Set annotation for elements in c struct
#12
Comments
Hi again! You're right; that's exactly how the checker works. I agree that it's probably not a great implementation of taint tracking—it would probably be a good idea to add a new rule that taints the fields of tainted structs. But just to be clear, that's a design decision: you could also decide that the tainting of struct values is distinct from the tainting of individual fields. We just haven't implemented the more sophisticated strategy yet.
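The two design choices described in this reply, modelled as a toy qualifier checker. This is an added example, not quala's code and not written by anyone in the thread. The `Type` model, the `propagate` switch and the two sample assignments are constructed for illustration, and the model assumes `TAINTED Point *tp` puts the qualifier on the pointee.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Type:
    name: str             # e.g. "int" or "Point"
    tainted: bool = False
    fields: tuple = ()    # ((field_name, Type), ...) for struct types

INT = Type("int")
POINT = Type("Point", fields=(("x", INT), ("y", INT)))

def taint(t):
    """Return the same type carrying the tainted qualifier."""
    return Type(t.name, True, t.fields)

def member_type(struct_t, field, propagate):
    """Type of the expression `p->field`.

    propagate=False: the field keeps its declared qualifier, so struct
                     taint and field taint are distinct.
    propagate=True:  fields read out of a tainted struct are tainted.
    """
    declared = dict(struct_t.fields)[field]
    if propagate and struct_t.tainted:
        return taint(declared)
    return declared

def check_assign(dst, src):
    """A tainted value flowing into an untainted slot is an error."""
    if src.tainted and not dst.tainted:
        return f"assigning tainted {src.name} to untainted {dst.name}"
    return None

def check_program(propagate):
    """Check two constructed assignments under the chosen policy."""
    tp_pointee = taint(POINT)   # models: TAINTED Point *tp
    x_pointee = taint(INT)      # models: TAINTED int *x
    return {
        "int a = *x": check_assign(INT, x_pointee),
        "int b = tp->x": check_assign(
            INT, member_type(tp_pointee, "x", propagate)),
    }
```

With `propagate=False` only the `*x` read is rejected; with `propagate=True` the `tp->x` read is rejected as well.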
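Hi, many thanks for your response.

```c
#include <stdlib.h>

/* TAINTED is the taint annotation macro used with quala. */
typedef struct {
    int x;
    int y;
} Point;

int main(void) {
    TAINTED Point *tp = malloc(sizeof(Point));
    TAINTED int *x = malloc(sizeof(int));
    tp->x = 10;  /* store through a pointer to a tainted struct */
    *x = 6;      /* store through a pointer to a tainted int */
    return 0;
}
```

The generated LLVM IR is: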
Check out IR(a) and IR(b) generated. Could you please tell me how I can make the store instruction of `p->x` annotated, just like the store instruction of `*x`, please? Many thanks for your time.
Aha; tricky! I don't have any immediate advice for you (this would take me a little too much time to sort out on my end). But I think that you might need to hack the codegen layer in clang-quala to make this work—I don't currently see a way around that.
Alright, I see.
Hi, me again.
The tainting for `struct` types is not working as I expected. I don't know if there's any misunderstanding here. Check the code below:
For my idea, both assignments (1) and (2) are illegal and cause an error assigning a tainted value to a normal variable, while in fact, only (1) causes an error and (2) is fine, because quala doesn't treat `tp->x` as a tainted value. From this test above, I may infer that quala thinks the elements in a tainted struct are not tainted.
Is this how you think the tainting should be, or, maybe you have implemented it in a wrong way?