Static Value-Flow Analysis
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Private Member Functions | Private Attributes | Friends | List of all members
SVF::BufOverflowDetector Class Reference

Detector for identifying buffer overflow issues. More...

#include <AEDetector.h>

Inheritance diagram for SVF::BufOverflowDetector:
SVF::AEDetector

Public Member Functions

 BufOverflowDetector ()
 Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.
 
 ~BufOverflowDetector ()=default
 Destructor.
 
void updateGepObjOffsetFromBase (AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
 Updates the offset of a GEP object from its base.
 
void detect (AbstractState &as, const ICFGNode *)
 Detect buffer overflow issues within a node.
 
void handleStubFunctions (const CallICFGNode *)
 Handles external API calls related to buffer overflow detection.
 
void addToGepObjOffsetFromBase (const GepObjVar *obj, const IntervalValue &offset)
 Adds an offset to a GEP object.
 
bool hasGepObjOffsetFromBase (const GepObjVar *obj) const
 Checks if a GEP object has an associated offset.
 
IntervalValue getGepObjOffsetFromBase (const GepObjVar *obj) const
 Retrieves the offset of a GEP object from its base.
 
IntervalValue getAccessOffset (AbstractState &as, NodeID objId, const GepStmt *gep)
 Retrieves the access offset for a given object and GEP statement.
 
void addBugToReporter (const AEException &e, const ICFGNode *node)
 Adds a bug to the reporter based on an exception.
 
void reportBug ()
 Reports all detected buffer overflow bugs.
 
void initExtAPIBufOverflowCheckRules ()
 Initializes external API buffer overflow check rules.
 
void detectExtAPI (AbstractState &as, const CallICFGNode *call)
 Handles external API calls related to buffer overflow detection.
 
bool canSafelyAccessMemory (AbstractState &as, const SVFVar *value, const IntervalValue &len)
 Checks if memory can be safely accessed.
 
- Public Member Functions inherited from SVF::AEDetector
 AEDetector ()
 Constructor initializes the detector kind to UNKNOWN.
 
virtual ~AEDetector ()=default
 Virtual destructor for safe polymorphic use.
 
DetectorKind getKind () const
 Get the kind of the detector.
 

Static Public Member Functions

static bool classof (const AEDetector *detector)
 Check if the detector is of the BUF_OVERFLOW kind.
 
- Static Public Member Functions inherited from SVF::AEDetector
static bool classof (const AEDetector *detector)
 Check if the detector is of the UNKNOWN kind.
 

Private Member Functions

bool detectStrcat (AbstractState &as, const CallICFGNode *call)
 Detects buffer overflow in 'strcat' function calls.
 
bool detectStrcpy (AbstractState &as, const CallICFGNode *call)
 Detects buffer overflow in 'strcpy' function calls.
 

Private Attributes

Map< const GepObjVar *, IntervalValuegepObjOffsetFromBase
 Maps GEP objects to their offsets from the base.
 
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
 Rules for checking buffer overflows in external APIs.
 
Set< std::string > bugLoc
 Set of locations where bugs have been reported.
 
SVFBugReport recoder
 Recorder for abstract execution bugs.
 
Map< const ICFGNode *, std::string > nodeToBugInfo
 Maps ICFG nodes to bug information.
 

Friends

class AbstractInterpretation
 

Additional Inherited Members

- Public Types inherited from SVF::AEDetector
enum  DetectorKind { BUF_OVERFLOW , UNKNOWN }
 Enumerates the types of detectors available. More...
 
- Protected Attributes inherited from SVF::AEDetector
DetectorKind kind
 The kind of the detector.
 

Detailed Description

Detector for identifying buffer overflow issues.

Definition at line 133 of file AEDetector.h.

Constructor & Destructor Documentation

◆ BufOverflowDetector()

SVF::BufOverflowDetector::BufOverflowDetector ( )
inline

Constructor initializes the detector kind to BUF_OVERFLOW and sets up external API buffer overflow rules.

Definition at line 140 of file AEDetector.h.

141 {
142 kind = BUF_OVERFLOW;
143 initExtAPIBufOverflowCheckRules();
144 }
SVF::AEDetector::BUF_OVERFLOW
@ BUF_OVERFLOW
Detector for buffer overflow issues.
Definition AEDetector.h:47
SVF::AEDetector::kind
DetectorKind kind
The kind of the detector.
Definition AEDetector.h:99
SVF::BufOverflowDetector::initExtAPIBufOverflowCheckRules
void initExtAPIBufOverflowCheckRules()
Initializes external API buffer overflow check rules.
Definition AEDetector.cpp:185

◆ ~BufOverflowDetector()

SVF::BufOverflowDetector::~BufOverflowDetector ( )
default

Destructor.

