taint-generic.c source code [clang_source_code/test/Analysis/taint-generic.c]

1	// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
2	// RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
3
4	int scanf(const char *restrict format, ...);
5	char gets(char str);
6	int getchar(void);
7
8	typedef struct _FILE FILE;
9	#ifdef FILE_IS_STRUCT
10	extern struct _FILE *stdin;
11	#else
12	extern FILE *stdin;
13	#endif
14
15	int fscanf(FILE restrict stream, const char restrict format, ...);
16	int sprintf(char str, const char format, ...);
17	void setproctitle(const char *fmt, ...);
18	typedef __typeof(sizeof(int)) size_t;
19
20	// Define string functions. Use builtin for some of them. They all default to
21	// the processing in the taint checker.
22	#define strcpy(dest, src) \
23	((__builtin_object_size(dest, 0) != -1ULL) \
24	? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
25	: __inline_strcpy_chk(dest, src))
26
27	static char __inline_strcpy_chk (char dest, const char *src) {
28	return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
29	}
30	char stpcpy(char restrict s1, const char *restrict s2);
31	char strncpy( char destination, const char * source, size_t num );
32	char strndup(const char s, size_t n);
33	char strncat(char restrict s1, const char *restrict s2, size_t n);
34
35	void *malloc(size_t);
36	void *calloc(size_t nmemb, size_t size);
37	void bcopy(void s1, void s2, size_t n);
38
39	#define BUFSIZE 10
40
41	int Buffer[BUFSIZE];
42	void bufferScanfDirect(void)
43	{
44	int n;
45	scanf("%d", &n);
46	Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
47	}
48
49	void bufferScanfArithmetic1(int x) {
50	int n;
51	scanf("%d", &n);
52	int m = (n - 3);
53	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
54	}
55
56	void bufferScanfArithmetic2(int x) {
57	int n;
58	scanf("%d", &n);
59	int m = 100 - (n + 3) * x;
60	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
61	}
62
63	void bufferScanfAssignment(int x) {
64	int n;
65	scanf("%d", &n);
66	int m;
67	if (x > 0) {
68	m = n;
69	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
70	}
71	}
72
73	void scanfArg() {
74	int t = 0;
75	scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
76	}
77
78	void bufferGetchar(int x) {
79	int m = getchar();
80	Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
81	}
82
83	void testUncontrolledFormatString(char **p) {
84	char s[80];
85	fscanf(stdin, "%s", s);
86	char buf[128];
87	sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
88	setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
89
90	// Test taint propagation through strcpy and family.
91	char scpy[80];
92	strcpy(scpy, s);
93	sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
94
95	stpcpy(*(++p), s); // this generates __inline.
96	setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
97
98	char spcpy[80];
99	stpcpy(spcpy, s);
100	setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
101
102	char *spcpyret;
103	spcpyret = stpcpy(spcpy, s);
104	setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
105
106	char sncpy[80];
107	strncpy(sncpy, s, 20);
108	setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
109
110	char *dup;
111	dup = strndup(s, 20);
112	setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
113
114	}
115
116	int system(const char *command);
117	void testTaintSystemCall() {
118	char buffer[156];
119	char addr[128];
120	scanf("%s", addr);
121	system(addr); // expected-warning {{Untrusted data is passed to a system call}}
122
123	// Test that spintf transfers taint.
124	sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
125	system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
126	}
127
128	void testTaintSystemCall2() {
129	// Test that snpintf transfers taint.
130	char buffern[156];
131	char addr[128];
132	scanf("%s", addr);
133	__builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
134	system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
135	}
136
137	void testTaintSystemCall3() {
138	char buffern2[156];
139	int numt;
140	char addr[128];
141	scanf("%s %d", addr, &numt);
142	__builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
143	system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
144	}
145
146	void testGets() {
147	char str[50];
148	gets(str);
149	system(str); // expected-warning {{Untrusted data is passed to a system call}}
150	}
151
152	void testTaintedBufferSize() {
153	size_t ts;
154	scanf("%zd", &ts);
155
156	int buf1 = (int)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
157	char dst = (char)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
158	bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
159	__builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
160
161	// If both buffers are trusted, do not issue a warning.
