Static Value-Flow Analysis
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Private Member Functions | Private Attributes | Friends | List of all members
SVF::BufOverflowDetector Class Reference

Detector for identifying buffer overflow issues. More...

#include <AEDetector.h>

Inheritance diagram for SVF::BufOverflowDetector:
SVF::AEDetector

Public Member Functions

 BufOverflowDetector ()
 Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.
 
 ~BufOverflowDetector ()=default
 Destructor.
 
void updateGepObjOffsetFromBase (AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
 Updates the offset of a GEP object from its base.
 
void detect (AbstractState &as, const ICFGNode *)
 Detect buffer overflow issues within a node.
 
void handleStubFunctions (const CallICFGNode *)
 Handles external API calls related to buffer overflow detection.
 
void addToGepObjOffsetFromBase (const GepObjVar *obj, const IntervalValue &offset)
 Adds an offset to a GEP object.
 
bool hasGepObjOffsetFromBase (const GepObjVar *obj) const
 Checks if a GEP object has an associated offset.
 
IntervalValue getGepObjOffsetFromBase (const GepObjVar *obj) const
 Retrieves the offset of a GEP object from its base.
 
IntervalValue getAccessOffset (AbstractState &as, NodeID objId, const GepStmt *gep)
 Retrieves the access offset for a given object and GEP statement.
 
void addBugToReporter (const AEException &e, const ICFGNode *node)
 Adds a bug to the reporter based on an exception.
 
void reportBug ()
 Reports all detected buffer overflow bugs.
 
void initExtAPIBufOverflowCheckRules ()
 Initializes external API buffer overflow check rules.
 
void detectExtAPI (AbstractState &as, const CallICFGNode *call)
 Handles external API calls related to buffer overflow detection.
 
bool canSafelyAccessMemory (AbstractState &as, const SVFVar *value, const IntervalValue &len)
 Checks if memory can be safely accessed.
 
- Public Member Functions inherited from SVF::AEDetector
 AEDetector ()
 Constructor initializes the detector kind to UNKNOWN.
 
virtual ~AEDetector ()=default
 Virtual destructor for safe polymorphic use.
 
DetectorKind getKind () const
 Get the kind of the detector.
 

Static Public Member Functions

static bool classof (const AEDetector *detector)
 Check if the detector is of the BUF_OVERFLOW kind.
 
- Static Public Member Functions inherited from SVF::AEDetector
static bool classof (const AEDetector *detector)
 Check if the detector is of the UNKNOWN kind.
 

Private Member Functions

bool detectStrcat (AbstractState &as, const CallICFGNode *call)
 Detects buffer overflow in 'strcat' function calls.
 
bool detectStrcpy (AbstractState &as, const CallICFGNode *call)
 Detects buffer overflow in 'strcpy' function calls.
 

Private Attributes

Map< const GepObjVar *, IntervalValuegepObjOffsetFromBase
 Maps GEP objects to their offsets from the base.
 
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
 Rules for checking buffer overflows in external APIs.
 
Set< std::string > bugLoc
 Set of locations where bugs have been reported.
 
SVFBugReport recoder
 Recorder for abstract execution bugs.
 
Map< const ICFGNode *, std::string > nodeToBugInfo
 Maps ICFG nodes to bug information.
 

Friends

class AbstractInterpretation
 

Additional Inherited Members

- Public Types inherited from SVF::AEDetector
enum  DetectorKind { BUF_OVERFLOW , UNKNOWN }
 Enumerates the types of detectors available. More...
 
- Protected Attributes inherited from SVF::AEDetector
DetectorKind kind
 The kind of the detector.
 

Detailed Description

Detector for identifying buffer overflow issues.

Definition at line 133 of file AEDetector.h.

Constructor & Destructor Documentation

◆ BufOverflowDetector()

SVF::BufOverflowDetector::BufOverflowDetector ( )
inline

Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.

Definition at line 140 of file AEDetector.h.

141 {
142 kind = BUF_OVERFLOW;
143 initExtAPIBufOverflowCheckRules();
144 }
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:47
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:99
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:186

◆ ~BufOverflowDetector()

SVF::BufOverflowDetector::~BufOverflowDetector ( )
default

Destructor.

