c - How to enable the clang static analyzer's "alpha.security.taint check" checker

Reposted. Author: 行者123. Updated: 2023-12-01 19:36:25

I am trying to run some of the examples shown in the documentation ( https://clang-analyzer.llvm.org/alpha_checks.html#security_alpha_checkers ) with the clang static analyzer (version 3.8).

I created a small C program, as follows:

// note: requires alpha.security.taint check turned on.
void test() {
    char s[] = "abc";
    int x = getchar();
    char c = s[x]; // warn: index is tainted
}

I am running the following command to analyze the code above:

/usr/lib/llvm-3.8/bin/scan-build -enable-checker alpha.security.taint.TaintPropagation clang -c example.c

The command above produces the following report:

scan-build: Using '/usr/lib/llvm-3.8/bin/clang' for static analysis
example.c:5:8: warning: Value stored to 'c' during its initialization is never read
char c = s[x]; // warn: index is tainted
^ ~~~~
1 warning generated.
scan-build: 1 bug found.
scan-build: Run 'scan-view /tmp/scan-build-2018-04-09-143549-15413-1' to examine bug reports.

I expected clang SA to flag a possible buffer overflow and buffer underflow at line 5, but it does not appear to perform taint analysis.

Can someone suggest how to enable the "alpha.security.taint" check?

Best answer

To get a warning when a tainted array index is used, you have to enable alpha.security.ArrayBoundV2 as well as alpha.security.taint.TaintPropagation:

$ ~/bld/llvm-project/build/bin/scan-build -enable-checker \
alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
gcc -c taint2.c
scan-build: Using '/home/scott/bld/llvm-project/build/bin/clang-9' for static analysis
taint2.c:6:10: warning: Value stored to 'c' during its initialization is never read
char c = s[x]; // warn: index is tainted
^ ~~~~
taint2.c:6:14: warning: Out of bound memory access (index is tainted)
char c = s[x]; // warn: index is tainted
^~~~
2 warnings generated.
scan-build: 2 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2019-09-11-204837-97704-1' to examine bug reports.

The TaintPropagation checker reports some things on its own, for example passing tainted data to system(). It also exports taint information for other checkers to use.

(I found this information mainly by reading the source code, and secondarily by trial and error. The documentation was not much help.)
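As an added example, not code from the question or the answer, the following file puts the tainted-index pattern from the question next to a bounds-checked version. The file name, the function names and the `table` array are my own choices. Running both checkers over it (`scan-build -enable-checker alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 clang -c taint_example.c`) should report "Out of bound memory access (index is tainted)" only in `lookup_unchecked()`; in `lookup_checked()` the index is constrained against the array length before use, so on the path that reaches the access the analyzer knows it is in range.

```c
/* taint_example.c (added example, not from the original post).
 * Analyze with:
 *   scan-build -enable-checker \
 *     alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
 *     clang -c taint_example.c
 */
#include <stdio.h>

static const char table[] = "abc";   /* 3 usable entries plus the NUL */

/* Mirrors the question's test(): the index comes straight from getchar(),
 * which TaintPropagation marks as tainted, and is used without any check.
 * ArrayBoundV2 reports the access as out of bound because the index is tainted. */
char lookup_unchecked(void) {
    int x = getchar();
    return table[x]; /* warn: index is tainted */
}

/* Hardened form: validate the index against the array length before use.
 * Returns the looked-up byte, or -1 for EOF or an out-of-range index.
 * The NUL terminator is deliberately excluded from the valid range. */
int lookup_checked_index(int x) {
    if (x < 0 || (size_t)x >= sizeof table - 1)
        return -1;
    return (unsigned char)table[x];
}

/* Same tainted source as lookup_unchecked(), but routed through the check.
 * On the path that indexes the array the analyzer has 0 <= x < 3, so no
 * out-of-bound report is produced. */
int lookup_checked(void) {
    int x = getchar();
    return lookup_checked_index(x);
}

int main(void) {
    int r = lookup_checked();
    if (r < 0) {
        puts("index out of range");
        return 1;
    }
    printf("%c\n", (char)r);
    return 0;
}
```

The point of the hardened version is that the fix the analyzer accepts is the same one a reviewer would ask for: the tainted value is compared against the real bound of the array it indexes, not merely cast or clamped after the fact.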

Regarding "c - How to enable the clang static analyzer's "alpha.security.taint check" checker", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49739648/