Member Function Documentation

◆ addBugToReporter()

void SVF::BufOverflowDetector::addBugToReporter ( const AEException e,
const ICFGNode node 
)
inline

Adds a bug to the reporter based on an exception.

Parameters
eThe exception that was thrown.
nodePointer to the ICFG node where the bug was detected.

Definition at line 232 of file AEDetector.h.

233 {
234
235 GenericBug::EventStack eventStack;
236 SVFBugEvent sourceInstEvent(SVFBugEvent::EventType::SourceInst, node);
237 eventStack.push_back(sourceInstEvent); // Add the source instruction event to the event stack
238
239 if (eventStack.empty())
240 {
241 return; // If the event stack is empty, return early
242 }
243
244 std::string loc = eventStack.back().getEventLoc(); // Get the location of the last event in the stack
245
246 // Check if the bug at this location has already been reported
247 if (bugLoc.find(loc) != bugLoc.end())
248 {
249 return; // If the bug location is already reported, return early
250 }
251 else
252 {
253 bugLoc.insert(loc); // Otherwise, mark this location as reported
254 }
255
256 // Add the bug to the recorder with details from the event stack
257 recoder.addAbsExecBug(GenericBug::FULLBUFOVERFLOW, eventStack, 0, 0, 0, 0);
258 nodeToBugInfo[node] = e.what(); // Record the exception information for the node
259 }
SVF::BufOverflowDetector::recoder
SVFBugReport recoder
Recorder for abstract execution bugs.
Definition AEDetector.h:320
SVF::BufOverflowDetector::bugLoc
Set< std::string > bugLoc
Set of locations where bugs have been reported.
Definition AEDetector.h:319
SVF::BufOverflowDetector::nodeToBugInfo
Map< const ICFGNode *, std::string > nodeToBugInfo
Maps ICFG nodes to bug information.
Definition AEDetector.h:321
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::SVFBugReport::addAbsExecBug
void addAbsExecBug(GenericBug::BugType bugType, const GenericBug::EventStack &eventStack, s64_t allocLowerBound, s64_t allocUpperBound, s64_t accessLowerBound, s64_t accessUpperBound)
Definition SVFBugReport.h:367
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74

◆ addToGepObjOffsetFromBase()

void SVF::BufOverflowDetector::addToGepObjOffsetFromBase ( const GepObjVar obj,
const IntervalValue offset 
)
inline

Adds an offset to a GEP object.

Parameters
objPointer to the GEP object.
offsetThe interval value of the offset.

Definition at line 190 of file AEDetector.h.

191 {
192 gepObjOffsetFromBase[obj] = offset;
193 }
offset
buffer offset
Definition cJSON.cpp:1113
SVF::BufOverflowDetector::gepObjOffsetFromBase
Map< const GepObjVar *, IntervalValue > gepObjOffsetFromBase
Maps GEP objects to their offsets from the base.
Definition AEDetector.h:317

◆ canSafelyAccessMemory()

bool BufOverflowDetector::canSafelyAccessMemory ( AbstractState as,
const SVFVar value,
const IntervalValue len 
)

Checks if memory can be safely accessed.

Checks if a memory access is safe given a specific buffer length.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

This function ensures that a given memory access, starting at a specific value, does not exceed the allocated size of the buffer.

Parameters
asReference to the abstract state.
valuePointer to the SVF var.
lenThe interval value representing the length of the memory access.
Returns
True if the memory access is safe, false otherwise.

Definition at line 455 of file AEDetector.cpp.

