_BUFACCESS")
137 << " — " << callNode->toString() << "\n";
138 return;
139 }
140 else
141 {
142 SVFUtil::outs() << SVFUtil::errMsg("failure: unexpected buffer overflow at SAFE_BUFACCESS")
143 << " — Position: " << callNode->getSourceLoc() << "\n";
144 assert(false);
145 }
146 }
147 else if (funcName == "UNSAFE_BUFACCESS")
148 {
149 ae.getUtils()->checkpoints.erase(callNode);
150 if (callNode->arg_size() < 2) return;
151 IntervalValue val = ae.getAbsValue(callNode->getArgument(1), callNode).getInterval();
152 if (val.isBottom())
153 {
154 assert(false && "UNSAFE_BUFACCESS size is bottom");
155 }
156 const ValVar* arg0Val = callNode->getArgument(0);
157 bool isSafe = canSafelyAccessMemory(arg0Val, val, callNode);
158 if (!isSafe)
159 {
160 SVFUtil::outs() << SVFUtil::sucMsg("success: expected buffer overflow at UNSAFE_BUFACCESS")
161 << " — " << callNode->toString() << "\n";
162 return;
163 }
164 else
165 {
166 SVFUtil::outs() << SVFUtil::errMsg("failure: buffer overflow expected at UNSAFE_BUFACCESS, but none detected")
167 << " — Position: " << callNode->getSourceLoc() << "\n";
168 assert(false);
169 }
170 }
171}
SVF::SVFUtil::sucMsg
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
SVF::SVFUtil::errMsg
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition SVFUtil.h:52

◆ hasGepObjOffsetFromBase()

bool SVF::BufOverflowDetector::hasGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Checks if a GEP object has an associated offset.

Parameters
objPointer to the GEP object.
Returns
True if the GEP object has an offset, false otherwise.

Definition at line 208 of file AEDetector.h.

209 {
210 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
211 }

◆ initExtAPIBufOverflowCheckRules()

void BufOverflowDetector::initExtAPIBufOverflowCheckRules ( )

Initializes external API buffer overflow check rules.

This function sets up rules for various memory-related functions like memcpy, memset, etc., defining which arguments should be checked for buffer overflows.

Definition at line 179 of file AEDetector.cpp.

180{
181 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
182 extAPIBufOverflowCheckRules["llvm_memcpy_p0_p0_i64"] = {{0, 2}, {1, 2}};
183 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
184 extAPIBufOverflowCheckRules["llvm_memcpy"] = {{0, 2}, {1, 2}};
185 extAPIBufOverflowCheckRules["llvm_memmove"] = {{0, 2}, {1, 2}};
186 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
187 extAPIBufOverflowCheckRules["llvm_memmove_p0_p0_i64"] = {{0, 2}, {1, 2}};
188 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
189 extAPIBufOverflowCheckRules["__memcpy_chk"] = {{0, 2}, {1, 2}};
190 extAPIBufOverflowCheckRules["memmove"] = {{0, 2}, {1, 2}};
191 extAPIBufOverflowCheckRules["bcopy"] = {{0, 2}, {1, 2}};
192 extAPIBufOverflowCheckRules["memccpy"] = {{0, 3}, {1, 3}};
193 extAPIBufOverflowCheckRules["__memmove_chk"] = {{0, 2}, {1, 2}};
194 extAPIBufOverflowCheckRules["llvm_memset"] = {{0, 2}};
195 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i32"] = {{0, 2}};
196 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i64"] = {{0, 2}};
197 extAPIBufOverflowCheckRules["llvm_memset_p0_i64"] = {{0, 2}};
198 extAPIBufOverflowCheckRules["__memset_chk"] = {{0, 2}};
199 extAPIBufOverflowCheckRules["wmemset"] = {{0, 2}};
200 extAPIBufOverflowCheckRules["strncpy"] = {{0, 2}, {1, 2}};
201 extAPIBufOverflowCheckRules["iconv"] = {{1, 2}, {3, 4}};
202}

◆ reportBug()

void SVF::BufOverflowDetector::reportBug ( )
inlineoverridevirtual

Reports all detected buffer overflow bugs.

Implements SVF::AEDetector.

Definition at line 275 of file AEDetector.h.

276 {
277 if (!nodeToBugInfo.empty())
278 {
279 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
280 + " found)######################\n";
281 std::cerr << "---------------------------------------------\n";
282 for (const auto& it : nodeToBugInfo)
283 {
284 std::cerr << it.second << "\n---------------------------------------------\n";
285 }
286 }
287 }

◆ updateGepObjOffsetFromBase()

void BufOverflowDetector::updateGepObjOffsetFromBase ( const ICFGNode node,
SVF::AddressValue  gepAddrs,
SVF::AddressValue  objAddrs,
SVF::IntervalValue  offset 
)

Updates the offset of a GEP object from its base.

