llvm_ir_taint

Enum TaintedType

Source 
pub enum TaintedType {
    UntaintedValue,
    TaintedValue,
    UntaintedPointer(Pointee),
    TaintedPointer(Pointee),
    ArrayOrVector(Pointee),
    Struct(Vec<Pointee>),
    NamedStruct(String),
    UntaintedFnPtr,
    TaintedFnPtr,
}
Expand description

The type system which we use for taint-tracking

Variants§

§

UntaintedValue

An untainted value which is not a pointer, struct, array, or vector.

§

TaintedValue

A tainted value which is not a pointer, struct, array, or vector.

§

UntaintedPointer(Pointee)

An untainted pointer to either a scalar or an (implicit) array. By implicit we mean that this represents LLVM i8*, not LLVM [300 x i8]*.

§

TaintedPointer(Pointee)

A tainted pointer to either a scalar or an (implicit) array. By implicit we mean that this represents LLVM i8*, not LLVM [300 x i8]*.

§

ArrayOrVector(Pointee)

An array or vector, with the given element type (and any number of elements). All elements are assumed to have the same type, which means that if any of them is tainted, all of them are tainted.

§

Struct(Vec<Pointee>)

A struct, with the given element types

§

NamedStruct(String)

A named struct, with the given name. To get the actual type of the named struct’s contents, use get_named_struct_type in the TaintState or TaintResult. (This avoids infinite recursion in TaintedType.)

§

UntaintedFnPtr

An untainted function pointer

§

TaintedFnPtr

A tainted function pointer

Implementations§

Source§

impl TaintedType

Source

pub fn untainted_ptr_to(pointee: TaintedType) -> Self

Create a (fresh, unaliased) pointer to the given TaintedType

Source

pub fn tainted_ptr_to(pointee: TaintedType) -> Self

Create a (fresh, unaliased) tainted pointer to the given TaintedType

Source

pub fn untainted_ptr_to_pointee(pointee: Pointee) -> Self

Create a pointer to the given Pointee

Source

pub fn tainted_ptr_to_pointee(pointee: Pointee) -> Self

Create a tainted pointer to the given Pointee

Source

pub fn array_or_vec_of(element_ty: TaintedType) -> Self

Create an array or vector with the given element type, assuming that no pointers to the elements already exist

Source

pub fn array_or_vec_of_pointee(pointee: Pointee) -> Self

Create an array or vector with the given Pointee as its element type

Source

pub fn struct_of(elements: impl IntoIterator<Item = TaintedType>) -> Self

Create a struct of the given elements, assuming that no pointers to those elements already exist

Source

pub fn struct_of_pointees(elements: impl IntoIterator<Item = Pointee>) -> Self

Create a struct of the given Pointees

Source

pub fn from_llvm_type(llvm_ty: &Type) -> Self

Produce the equivalent (untainted) TaintedType for a given LLVM type. Pointers will point to fresh TaintedTypes to represent their element types; they will be assumed not to point to existing variables.

Source

pub fn is_tainted_nonamedstruct(&self) -> bool

Is this type tainted?

This function panics on named struct types. (It does work on array, vector, and anonymous struct types, as long as the element type isn’t a named struct type.)

For a more generic function that works on all types, use TaintedType::is_tainted() (below), TaintState::is_type_tainted(), or TaintResult::is_type_tainted().

Source

pub fn is_tainted<'m>( &self, named_structs: Rc<RefCell<NamedStructs<'m>>>, cur_fn: &'m str, ) -> bool

Is this type tainted?

This function handles all types, including named struct types.

Alternately you can also use TaintState::is_type_tainted() or TaintResult::is_type_tainted().

Source

pub fn taint_contents<'m>(&self, named_structs: &mut NamedStructs<'m>)

Mark everything pointed to by this pointer as tainted.

Recurses into structs/arrays/vectors, but not pointers:

  • if this pointer points to a struct/array/vector, we will taint all elements of that struct/array/vector
  • if this pointer points to another pointer P, we will taint P, but not things pointed to by P. Of course, if config.dereferencing_tainted_ptr_gives_tainted is true, then things pointed to by P will also become tainted if they are ever loaded through P.

Trait Implementations§

Source§

impl Clone for TaintedType

Source§

fn clone(&self) -> TaintedType

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for TaintedType

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for TaintedType

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl PartialEq for TaintedType

Source§

fn eq(&self, other: &TaintedType) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Eq for TaintedType

Source§

impl StructuralPartialEq for TaintedType

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.