Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / e93c63d468d36e67cb15d183ecc6b8216c87c138 / . / clang / test / Analysis / taint-generic.c
blob: d3ca246b82a8d7348e2c353f9b6bd81a2914cc23 [file] [log] [blame]
Dominic Chen184c6242017-03-03 18:02:02 +0000[diff] [blame]1// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
Anna Zaks20829c92011-11-16 19:58:17 +0000[diff] [blame]2
3int scanf(const char *restrict format, ...);
4int getchar(void);
5
Anna Zaksb3fa8d72012-01-12 02:22:34 +0000[diff] [blame]6typedef struct _FILE FILE;
7extern FILE *stdin;
8int fscanf(FILE *restrict stream, const char *restrict format, ...);
9int sprintf(char *str, const char *format, ...);
10void setproctitle(const char *fmt, ...);
11typedef __typeof(sizeof(int)) size_t;
12
13// Define string functions. Use builtin for some of them. They all default to
14// the processing in the taint checker.
15#define strcpy(dest, src) \
16 ((__builtin_object_size(dest, 0) != -1ULL) \
17 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
18 : __inline_strcpy_chk(dest, src))
19
20static char *__inline_strcpy_chk (char *dest, const char *src) {
21 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
22}
23char *stpcpy(char *restrict s1, const char *restrict s2);
24char *strncpy( char * destination, const char * source, size_t num );
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]25char *strndup(const char *s, size_t n);
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]26char *strncat(char *restrict s1, const char *restrict s2, size_t n);
27
28void *malloc(size_t);
29void *calloc(size_t nmemb, size_t size);
30void bcopy(void *s1, void *s2, size_t n);
Anna Zaksb3fa8d72012-01-12 02:22:34 +0000[diff] [blame]31
Anna Zaks20829c92011-11-16 19:58:17 +0000[diff] [blame]32#define BUFSIZE 10
33
34int Buffer[BUFSIZE];
Anna Zaksff029b62011-11-28 20:43:40 +0000[diff] [blame]35void bufferScanfDirect(void)
Anna Zaks20829c92011-11-16 19:58:17 +0000[diff] [blame]36{
37 int n;
38 scanf("%d", &n);
39 Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
40}
Anna Zaks040ddfe2011-11-17 23:07:28 +0000[diff] [blame]41
42void bufferScanfArithmetic1(int x) {
43 int n;
44 scanf("%d", &n);
45 int m = (n - 3);
46 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
47}
48
49void bufferScanfArithmetic2(int x) {
50 int n;
51 scanf("%d", &n);
Anna Zaks8298af82012-01-20 20:28:31 +0000[diff] [blame]52 int m = 100 - (n + 3) * x;
Anna Zaks040ddfe2011-11-17 23:07:28 +0000[diff] [blame]53 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
54}
Anna Zaks457c6872011-11-18 02:26:36 +0000[diff] [blame]55
Anna Zaksff029b62011-11-28 20:43:40 +0000[diff] [blame]56void bufferScanfAssignment(int x) {
57 int n;
58 scanf("%d", &n);
59 int m;
60 if (x > 0) {
61 m = n;
62 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
63 }
64}
65
Anna Zaks457c6872011-11-18 02:26:36 +0000[diff] [blame]66void scanfArg() {
Anna Zaks8298af82012-01-20 20:28:31 +0000[diff] [blame]67 int t = 0;
Ted Kremeneke7b9d432012-01-20 21:52:58 +0000[diff] [blame]68 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
Anna Zaks457c6872011-11-18 02:26:36 +0000[diff] [blame]69}
Anna Zaksff029b62011-11-28 20:43:40 +0000[diff] [blame]70
71void bufferGetchar(int x) {
72 int m = getchar();
Anna Zaksb7eac9f2012-01-21 05:07:33 +0000[diff] [blame]73 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
Anna Zaksff029b62011-11-28 20:43:40 +0000[diff] [blame]74}
Anna Zaks126a2ef2012-01-07 02:33:10 +0000[diff] [blame]75
Anna Zaksb3fa8d72012-01-12 02:22:34 +0000[diff] [blame]76void testUncontrolledFormatString(char **p) {
Anna Zaks126a2ef2012-01-07 02:33:10 +0000[diff] [blame]77 char s[80];
78 fscanf(stdin, "%s", s);
79 char buf[128];
80 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
81 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
Anna Zaksb3fa8d72012-01-12 02:22:34 +0000[diff] [blame]82
83 // Test taint propagation through strcpy and family.