Member Function Documentation

◆ addBugToReporter()

void SVF::BufOverflowDetector::addBugToReporter ( const AEException e,
const ICFGNode node 
)
inline

Adds a bug to the reporter based on an exception.

Parameters
eThe exception that was thrown.
nodePointer to the ICFG node where the bug was detected.

Definition at line 232 of file AEDetector.h.

233 {
234
235 GenericBug::EventStack eventStack;
236 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
237 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
238
239 if (eventStack.empty())
240 {
241 return; // If the event stack is empty, return early
242 }
243
244 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
245
246 // Check if the bug at this location has already been reported
247 if (bugLoc.find(loc) != bugLoc.end())
248 {
249 return; // If the bug location is already reported, return early
250 }
251 else
252 {
253 bugLoc.insert(loc); // Otherwise, mark this location as reported
254 }
255
256 // Add the bug to the recorder with details from the event stack
257 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
258 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
259 }
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:320
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:319
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:321
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74

◆ addToGepObjOffsetFromBase()

void SVF::BufOverflowDetector::addToGepObjOffsetFromBase ( const GepObjVar obj,
const IntervalValue offset 
)
inline

Adds an offset to a GEP object.

Parameters
objPointer to the GEP object.
offsetThe interval value of the offset.

Definition at line 190 of file AEDetector.h.

191 {
192 gepObjOffsetFromBase[obj] = offset;
193 }
offset
buffer offset
Definition cJSON.cpp:1113
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:317

◆ canSafelyAccessMemory()

bool BufOverflowDetector::canSafelyAccessMemory ( AbstractState as,
const SVFVar value,
const IntervalValue len 
)

Checks if memory can be safely accessed.

Checks if a memory access is safe given a specific buffer length.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

This function ensures that a given memory access, starting at a specific value, does not exceed the allocated size of the buffer.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

Definition at line 456 of file AEDetector.cpp.

457{
458 SVFIR* svfir = PAG::getPAG();
459 NodeID value_id = value->getId();
460
461 assert(as[value_id].isAddr());
462 for (const auto& addr : as[value_id].getAddrs())
463 {
464 NodeID objId = AbstractState::getInternalID(addr);
465 u32_t size = 0;
466
467 // if the object is a constant size object, get the size directly
468 if (svfir->getBaseObj(objId)->isConstantByteSize())
469 {
470 size = svfir->getBaseObj(objId)->getByteSizeOfObj();
471 }
472 else
473 {
474 // if the object is not a constant size object, get the size from the addrStmt
475 const ICFGNode* addrNode = SVFUtil::cast<ICFGNode>(
476 svfir->getBaseObj(objId)->getGNode());
477 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
478 {
479 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
480 {
481 size = as.getAllocaInstByteSize(addrStmt);
482 }
483 }
484 }
485
486 IntervalValue offset(0);
487 // if the object is a GepObjVar, get the offset from the base object
488 if (SVFUtil::isa<GepObjVar>(svfir->getGNode(objId)))
489 {
490 offset = getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(svfir->getGNode(objId))) + len;
491 }
492 else
493 {
494 // if the object is a BaseObjVar, get the offset directly
495 offset = len;
496 }
497 // if the offset is greater than the size, return false
498 if (offset.ub().getIntNumeral() >= size)
499 {
500 return false;
501 }
502 }
503 return true;
504}
u32_t
unsigned u32_t
Definition CommandLine.h:18
SVF::AbstractState::getInternalID
static u32_t getInternalID(u32_t idx)
Return the internal index if idx is an address otherwise return the value of idx.
Definition AbstractState.h:114
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:210
SVF::GenericGraph::getGNode
NodeType * getGNode(NodeID id) const
Get a node.
Definition GenericGraph.h:654
SVF::MemObj::getGNode
const SVFBaseNode * getGNode() const
Get the reference value to this object.
Definition SymbolTableInfo.h:416
SVF::MemObj::getByteSizeOfObj
u32_t getByteSizeOfObj() const
Get the byte size of this object.
Definition SymbolTableInfo.cpp:397
SVF::MemObj::isConstantByteSize
bool isConstantByteSize() const
Check if byte size is a const value.
Definition SymbolTableInfo.cpp:403
SVF::SVFBaseNode::getId
NodeID getId() const
Get ID.
Definition GenericGraph.h:236
SVF::SVFIR::getBaseObj
const MemObj * getBaseObj(NodeID id) const
Definition SVFIR.h:481
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:116
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:55

