Hello!
I’m new to LLVM and am trying to build a checker for clang. In a program like
    void doSomeThingWith(int); /* declaration added so the snippet compiles */

    void foo()
    {
        int a;
        int b;
        int c;
        int d;
        doSomeThingWith(c);
        doSomeThingWith(a);
    }
If doSomeThingWith(c) detects a problem with the value c, I want to taint variables beyond c (aka c, b and a) so that when calling doSomeThingWith(a), the function says “hey, this value is tainted but it shouldn’t”.
I did something like:
    // Region covering all stack locals of the current frame.
    const StackLocalsSpaceRegion *stackFrame =
        R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame());
    // StackLocalsSpaceRegion already is a MemRegion, so no dyn_cast is needed.
    // addTaint does not modify the state in place; it returns a new state,
    // which has to be kept and added as a transition.
    state = state->addTaint(stackFrame);
    C.addTransition(state);
in checkLocation to say “hey, I want to taint the entire stack frame”. And then, I do the check in checkPreCall with:
    if (State->isTainted(stackFrame))
      // bad
or
    #include <iostream> // for std::cout

    if (R && State->isTainted(R))
      std::cout << "Corrupted stack" << std::endl;
or
    State->isTainted(R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame()))
But when I test my checker on a buggy program, the taint checking doesn’t work. Stack frames are not the same. If I only taint MemRegions, I actually only taint a chunk of a variable (like a byte of a buffer). I can’t taint adjacent data. I can’t say for example “I can overflow a buffer by up to 12 bytes so I will taint the 12 bytes that follow that buffer, aka the three 4-byte integers that are above the buffer in the code”.
Could you please give me some help doing that? What is the proper way to taint / check the taint of the stack frame? How can I find adjacent variables? (didn’t find anything that fits in the Doxygen docs)
Thank you in advance!