456{
457 SVFIR* svfir = PAG::getPAG();
458 NodeID value_id = value->getId();
459
460 assert(as[value_id].isAddr());
461 for (const auto& addr : as[value_id].getAddrs())
462 {
463 NodeID objId = AbstractState::getInternalID(addr);
464 u32_t size = 0;
465
466 // if the object is a constant size object, get the size directly
467 if (svfir->getBaseObject(objId)->isConstantByteSize())
468 {
469 size = svfir->getBaseObject(objId)->getByteSizeOfObj();
470 }
471 else
472 {
473 // if the object is not a constant size object, get the size from the addrStmt
474 const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
475 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
476 {
477 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
478 {
479 size = as.getAllocaInstByteSize(addrStmt);
480 }
481 }
482 }
483
484 IntervalValue offset(0);
485 // if the object is a GepObjVar, get the offset from the base object
486 if (SVFUtil::isa<GepObjVar>(svfir->getGNode(objId)))
487 {
488 offset = getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(svfir->getGNode(objId))) + len;
489 }
490 else
491 {
492 // if the object is a BaseObjVar, get the offset directly
493 offset = len;
494 }
495 // if the offset is greater than the size, return false
496 if (offset.ub().getIntNumeral() >= size)
497 {
498 return false;
499 }
500 }
501 return true;
502}
u32_t
unsigned u32_t
Definition CommandLine.h:18
SVF::AbstractState::getInternalID
static u32_t getInternalID(u32_t idx)
Return the internal index if idx is an address otherwise return the value of idx.
Definition AbstractState.h:114
SVF::BaseObjVar::getICFGNode
const ICFGNode * getICFGNode() const
Get the ICFGNode related to the creation of this object.
Definition SVFVariables.h:573
SVF::BaseObjVar::isConstantByteSize
bool isConstantByteSize() const
Check if byte size is a const value.
Definition SVFVariables.h:646
SVF::BaseObjVar::getByteSizeOfObj
u32_t getByteSizeOfObj() const
Get the byte size of this object.
Definition SVFVariables.h:640
SVF::BufOverflowDetector::getGepObjOffsetFromBase
IntervalValue getGepObjOffsetFromBase(const GepObjVar *obj) const
Retrieves the offset of a GEP object from its base.
Definition AEDetector.h:210
SVF::GenericGraph::getGNode
NodeType * getGNode(NodeID id) const
Get a node.
Definition GenericGraph.h:403
SVF::SVFIR::getBaseObject
const BaseObjVar * getBaseObject(NodeID id) const
Definition SVFIR.h:423
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:116
SVF::SVFValue::getId
NodeID getId() const
Get ID.
Definition SVFValue.h:158
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56

◆ classof()

static bool SVF::BufOverflowDetector::classof ( const AEDetector detector)
inlinestatic

Check if the detector is of the BUF_OVERFLOW kind.

Parameters
detectorPointer to the detector.
Returns
True if the detector is of type BUF_OVERFLOW, false otherwise.

Definition at line 156 of file AEDetector.h.

157 {
158 return detector->getKind() == AEDetector::BUF_OVERFLOW;
159 }

◆ detect()

void BufOverflowDetector::detect ( AbstractState as,
const ICFGNode node 
)
virtual

Detect buffer overflow issues within a node.

Detects buffer overflow issues within a given ICFG node.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

This function handles both non-call nodes, where it analyzes GEP (GetElementPtr) instructions for potential buffer overflows, and call nodes, where it checks for external API calls that may cause overflows.

Parameters
asReference to the abstract state.
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 44 of file AEDetector.cpp.

