Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / clang / refs/heads/fp2-m-sibon / . / test / Analysis / taint-tester.c
blob: 6287198eda4594e19790fb6c2132755591226d4b [file] [log] [blame]
David Blaikie9b29f4f2012-10-16 18:53:14 +0000[diff] [blame]1// RUN: %clang_cc1 -Wno-int-to-pointer-cast -analyze -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify
Anna Zaksa50b7ab2011-12-05 18:58:01 +0000[diff] [blame]2
Jordan Rose9a0b3c22013-04-15 20:39:37 +0000[diff] [blame]3#include "Inputs/system-header-simulator.h"
Anna Zaksa50b7ab2011-12-05 18:58:01 +0000[diff] [blame]4
5#define BUFSIZE 10
6int Buffer[BUFSIZE];
7
Anna Zaksdcf06fa2011-12-07 01:09:52 +0000[diff] [blame]8struct XYStruct {
9 int x;
Anna Zaks5fc7def2011-12-08 22:38:43 +0000[diff] [blame]10 int y;
11 char z;
Anna Zaksdcf06fa2011-12-07 01:09:52 +0000[diff] [blame]12};
13
14void taintTracking(int x) {
Anna Zaksa50b7ab2011-12-05 18:58:01 +0000[diff] [blame]15 int n;
16 int *addr = &Buffer[0];
17 scanf("%d", &n);
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]18 addr += n;// expected-warning + {{tainted}}
19 *addr = n; // expected-warning + {{tainted}}
Anna Zaksaace9ef2011-12-06 23:12:27 +0000[diff] [blame]20
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]21 double tdiv = n / 30; // expected-warning+ {{tainted}}
22 char *loc_cast = (char *) n; // expected-warning +{{tainted}}
23 char tinc = tdiv++; // expected-warning + {{tainted}}
24 int tincdec = (char)tinc--; // expected-warning+{{tainted}}
Anna Zaksaace9ef2011-12-06 23:12:27 +0000[diff] [blame]25
Anna Zaksdcf06fa2011-12-07 01:09:52 +0000[diff] [blame]26 // Tainted ptr arithmetic/array element address.
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]27 int tprtarithmetic1 = *(addr+1); // expected-warning + {{tainted}}
Anna Zaksaace9ef2011-12-06 23:12:27 +0000[diff] [blame]28
Anna Zaks5fc7def2011-12-08 22:38:43 +0000[diff] [blame]29 // Dereference.
30 int *ptr;
31 scanf("%p", &ptr);
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]32 int ptrDeref = *ptr; // expected-warning + {{tainted}}
33 int _ptrDeref = ptrDeref + 13; // expected-warning + {{tainted}}
Anna Zaks5fc7def2011-12-08 22:38:43 +0000[diff] [blame]34
35 // Pointer arithmetic + dereferencing.
36 // FIXME: We fail to propagate the taint here because RegionStore does not
37 // handle ElementRegions with symbolic indexes.
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]38 int addrDeref = *addr; // expected-warning + {{tainted}}
Ted Kremenek4213e382012-05-08 21:49:54 +0000[diff] [blame]39 int _addrDeref = addrDeref; // expected-warning + {{tainted}}
Anna Zaks5fc7def2011-12-08 22:38:43 +0000[diff] [blame]40
Anna Zaksdcf06fa2011-12-07 01:09:52 +0000[diff] [blame]41 // Tainted struct address, casts.
42 struct XYStruct *xyPtr = 0;
43 scanf("%p", &xyPtr);
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]44 void *tXYStructPtr = xyPtr; // expected-warning + {{tainted}}
45 struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning + {{tainted}}
46 int ptrtx = xyPtr->x;// expected-warning + {{tainted}}
47 int ptrty = xyPtr->y;// expected-warning + {{tainted}}
Anna Zaks5fc7def2011-12-08 22:38:43 +0000[diff] [blame]48
49 // Taint on fields of a struct.
50 struct XYStruct xy = {2, 3, 11};
Hans Wennborg6fcd9322011-12-10 13:20:11 +0000[diff] [blame]51 scanf("%d", &xy.y);
52 scanf("%d", &xy.x);
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]53 int tx = xy.x; // expected-warning + {{tainted}}
Anna Zaks5fc7def2011-12-08 22:38:43 +0000[diff] [blame]54 int ty = xy.y; // FIXME: This should be tainted as well.
55 char ntz = xy.z;// no warning
Anna Zaks1009ac72011-12-14 00:56:02 +0000[diff] [blame]56 // Now, scanf scans both.
57 scanf("%d %d", &xy.y, &xy.x);
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]58 int ttx = xy.x; // expected-warning + {{tainted}}
59 int tty = xy.y; // expected-warning + {{tainted}}
Anna Zaksa50b7ab2011-12-05 18:58:01 +0000[diff] [blame]60}
Anna Zaks432a4552011-12-09 03:34:02 +0000[diff] [blame]61
62void BitwiseOp(int in, char inn) {
63 // Taint on bitwise operations, integer to integer cast.
64 int m;
65 int x = 0;
66 scanf("%d", &x);
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]67 int y = (in << (x << in)) * 5;// expected-warning + {{tainted}}
Anna Zaks432a4552011-12-09 03:34:02 +0000[diff] [blame]68 // The next line tests integer to integer cast.