84 char scpy[80];
85 strcpy(scpy, s);
86 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
87
Anna Zakscb6d4ee2012-01-13 00:56:55 +0000[diff] [blame]88 stpcpy(*(++p), s); // this generates __inline.
89 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
90
Anna Zaksb3fa8d72012-01-12 02:22:34 +0000[diff] [blame]91 char spcpy[80];
92 stpcpy(spcpy, s);
93 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
94
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]95 char *spcpyret;
96 spcpyret = stpcpy(spcpy, s);
97 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
98
Anna Zaksb3fa8d72012-01-12 02:22:34 +0000[diff] [blame]99 char sncpy[80];
100 strncpy(sncpy, s, 20);
101 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]102
103 char *dup;
104 dup = strndup(s, 20);
105 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
106
Anna Zaks126a2ef2012-01-07 02:33:10 +0000[diff] [blame]107}
Anna Zaks0244cd72012-01-14 02:48:40 +0000[diff] [blame]108
109int system(const char *command);
110void testTaintSystemCall() {
111 char buffer[156];
112 char addr[128];
113 scanf("%s", addr);
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]114 system(addr); // expected-warning {{Untrusted data is passed to a system call}}
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]115
116 // Test that spintf transfers taint.
117 sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]118 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]119}
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]120
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]121void testTaintSystemCall2() {
122 // Test that snpintf transfers taint.
123 char buffern[156];
124 char addr[128];
125 scanf("%s", addr);
126 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]127 system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]128}
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]129
Anna Zaks5d324e52012-01-18 02:45:07 +0000[diff] [blame]130void testTaintSystemCall3() {
131 char buffern2[156];
132 int numt;
133 char addr[128];
134 scanf("%s %d", addr, &numt);
135 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]136 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
Anna Zaks0244cd72012-01-14 02:48:40 +0000[diff] [blame]137}
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]138
139void testTaintedBufferSize() {
140 size_t ts;
141 scanf("%zd", &ts);
142
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]143 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
144 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
145 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
146 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]147
148 // If both buffers are trusted, do not issue a warning.
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]149 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]150 strncat(dst2, dst, ts); // no-warning
Anna Zaks560dbe92012-01-18 02:45:11 +0000[diff] [blame]151}
Anna Zaks3b754b22012-01-20 00:11:19 +0000[diff] [blame]152
153#define AF_UNIX 1 /* local to host (pipes) */
154#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
155#define AF_LOCAL AF_UNIX /* backward compatibility */
156#define SOCK_STREAM 1
157int socket(int, int, int);
158size_t read(int, void *, size_t);
159int execl(const char *, const char *, ...);
160
161void testSocket() {
162 int sock;
163 char buffer[100];
164
165 sock = socket(AF_INET, SOCK_STREAM, 0);
166 read(sock, buffer, 100);
Anna Zaks3705a1e2012-02-22 02:35:58 +0000[diff] [blame]167 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
Anna Zaks3b754b22012-01-20 00:11:19 +0000[diff] [blame]168
169 sock = socket(AF_LOCAL, SOCK_STREAM, 0);
170 read(sock, buffer, 100);