◆ classof()

static bool SVF::BufOverflowDetector::classof ( const AEDetector detector)
inlinestatic

Check if the detector is of the BUF_OVERFLOW kind.

Parameters
detectorPointer to the detector.
Returns
True if the detector is of type BUF_OVERFLOW, false otherwise.

Definition at line 156 of file AEDetector.h.

157 {
158 return detector->getKind() == AEDetector::BUF_OVERFLOW;
159 }

◆ detect()

void BufOverflowDetector::detect ( AbstractState as,
const ICFGNode node 
)
virtual

Detect buffer overflow issues within a node.

Detects buffer overflow issues within a given ICFG node.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

This function handles both non-call nodes, where it analyzes GEP (GetElementPtr) instructions for potential buffer overflows, and call nodes, where it checks for external API calls that may cause overflows.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 44 of file AEDetector.cpp.

45{
46 if (!SVFUtil::isa<CallICFGNode>(node))
47 {
48 // Handle non-call nodes by analyzing GEP instructions
49 for (const SVFStmt* stmt : node->getSVFStmts())
50 {
51 if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
52 {
53 SVFIR* svfir = PAG::getPAG();
54 NodeID lhs = gep->getLHSVarID();
55 NodeID rhs = gep->getRHSVarID();
56
57 // Update the GEP object offset from its base
58 updateGepObjOffsetFromBase(as[lhs].getAddrs(), as[rhs].getAddrs(), as.getByteOffset(gep));
59
60 IntervalValue baseObjSize = IntervalValue::bottom();
61 AddressValue objAddrs = as[gep->getRHSVarID()].getAddrs();
62 for (const auto& addr : objAddrs)
63 {
64 NodeID objId = AbstractState::getInternalID(addr);
65 u32_t size = 0;
66
67 if (svfir->getBaseObj(objId)->isConstantByteSize())
68 {
69 size = svfir->getBaseObj(objId)->getByteSizeOfObj();
70 }
71 else
72 {
73 const ICFGNode* addrNode = SVFUtil::cast<ICFGNode>(
74 svfir->getBaseObj(objId)->getGNode());
75 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
76 {
77 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
78 {
79 size = as.getAllocaInstByteSize(addrStmt);
80 }
81 }
82 }
83
84 // Calculate access offset and check for potential overflow
85 IntervalValue accessOffset = getAccessOffset(as, objId, gep);
86 if (accessOffset.ub().getIntNumeral() >= size)
87 {
88 AEException bug(stmt->toString());
89 addBugToReporter(bug, stmt->getICFGNode());
90 }
91 }
92 }
93 }
94 }
95 else
96 {
97 // Handle call nodes by checking for external API calls
98 const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
99 if (SVFUtil::isExtCall(callNode->getCalledFunction()))
100 {
101 detectExtAPI(as, callNode);
102 }
103 }
104}
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:107
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(AbstractState &as, NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:314
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:346
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:220
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:232
SVF::IntervalValue::bottom
static IntervalValue bottom()
Create the bottom IntervalValue [+inf, -inf].
Definition IntervalValue.h:100
SVF::SVFUtil::isExtCall
bool isExtCall(const SVFFunction *fun)
Definition SVFUtil.h:278

◆ detectExtAPI()

void BufOverflowDetector::detectExtAPI ( AbstractState as,
const CallICFGNode call 
)

Handles external API calls related to buffer overflow detection.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

This function checks the type of external memory API (e.g., memcpy, memset, strcpy, strcat) and applies the corresponding buffer overflow checks based on predefined rules.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

Definition at line 220 of file AEDetector.cpp.