45{
46 if (!SVFUtil::isa<CallICFGNode>(node))
47 {
48 // Handle non-call nodes by analyzing GEP instructions
49 for (const SVFStmt* stmt : node->getSVFStmts())
50 {
51 if (const GepStmt* gep = SVFUtil::dyn_cast<GepStmt>(stmt))
52 {
53 SVFIR* svfir = PAG::getPAG();
54 NodeID lhs = gep->getLHSVarID();
55 NodeID rhs = gep->getRHSVarID();
56
57 // Update the GEP object offset from its base
58 updateGepObjOffsetFromBase(as[lhs].getAddrs(), as[rhs].getAddrs(), as.getByteOffset(gep));
59
60 IntervalValue baseObjSize = IntervalValue::bottom();
61 AddressValue objAddrs = as[gep->getRHSVarID()].getAddrs();
62 for (const auto& addr : objAddrs)
63 {
64 NodeID objId = AbstractState::getInternalID(addr);
65 u32_t size = 0;
66
67 if (svfir->getBaseObject(objId)->isConstantByteSize())
68 {
69 size = svfir->getBaseObject(objId)->getByteSizeOfObj();
70 }
71 else
72 {
73 const ICFGNode* addrNode = svfir->getBaseObject(objId)->getICFGNode();
74 for (const SVFStmt* stmt2 : addrNode->getSVFStmts())
75 {
76 if (const AddrStmt* addrStmt = SVFUtil::dyn_cast<AddrStmt>(stmt2))
77 {
78 size = as.getAllocaInstByteSize(addrStmt);
79 }
80 }
81 }
82
83 // Calculate access offset and check for potential overflow
84 IntervalValue accessOffset = getAccessOffset(as, objId, gep);
85 if (accessOffset.ub().getIntNumeral() >= size)
86 {
87 AEException bug(stmt->toString());
88 addBugToReporter(bug, stmt->getICFGNode());
89 }
90 }
91 }
92 }
93 }
94 else
95 {
96 // Handle call nodes by checking for external API calls
97 const CallICFGNode* callNode = SVFUtil::cast<CallICFGNode>(node);
98 if (SVFUtil::isExtCall(callNode->getCalledFunction()))
99 {
100 detectExtAPI(as, callNode);
101 }
102 }
103}
SVF::AEException
Exception class for handling errors in Abstract Execution.
Definition AEDetector.h:107
SVF::BufOverflowDetector::getAccessOffset
IntervalValue getAccessOffset(AbstractState &as, NodeID objId, const GepStmt *gep)
Retrieves the access offset for a given object and GEP statement.
Definition AEDetector.cpp:313
SVF::BufOverflowDetector::updateGepObjOffsetFromBase
void updateGepObjOffsetFromBase(AddressValue gepAddrs, AddressValue objAddrs, IntervalValue offset)
Updates the offset of a GEP object from its base.
Definition AEDetector.cpp:345
SVF::BufOverflowDetector::detectExtAPI
void detectExtAPI(AbstractState &as, const CallICFGNode *call)
Handles external API calls related to buffer overflow detection.
Definition AEDetector.cpp:219
SVF::BufOverflowDetector::addBugToReporter
void addBugToReporter(const AEException &e, const ICFGNode *node)
Adds a bug to the reporter based on an exception.
Definition AEDetector.h:232
SVF::IntervalValue::bottom
static IntervalValue bottom()
Create the bottom IntervalValue [+inf, -inf].
Definition IntervalValue.h:100
SVF::SVFUtil::isExtCall
bool isExtCall(const FunObjVar *fun)
Definition SVFUtil.cpp:437

◆ detectExtAPI()

void BufOverflowDetector::detectExtAPI ( AbstractState as,
const CallICFGNode call 
)

Handles external API calls related to buffer overflow detection.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

This function checks the type of external memory API (e.g., memcpy, memset, strcpy, strcat) and applies the corresponding buffer overflow checks based on predefined rules.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.

Definition at line 219 of file AEDetector.cpp.

