taint-generic.c revision 8f7bfb40b72f478d83b018a280f99c0386576ae3 
1// RUN: %clang_cc1  -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
2
3int scanf(const char *restrict format, ...);
4int getchar(void);
5
6typedef struct _FILE FILE;
7extern FILE *stdin;
8int fscanf(FILE *restrict stream, const char *restrict format, ...);
9int sprintf(char *str, const char *format, ...);
10void setproctitle(const char *fmt, ...);
11typedef __typeof(sizeof(int)) size_t;
12
13// Define string functions. Use builtin for some of them. They all default to
14// the processing in the taint checker.
15#define strcpy(dest, src) \
16  ((__builtin_object_size(dest, 0) != -1ULL) \
17   ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
18   : __inline_strcpy_chk(dest, src))
19
20static char *__inline_strcpy_chk (char *dest, const char *src) {
21  return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
22}
23char *stpcpy(char *restrict s1, const char *restrict s2);
24char *strncpy( char * destination, const char * source, size_t num );
25char *strndup(const char *s, size_t n);
26char *strncat(char *restrict s1, const char *restrict s2, size_t n);
27
28void *malloc(size_t);
29void *calloc(size_t nmemb, size_t size);
30void bcopy(void *s1, void *s2, size_t n);
31
32#define BUFSIZE 10
33
34int Buffer[BUFSIZE];
35void bufferScanfDirect(void)
36{
37  int n;
38  scanf("%d", &n);
39  Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
40}
41
42void bufferScanfArithmetic1(int x) {
43  int n;
44  scanf("%d", &n);
45  int m = (n - 3);
46  Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
47}
48
49void bufferScanfArithmetic2(int x) {
50  int n;
51  scanf("%d", &n);
52  int m = 100 - (n + 3) * x;
53  Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
54}
55
56void bufferScanfAssignment(int x) {
57  int n;
58  scanf("%d", &n);
59  int m;
60  if (x > 0) {
61    m = n;
62    Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
63  }
64}
65
66void scanfArg() {
67  int t = 0;
68  scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
69}
70
71void bufferGetchar(int x) {
72  int m = getchar();
73  Buffer[m] = 1;  //expected-warning {{Out of bound memory access (index is tainted)}}
74}
75
76void testUncontrolledFormatString(char **p) {
77  char s[80];
78  fscanf(stdin, "%s", s);
79  char buf[128];
80  sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
81  setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
82
83  // Test taint propagation through strcpy and family.
84  char scpy[80];
85  strcpy(scpy, s);
86  sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
87
88  stpcpy(*(++p), s); // this generates __inline.
89  setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
90
91  char spcpy[80];
92  stpcpy(spcpy, s);
93  setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
94
95  char *spcpyret;
96  spcpyret = stpcpy(spcpy, s);
97  setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
98
99  char sncpy[80];
100  strncpy(sncpy, s, 20);
101  setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
102
103  char *dup;
104  dup = strndup(s, 20);
105  setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
106
107}
108
109int system(const char *command);
110void testTaintSystemCall() {
111  char buffer[156];
112  char addr[128];
113  scanf("%s", addr);
114  system(addr); // expected-warning {{Untrusted data is passed to a system call}}
115
116  // Test that spintf transfers taint.
117  sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
118  system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
119}
120
121void testTaintSystemCall2() {
122  // Test that snpintf transfers taint.
123  char buffern[156];
124  char addr[128];
125  scanf("%s", addr);
126  __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
127  system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
128}
129
130void testTaintSystemCall3() {
131  char buffern2[156];
132  int numt;
133  char addr[128];
134  scanf("%s %d", addr, &numt);
135  __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
136  system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
137}
138
139void testTaintedBufferSize() {
140  size_t ts;
141  scanf("%zd", &ts);
142
143  int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
144  char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
145  bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
146  __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
147
148  // If both buffers are trusted, do not issue a warning.
149  char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
150  strncat(dst2, dst, ts); // no-warning
151}
152
153#define AF_UNIX   1   /* local to host (pipes) */
154#define AF_INET   2   /* internetwork: UDP, TCP, etc. */
155#define AF_LOCAL  AF_UNIX   /* backward compatibility */
156#define SOCK_STREAM 1
157int socket(int, int, int);
158size_t read(int, void *, size_t);
159int  execl(const char *, const char *, ...);
160
161void testSocket() {
162  int sock;
163  char buffer[100];
164
165  sock = socket(AF_INET, SOCK_STREAM, 0);
166  read(sock, buffer, 100);
167  execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
168
169  sock = socket(AF_LOCAL, SOCK_STREAM, 0);
170  read(sock, buffer, 100);
171  execl(buffer, "filename", 0); // no-warning
172}
173
174int testDivByZero() {
175  int x;
176  scanf("%d", &x);
177  return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
178}
179
180// Zero-sized VLAs.
181void testTaintedVLASize() {
182  int x;
183  scanf("%d", &x);
184  int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
185}
186
187// This computation used to take a very long time.
188#define longcmp(a,b,c) { \
189  a -= c;  a ^= c;  c += b; b -= a;  b ^= (a<<6) | (a >> (32-b));  a += c; c -= b;  c ^= b;  b += a; \
190  a -= c;  a ^= c;  c += b; b -= a;  b ^= a;  a += c; c -= b;  c ^= b;  b += a; }
191
192unsigned radar11369570_hanging(const unsigned char *arr, int l) {
193  unsigned a, b, c;
194  a = b = c = 0x9899e3 + l;
195  while (l >= 6) {
196    unsigned t;
197    scanf("%d", &t);
198    a += b;
199    a ^= a;
200    a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
201    longcmp(a, t, c);
202    l -= 12;
203  }
204  return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
205}
206
207// Check that we do not assert of the following code.
208int SymSymExprWithDiffTypes(void* p) {
209  int i;
210  scanf("%d", &i);
211  int j = (i % (int)(long)p);
212  return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
213}
214
215
216void constraintManagerShouldTreatAsOpaque(int rhs) {
217  int i;
218  scanf("%d", &i);
219  // This comparison used to hit an assertion in the constraint manager,
220  // which didn't handle NonLoc sym-sym comparisons.
221  if (i < rhs)
222    return;
223  if (i < rhs)
224    *(volatile int *) 0; // no-warning
225}
226