Anna Zaks | 02019f7 | 2012-01-20 20:28:31 +0000 | [diff] [blame^] | 1 | // RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,core,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s |
Anna Zaks | 9b0970f | 2011-11-16 19:58:17 +0000 | [diff] [blame] | 2 | |
| 3 | int scanf(const char *restrict format, ...); |
| 4 | int getchar(void); |
| 5 | |
Anna Zaks | 1fb826a | 2012-01-12 02:22:34 +0000 | [diff] [blame] | 6 | typedef struct _FILE FILE; |
| 7 | extern FILE *stdin; |
| 8 | int fscanf(FILE *restrict stream, const char *restrict format, ...); |
| 9 | int sprintf(char *str, const char *format, ...); |
| 10 | void setproctitle(const char *fmt, ...); |
| 11 | typedef __typeof(sizeof(int)) size_t; |
| 12 | |
| 13 | // Define string functions. Use builtin for some of them. They all default to |
| 14 | // the processing in the taint checker. |
| 15 | #define strcpy(dest, src) \ |
| 16 | ((__builtin_object_size(dest, 0) != -1ULL) \ |
| 17 | ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \ |
| 18 | : __inline_strcpy_chk(dest, src)) |
| 19 | |
| 20 | static char *__inline_strcpy_chk (char *dest, const char *src) { |
| 21 | return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1)); |
| 22 | } |
| 23 | char *stpcpy(char *restrict s1, const char *restrict s2); |
| 24 | char *strncpy( char * destination, const char * source, size_t num ); |
Anna Zaks | 9b0c749 | 2012-01-18 02:45:07 +0000 | [diff] [blame] | 25 | char *strndup(const char *s, size_t n); |
Anna Zaks | 4e46221 | 2012-01-18 02:45:11 +0000 | [diff] [blame] | 26 | char *strncat(char *restrict s1, const char *restrict s2, size_t n); |
| 27 | |
| 28 | void *malloc(size_t); |
| 29 | void *calloc(size_t nmemb, size_t size); |
| 30 | void bcopy(void *s1, void *s2, size_t n); |
Anna Zaks | 1fb826a | 2012-01-12 02:22:34 +0000 | [diff] [blame] | 31 | |
Anna Zaks | 9b0970f | 2011-11-16 19:58:17 +0000 | [diff] [blame] | 32 | #define BUFSIZE 10 |
| 33 | |
| 34 | int Buffer[BUFSIZE]; |
Anna Zaks | 3881c69 | 2011-11-28 20:43:40 +0000 | [diff] [blame] | 35 | void bufferScanfDirect(void) |
Anna Zaks | 9b0970f | 2011-11-16 19:58:17 +0000 | [diff] [blame] | 36 | { |
| 37 | int n; |
| 38 | scanf("%d", &n); |
| 39 | Buffer[n] = 1; // expected-warning {{Out of bound memory access }} |
| 40 | } |
Anna Zaks | 0d339d0 | 2011-11-17 23:07:28 +0000 | [diff] [blame] | 41 | |
| 42 | void bufferScanfArithmetic1(int x) { |
| 43 | int n; |
| 44 | scanf("%d", &n); |
| 45 | int m = (n - 3); |
| 46 | Buffer[m] = 1; // expected-warning {{Out of bound memory access }} |
| 47 | } |
| 48 | |
| 49 | void bufferScanfArithmetic2(int x) { |
| 50 | int n; |
| 51 | scanf("%d", &n); |
Anna Zaks | 02019f7 | 2012-01-20 20:28:31 +0000 | [diff] [blame^] | 52 | int m = 100 - (n + 3) * x; |
Anna Zaks | 0d339d0 | 2011-11-17 23:07:28 +0000 | [diff] [blame] | 53 | Buffer[m] = 1; // expected-warning {{Out of bound memory access }} |
| 54 | } |
Anna Zaks | 8f4caf5 | 2011-11-18 02:26:36 +0000 | [diff] [blame] | 55 | |
Anna Zaks | 3881c69 | 2011-11-28 20:43:40 +0000 | [diff] [blame] | 56 | void bufferScanfAssignment(int x) { |
| 57 | int n; |
| 58 | scanf("%d", &n); |
