Пример #1
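// Propagates taint for a load/store that goes through a tainted pointer.
//
// Model for tainted pointer is to mix all the labels from the pointer and then
// union that mix with each byte of the actual copied data. So if the pointer
// is labeled [1], [2], [3], [4], and the bytes are labeled [5], [6], [7], [8],
// we get [12345], [12346], [12347], [12348] as output taint of the load/store.
//
// shad_dest / dest / size   destination shadow and the byte range to label.
// shad_ptr / ptr / ptr_size shadow range holding the labels of the pointer.
// shad_src / src            source shadow; reads `size` bytes from `src`.
//
// A destination range that does not fit in shad_dest is treated as IO and
// skipped entirely, so nothing is recorded for it. A source range that does
// not fit in shad_src is treated as IO: it contributes no labels and every
// destination byte receives the pointer mix only.
void taint_pointer(
        FastShad *shad_dest, uint64_t dest,
        FastShad *shad_ptr, uint64_t ptr, uint64_t ptr_size,
        FastShad *shad_src, uint64_t src, uint64_t size) {
    taint_log("ptr: %s[%lx+%lx] <- %s[%lx] @ %s[%lx+%lx]\n",
            shad_dest->name(), dest, size,
            shad_src->name(), src, shad_ptr->name(), ptr, ptr_size);

    // Bounds are tested as "size > limit || base > limit - size" rather than
    // "base + size > limit": the sum is unsigned 64-bit arithmetic and wraps
    // for a very large base, which would let an out-of-range address pass the
    // check and reach the shadow accessors below.
    const uint64_t dest_limit = shad_dest->get_size();
    if (unlikely(size > dest_limit || dest > dest_limit - size)) {
        taint_log("  Ignoring IO RW\n");
        return;
    }

    const uint64_t src_limit = shad_src->get_size();
    if (unlikely(size > src_limit || src > src_limit - size)) {
        taint_log("  Source IO.\n");
        src = ones; // ignore source.
    }

    // this is [1234] in our example
    TaintData ptr_td = mixed_labels(shad_ptr, ptr, ptr_size, false);
    if (src == ones) {
        bulk_set(shad_dest, dest, size, ptr_td);
    } else {
        // 64-bit index: `size` is uint64_t, so a narrower counter could wrap
        // before reaching it and never terminate.
        for (uint64_t i = 0; i < size; i++) {
            TaintData byte_td = shad_src->query_full(src + i);
            TaintData dest_td = TaintData::make_union(ptr_td, byte_td, false);

            // Unions usually destroy controlled bits. Tainted pointer is
            // a special case: keep the controlled-bit mask of the data byte.
            dest_td.cb_mask = byte_td.cb_mask;
            shad_dest->set_full(dest + i, dest_td);
        }
    }
}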
Пример #2
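// Propagates taint for a load/store that goes through a tainted pointer.
//
// The labels found in shad_ptr[ptr, ptr + ptr_size) are mixed into a single
// TaintData, which is then combined (TaintData::copy_union) with the label of
// each source byte and written to the matching destination byte.
//
// A destination range that does not fit in shad_dest is treated as IO and
// skipped entirely, so nothing is recorded for it. A source range that does
// not fit in shad_src is treated as IO: it contributes no labels and every
// destination byte receives the pointer mix only.
void taint_pointer(
        FastShad *shad_dest, uint64_t dest,
        FastShad *shad_ptr, uint64_t ptr, uint64_t ptr_size,
        FastShad *shad_src, uint64_t src, uint64_t size) {
    taint_log("ptr: %lx[%lx+%lx] <- %lx[%lx] @ %lx[%lx+%lx]\n",
            (uint64_t)shad_dest, dest, size,
            (uint64_t)shad_src, src, (uint64_t)shad_ptr, ptr, ptr_size);

    // Bounds are tested as "size > limit || base > limit - size" rather than
    // "base + size > limit": the sum is unsigned 64-bit arithmetic and wraps
    // for a very large base, which would let an out-of-range address pass the
    // check and reach the shadow accessors below.
    const uint64_t dest_limit = shad_dest->get_size();
    if (unlikely(size > dest_limit || dest > dest_limit - size)) {
        taint_log("  Ignoring IO RW\n");
        return;
    }

    const uint64_t src_limit = shad_src->get_size();
    if (unlikely(size > src_limit || src > src_limit - size)) {
        taint_log("  Source IO.\n");
        src = ones; // ignore source.
    }

    TaintData td = mixed_labels(shad_ptr, ptr, ptr_size);
    #ifndef CONFIG_INT_LABEL
    // Only a non-empty label set bumps tcn.
    // NOTE(review): tcn looks like a per-label computation counter - confirm.
    if (td.ls) td.tcn++;
    #endif
    if (src == ones) {
        bulk_set(shad_dest, dest, size, td);
    } else {
        // 64-bit index: `size` is uint64_t, so a narrower counter could wrap
        // before reaching it and never terminate.
        for (uint64_t i = 0; i < size; i++) {
            shad_dest->set_full(dest + i,
                    TaintData::copy_union(td, shad_src->query_full(src + i)));
        }
    }
}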
Пример #3
// Labels dest[0, dest_size) in `shad` with the taint of a two-operand
// computation: each operand's src_size bytes are mixed into one TaintData,
// the two mixes are joined with TaintData::comp_union, and the result is
// written to every destination byte.
//
// No range check is done here; the addresses are handed to mixed_labels and
// bulk_set as given.
void taint_mix_compute(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src1, uint64_t src2, uint64_t src_size) {
    taint_log("mcompute: %lx[%lx+%lx] <- %lx + %lx\n",
            reinterpret_cast<uint64_t>(shad), dest, dest_size, src1, src2);

    TaintData first_mix = mixed_labels(shad, src1, src_size);
    TaintData second_mix = mixed_labels(shad, src2, src_size);
    TaintData combined = TaintData::comp_union(first_mix, second_mix);

    bulk_set(shad, dest, dest_size, combined);
}
Пример #4
// Labels dest[0, dest_size) in `shad` with the mix of all labels found in
// src[0, src_size): every destination byte receives the same TaintData.
//
// No range check is done here; the addresses are handed to mixed_labels and
// bulk_set as given.
void taint_mix(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src, uint64_t src_size) {
    taint_log("mix: %lx[%lx+%lx] <- %lx+%lx\n",
            reinterpret_cast<uint64_t>(shad), dest, dest_size, src, src_size);

    TaintData mixed = mixed_labels(shad, src, src_size);
    #ifndef CONFIG_INT_LABEL
    // Only a non-empty label set bumps tcn.
    // NOTE(review): tcn looks like a per-label computation counter - confirm.
    if (mixed.ls) {
        ++mixed.tcn;
    }
    #endif

    bulk_set(shad, dest, dest_size, mixed);
}
Пример #5
// Labels dest[0, dest_size) in `shad` with the mix of all labels found in
// src[0, src_size): every destination byte receives the same TaintData.
// When an instruction is supplied, update_cb is called afterwards for the
// same destination and source.
//
// I may be null, in which case the update_cb step is skipped.
// No range check is done here; the addresses are handed to mixed_labels and
// bulk_set as given.
void taint_mix(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src, uint64_t src_size,
        llvm::Instruction *I) {
    taint_log("mix: %s[%lx+%lx] <- %lx+%lx\n",
            shad->name(), dest, dest_size, src, src_size);

    // NOTE(review): the meaning of the trailing `true` is defined by
    // mixed_labels, which is not visible here - confirm before changing it.
    TaintData mixed = mixed_labels(shad, src, src_size, true);
    bulk_set(shad, dest, dest_size, mixed);

    if (I != nullptr) {
        update_cb(shad, dest, shad, src, dest_size, I);
    }
}
Пример #6
// Labels dest[0, dest_size) in `shad` with the taint of a two-operand
// computation: each operand's src_size bytes are mixed into one TaintData,
// the two mixes are joined with TaintData::make_union, and the result is
// written to every destination byte.
//
// The instruction argument is accepted but never read.
// No range check is done here; the addresses are handed to mixed_labels and
// bulk_set as given.
void taint_mix_compute(
        FastShad *shad,
        uint64_t dest, uint64_t dest_size,
        uint64_t src1, uint64_t src2, uint64_t src_size,
        llvm::Instruction *ignored) {
    taint_log("mcompute: %s[%lx+%lx] <- %lx + %lx\n",
            shad->name(), dest, dest_size, src1, src2);

    // NOTE(review): the boolean flags (false for each mix, true for the
    // union) are interpreted by mixed_labels / make_union, which are not
    // visible here - confirm their meaning before changing them.
    TaintData first_mix = mixed_labels(shad, src1, src_size, false);
    TaintData second_mix = mixed_labels(shad, src2, src_size, false);
    TaintData combined = TaintData::make_union(first_mix, second_mix, true);

    bulk_set(shad, dest, dest_size, combined);
}
Пример #7
// Taint propagation for a sign extension within one shadow: the first
// src_size destination bytes take the source labels unchanged, and the
// remaining dest_size - src_size bytes all take the label of the last copied
// byte (dest + src_size - 1).
//
// NOTE(review): assumes src_size >= 1 and dest_size >= src_size. Both
// `dest_size - src_size` and `dest + src_size - 1` are unsigned and wrap
// otherwise; nothing here checks it - confirm callers guarantee it.
void taint_sext(FastShad *shad, uint64_t dest, uint64_t dest_size, uint64_t src, uint64_t src_size) {
    taint_log("taint_sext\n");

    // Copied part: labels move byte for byte.
    FastShad::copy(shad, dest, shad, src, src_size);

    // Extended part: replicate the label just written at the end of the copy.
    const uint64_t ext_start = dest + src_size;
    const uint64_t ext_len = dest_size - src_size;
    bulk_set(shad, ext_start, ext_len, shad->query_full(ext_start - 1));
}
Пример #8
// Fills dest[0, dest_size) in shad_dest with the label of the single byte at
// `src` in shad_src.
//
// No range check is done here; the addresses are handed to query_full and
// bulk_set as given.
void taint_set(
        FastShad *shad_dest, uint64_t dest, uint64_t dest_size,
        FastShad *shad_src, uint64_t src) {
    auto fill_label = shad_src->query_full(src);
    bulk_set(shad_dest, dest, dest_size, fill_label);
}