Add taint offset and fix

mamaria-k · mamaria-k · commit 6f84441b47ca · 2024-06-10T15:02:23.000+03:00
diff --git a/configs/annotations.json b/configs/annotations.json
@@ -268,9 +268,6 @@
       [
         "TaintSink::FormatString",
         "TaintSink::SensitiveDataLeak"
-      ],
-      [
-        "TaintSink::SensitiveDataLeak"
       ]
     ],
     "properties": []
@@ -2337,5 +2334,16 @@
       ]
     ],
     "properties": []
+  },
+  "vprintf_s": {
+    "name": "vprintf_s",
+    "annotation": [
+      [],
+      [],
+      [
+        "TaintSink::FormatString"
+      ]
+    ],
+    "properties": []
   }
 }
diff --git a/include/klee/Expr/Expr.h b/include/klee/Expr/Expr.h
@@ -1739,7 +1739,7 @@ class PointerExpr : public NonConstantExpr {
 
   bool isKnownValue() const { return getBase()->isZero(); }
 
-  ref<ConstantExpr> combineTaints(const ref<PointerExpr> &RHS) {
+  ref<Expr> combineTaints(const ref<PointerExpr> &RHS) {
     return Expr::combineTaints(getTaint(), RHS->getTaint());
   }
 
diff --git a/lib/Core/SpecialFunctionHandler.cpp b/lib/Core/SpecialFunctionHandler.cpp
@@ -1300,8 +1300,15 @@ void SpecialFunctionHandler::handleAddTaint(klee::ExecutionState &state,
 
   uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
 //  printf("klee_add_taint source: %zu\n", taintSource);
-  executor.executeChangeTaintSource(
-      state, target, executor.makePointer(arguments[0]), taintSource, true);
+
+  ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
+  if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
+    if (p->isKnownValue()) {
+      pointer =
+          PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
+    }
+  }
+  executor.executeChangeTaintSource(state, target, pointer, taintSource, true);
 }
 
 void SpecialFunctionHandler::handleClearTaint(
@@ -1316,8 +1323,15 @@ void SpecialFunctionHandler::handleClearTaint(
 
   uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
 //  printf("klee_clear_taint source: %zu\n", taintSource);
-  executor.executeChangeTaintSource(
-      state, target, executor.makePointer(arguments[0]), taintSource, false);
+
+  ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
+  if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
+    if (p->isKnownValue()) {
+      pointer =
+          PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
+    }
+  }
+  executor.executeChangeTaintSource(state, target, pointer, taintSource, false);
 }
 
 void SpecialFunctionHandler::handleCheckTaintSource(
@@ -1332,8 +1346,15 @@ void SpecialFunctionHandler::handleCheckTaintSource(
 
   uint64_t taintSource = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
 //  printf("klee_check_taint_source source: %zu\n", taintSource);
-  executor.executeCheckTaintSource(
-      state, target, executor.makePointer(arguments[0]), taintSource);
+
+  ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
+  if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
+    if (p->isKnownValue()) {
+      pointer =
+          PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
+    }
+  }
+  executor.executeCheckTaintSource(state, target, pointer, taintSource);
 }
 
 void SpecialFunctionHandler::handleGetTaintHits(
@@ -1348,8 +1369,15 @@ void SpecialFunctionHandler::handleGetTaintHits(
 
   uint64_t taintSink = dyn_cast<ConstantExpr>(arguments[1])->getZExtValue();
 //  printf("klee_get_taint_hits sink: %zu\n", taintSink);
-  executor.executeGetTaintHits(state, target,
-                               executor.makePointer(arguments[0]), taintSink);
+
+  ref<PointerExpr> pointer = executor.makePointer(arguments[0]);
+  if (auto *p = dyn_cast<PointerExpr>(arguments[0])) {
+    if (p->isKnownValue()) {
+      pointer =
+          PointerExpr::create(p->getValue(), p->getValue(), p->getTaint());
+    }
+  }
+  executor.executeGetTaintHits(state, target, pointer, taintSink);
 }
 
 void SpecialFunctionHandler::handleTaintHit(klee::ExecutionState &state,
diff --git a/lib/Module/Annotation.cpp b/lib/Module/Annotation.cpp
@@ -140,10 +140,6 @@ Free::Free(const std::string &str) : Unknown(str) {
 Kind Free::getKind() const { return Kind::Free; }
 
 Taint::Taint(const std::string &str) : Unknown(str) {
-  if (!rawOffset.empty()) {
-    klee_error("Annotation Taint: Incorrect offset format, must be empty");
-  }
-
   taintType = rawValue.substr(0, rawValue.find(':'));
   // TODO: in the future, support typeless annotations (meaning all types)
   if (taintType.empty()) {
@@ -166,7 +162,7 @@ TaintOutput::TaintOutput(const std::string &str) : Taint(str) {}
 Kind TaintOutput::getKind() const { return Kind::TaintOutput; }
 
 /*
- * Format: TaintPropagation::{type}:{data}
+ * Format: TaintPropagation:{offset}:{type}:{data}
  */
 
 TaintPropagation::TaintPropagation(const std::string &str) : Taint(str) {
@@ -201,7 +197,7 @@ TaintPropagation::TaintPropagation(const std::string &str) : Taint(str) {
 Kind TaintPropagation::getKind() const { return Kind::TaintPropagation; }
 
 /*
- * Format: TaintSink::{type}
+ * Format: TaintSink:{offset}:{type}
  */
 
 TaintSink::TaintSink(const std::string &str) : Taint(str) {}

Original file line number	Diff line number	Diff line change
`@@ -268,9 +268,6 @@`
`268`	`268`	`[`
`269`	`269`	`"TaintSink::FormatString",`
`270`	`270`	`"TaintSink::SensitiveDataLeak"`
`271`		`- ],`
`272`		`- [`
`273`		`- "TaintSink::SensitiveDataLeak"`
`274`	`271`	`]`
`275`	`272`	`],`
`276`	`273`	`"properties": []`
`@@ -2337,5 +2334,16 @@`
`2337`	`2334`	`]`
`2338`	`2335`	`],`
`2339`	`2336`	`"properties": []`
	`2337`	`+ },`
	`2338`	`+ "vprintf_s": {`
	`2339`	`+ "name": "vprintf_s",`
	`2340`	`+ "annotation": [`
	`2341`	`+ [],`
	`2342`	`+ [],`
	`2343`	`+ [`
	`2344`	`+ "TaintSink::FormatString"`
	`2345`	`+ ]`
	`2346`	`+ ],`
	`2347`	`+ "properties": []`
`2340`	`2348`	`}`
`2341`	`2349`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1739,7 +1739,7 @@ class PointerExpr : public NonConstantExpr {`
`1739`	`1739`
`1740`	`1740`	`bool isKnownValue() const { return getBase()->isZero(); }`
`1741`	`1741`
`1742`		`- ref<ConstantExpr> combineTaints(const ref<PointerExpr> &RHS) {`
	`1742`	`+ ref<Expr> combineTaints(const ref<PointerExpr> &RHS) {`
`1743`	`1743`	`return Expr::combineTaints(getTaint(), RHS->getTaint());`
`1744`	`1744`	`}`
`1745`	`1745`