Merge pull request #6486 from trailofbits/Henrik/taint-argv
Showing
19 changed files
with
209 additions
and
9 deletions.
@@ -0,0 +1,32 @@ | ||
#include <string> | ||
|
||
#include "polytracker/early_construct.h" | ||
#include "polytracker/polytracker.h" | ||
#include "taintdag/polytracker.h" | ||
|
||
EARLY_CONSTRUCT_EXTERN_GETTER(taintdag::PolyTracker, polytracker_tdag); | ||
|
||
namespace polytracker { | ||
|
||
void taint_argv(int argc, char *argv[]) { | ||
|
||
// The check could be done in the calling code, for performance reasons. | ||
// However this function should only ever be invoked once (from main). | ||
if (!polytracker_taint_argv) | ||
return; | ||
|
||
if (argc <= 0) { | ||
// Weird. Not much to do though. | ||
return; | ||
} | ||
|
||
auto &polyt = get_polytracker_tdag(); | ||
|
||
for (int i = 0; i < argc; ++i) { | ||
auto name = std::string{"argv["} + std::to_string(i) + "]"; | ||
// NOTE(hbrodin): Currently not tainting terminating null char. | ||
polyt.create_taint_source( | ||
name, {reinterpret_cast<uint8_t *>(argv[i]), strlen(argv[i])}); | ||
} | ||
} | ||
} // namespace polytracker |
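Review bot: `strlen` and `uint8_t` are used in the `create_taint_source` call inside the loop, but the only standard header included directly is `<string>`; add `#include <cstring>` and `#include <cstdint>` at the top so the translation unit does not depend on what the project headers happen to pull in transitively. The function also has no header comment; a short one above `void taint_argv` would help: `// Registers each argv[i] (i < argc) as a taint source named "argv[i]"; no-op unless polytracker_taint_argv is set. Terminating NUL bytes are not tainted.` The empty-string case is already fine since a zero-length source is passed through as-is.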
@@ -1,5 +1,4 @@ | ||
|
||
set(CMAKE_CXX_STANDARD 17) | ||
add_subdirectory(test) | ||
|
||
add_library(taintdag STATIC encoding.cpp fdmapping.cpp output.cpp print.cpp) |
@@ -1,5 +1,3 @@ | ||
set(CMAKE_CXX_STANDARD 17) | ||
|
||
include(CTest) | ||
include(Catch) | ||
|
||
|
@@ -0,0 +1,10 @@ | ||
#include <cstring> | ||
#include <cstdio> | ||
|
||
int main(int argc, char *argv[]) { | ||
auto f = fopen("outputfile.txt", "w"); | ||
for (int i=0;i<argc;i++) { | ||
fwrite(argv[i], strlen(argv[i]), 1, f); | ||
} | ||
fclose(f); | ||
} |
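Review bot: The `fopen` result on the first line of `main` is never checked, so if `outputfile.txt` cannot be created the `fwrite` calls operate on a null `FILE*` and the test program crashes instead of failing with a clear status. Add `if (!f) return 1;` directly after the `fopen` line; the loop and `fclose` can stay as they are. A one-line comment such as `// Test program: writes every argv[i] back-to-back (no separators) so each byte reaches a sink` would also document why no delimiter is written, which the Python test's `len(output) == len(sinks)` assertion relies on.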
@@ -0,0 +1,54 @@ | ||
import pytest | ||
|
||
from pathlib import Path | ||
from polytracker import taint_dag, ProgramTrace | ||
|
||
|
||
@pytest.fixture | ||
def set_env_vars(monkeypatch): | ||
monkeypatch.setenv("POLYTRACKER_TAINT_ARGV", "1") | ||
|
||
|
||
@pytest.mark.program_trace("test_argv.cpp", input="any") | ||
def test_argv(set_env_vars, program_trace: ProgramTrace): | ||
assert isinstance(program_trace, taint_dag.TDProgramTrace) | ||
argv0 = Path("argv[0]") | ||
argv1 = Path("argv[1]") | ||
headers = list(program_trace.tdfile.fd_headers) | ||
paths = list(map(lambda h: h[0], headers)) | ||
assert len(paths) == 3 | ||
assert argv0 in paths | ||
assert argv1 in paths | ||
|
||
sinks = list(program_trace.tdfile.sinks) | ||
|
||
with open("outputfile.txt", "r") as f: | ||
output = f.read() | ||
|
||
assert len(output) == len(sinks) | ||
|
||
last_fdidx = 0 | ||
last_offset = 0 | ||
for s in sinks: | ||
sink_fd_idx = s.fdidx | ||
label = s.label | ||
|
||
n = program_trace.tdfile.decode_node(label) | ||
# No transformation/union of argv is made | ||
assert isinstance(n, taint_dag.TDSourceNode) | ||
|
||
# If we just stepped to the next taint source, reset the offset | ||
if last_fdidx != n.idx: | ||
last_offset = 0 | ||
|
||
# First write argv[0], then argv[1], ... | ||
assert last_fdidx <= n.idx | ||
|
||
# Write argv[x], all offsets | ||
assert last_offset <= n.offset | ||
|
||
# Source file indices for argv[x] are opened before output file | ||
assert n.idx < sink_fd_idx | ||
|
||
last_offset = n.offset | ||
last_fdidx = n.idx |
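Review bot: `open("outputfile.txt", "r")` reads relative to the test process's working directory, while the traced program writes relative to its own; this only works if the `program_trace` fixture runs the binary in the same directory, which is not visible here and should be confirmed (or the path resolved from the fixture and cleaned up afterwards so a stale file from a previous run cannot affect the assertions). The `paths = list(map(lambda h: h[0], headers))` line reads more naturally as `paths = [h[0] for h in headers]`. A short docstring on `test_argv` stating the invariant would help: each output byte maps to exactly one untransformed source node, sources are consumed in argv order with non-decreasing offsets, and the argv sources are registered before the output file.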