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]69 int z = y & inn; // expected-warning + {{tainted}}
70 if (y == 5) // expected-warning + {{tainted}}
71 m = z | z;// expected-warning + {{tainted}}
Anna Zaks432a4552011-12-09 03:34:02 +0000[diff] [blame]72 else
73 m = inn;
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]74 int mm = m; // expected-warning + {{tainted}}
Anna Zaks432a4552011-12-09 03:34:02 +0000[diff] [blame]75}
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]76
77// Test getenv.
78char *getenv(const char *name);
79void getenvTest(char *home) {
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]80 home = getenv("HOME"); // expected-warning + {{tainted}}
81 if (home != 0) { // expected-warning + {{tainted}}
82 char d = home[0]; // expected-warning + {{tainted}}
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]83 }
84}
85
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]86int fscanfTest(void) {
87 FILE *fp;
88 char s[80];
89 int t;
90
91 // Check if stdin is treated as tainted.
92 fscanf(stdin, "%s %d", s, &t);
93 // Note, here, s is not tainted, but the data s points to is tainted.
94 char *ts = s;
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]95 char tss = s[0]; // expected-warning + {{tainted}}
96 int tt = t; // expected-warning + {{tainted}}
97 if((fp=fopen("test", "w")) == 0) // expected-warning + {{tainted}}
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]98 return 1;
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]99 fprintf(fp, "%s %d", s, t); // expected-warning + {{tainted}}
100 fclose(fp); // expected-warning + {{tainted}}
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]101
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]102 // Test fscanf and fopen.
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]103 if((fp=fopen("test","r")) == 0) // expected-warning + {{tainted}}
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]104 return 1;
Anna Zaks2135ebb2011-12-15 02:28:16 +0000[diff] [blame]105 fscanf(fp, "%s%d", s, &t); // expected-warning + {{tainted}}
106 fprintf(stdout, "%s %d", s, t); // expected-warning + {{tainted}}
Anna Zaks86277c52011-12-14 18:34:17 +0000[diff] [blame]107 return 0;
108}
Anna Zaksd3d85482011-12-16 18:28:50 +0000[diff] [blame]109
110// Check if we propagate taint from stdin when it's used in an assignment.
111void stdinTest1() {
112 int i;
113 fscanf(stdin, "%d", &i);
114 int j = i; // expected-warning + {{tainted}}
115}
116void stdinTest2(FILE *pIn) {
117 FILE *p = stdin;
118 FILE *pp = p;
119 int ii;
120
121 fscanf(pp, "%d", &ii);
122 int jj = ii;// expected-warning + {{tainted}}
123
124 fscanf(p, "%d", &ii);
125 int jj2 = ii;// expected-warning + {{tainted}}
126
127 ii = 3;
128 int jj3 = ii;// no warning
129
130 p = pIn;
131 fscanf(p, "%d", &ii);
132 int jj4 = ii;// no warning
133}
134
135void stdinTest3() {
136 FILE **ppp = &stdin;
137 int iii;
138 fscanf(*ppp, "%d", &iii);
139 int jjj = iii;// expected-warning + {{tainted}}
140}
Anna Zaks9ffbe242011-12-17 00:26:34 +0000[diff] [blame]141
Anna Zaks273c3a32012-01-04 23:54:04 +0000[diff] [blame]142// Test that stdin does not get invalidated by calls.
143void foo();
144void stdinTest4() {
145 int i;
146 fscanf(stdin, "%d", &i);
147 foo();
148 int j = i; // expected-warning + {{tainted}}
149}
150
Anna Zaksb9ac30c2012-01-24 19:32:25 +0000[diff] [blame]151int getw(FILE *);
152void getwTest() {
153 int i = getw(stdin); // expected-warning + {{tainted}}
154}
155
156typedef long ssize_t;
157ssize_t getline(char ** __restrict, size_t * __restrict, FILE * __restrict);
158int printf(const char * __restrict, ...);
159void free(void *ptr);
160void getlineTest(void) {
161 FILE *fp;
162 char *line = 0;
163 size_t len = 0;
164 ssize_t read;
165 while ((read = getline(&line, &len, stdin)) != -1) {
166 printf("%s", line); // expected-warning + {{tainted}}
167 }
168 free(line); // expected-warning + {{tainted}}
169}
170
Anna Zaks9ffbe242011-12-17 00:26:34 +0000[diff] [blame]171// Test propagation functions - the ones that propagate taint from arguments to
172// return value, ptr arguments.
173
174int atoi(const char *nptr);
Anna Zaks9ffbe242011-12-17 00:26:34 +0000[diff] [blame]175long atol(const char *nptr);
176long long atoll(const char *nptr);
177
178void atoiTest() {
179 char s[80];
180 scanf("%s", s);
181 int d = atoi(s); // expected-warning + {{tainted}}
182 int td = d; // expected-warning + {{tainted}}
Anna Zaks52384742011-12-17 00:30:16 +0000[diff] [blame]183
Anna Zaks2cbe7912011-12-20 22:35:30 +0000[diff] [blame]184 long l = atol(s); // expected-warning + {{tainted}}
Anna Zaks52384742011-12-17 00:30:16 +0000[diff] [blame]185 int tl = l; // expected-warning + {{tainted}}
186
Anna Zaks2cbe7912011-12-20 22:35:30 +0000[diff] [blame]187 long long ll = atoll(s); // expected-warning + {{tainted}}
Anna Zaks52384742011-12-17 00:30:16 +0000[diff] [blame]188 int tll = ll; // expected-warning + {{tainted}}
189
Anna Zaks9ffbe242011-12-17 00:26:34 +0000[diff] [blame]190}
191