| 59 | int m; |
| 60 | if (x > 0) { |
| 61 | m = n; |
| 62 | Buffer[m] = 1; // expected-warning {{Out of bound memory access }} |
| 63 | } |
| 64 | } |
| 65 | |
Anna Zaks | 8f4caf5 | 2011-11-18 02:26:36 +0000 | [diff] [blame] | 66 | void scanfArg() { |
Anna Zaks | 02019f7 | 2012-01-20 20:28:31 +0000 | [diff] [blame^] | 67 | int t = 0; |
Anna Zaks | e3d250e | 2011-12-11 18:43:40 +0000 | [diff] [blame] | 68 | scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}} |
Anna Zaks | 8f4caf5 | 2011-11-18 02:26:36 +0000 | [diff] [blame] | 69 | } |
Anna Zaks | 3881c69 | 2011-11-28 20:43:40 +0000 | [diff] [blame] | 70 | |
| 71 | void bufferGetchar(int x) { |
| 72 | int m = getchar(); |
| 73 | Buffer[m] = 1; //expected-warning {{Out of bound memory access }} |
| 74 | } |
Anna Zaks | 9f03b62 | 2012-01-07 02:33:10 +0000 | [diff] [blame] | 75 | |
Anna Zaks | 1fb826a | 2012-01-12 02:22:34 +0000 | [diff] [blame] | 76 | void testUncontrolledFormatString(char **p) { |
Anna Zaks | 9f03b62 | 2012-01-07 02:33:10 +0000 | [diff] [blame] | 77 | char s[80]; |
| 78 | fscanf(stdin, "%s", s); |
| 79 | char buf[128]; |
| 80 | sprintf(buf,s); // expected-warning {{Uncontrolled Format String}} |
| 81 | setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}} |
Anna Zaks | 1fb826a | 2012-01-12 02:22:34 +0000 | [diff] [blame] | 82 | |
| 83 | // Test taint propagation through strcpy and family. |
| 84 | char scpy[80]; |
| 85 | strcpy(scpy, s); |
| 86 | sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}} |
| 87 | |
Anna Zaks | b71d157 | 2012-01-13 00:56:55 +0000 | [diff] [blame] | 88 | stpcpy(*(++p), s); // this generates __inline. |
| 89 | setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}} |
| 90 | |
Anna Zaks | 1fb826a | 2012-01-12 02:22:34 +0000 | [diff] [blame] | 91 | char spcpy[80]; |
| 92 | stpcpy(spcpy, s); |
| 93 | setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}} |
| 94 | |
Anna Zaks | 9b0c749 | 2012-01-18 02:45:07 +0000 | [diff] [blame] | 95 | char *spcpyret; |
| 96 | spcpyret = stpcpy(spcpy, s); |
| 97 | setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}} |
| 98 | |
Anna Zaks | 1fb826a | 2012-01-12 02:22:34 +0000 | [diff] [blame] | 99 | char sncpy[80]; |
| 100 | strncpy(sncpy, s, 20); |
| 101 | setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}} |
Anna Zaks | 9b0c749 | 2012-01-18 02:45:07 +0000 | [diff] [blame] | 102 | |
| 103 | char *dup; |
| 104 | dup = strndup(s, 20); |
| 105 | setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}} |
| 106 | |
Anna Zaks | 9f03b62 | 2012-01-07 02:33:10 +0000 | [diff] [blame] | 107 | } |
Anna Zaks | 8568ee7 | 2012-01-14 02:48:40 +0000 | [diff] [blame] | 108 | |
| 109 | int system(const char *command); |
| 110 | void testTaintSystemCall() { |
| 111 | char buffer[156]; |
| 112 | char addr[128]; |
| 113 | scanf("%s", addr); |
| 114 | system(addr); // expected-warning {{Tainted data passed to a system call}} |
Anna Zaks | 9b0c749 | 2012-01-18 02:45:07 +0000 | [diff] [blame] | 115 | |
| 116 | // Test that spintf transfers taint. |
| 117 | sprintf(buffer, "/bin/mail %s < /tmp/email", addr); |
| 118 | system(buffer); // expected-warning {{Tainted data passed to a system call}} |
