[DTrace-devel] [PATCH] cg: fix ALLOCA taint propagation for struct/union member access

Kris Van Hees kris.van.hees at oracle.com
Mon Jul 10 15:06:06 UTC 2023


When alloca'd memory stores a struct, lvalues that represent members in
that struct should also be marked as pointers to alloca'd memory.

Signed-off-by: Kris Van Hees <kris.van.hees at oracle.com>
---
 libdtrace/dt_parser.c                         |  4 ++++
 .../codegen/tst.alloca-taint-sou-access.d     | 24 +++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 test/unittest/codegen/tst.alloca-taint-sou-access.d

diff --git a/libdtrace/dt_parser.c b/libdtrace/dt_parser.c
index 870faaa9..beb94676 100644
--- a/libdtrace/dt_parser.c
+++ b/libdtrace/dt_parser.c
@@ -4015,6 +4015,10 @@ asgn_common:
 		if (lp->dn_flags & DT_NF_WRITABLE)
 			dnp->dn_flags |= DT_NF_WRITABLE;
 
+		/* Transfer alloca taint. */
+		if (lp->dn_flags & DT_NF_ALLOCA)
+			dt_cook_taint_alloca(dnp, NULL, lp);
+
 		if (xflags && (kind == CTF_K_POINTER ||
 		    (dnp->dn_flags & DT_NF_REF)))
 			dnp->dn_flags |= DT_NF_USERLAND;
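Review bot: the taint transfer is applied to every member access whose left operand carries DT_NF_ALLOCA, regardless of the member's own type, since it sits before the `kind == CTF_K_POINTER || (dnp->dn_flags & DT_NF_REF)` test that follows it; it is worth confirming that this is the intended treatment of a pointer-typed member stored inside alloca'd memory (the member's address is in alloca'd storage, but its value may point anywhere), and spelling that out in the comment. The `NULL` second argument to `dt_cook_taint_alloca(dnp, NULL, lp)` is also not self-explanatory next to the plain `dnp->dn_flags |= DT_NF_WRITABLE` transfer above it; a few words on what the omitted operand means here would help the next reader.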
diff --git a/test/unittest/codegen/tst.alloca-taint-sou-access.d b/test/unittest/codegen/tst.alloca-taint-sou-access.d
new file mode 100644
index 00000000..2a390a9d
--- /dev/null
+++ b/test/unittest/codegen/tst.alloca-taint-sou-access.d
@@ -0,0 +1,24 @@
+/*
+ * Oracle Linux DTrace.
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * Licensed under the Universal Permissive License v 1.0 as shown at
+ * http://oss.oracle.com/licenses/upl.
+ */
+
+/*
+ * Check that ALLOCA annotations are propagated correctly across structure
+ * member dereferences.
+ */
+
+BEGIN
+{
+	ptr = (struct in6_addr *)alloca(sizeof(struct in6_addr));
+	ptr->in6_u.u6_addr8[0] = 0x42;
+
+	exit(0);
+}
+
+ERROR
+{
+	exit(1);
+}
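Review bot: the test only checks the positive direction, that `ptr->in6_u.u6_addr8[0] = 0x42` compiles and runs without firing ERROR; nothing here verifies that the taint actually reached the member lvalue, since a build without the dt_parser.c change would pass this test just as well unless it previously produced a runtime fault. A companion negative test that lets a member pointer escape (for example storing `&ptr->in6_u.u6_addr8[0]` into a global and expecting a compile-time rejection) would pin down the new behaviour. The header comment also says "structure member dereferences" while the path exercised goes through `->`, a union member (`in6_u`) and an array subscript; given the `sou` in the file name and the struct/union wording of the subject line, the comment could say that union members and the subscript are covered too.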
-- 
2.40.1