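//=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines basic, non-domain-specific mechanisms for tracking tainted values.
//
//===----------------------------------------------------------------------===//

#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

// std::vector is part of this header's own interface (getTaintedSymbols), so
// include it directly instead of relying on a transitive include.
#include <vector>

namespace clang {
namespace ento {
namespace taint {

/// The type of taint, which helps to differentiate between different types of
/// taint.
using TaintTagType = unsigned;

/// The default tag: every function below that takes a defaulted \c Kind uses
/// this value when the caller does not pass one.
static constexpr TaintTagType TaintTagGeneric = 0;

// The addTaint / removeTaint / addPartialTaint functions hand back a state
// instead of changing \p State through the reference they are given. They are
// [[nodiscard]] because a caller that drops the returned state has recorded
// nothing: the taint mark (or its removal) exists only in the returned state.

/// Create a new state in which the value of the statement is marked as tainted.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
                                       const LocationContext *LCtx,
                                       TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the value is marked as tainted.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V,
                                       TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the symbol is marked as tainted.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
                                       TaintTagType Kind = TaintTagGeneric);

/// Create a new state in which the pointer represented by the region
/// is marked as tainted.
[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State,
                                       const MemRegion *R,
                                       TaintTagType Kind = TaintTagGeneric);

// The removeTaint overloads take no Kind argument, unlike addTaint.
// NOTE(review): what exactly is cleared (for example whether taint added with
// addPartialTaint on a sub-region is removed too, and how a value or region
// without a symbol is handled) is decided in Taint.cpp; confirm it there
// before modelling a sanitizer on top of these.

/// Counterpart of addTaint for a value: returns the state to continue with
/// once the taint mark on \p V is removed.
[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V);

/// Counterpart of addTaint for the pointer represented by a region.
[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State,
                                          const MemRegion *R);

/// Counterpart of addTaint for a symbol.
[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym);

/// Create a new state in which a sub-region of a given symbol is tainted.
/// This might be necessary when referring to regions that cannot have an
/// individual symbol, e.g. if they are represented by the default binding of
/// a LazyCompoundVal.
[[nodiscard]] ProgramStateRef
addPartialTaint(ProgramStateRef State, SymbolRef ParentSym,
                const SubRegion *SubRegion,
                TaintTagType Kind = TaintTagGeneric);

/// Check if the statement has a tainted value in the given state.
bool isTainted(ProgramStateRef State, const Stmt *S,
               const LocationContext *LCtx,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the value is tainted in the given state.
bool isTainted(ProgramStateRef State, SVal V,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the symbol is tainted in the given state.
bool isTainted(ProgramStateRef State, SymbolRef Sym,
               TaintTagType Kind = TaintTagGeneric);

/// Check if the pointer represented by the region is tainted in the given
/// state.
bool isTainted(ProgramStateRef State, const MemRegion *Reg,
               TaintTagType Kind = TaintTagGeneric);

/// Returns the tainted Symbols for a given Statement and state.
std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, const Stmt *S,
                                         const LocationContext *LCtx,
                                         TaintTagType Kind = TaintTagGeneric);

/// Returns the tainted Symbols for a given SVal and state.
std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SVal V,
                                         TaintTagType Kind = TaintTagGeneric);

/// Returns the tainted Symbols for a SymbolRef and state.
std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SymbolRef Sym,
                                         TaintTagType Kind = TaintTagGeneric);

/// Returns the tainted (index, super/sub region, symbolic region) symbols
/// for a given memory region.
std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State,
                                         const MemRegion *Reg,
                                         TaintTagType Kind = TaintTagGeneric);

// The getTaintedSymbolsImpl overloads mirror the four getTaintedSymbols
// signatures, but Kind has no default here and there is an extra
// returnFirstOnly flag.
// NOTE(review): returnFirstOnly presumably lets a yes/no query stop at the
// first tainted symbol instead of collecting all of them, and these look like
// the shared implementation behind isTainted / getTaintedSymbols; confirm in
// Taint.cpp. Checker code would normally go through the overloads above.

/// Statement variant of the implementation helper.
std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
                                             const Stmt *S,
                                             const LocationContext *LCtx,
                                             TaintTagType Kind,
                                             bool returnFirstOnly);

/// SVal variant of the implementation helper.
std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, SVal V,
                                             TaintTagType Kind,
                                             bool returnFirstOnly);

/// SymbolRef variant of the implementation helper.
std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
                                             SymbolRef Sym, TaintTagType Kind,
                                             bool returnFirstOnly);

/// MemRegion variant of the implementation helper.
std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
                                             const MemRegion *Reg,
                                             TaintTagType Kind,
                                             bool returnFirstOnly);

/// Print the taint information held in \p State to \p Out.
/// NOTE(review): \p nl and \p sep are presumably the line terminator and the
/// separator used between entries; confirm against Taint.cpp.
void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
                const char *sep = "");

/// Debugging aid (LLVM_DUMP_METHOD): dump the taint information of \p State.
LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
} // namespace taint
} // namespace ento
} // namespace clang

#endif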