cg: fix ALLOCA taint propagation for struct/union member access

When alloca'd memory stores a struct or union, lvalues that represent members in that struct or union should also be marked as pointers to alloca'd memory. Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com> Reviewed-by: Eugene Loh <eugene.loh@oracle.com> Reviewed-by: Nick Alcock <nick.alcock@oracle.com>
oracle · Jul 28, 2023 · 708a2ae · 708a2ae
1 parent 42f15d3
commit 708a2ae
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/libdtrace/dt_parser.c b/libdtrace/dt_parser.c
@@ -4015,6 +4015,10 @@ dt_cook_op2(dt_node_t *dnp, uint_t idflags)
 		if (lp->dn_flags & DT_NF_WRITABLE)
 			dnp->dn_flags |= DT_NF_WRITABLE;
 
+		/* Transfer alloca taint. */
+		if (lp->dn_flags & DT_NF_ALLOCA)
+			dt_cook_taint_alloca(dnp, NULL, lp);
+
 		if (xflags && (kind == CTF_K_POINTER ||
 		    (dnp->dn_flags & DT_NF_REF)))
 			dnp->dn_flags |= DT_NF_USERLAND;

diff --git a/test/unittest/codegen/tst.alloca-taint-sou-access.d b/test/unittest/codegen/tst.alloca-taint-sou-access.d
@@ -0,0 +1,24 @@
+/*
+ * Oracle Linux DTrace.
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * Licensed under the Universal Permissive License v 1.0 as shown at
+ * http://oss.oracle.com/licenses/upl.
+ */
+
+/*
+ * Check that ALLOCA annotations are propagated correctly across structure
+ * member dereferences.
+ */
+
+BEGIN
+{
+	ptr = (struct in6_addr *)alloca(sizeof(struct in6_addr));
+	ptr->in6_u.u6_addr8[0] = 0x42;
+
+	exit(0);
+}
+
+ERROR
+{
+	exit(1);
+}