| 119 | } |
Anna Zaks | 4e46221 | 2012-01-18 02:45:11 +0000 | [diff] [blame] | 120 | |
Anna Zaks | 9b0c749 | 2012-01-18 02:45:07 +0000 | [diff] [blame] | 121 | void testTaintSystemCall2() { |
| 122 | // Test that snpintf transfers taint. |
| 123 | char buffern[156]; |
| 124 | char addr[128]; |
| 125 | scanf("%s", addr); |
| 126 | __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr); |
| 127 | system(buffern); // expected-warning {{Tainted data passed to a system call}} |
| 128 | } |
Anna Zaks | 4e46221 | 2012-01-18 02:45:11 +0000 | [diff] [blame] | 129 | |
Anna Zaks | 9b0c749 | 2012-01-18 02:45:07 +0000 | [diff] [blame] | 130 | void testTaintSystemCall3() { |
| 131 | char buffern2[156]; |
| 132 | int numt; |
| 133 | char addr[128]; |
| 134 | scanf("%s %d", addr, &numt); |
| 135 | __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd"); |
| 136 | system(buffern2); // expected-warning {{Tainted data passed to a system call}} |
Anna Zaks | 8568ee7 | 2012-01-14 02:48:40 +0000 | [diff] [blame] | 137 | } |
Anna Zaks | 4e46221 | 2012-01-18 02:45:11 +0000 | [diff] [blame] | 138 | |
| 139 | void testTaintedBufferSize() { |
| 140 | size_t ts; |
| 141 | scanf("%zd", &ts); |
| 142 | |
| 143 | int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Tainted data is used to specify the buffer size}} |
| 144 | char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Tainted data is used to specify the buffer size}} |
| 145 | bcopy(buf1, dst, ts); // expected-warning {{Tainted data is used to specify the buffer size}} |
| 146 | __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Tainted data is used to specify the buffer size}} |
| 147 | |
| 148 | // If both buffers are trusted, do not issue a warning. |
| 149 | char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Tainted data is used to specify the buffer size}} |
| 150 | strncat(dst2, dst, ts); // no-warning |
Anna Zaks | 4e46221 | 2012-01-18 02:45:11 +0000 | [diff] [blame] | 151 | } |
Anna Zaks | 2bf8fd8 | 2012-01-20 00:11:19 +0000 | [diff] [blame] | 152 | |
| 153 | #define AF_UNIX 1 /* local to host (pipes) */ |
| 154 | #define AF_INET 2 /* internetwork: UDP, TCP, etc. */ |
| 155 | #define AF_LOCAL AF_UNIX /* backward compatibility */ |
| 156 | #define SOCK_STREAM 1 |
| 157 | int socket(int, int, int); |
| 158 | size_t read(int, void *, size_t); |
| 159 | int execl(const char *, const char *, ...); |
| 160 | |
| 161 | void testSocket() { |
| 162 | int sock; |
| 163 | char buffer[100]; |
| 164 | |
| 165 | sock = socket(AF_INET, SOCK_STREAM, 0); |
| 166 | read(sock, buffer, 100); |
| 167 | execl(buffer, "filename", 0); // expected-warning {{Tainted data passed to a system call}} |
| 168 | |
| 169 | sock = socket(AF_LOCAL, SOCK_STREAM, 0); |
| 170 | read(sock, buffer, 100); |
| 171 | execl(buffer, "filename", 0); // no-warning |
| 172 | } |
| 173 | |
Anna Zaks | 02019f7 | 2012-01-20 20:28:31 +0000 | [diff] [blame^] | 174 | int testDivByZero() { |
| 175 | int x; |
| 176 | scanf("%d", &x); |
| 177 | return 5/x; // expected-warning {{Division by a tainted value, possibly zero}} |
| 178 | } |