222{
223 assert(call->getCalledFunction() && "SVFFunction* is nullptr");
224
225 AbsExtAPI::ExtAPIType extType = AbsExtAPI::UNCLASSIFIED;
226
227 // Determine the type of external memory API
228 for (const std::string &annotation : ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
229 {
230 if (annotation.find("MEMCPY") != std::string::npos)
231 extType = AbsExtAPI::MEMCPY;
232 if (annotation.find("MEMSET") != std::string::npos)
233 extType = AbsExtAPI::MEMSET;
234 if (annotation.find("STRCPY") != std::string::npos)
235 extType = AbsExtAPI::STRCPY;
236 if (annotation.find("STRCAT") != std::string::npos)
237 extType = AbsExtAPI::STRCAT;
238 }
239
240 // Apply buffer overflow checks based on the determined API type
241 if (extType == AbsExtAPI::MEMCPY)
242 {
243 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
244 {
245 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
246 return;
247 }
248 std::vector<std::pair<u32_t, u32_t>> args =
249 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
250 for (auto arg : args)
251 {
252 IntervalValue offset = as[call->getArgument(arg.second)->getId()].getInterval() - IntervalValue(1);
253 const SVFVar* argVar = call->getArgument(arg.first);
254 if (!canSafelyAccessMemory(as, argVar, offset))
255 {
256 AEException bug(call->toString());
257 addBugToReporter(bug, call);
258 }
259 }
260 }
261 else if (extType == AbsExtAPI::MEMSET)
262 {
263 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
264 {
265 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
266 return;
267 }
268 std::vector<std::pair<u32_t, u32_t>> args =
269 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
270 for (auto arg : args)
271 {
272 IntervalValue offset = as[call->getArgument(arg.second)->getId()].getInterval() - IntervalValue(1);
273 const SVFVar* argVar = call->getArgument(arg.first);
274 if (!canSafelyAccessMemory(as, argVar, offset))
275 {
276 AEException bug(call->toString());
277 addBugToReporter(bug, call);
278 }
279 }
280 }
281 else if (extType == AbsExtAPI::STRCPY)
282 {
283 if (!detectStrcpy(as, call))
284 {
285 AEException bug(call->toString());
286 addBugToReporter(bug, call);
287 }
288 }
289 else if (extType == AbsExtAPI::STRCAT)
290 {
291 if (!detectStrcat(as, call))
292 {
293 AEException bug(call->toString());
294 addBugToReporter(bug, call);
295 }
296 }
297 else
298 {
299 // Handle other cases
300 }
301}
SVF::AbsExtAPI::ExtAPIType
ExtAPIType
Enumeration of external API types.
Definition AbsExtAPI.h:52
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:318
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:397
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:415
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(AbstractState &as, const SVFVar *value, const IntervalValue &len)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:456
SVF::CallICFGNode::toString
const std::string toString() const override
Definition ICFG.cpp:131
SVF::CallICFGNode::getArgument
const ValVar * getArgument(u32_t ArgNo) const
Parameter operations.
Definition ICFGNode.h:500
SVF::CallICFGNode::getCalledFunction
const SVFFunction * getCalledFunction() const
Definition ICFGNode.h:518
SVF::SVFValue::getName
const std::string & getName() const
Definition SVFValue.h:243
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:56

◆ detectStrcat()

bool BufOverflowDetector::detectStrcat ( AbstractState as,
const CallICFGNode call 
)
private

Detects buffer overflow in 'strcat' function calls.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate both the existing string and the concatenated string from the source.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 415 of file AEDetector.cpp.