171 execl(buffer, "filename", 0); // no-warning
Anna Zaks12d0c8d2017-03-09 00:01:16 +0000[diff] [blame]172
173 sock = socket(AF_INET, SOCK_STREAM, 0);
174 // References to both buffer and &buffer as an argument should taint the argument
175 read(sock, &buffer, 100);
176 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
177}
178
179void testStruct() {
180 struct {
181 char buf[16];
182 int length;
183 } tainted;
184
185 char buffer[16];
186 int sock;
187
188 sock = socket(AF_INET, SOCK_STREAM, 0);
189 read(sock, &tainted, sizeof(tainted));
190 __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
191}
192
193void testStructArray() {
194 struct {
Artem Dergacheveed7a312017-05-29 15:42:56 +0000[diff] [blame]195 int length;
196 } tainted[4];
Anna Zaks12d0c8d2017-03-09 00:01:16 +0000[diff] [blame]197
Artem Dergacheveed7a312017-05-29 15:42:56 +0000[diff] [blame]198 char dstbuf[16], srcbuf[16];
Anna Zaks12d0c8d2017-03-09 00:01:16 +0000[diff] [blame]199 int sock;
200
201 sock = socket(AF_INET, SOCK_STREAM, 0);
Artem Dergacheveed7a312017-05-29 15:42:56 +0000[diff] [blame]202 __builtin_memset(srcbuf, 0, sizeof(srcbuf));
203
204 read(sock, &tainted[0], sizeof(tainted));
205 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
206
207 __builtin_memset(&tainted, 0, sizeof(tainted));
208 read(sock, &tainted, sizeof(tainted));
209 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
210
211 __builtin_memset(&tainted, 0, sizeof(tainted));
212 // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
213 read(sock, &tainted[1], sizeof(tainted));
214 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
215 __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
216}
217
218void testUnion() {
219 union {
220 int x;
221 char y[4];
222 } tainted;
223
224 char buffer[4];
225
226 int sock = socket(AF_INET, SOCK_STREAM, 0);
227 read(sock, &tainted.y, sizeof(tainted.y));
228 // FIXME: overlapping regions aren't detected by isTainted yet
229 __builtin_memcpy(buffer, tainted.y, tainted.x);
Anna Zaks3b754b22012-01-20 00:11:19 +0000[diff] [blame]230}
231
Anna Zaks8298af82012-01-20 20:28:31 +0000[diff] [blame]232int testDivByZero() {
233 int x;
234 scanf("%d", &x);
235 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
236}
Anna Zaksb7eac9f2012-01-21 05:07:33 +0000[diff] [blame]237
238// Zero-sized VLAs.
239void testTaintedVLASize() {
240 int x;
241 scanf("%d", &x);
242 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
243}
Anna Zaks1d3d51a2012-05-03 02:13:50 +0000[diff] [blame]244
245// This computation used to take a very long time.
246#define longcmp(a,b,c) { \
247 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
248 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
249
250unsigned radar11369570_hanging(const unsigned char *arr, int l) {
251 unsigned a, b, c;
252 a = b = c = 0x9899e3 + l;
253 while (l >= 6) {
254 unsigned t;
255 scanf("%d", &t);
256 a += b;
257 a ^= a;
258 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
259 longcmp(a, t, c);
260 l -= 12;
261 }
262 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
263}
Anna Zaksf0e9ca82012-05-03 02:13:53 +0000[diff] [blame]264
265// Check that we do not assert of the following code.
266int SymSymExprWithDiffTypes(void* p) {
267 int i;
268 scanf("%d", &i);
269 int j = (i % (int)(long)p);
270 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
271}
272
Jordan Rosed1d89292013-03-24 20:25:22 +0000[diff] [blame]273
274void constraintManagerShouldTreatAsOpaque(int rhs) {
275 int i;
276 scanf("%d", &i);
277 // This comparison used to hit an assertion in the constraint manager,
278 // which didn't handle NonLoc sym-sym comparisons.
279 if (i < rhs)
280 return;
281 if (i < rhs)
282 *(volatile int *) 0; // no-warning
283}