221{
222 assert(call->getCalledFunction() && "FunObjVar* is nullptr");
223
224 AbsExtAPI::ExtAPIType extType = AbsExtAPI::UNCLASSIFIED;
225
226 // Determine the type of external memory API
227 for (const std::string &annotation : ExtAPI::getExtAPI()->getExtFuncAnnotations(call->getCalledFunction()))
228 {
229 if (annotation.find("MEMCPY") != std::string::npos)
230 extType = AbsExtAPI::MEMCPY;
231 if (annotation.find("MEMSET") != std::string::npos)
232 extType = AbsExtAPI::MEMSET;
233 if (annotation.find("STRCPY") != std::string::npos)
234 extType = AbsExtAPI::STRCPY;
235 if (annotation.find("STRCAT") != std::string::npos)
236 extType = AbsExtAPI::STRCAT;
237 }
238
239 // Apply buffer overflow checks based on the determined API type
240 if (extType == AbsExtAPI::MEMCPY)
241 {
242 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
243 {
244 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
245 return;
246 }
247 std::vector<std::pair<u32_t, u32_t>> args =
248 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
249 for (auto arg : args)
250 {
251 IntervalValue offset = as[call->getArgument(arg.second)->getId()].getInterval() - IntervalValue(1);
252 const SVFVar* argVar = call->getArgument(arg.first);
253 if (!canSafelyAccessMemory(as, argVar, offset))
254 {
255 AEException bug(call->toString());
256 addBugToReporter(bug, call);
257 }
258 }
259 }
260 else if (extType == AbsExtAPI::MEMSET)
261 {
262 if (extAPIBufOverflowCheckRules.count(call->getCalledFunction()->getName()) == 0)
263 {
264 SVFUtil::errs() << "Warning: " << call->getCalledFunction()->getName() << " is not in the rules, please implement it\n";
265 return;
266 }
267 std::vector<std::pair<u32_t, u32_t>> args =
268 extAPIBufOverflowCheckRules.at(call->getCalledFunction()->getName());
269 for (auto arg : args)
270 {
271 IntervalValue offset = as[call->getArgument(arg.second)->getId()].getInterval() - IntervalValue(1);
272 const SVFVar* argVar = call->getArgument(arg.first);
273 if (!canSafelyAccessMemory(as, argVar, offset))
274 {
275 AEException bug(call->toString());
276 addBugToReporter(bug, call);
277 }
278 }
279 }
280 else if (extType == AbsExtAPI::STRCPY)
281 {
282 if (!detectStrcpy(as, call))
283 {
284 AEException bug(call->toString());
285 addBugToReporter(bug, call);
286 }
287 }
288 else if (extType == AbsExtAPI::STRCAT)
289 {
290 if (!detectStrcat(as, call))
291 {
292 AEException bug(call->toString());
293 addBugToReporter(bug, call);
294 }
295 }
296 else
297 {
298 // Handle other cases
299 }
300}
SVF::AbsExtAPI::ExtAPIType
ExtAPIType
Enumeration of external API types.
Definition AbsExtAPI.h:52
SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
Map< std::string, std::vector< std::pair< u32_t, u32_t > > > extAPIBufOverflowCheckRules
Rules for checking buffer overflows in external APIs.
Definition AEDetector.h:318
SVF::BufOverflowDetector::detectStrcpy
bool detectStrcpy(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcpy' function calls.
Definition AEDetector.cpp:396
SVF::BufOverflowDetector::detectStrcat
bool detectStrcat(AbstractState &as, const CallICFGNode *call)
Detects buffer overflow in 'strcat' function calls.
Definition AEDetector.cpp:414
SVF::BufOverflowDetector::canSafelyAccessMemory
bool canSafelyAccessMemory(AbstractState &as, const SVFVar *value, const IntervalValue &len)
Checks if memory can be safely accessed.
Definition AEDetector.cpp:455
SVF::CallICFGNode::toString
const std::string toString() const override
Definition ICFG.cpp:139
SVF::CallICFGNode::getArgument
const ValVar * getArgument(u32_t ArgNo) const
Parameter operations.
Definition ICFGNode.h:494
SVF::CallICFGNode::getCalledFunction
const FunObjVar * getCalledFunction() const
Definition ICFGNode.h:512
SVF::SVFValue::getName
virtual const std::string & getName() const
Definition SVFValue.h:184
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:58

◆ detectStrcat()

bool BufOverflowDetector::detectStrcat ( AbstractState as,
const CallICFGNode call 
)
private

Detects buffer overflow in 'strcat' function calls.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate both the existing string and the concatenated string from the source.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 414 of file AEDetector.cpp.

415{
416 const std::vector<std::string> strcatGroup = {"__strcat_chk", "strcat", "__wcscat_chk", "wcscat"};
417 const std::vector<std::string> strncatGroup = {"__strncat_chk", "strncat", "__wcsncat_chk", "wcsncat"};
418
419 if (std::find(strcatGroup.begin(), strcatGroup.end(), call->getCalledFunction()->getName()) != strcatGroup.end())
420 {
421 const SVFVar* arg0Val = call->getArgument(0);
422 const SVFVar* arg1Val = call->getArgument(1);
423 IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
424 IntervalValue strLen1 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
425 IntervalValue totalLen = strLen0 + strLen1;
426 return canSafelyAccessMemory(as, arg0Val, totalLen);
427 }
428 else if (std::find(strncatGroup.begin(), strncatGroup.end(), call->getCalledFunction()->getName()) != strncatGroup.end())
429 {
430 const SVFVar* arg0Val = call->getArgument(0);
431 const SVFVar* arg2Val = call->getArgument(2);
432 IntervalValue arg2Num = as[arg2Val->getId()].getInterval();
433 IntervalValue strLen0 = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg0Val);
434 IntervalValue totalLen = strLen0 + arg2Num;
435 return canSafelyAccessMemory(as, arg0Val, totalLen);
436 }
437 else
438 {
439 assert(false && "Unknown strcat function, please add it to strcatGroup or strncatGroup");
440 abort();
441 }
442}
SVF::AbsExtAPI::getStrlen
IntervalValue getStrlen(AbstractState &as, const SVF::SVFVar *strValue)
Calculates the length of a string.
Definition AbsExtAPI.cpp:468
SVF::AbstractInterpretation::getAEInstance
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.h:121

◆ detectStrcpy()

bool BufOverflowDetector::detectStrcpy ( AbstractState as,
const CallICFGNode call 
)
private

Detects buffer overflow in 'strcpy' function calls.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if a buffer overflow is detected, false otherwise.

