Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for the detection of CWE-562 #1243

Open
mrstanb opened this issue Nov 8, 2023 · 4 comments
Open

Add support for the detection of CWE-562 #1243

mrstanb opened this issue Nov 8, 2023 · 4 comments
Assignees
@mrstanb
Labels
feature

Comments

@mrstanb
Copy link
Member

mrstanb commented Nov 8, 2023

CWE-562 is concerned with the issue of returning an address of a stack variable.

Here's a minimal example of a program that has a CWE-562 weakness:

char *cwe562() {
  char *str;
  return str;
}

I'm not sure if there are any SV-COMP Memory Safety cases for this CWE number (most likely not, at least from what I recall). Nonetheless, I think it'd be useful to have a detection mechanism in Goblint for this type of weakness. In addition, it could potentially be even brought into SV-COMP's Memory Safety category if it'd make sense.

I'll make sure to open a separate PR for this soon.
@mrstanb mrstanb added the feature label Nov 8, 2023
@mrstanb mrstanb self-assigned this Nov 8, 2023
@sim642
Copy link
Member

sim642 commented Nov 9, 2023

In terms of SV-COMP, I think the act of returning such address wouldn't be considered a violation, but if it is then dereferenced, it would be an invalid dereference.

@mrstanb
Copy link
Member Author

mrstanb commented Nov 11, 2023

In terms of SV-COMP, I think the act of returning such address wouldn't be considered a violation, but if it is then dereferenced, it would be an invalid dereference.

Yes, absolutely. I think in relation to this, we could try to flag such returned memory in some way, so that whenever it's used we could directly flag the use as an invalid one. (Although, thinking about it, we might not need an extra flag, because we could just check if the memory has an address that is not pointing to something local or global and be done with it)

@mrstanb mrstanb mentioned this issue Nov 20, 2023
Closed
@mrstanb
Copy link
Member Author

mrstanb commented Dec 1, 2023

Yes, absolutely. I think in relation to this, we could try to flag such returned memory in some way, so that whenever it's used we could directly flag the use as an invalid one. (Although, thinking about it, we might not need an extra flag, because we could just check if the memory has an address that is not pointing to something local or global and be done with it)

We already have a check for such invalid dereferences which was implemented back during my thesis. So even in terms of SV-COMP, we should be safe here.

@jerhard
Copy link
Member

jerhard commented Jul 23, 2024

Following a dicussion at Gobcon, I closed the PR #1256. We might look again at implementing this when having a look at the escaping of variables, for this see #1544, #1491.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mrstanb mrstanb

Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sim642 @jerhard @mrstanb