Support variadic function calls in checked scope #1174
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We add support for calling variadic functions in checked scope. These are functions like printf, scanf, etc that take a format string and have a variable number of arguments. We implement checking of arguments to these functions. Following is a list of some important checks that we implement in checked scope for these functions: - check that the argument corresponding to the %s format specifier is a null-terminated array. - all warnings emitted by the -Wformat family of flags have been converted to errors in checked scope.
mgrang
pushed a commit
to checkedc/checkedc
that referenced
this pull request
Sep 2, 2021
checkedc/checkedc-clang#1174 added support to call variadic functions like printf/scanf, etc within checked scope. As a result, tests that check for errors if such functions are invoked in checked scope started failing. We fix one such test in this PR.
|
I realize I may have waited a little too late to post this, but I tested this PR and found several holes in the new checking. If you save the code below as #pragma CHECKED_SCOPE on
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#define TEST(_name) else if (strcmp(test_name, #_name) == 0)
int main(int argc, _Nt_array_ptr<_Nt_array_ptr<char>> argv : count(argc)) {
_Nt_array_ptr<char> test_name = argv[1];
if (!test_name) {
fprintf(stderr, "No test name specified\n");
return 1;
}
if (0) {}
TEST(percent_n) {
// Missing check that %n argument is a _Ptr.
int arr _Checked[1];
printf("hello\n%n", arr + 123456789);
}
TEST(scanf_scalar) {
// Missing check that _any_ scalar scanf argument is a _Ptr.
int arr _Checked[1];
sscanf("42", "%d", arr + 123456789);
}
TEST(printf_s_count) {
// Missing check that printf %s argument has at least count(0).
char buf _Nt_checked[1];
printf("%s", buf + 123456789);
}
TEST(scanf_p) {
// scanf reads an arbitrary _Ptr<void> via %p. The right solution here may
// be to disallow _Ptr<void>
// (https://github.com/microsoft/checkedc/issues/335). I couldn't find any
// other way to exploit %p, but that doesn't mean there isn't any.
_Ptr<void> q = 0;
sscanf("0x1", "%p", &q);
_Ptr<char> p = (_Ptr<char>)q;
(*p)++;
}
TEST(scanf_s_overflow) {
// scanf %s overflows the output buffer. I guess the compiler should require
// the format string to specify a maximum width and check it against the
// bounds of the argument?
char field _Nt_checked[10];
char input _Nt_checked[1000];
memset(input, 'x', sizeof input - 1);
sscanf(input, "%s", field);
}
else {
fprintf(stderr, "Unknown test name\n");
return 1;
}
return 0;
} |
This was referenced Sep 2, 2021
|
Thanks @mattmccutchen-cci for identifying these issues. I have filed #1178 to track these. |
mgrang
pushed a commit
to checkedc/checkedc
that referenced
this pull request
Sep 2, 2021
checkedc/checkedc-clang#1174 added support to call variadic functions like printf/scanf, etc within checked scope. As a result, tests that check for errors if such functions are invoked in checked scope started failing. We fix one such test in this PR.
This was referenced Sep 8, 2021
This was referenced Jan 15, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We add support for calling variadic functions in checked scope. These are
functions like printf, scanf, etc that take a format string and have a variable
number of arguments. We implement checking of arguments to these functions.
Following is a list of some important checks that we implement in checked scope
for these functions:
null-terminated array.
errors in checked scope.