This function checks if the destination buffer can safely accommodate the source string being copied, accounting for the null terminator.

Parameters
asReference to the abstract state.
callPointer to the call ICFG node.
Returns
True if the memory access is safe, false otherwise.

Definition at line 396 of file AEDetector.cpp.

397{
398 const SVFVar* arg0Val = call->getArgument(0);
399 const SVFVar* arg1Val = call->getArgument(1);
400 IntervalValue strLen = AbstractInterpretation::getAEInstance().getUtils()->getStrlen(as, arg1Val);
401 return canSafelyAccessMemory(as, arg0Val, strLen);
402}

◆ getAccessOffset()

IntervalValue BufOverflowDetector::getAccessOffset ( SVF::AbstractState as,
SVF::NodeID  objId,
const GepStmt gep 
)

Retrieves the access offset for a given object and GEP statement.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

This function calculates the access offset for a base object or a sub-object of an aggregate object (using GEP). If the object is a dummy object, it returns a top interval value.

Parameters
asReference to the abstract state.
objIdThe ID of the object.
gepPointer to the GEP statement.
Returns
The interval value of the access offset.

Definition at line 313 of file AEDetector.cpp.

314{
315 SVFIR* svfir = PAG::getPAG();
316 auto obj = svfir->getGNode(objId);
317
318 // if the object is a BaseObjVar, return the byte offset directly
319 if (SVFUtil::isa<BaseObjVar>(obj))
320 {
321 return as.getByteOffset(gep);
322 }
323 else if (SVFUtil::isa<GepObjVar>(obj))
324 {
325 // if the object is a GepObjVar, return the offset from the base object
326 return getGepObjOffsetFromBase(SVFUtil::cast<GepObjVar>(obj)) + as.getByteOffset(gep);
327 }
328 else
329 {
330 assert(SVFUtil::isa<DummyObjVar>(obj) && "Unknown object type");
331 return IntervalValue::top();
332 }
333}
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94

◆ getGepObjOffsetFromBase()

IntervalValue SVF::BufOverflowDetector::getGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Retrieves the offset of a GEP object from its base.

Parameters
objPointer to the GEP object.
Returns
The interval value of the offset.

Definition at line 210 of file AEDetector.h.

211 {
212 if (hasGepObjOffsetFromBase(obj))
213 return gepObjOffsetFromBase.at(obj);
214 else
215 assert(false && "GepObjVar not found in gepObjOffsetFromBase");
216 }
SVF::BufOverflowDetector::hasGepObjOffsetFromBase
bool hasGepObjOffsetFromBase(const GepObjVar *obj) const
Checks if a GEP object has an associated offset.
Definition AEDetector.h:200

◆ handleStubFunctions()

void BufOverflowDetector::handleStubFunctions ( const CallICFGNode callNode)
virtual

Handles external API calls related to buffer overflow detection.

Handles stub functions within the ICFG node.

Parameters
callPointer to the call ICFG node.

This function is a placeholder for handling stub functions within the ICFG node.

Parameters
nodePointer to the ICFG node.

Implements SVF::AEDetector.

Definition at line 113 of file AEDetector.cpp.

