Klocwork 2016.2 released this week, kicking off a series of planned upgrades to our C/C++ analysis engine to improve accuracy and performance and to reduce false positives. The Klocwork team upgraded the engine’s internal representation of numeric ranges and the way those ranges are affected by mathematical and logical operators, and added support for 64-bit integers and calculations.
These changes help you find more defects – let me explain how with a defect that Klocwork found in glibc as part of our QA testing (we run performance tests against many open source projects, including Boost, Postgres, and Python).
Getting wise to bits
Take the following piece of code, from glibc, where a potential buffer overflow condition is now caught by our improved engine.
Starting at line 130, the buffer namebuf is allocated with size 256. On line 148, its length is used as a parameter to the RNDUP() macro, which returns 256 – a value that’s stored in ad->ad_fullnamelen. On the next line, this is used to allocate 257 bytes (ad->ad_fullnamelen + 1) for
The problem occurs on line 163, where ad->ad_fullnamelen + 1 bytes are copied from ad->ad_fullname. We get a buffer overflow condition because there’s an attempt to copy 257 bytes from namebuf, which is only 256 bytes long.
This type of defect is caught in Klocwork 2016.2 due to the improved tracking of numeric value ranges when processing bitwise operators, such as the bitwise and (&) and complement (~) on line 97. In previous versions, without the ability to track the entire range of possible values through operators, Klocwork wasn’t able to detect that the memcpy() operation on line 163 could access an out-of-range index to the
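To make the range-tracking idea concrete, here is a small added example (written for this post, not Klocwork’s engine or glibc code) of an interval analysis that follows a length through the round-up idiom (x + (k - 1)) & ~(k - 1) and then checks a memcpy() length against the source buffer size. The rounding unit of 4, the 64-bit width, the buffer size of 256 and the input ranges are assumptions chosen to illustrate the pattern; the exact RNDUP() definition and line numbers in glibc are not reproduced here.

```python
"""Toy interval analysis: track an unsigned value through add/and/complement
and flag a memcpy whose maximum length exceeds the source buffer.
Constructed example; the rounding unit (4) and buffer size (256) are assumed."""
from dataclasses import dataclass

BITS = 64                    # width of the integer type being modelled
MAX = (1 << BITS) - 1        # largest representable unsigned value


@dataclass(frozen=True)
class Interval:
    """Closed range [lo, hi] of an unsigned BITS-bit value."""
    lo: int
    hi: int

    def __post_init__(self):
        if not 0 <= self.lo <= self.hi <= MAX:
            raise ValueError(f"bad interval [{self.lo}, {self.hi}]")

    @staticmethod
    def const(n):
        return Interval(n, n)

    def add(self, other):
        # Unsigned addition: if the upper bound could wrap, widen to the
        # full range rather than claim a precision we do not have.
        lo, hi = self.lo + other.lo, self.hi + other.hi
        return Interval(0, MAX) if hi > MAX else Interval(lo, hi)

    def and_const(self, mask):
        """x & mask for every x in the interval (sound over-approximation)."""
        mask &= MAX
        inverse = (~mask) & MAX
        if inverse & (inverse + 1) == 0:
            # mask is ~(2^j - 1): x & mask == floor(x / 2^j) * 2^j, which is
            # monotone, so the bounds map directly and the result is exact.
            return Interval(self.lo & mask, self.hi & mask)
        # Arbitrary mask: clearing bits never increases a non-negative value,
        # so [0, min(hi, mask)] is a sound (if coarse) answer.
        return Interval(0, min(self.hi, mask))


def round_up(x, unit):
    """Model of a RNDUP-style macro: (x + (unit - 1)) & ~(unit - 1)."""
    return x.add(Interval.const(unit - 1)).and_const(~(unit - 1))


def analyse_copy(src_size, length, unit=4):
    """Return (copy_len_interval, overflow_possible) for a copy of
    RNDUP(length) + 1 bytes out of a src_size-byte source buffer."""
    copy_len = round_up(length, unit).add(Interval.const(1))
    return copy_len, copy_len.hi > src_size


if __name__ == "__main__":
    # A length equal to the buffer size rounds to itself, so +1 overreads.
    print(analyse_copy(256, Interval.const(256)))
    # A length derived from a NUL-terminated string in the buffer: [0, 255].
    print(analyse_copy(256, Interval(0, 255)))
    # A length that already fits after rounding does not trigger the report.
    print(analyse_copy(256, Interval(0, 252)))
```

The interesting part is and_const: because ~(k - 1) clears only the low bits, the analysis recognises the mask as a floor-to-multiple operation and keeps exact bounds instead of collapsing to "unknown", which is what lets the +1 on the next line be compared against the 256-byte source.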
Now, you get an ABV.GENERAL defect like this:
As you can see, finding and reporting overflow conditions like this can be tricky: you have to account not only for data ranges but also for inputs, conditional execution, macros, compiler directives, and the many other constructs that make up an application. More importantly, buffer overflows are a large security risk and appear in many secure coding guidelines, including the CWE/SANS Top 25 Most Dangerous Software Errors, CERT, and DISA STIG – all of which we help you achieve compliance with (learn more here).
There are other improvements like this in Klocwork 2016.2, improving detection performance for memory leaks, MISRA defects, unreachable code, uninitialized variables, tainted data, and more. For a complete list of updates, including the expansion of our industry-leading MISRA coverage, read our what’s new documentation.
Also check out Klocwork static code analysis on Twitter: #CodeAnalysisLife