162	char dst2 = (char)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
163	strncat(dst2, dst, ts); // no-warning
164	}
165
166	#define AF_UNIX 1 /* local to host (pipes) */
167	#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
168	#define AF_LOCAL AF_UNIX /* backward compatibility */
169	#define SOCK_STREAM 1
170	int socket(int, int, int);
171	size_t read(int, void *, size_t);
172	int execl(const char , const char , ...);
173
174	void testSocket() {
175	int sock;
176	char buffer[100];
177
178	sock = socket(AF_INET, SOCK_STREAM, 0);
179	read(sock, buffer, 100);
180	execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
181
182	sock = socket(AF_LOCAL, SOCK_STREAM, 0);
183	read(sock, buffer, 100);
184	execl(buffer, "filename", 0); // no-warning
185
186	sock = socket(AF_INET, SOCK_STREAM, 0);
187	// References to both buffer and &buffer as an argument should taint the argument
188	read(sock, &buffer, 100);
189	execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
190	}
191
192	void testStruct() {
193	struct {
194	char buf[16];
195	int length;
196	} tainted;
197
198	char buffer[16];
199	int sock;
200
201	sock = socket(AF_INET, SOCK_STREAM, 0);
202	read(sock, &tainted, sizeof(tainted));
203	__builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
204	}
205
206	void testStructArray() {
207	struct {
208	int length;
209	} tainted[4];
210
211	char dstbuf[16], srcbuf[16];
212	int sock;
213
214	sock = socket(AF_INET, SOCK_STREAM, 0);
215	__builtin_memset(srcbuf, 0, sizeof(srcbuf));
216
217	read(sock, &tainted[0], sizeof(tainted));
218	__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
219
220	__builtin_memset(&tainted, 0, sizeof(tainted));
221	read(sock, &tainted, sizeof(tainted));
222	__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
223
224	__builtin_memset(&tainted, 0, sizeof(tainted));
225	// If we taint element 1, we should not raise an alert on taint for element 0 or element 2
226	read(sock, &tainted[1], sizeof(tainted));
227	__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
228	__builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
229	}
230
231	void testUnion() {
232	union {
233	int x;
234	char y[4];
235	} tainted;
236
237	char buffer[4];
238
239	int sock = socket(AF_INET, SOCK_STREAM, 0);
240	read(sock, &tainted.y, sizeof(tainted.y));
241	tainted.x = 0;
242	// FIXME: overlapping regions aren't detected by isTainted yet
243	__builtin_memcpy(buffer, tainted.y, tainted.x);
244	}
245
246	int testDivByZero() {
247	int x;
248	scanf("%d", &x);
249	return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
250	}
251
252	// Zero-sized VLAs.
253	void testTaintedVLASize() {
254	int x;
255	scanf("%d", &x);
256	int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
257	}
258
259	// This computation used to take a very long time.
260	#define longcmp(a,b,c) { \
261	a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) \| (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
262	a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
263
264	unsigned radar11369570_hanging(const unsigned char *arr, int l) {
265	unsigned a, b, c;
266	a = b = c = 0x9899e3 + l;
267	while (l >= 6) {
268	unsigned t;
269	scanf("%d", &t);
270	a += b;
271	a ^= a;
272	a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
273	longcmp(a, t, c);
274	l -= 12;
275	}
276	return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
277	}
278
279	// Check that we do not assert of the following code.
280	int SymSymExprWithDiffTypes(void* p) {
281	int i;
282	scanf("%d", &i);
283	int j = (i % (int)(long)p);
284	return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
285	}
286
287
288	void constraintManagerShouldTreatAsOpaque(int rhs) {
289	int i;
290	scanf("%d", &i);
291	// This comparison used to hit an assertion in the constraint manager,
292	// which didn't handle NonLoc sym-sym comparisons.
293	if (i < rhs)
294	return;
295	if (i < rhs)
296	(volatile int ) 0; // no-warning
297	}
298

Clang Project