416{
417 const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
418 const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
419
420 if (std::find(strcatGroup.begin(), strcatGroup.end(), call->getCalledFunction()->getName()) != strcatGroup.end())
421 {
422 const SVFVar* arg0Val = call->getArgument(0);
423 const SVFVar* arg1Val = call->getArgument(1);
424 IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
425 IntervalValue strLen1 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
426 IntervalValue totalLen = strLen0 + strLen1;
427 return canSafelyAccessMemory(as, arg0Val, totalLen);
428 }
429 else if (std::find(strncatGroup.begin(), strncatGroup.end(), call->getCalledFunction()->getName()) != strncatGroup.end())
430 {
431 const SVFVar* arg0Val = call->getArgument(0);
432 const SVFVar* arg2Val = call->getArgument(2);
433 IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
434 IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
435 IntervalValue totalLen = strLen0 + arg2Num;
436 return canSafelyAccessMemory(as, arg0Val, totalLen);
437 }
438 else
439 {
440 assert(false && "Unknown strcat function, please add it to strcatGroup or strncatGroup");
441 abort();
442 }
443}
SVF::AbsExtAPI::getStrlen
IntervalValue getStrlen(AbstractState &as, const SVF::SVFVar *strValue)
Calculates the length of a string.
Definition AbsExtAPI.cpp:468
SVF::AbstractInterpretation::getAEInstance
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:121

◆ detectStrcpy()

bool BufOverflowDetector::detectStrcpy ( AbstractState as,
const CallICFGNode call 
)
private

Detects buffer overflow in 'strcpy' function calls.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate the source string being copied, accounting for the null terminator.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 397 of file AEDetector.cpp.

398{
399 const SVFVar* arg0Val = call->getArgument(0);
400 const SVFVar* arg1Val = call->getArgument(1);
401 IntervalValue strLen = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
402 return canSafelyAccessMemory(as, arg0Val, strLen);
403}

◆ getAccessOffset()

IntervalValue BufOverflowDetector::getAccessOffset ( SVF::AbstractState as,
SVF::NodeID  objId,
const GepStmt gep 
)

Retrieves the access offset for a given object and GEP statement.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

This function calculates the access offset for a base object or a sub-object of an aggregate object (using GEP). If the object is a dummy object, it returns a top interval value.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

Definition at line 314 of file AEDetector.cpp.

315{
316 SVFIR* svfir = PAG::getPAG();
317 auto obj = svfir->getGNode(objId);
318
319 // if the object is a BaseObjVar, return the byte offset directly
320 if (SVFUtil::isa<BaseObjVar>(obj))
321 {
322 return as.getByteOffset(gep);
323 }
324 else if (SVFUtil::isa<GepObjVar>(obj))
325 {
326 // if the object is a GepObjVar, return the offset from the base object
327 return getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(obj)) + as.getByteOffset(gep);
328 }
329 else
330 {
331 assert(SVFUtil::isa<DummyObjVar>(obj) && "Unknown object type");
332 return IntervalValue::top();
333 }
334}
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94

◆ getGepObjOffsetFromBase()

IntervalValue SVF::BufOverflowDetector::getGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Retrieves the offset of a GEP object from its base.

Parameters
objPointer to the GEP object.
Returns
The interval value of the offset.

Definition at line 210 of file AEDetector.h.

211 {
212 if (hasGepObjOffsetFromBase(obj))
213 return gepObjOffsetFromBase.at(obj);
214 else
215 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
216 }
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:200

◆ handleStubFunctions()

void BufOverflowDetector::handleStubFunctions ( const CallICFGNode callNode)
virtual

Handles external API calls related to buffer overflow detection.

Handles stub functions within the ICFG node.

Parameters
callPointer to the call ICFG node.

This function is a placeholder for handling stub functions within the ICFG node.

Parameters
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 114 of file AEDetector.cpp.