114{
115 // get function name
116 std::string funcName = callNode->getCalledFunction()->getName();
117 if (funcName == "SAFE_BUFACCESS")
118 {
119 // void SAFE_BUFACCESS(void* data, int size);
120 AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
121 if (callNode->arg_size() < 2)
122 return;
123 AbstractState& as =
124 AbstractInterpretation::getAEInstance().getAbsStateFromTrace(
125 callNode);
126 u32_t size_id = callNode->getArgument(1)->getId();
127 IntervalValue val = as[size_id].getInterval();
128 if (val.isBottom())
129 {
130 val = IntervalValue(0);
131 assert(false && "SAFE_BUFACCESS size is bottom");
132 }
133 const SVFVar* arg0Val = callNode->getArgument(0);
134 bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
135 if (isSafe)
136 {
137 std::cout << "safe buffer access success: " << callNode->toString()
138 << std::endl;
139 return;
140 }
141 else
142 {
143 std::string err_msg = "this SAFE_BUFACCESS should be a safe access but detected buffer overflow. Pos: ";
144 err_msg += callNode->getSourceLoc();
145 std::cerr << err_msg << std::endl;
146 assert(false);
147 }
148 }
149 else if (funcName == "UNSAFE_BUFACCESS")
150 {
151 // handle other stub functions
152 //void UNSAFE_BUFACCESS(void* data, int size);
153 AbstractInterpretation::getAEInstance().checkpoints.erase(callNode);
154 if (callNode->arg_size() < 2) return;
155 AbstractState&as = AbstractInterpretation::getAEInstance().getAbsStateFromTrace(callNode);
156 u32_t size_id = callNode->getArgument(1)->getId();
157 IntervalValue val = as[size_id].getInterval();
158 if (val.isBottom())
159 {
160 assert(false && "UNSAFE_BUFACCESS size is bottom");
161 }
162 const SVFVar* arg0Val = callNode->getArgument(0);
163 bool isSafe = canSafelyAccessMemory(as, arg0Val, val);
164 if (!isSafe)
165 {
166 std::cout << "detect buffer overflow success: " << callNode->toString() << std::endl;
167 return;
168 }
169 else
170 {
171 std::string err_msg = "this UNSAFE_BUFACCESS should be a buffer overflow but not detected. Pos: ";
172 err_msg += callNode->getSourceLoc();
173 std::cerr << err_msg << std::endl;
174 assert(false);
175 }
176 }
177}
SVF::AbstractInterpretation::getAbsStateFromTrace
AbstractState & getAbsStateFromTrace(const ICFGNode *node)
Definition AbstractInterpretation.h:258
SVF::AbstractInterpretation::checkpoints
Set< const CallICFGNode * > checkpoints
Definition AbstractInterpretation.h:132

◆ hasGepObjOffsetFromBase()

bool SVF::BufOverflowDetector::hasGepObjOffsetFromBase ( const GepObjVar obj) const
inline

Checks if a GEP object has an associated offset.

Parameters
objPointer to the GEP object.
Returns
True if the GEP object has an offset, false otherwise.

Definition at line 200 of file AEDetector.h.

201 {
202 return gepObjOffsetFromBase.find(obj) != gepObjOffsetFromBase.end();
203 }

◆ initExtAPIBufOverflowCheckRules()

void BufOverflowDetector::initExtAPIBufOverflowCheckRules ( )

Initializes external API buffer overflow check rules.

This function sets up rules for various memory-related functions like memcpy, memset, etc., defining which arguments should be checked for buffer overflows.

Definition at line 185 of file AEDetector.cpp.

186{
187 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
188 extAPIBufOverflowCheckRules["llvm_memcpy_p0_p0_i64"] = {{0, 2}, {1, 2}};
189 extAPIBufOverflowCheckRules["llvm_memcpy_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
190 extAPIBufOverflowCheckRules["llvm_memcpy"] = {{0, 2}, {1, 2}};
191 extAPIBufOverflowCheckRules["llvm_memmove"] = {{0, 2}, {1, 2}};
192 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i64"] = {{0, 2}, {1, 2}};
193 extAPIBufOverflowCheckRules["llvm_memmove_p0_p0_i64"] = {{0, 2}, {1, 2}};
194 extAPIBufOverflowCheckRules["llvm_memmove_p0i8_p0i8_i32"] = {{0, 2}, {1, 2}};
195 extAPIBufOverflowCheckRules["__memcpy_chk"] = {{0, 2}, {1, 2}};
196 extAPIBufOverflowCheckRules["memmove"] = {{0, 2}, {1, 2}};
197 extAPIBufOverflowCheckRules["bcopy"] = {{0, 2}, {1, 2}};
198 extAPIBufOverflowCheckRules["memccpy"] = {{0, 3}, {1, 3}};
199 extAPIBufOverflowCheckRules["__memmove_chk"] = {{0, 2}, {1, 2}};
200 extAPIBufOverflowCheckRules["llvm_memset"] = {{0, 2}};
201 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i32"] = {{0, 2}};
202 extAPIBufOverflowCheckRules["llvm_memset_p0i8_i64"] = {{0, 2}};
203 extAPIBufOverflowCheckRules["llvm_memset_p0_i64"] = {{0, 2}};
204 extAPIBufOverflowCheckRules["__memset_chk"] = {{0, 2}};
205 extAPIBufOverflowCheckRules["wmemset"] = {{0, 2}};
206 extAPIBufOverflowCheckRules["strncpy"] = {{0, 2}, {1, 2}};
207 extAPIBufOverflowCheckRules["iconv"] = {{1, 2}, {3, 4}};
208}

◆ reportBug()

void SVF::BufOverflowDetector::reportBug ( )
inlinevirtual

Reports all detected buffer overflow bugs.

