1 //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // Defines basic, non-domain-specific mechanisms for tracking tainted values. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H 14 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H 15 16 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 18 19 namespace clang { 20 namespace ento { 21 namespace taint { 22 23 /// The type of taint, which helps to differentiate between different types of 24 /// taint. 25 using TaintTagType = unsigned; 26 27 static constexpr TaintTagType TaintTagGeneric = 0; 28 29 /// Create a new state in which the value of the statement is marked as tainted. 30 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S, 31 const LocationContext *LCtx, 32 TaintTagType Kind = TaintTagGeneric); 33 34 /// Create a new state in which the value is marked as tainted. 35 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V, 36 TaintTagType Kind = TaintTagGeneric); 37 38 /// Create a new state in which the symbol is marked as tainted. 39 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym, 40 TaintTagType Kind = TaintTagGeneric); 41 42 /// Create a new state in which the pointer represented by the region 43 /// is marked as tainted. 44 [[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, 45 const MemRegion *R, 46 TaintTagType Kind = TaintTagGeneric); 47 48 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V); 49 50 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, 51 const MemRegion *R); 52 53 [[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym); 54 55 /// Create a new state in a which a sub-region of a given symbol is tainted. 56 /// This might be necessary when referring to regions that can not have an 57 /// individual symbol, e.g. if they are represented by the default binding of 58 /// a LazyCompoundVal. 59 [[nodiscard]] ProgramStateRef 60 addPartialTaint(ProgramStateRef State, SymbolRef ParentSym, 61 const SubRegion *SubRegion, 62 TaintTagType Kind = TaintTagGeneric); 63 64 /// Check if the statement has a tainted value in the given state. 65 bool isTainted(ProgramStateRef State, const Stmt *S, 66 const LocationContext *LCtx, 67 TaintTagType Kind = TaintTagGeneric); 68 69 /// Check if the value is tainted in the given state. 70 bool isTainted(ProgramStateRef State, SVal V, 71 TaintTagType Kind = TaintTagGeneric); 72 73 /// Check if the symbol is tainted in the given state. 74 bool isTainted(ProgramStateRef State, SymbolRef Sym, 75 TaintTagType Kind = TaintTagGeneric); 76 77 /// Check if the pointer represented by the region is tainted in the given 78 /// state. 79 bool isTainted(ProgramStateRef State, const MemRegion *Reg, 80 TaintTagType Kind = TaintTagGeneric); 81 82 /// Returns the tainted Symbols for a given Statement and state. 83 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, const Stmt *S, 84 const LocationContext *LCtx, 85 TaintTagType Kind = TaintTagGeneric); 86 87 /// Returns the tainted Symbols for a given SVal and state. 88 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SVal V, 89 TaintTagType Kind = TaintTagGeneric); 90 91 /// Returns the tainted Symbols for a SymbolRef and state. 92 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SymbolRef Sym, 93 TaintTagType Kind = TaintTagGeneric); 94 95 /// Returns the tainted (index, super/sub region, symbolic region) symbols 96 /// for a given memory region. 97 std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, 98 const MemRegion *Reg, 99 TaintTagType Kind = TaintTagGeneric); 100 101 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, 102 const Stmt *S, 103 const LocationContext *LCtx, 104 TaintTagType Kind, 105 bool returnFirstOnly); 106 107 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, SVal V, 108 TaintTagType Kind, 109 bool returnFirstOnly); 110 111 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, 112 SymbolRef Sym, TaintTagType Kind, 113 bool returnFirstOnly); 114 115 std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, 116 const MemRegion *Reg, 117 TaintTagType Kind, 118 bool returnFirstOnly); 119 120 void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n", 121 const char *sep = ""); 122 123 LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State); 124 } // namespace taint 125 } // namespace ento 126 } // namespace clang 127 128 #endif 129