115{
116 // get function name
117 std::string funcName = callNode->getCalledFunction()->getName();
118 if (funcName == "SAFE_BUFACCESS")
119 {
120 // void SAFE_BUFACCESS(void* data, int size);
121 AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
122 if (callNode->arg_size() < 2)
123 return;
124 AbstractState& as =
125 AbstractInterpretation::getAEInstance().getAbsStateFromTrace(
126 callNode);
127 u32_t size_id = callNode->getArgument(1)->getId();
128 IntervalValue val = as[size_id].getInterval();
129 if (val.isBottom())
130 {
131 val = IntervalValue(0);
132 assert(false && "SAFE_BUFACCESS size is bottom");
133 }
134 const SVFVar* arg0Val = callNode->getArgument(0);
135 bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
136 if (isSafe)
137 {
138 std::cout << "safe buffer access success: " << callNode->toString()
139 << std::endl;
140 return;
141 }
142 else
143 {
144 std::string err_msg = "this SAFE_BUFACCESS should be a safe access but detected buffer overflow. Pos: ";
145 err_msg += callNode->getSourceLoc();
146 std::cerr << err_msg << std::endl;
147 assert(false);
148 }
149 }
150 else if (funcName == "UNSAFE_BUFACCESS")
151 {
152 // handle other stub functions
153 //void UNSAFE_BUFACCESS(void* data, int size);
154 AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
155 if (callNode->arg_size() < 2) return;
156 AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
157 u32_t size_id = callNode->getArgument(1)->getId();
158 IntervalValue val = as[size_id].getInterval();
159 if (val.isBottom())
160 {
161 assert(false && "UNSAFE_BUFACCESS size is bottom");
162 }
163 const SVFVar* arg0Val = callNode->getArgument(0);
164 bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
165 if (!isSafe)
166 {
167 std::cout << "detect buffer overflow success: " << callNode->toString() << std::endl;
168 return;
169 }
170 else
171 {
172 std::string err_msg = "this UNSAFE_BUFACCESS should be a buffer overflow but not detected. Pos: ";
173 err_msg += callNode->getSourceLoc();
174 std::cerr << err_msg << std::endl;
175 assert(false);
176 }
177 }
178}
SVF::AbstractInterpretation::getAbsStateFromTrace
AbstractState & getAbsStateFromTrace(const ICFGNode *node)
Definition AbstractInterpretation.h:258
SVF::AbstractInterpretation::checkpoints
Set< const CallICFGNode * > checkpoints
Definition AbstractInterpretation.h:132

◆ hasGepObjOffsetFromBase()

bool SVF::BufOverflowDetector::hasGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Checks if a GEP object has an associated offset.

Parameters
objPointer to the GEP object.
Returns
True if the GEP object has an offset, false otherwise.

Definition at line 200 of file AEDetector.h.

201 {
202 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
203 }

◆ initExtAPIBufOverflowCheckRules()

void BufOverflowDetector::initExtAPIBufOverflowCheckRules ( )

Initializes external API buffer overflow check rules.

This function sets up rules for various memory-related functions like memcpy, memset, etc., defining which arguments should be checked for buffer overflows.

Definition at line 186 of file AEDetector.cpp.

187{
188 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
189 extAPIBufOverflowCheckRules["llvm_memcpy_p0_p0_i64"] = {{0, 2}, {1, 2}};
190 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
191 extAPIBufOverflowCheckRules["llvm_memcpy"] = {{0, 2}, {1, 2}};
192 extAPIBufOverflowCheckRules["llvm_memmove"] = {{0, 2}, {1, 2}};
193 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
194 extAPIBufOverflowCheckRules["llvm_memmove_p0_p0_i64"] = {{0, 2}, {1, 2}};
195 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
196 extAPIBufOverflowCheckRules["__memcpy_chk"] = {{0, 2}, {1, 2}};
197 extAPIBufOverflowCheckRules["memmove"] = {{0, 2}, {1, 2}};
198 extAPIBufOverflowCheckRules["bcopy"] = {{0, 2}, {1, 2}};
199 extAPIBufOverflowCheckRules["memccpy"] = {{0, 3}, {1, 3}};
200 extAPIBufOverflowCheckRules["__memmove_chk"] = {{0, 2}, {1, 2}};
201 extAPIBufOverflowCheckRules["llvm_memset"] = {{0, 2}};
202 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i32"] = {{0, 2}};
203 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i64"] = {{0, 2}};
204 extAPIBufOverflowCheckRules["llvm_memset_p0_i64"] = {{0, 2}};
205 extAPIBufOverflowCheckRules["__memset_chk"] = {{0, 2}};
206 extAPIBufOverflowCheckRules["wmemset"] = {{0, 2}};
207 extAPIBufOverflowCheckRules["strncpy"] = {{0, 2}, {1, 2}};
208 extAPIBufOverflowCheckRules["iconv"] = {{1, 2}, {3, 4}};
209}

◆ reportBug()

void SVF::BufOverflowDetector::reportBug ( )
inlinevirtual

Reports all detected buffer overflow bugs.