Implements SVF::AEDetector.

Definition at line 264 of file AEDetector.h.

265 {
266 if (!nodeToBugInfo.empty())
267 {
268 std::cerr << "######################Buffer Overflow (" + std::to_string(nodeToBugInfo.size())
269 + " found)######################\n";
270 std::cerr << "---------------------------------------------\n";
271 for (const auto& it : nodeToBugInfo)
272 {
273 std::cerr << it.second << "\n---------------------------------------------\n";
274 }
275 }
276 }

◆ updateGepObjOffsetFromBase()

void BufOverflowDetector::updateGepObjOffsetFromBase ( SVF::AddressValue  gepAddrs,
SVF::AddressValue  objAddrs,
SVF::IntervalValue  offset 
)

Updates the offset of a GEP object from its base.

Parameters
gepAddrsAddress value for GEP.
objAddrsAddress value for the object.
offsetThe interval value of the offset.

This function calculates and stores the offset of a GEP object from its base object using the addresses and offsets provided.

Parameters
gepAddrsThe addresses of the GEP objects.
objAddrsThe addresses of the base objects.
offsetThe interval value of the offset.

Definition at line 345 of file AEDetector.cpp.

346{
347 SVFIR* svfir = PAG::getPAG();
348
349 for (const auto& objAddr : objAddrs)
350 {
351 NodeID objId = AbstractState::getInternalID(objAddr);
352 auto obj = svfir->getGNode(objId);
353 // if the object is a BaseObjVar, add the offset directly
354 if (SVFUtil::isa<BaseObjVar>(obj))
355 {
356 for (const auto& gepAddr : gepAddrs)
357 {
358 NodeID gepObj = AbstractState::getInternalID(gepAddr);
359 const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
360 addToGepObjOffsetFromBase(gepObjVar, offset);
361 }
362 }
363 else if (SVFUtil::isa<GepObjVar>(obj))
364 {
365 // if the object is a GepObjVar, add the offset from the base object
366 const GepObjVar* objVar = SVFUtil::cast<GepObjVar>(obj);
367 for (const auto& gepAddr : gepAddrs)
368 {
369 NodeID gepObj = AbstractState::getInternalID(gepAddr);
370 const GepObjVar* gepObjVar = SVFUtil::cast<GepObjVar>(svfir->getGNode(gepObj));
371 if (hasGepObjOffsetFromBase(objVar))
372 {
373 IntervalValue objOffsetFromBase = getGepObjOffsetFromBase(objVar);
374 if (!hasGepObjOffsetFromBase(gepObjVar))
375 addToGepObjOffsetFromBase(gepObjVar, objOffsetFromBase + offset);
376 }
377 else
378 {
379 assert(false && "GEP RHS object has no offset from base");
380 }
381 }
382 }
383 }
384}
SVF::BufOverflowDetector::addToGepObjOffsetFromBase
void addToGepObjOffsetFromBase(const GepObjVar *obj, const IntervalValue &offset)
Adds an offset to a GEP object.
Definition AEDetector.h:190

Friends And Related Symbol Documentation

◆ AbstractInterpretation

friend class AbstractInterpretation
friend

Definition at line 135 of file AEDetector.h.

Member Data Documentation

◆ bugLoc

Set<std::string> SVF::BufOverflowDetector::bugLoc
private

Set of locations where bugs have been reported.

Definition at line 319 of file AEDetector.h.

◆ extAPIBufOverflowCheckRules

Map<std::string, std::vector<std::pair<u32_t, u32_t> > > SVF::BufOverflowDetector::extAPIBufOverflowCheckRules
private

Rules for checking buffer overflows in external APIs.

Definition at line 318 of file AEDetector.h.

◆ gepObjOffsetFromBase

Map<const GepObjVar*, IntervalValue> SVF::BufOverflowDetector::gepObjOffsetFromBase
private

Maps GEP objects to their offsets from the base.

Definition at line 317 of file AEDetector.h.

◆ nodeToBugInfo

Map<const ICFGNode*, std::string> SVF::BufOverflowDetector::nodeToBugInfo
private

Maps ICFG nodes to bug information.

Definition at line 321 of file AEDetector.h.

◆ recoder

SVFBugReport SVF::BufOverflowDetector::recoder
private

Recorder for abstract execution bugs.

Definition at line 320 of file AEDetector.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.9.8