Parameters
asReference to the abstract state.
gepAddrsAddress value for GEP.
objAddrsAddress value for the object.
offsetThe interval value of the offset.

This function calculates and stores the offset of a GEP object from its base object using the addresses and offsets provided.

Parameters
gepAddrsThe addresses of the GEP objects.
objAddrsThe addresses of the base objects.
offsetThe interval value of the offset.

Definition at line 336 of file AEDetector.cpp.

337{
338 SVFIR* svfir = PAG::getPAG();
339 auto& ae = AbstractInterpretation::getAEInstance();
340 const AbstractState& as = ae.getAbsState(node);
341
342 for (const auto& objAddr : objAddrs)
343 {
344 NodeID objId = as.getIDFromAddr(objAddr);
345 auto obj = svfir->getSVFVar(objId);
346
347 if (SVFUtil::isa<BaseObjVar>(obj))
348 {
349 // if the object is a BaseObjVar, add the offset directly
350 // like llvm bc `arr = alloc i8 12; p = gep arr, 4`
351 // we write key value pair {gep, 4}
352 for (const auto& gepAddr : gepAddrs)
353 {
354 NodeID gepObj = as.getIDFromAddr(gepAddr);
355 if (const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(svfir->getSVFVar(gepObj)))
356 {
357 addToGepObjOffsetFromBase(gepObjVar, offset);
358 }
359 else
360 {
361 assert(AbstractState::isBlackHoleObjAddr(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
362 }
363 }
364 }
365 else if (SVFUtil::isa<GepObjVar>(obj))
366 {
367 // if the object is a GepObjVar, add the offset from the base object
368 // like llvm bc `arr = alloc i8 12; p = gep arr, 4; q = gep p, 6`
369 // we retreive {p, 4} and write {q, 4+6}
370 const GepObjVar* objVar = SVFUtil::cast<GepObjVar>(obj);
371 for (const auto& gepAddr : gepAddrs)
372 {
373 NodeID gepObj = as.getIDFromAddr(gepAddr);
374 if (const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(svfir->getSVFVar(gepObj)))
375 {
376 if (hasGepObjOffsetFromBase(objVar))
377 {
378 IntervalValue objOffsetFromBase =
379 getGepObjOffsetFromBase(objVar);
380 if (!hasGepObjOffsetFromBase(gepObjVar))
381 addToGepObjOffsetFromBase(
382 gepObjVar, objOffsetFromBase + offset);
383 }
384 else
385 {
386 assert(false &&
387 "GEP RHS object has no offset from base");
388 }
389 }
390 else
391 {
392 assert(AbstractState::isBlackHoleObjAddr(gepAddr) && "GEP object is neither a GepObjVar nor an invalid memory address");
393 }
394 }
395 }
396 }
397}
SVF::AbstractState::getIDFromAddr
u32_t getIDFromAddr(u32_t addr) const
Return the internal index if addr is an address otherwise return the value of idx.
Definition AbstractState.h:94
SVF::AbstractState::isBlackHoleObjAddr
static bool isBlackHoleObjAddr(u32_t addr)
Definition AbstractState.h:145
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:198

Friends And Related Symbol Documentation

◆ AbstractInterpretation

friend class AbstractInterpretation
friend

Definition at line 141 of file AEDetector.h.

Member Data Documentation

◆ bugLoc

Set<std::string> SVF::BufOverflowDetector::bugLoc
private

Set of locations where bugs have been reported.

Definition at line 328 of file AEDetector.h.

◆ extAPIBufOverflowCheckRules

Map<std::string, std::vector<std::pair<u32_t, u32_t> > > SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
private

Rules for checking buffer overflows in external APIs.

Definition at line 327 of file AEDetector.h.

◆ gepObjOffsetFromBase

Map<const GepObjVar*, IntervalValue> SVF::BufOverflowDetector::gepObjOffsetFromBase
private

Maps GEP objects to their offsets from the base.

Definition at line 326 of file AEDetector.h.

◆ nodeToBugInfo

Map<const ICFGNode*, std::string> SVF::BufOverflowDetector::nodeToBugInfo
private

Maps ICFG nodes to bug information.

Definition at line 330 of file AEDetector.h.

◆ recoder

SVFBugReport SVF::BufOverflowDetector::recoder
private

Recorder for abstract execution bugs.

Definition at line 329 of file AEDetector.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.9.8