Implements SVF::AEDetector.

Definition at line 264 of file AEDetector.h.

265 {
266 if (!nodeToBugInfo.empty())
267 {
268 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
269 + " found)######################\n";
270 std::cerr << "---------------------------------------------\n";
271 for (const auto& it : nodeToBugInfo)
272 {
273 std::cerr << it.second << "\n---------------------------------------------\n";
274 }
275 }
276 }

◆ updateGepObjOffsetFromBase()

void BufOverflowDetector::updateGepObjOffsetFromBase ( SVF::AddressValue  gepAddrs,
SVF::AddressValue  objAddrs,
SVF::IntervalValue  offset 
)

Updates the offset of a GEP object from its base.

Parameters
gepAddrsAddress value for GEP.
objAddrsAddress value for the object.
offsetThe interval value of the offset.

This function calculates and stores the offset of a GEP object from its base object using the addresses and offsets provided.

Parameters
gepAddrsThe addresses of the GEP objects.
objAddrsThe addresses of the base objects.
offsetThe interval value of the offset.

Definition at line 346 of file AEDetector.cpp.

347{
348 SVFIR* svfir = PAG::getPAG();
349
350 for (const auto& objAddr : objAddrs)
351 {
352 NodeID objId = AbstractState::getInternalID(objAddr);
353 auto obj = svfir->getGNode(objId);
354 // if the object is a BaseObjVar, add the offset directly
355 if (SVFUtil::isa<BaseObjVar>(obj))
356 {
357 for (const auto& gepAddr : gepAddrs)
358 {
359 NodeID gepObj = AbstractState::getInternalID(gepAddr);
360 const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
361 addToGepObjOffsetFromBase(gepObjVar, offset);
362 }
363 }
364 else if (SVFUtil::isa<GepObjVar>(obj))
365 {
366 // if the object is a GepObjVar, add the offset from the base object
367 const GepObjVar* objVar = SVFUtil::cast<GepObjVar>(obj);
368 for (const auto& gepAddr : gepAddrs)
369 {
370 NodeID gepObj = AbstractState::getInternalID(gepAddr);
371 const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
372 if (hasGepObjOffsetFromBase(objVar))
373 {
374 IntervalValue objOffsetFromBase = getGepObjOffsetFromBase(objVar);
375 if (!hasGepObjOffsetFromBase(gepObjVar))
376 addToGepObjOffsetFromBase(gepObjVar, objOffsetFromBase + offset);
377 }
378 else
379 {
380 assert(false && "GEP RHS object has no offset from base");
381 }
382 }
383 }
384 }
385}
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:190

Friends And Related Symbol Documentation

◆ AbstractInterpretation

friend class AbstractInterpretation
friend

Definition at line 135 of file AEDetector.h.

Member Data Documentation

◆ bugLoc

Set<std::string> SVF::BufOverflowDetector::bugLoc
private

Set of locations where bugs have been reported.

Definition at line 319 of file AEDetector.h.

◆ extAPIBufOverflowCheckRules

Map<std::string, std::vector<std::pair<u32_t, u32_t> > > SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
private

Rules for checking buffer overflows in external APIs.

Definition at line 318 of file AEDetector.h.

◆ gepObjOffsetFromBase

Map<const GepObjVar*, IntervalValue> SVF::BufOverflowDetector::gepObjOffsetFromBase
private

Maps GEP objects to their offsets from the base.

Definition at line 317 of file AEDetector.h.

◆ nodeToBugInfo

Map<const ICFGNode*, std::string> SVF::BufOverflowDetector::nodeToBugInfo
private

Maps ICFG nodes to bug information.

Definition at line 321 of file AEDetector.h.

◆ recoder

SVFBugReport SVF::BufOverflowDetector::recoder
private

Recorder for abstract execution bugs.

Definition at line 320 of file AEDetector.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.9.8