taint-tester.c revision f512560e06185f99b156e1a269d7297658768881
1// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest -verify %s
2
3#include <stdarg.h>
4
// Library prototypes are declared locally; the only header the visible part
// of this file includes is <stdarg.h>. scanf is the taint source used by the
// test functions in this file. getchar is not called in the portion shown here.
5int scanf(const char *restrict format, ...);
6int getchar(void);
7
// Global array of BUFSIZE ints. taintTracking takes &Buffer[0] as the base
// for pointer arithmetic with an offset read from input.
8#define BUFSIZE 10
9int Buffer[BUFSIZE];
10
// Aggregate used by taintTracking to check taint on individual fields and on
// a struct pointer read from input. There, x and y are written through scanf,
// while z is only initialized and read back (that read is annotated
// "no warning").
11struct XYStruct {
12  int x;
13  int y;
14  char z;
15};
16
// Analyzer regression test: follows taint from scanf() through pointer
// arithmetic, arithmetic/cast/increment expressions, dereferences and struct
// fields. The RUN line enables experimental.security.taint and
// debug.TaintTest; the trailing verify directive on a line gives how many
// diagnostics containing "tainted" must be reported there.
// NOTE(review): debug.TaintTest appears to report every tainted
// (sub)expression it visits, which would explain counts above one. Confirm
// against the checker source.
// The code is deliberately unsafe (unchecked input used as an index, and
// pointers read from input then dereferenced); that is the subject under
// test. The parameter x is not used in the body.
17void taintTracking(int x) {
18  int n;
19  int *addr = &Buffer[0];
    // Taint source: n is written by scanf and is never range-checked below.
20  scanf("%d", &n);
    // Input-controlled offset applied to the 10-element Buffer, followed by
    // a store through the resulting pointer.
21  addr += n;// expected-warning 2 {{tainted}}
22  *addr = n; // expected-warning 3 {{tainted}}
23
    // Taint must survive integer division with conversion to double, an
    // int-to-pointer cast, and post-increment/decrement with narrowing.
24  double tdiv = n / 30; // expected-warning 3 {{tainted}}
25  char *loc_cast = (char *) n; // expected-warning {{tainted}}
26  char tinc = tdiv++; // expected-warning {{tainted}}
27  int tincdec = (char)tinc--; // expected-warning 2 {{tainted}}
28
29  // Tainted ptr arithmetic/array element address.
30  int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
31
32  // Dereference.
    // The pointer value itself comes from input via %p; both the load through
    // it and arithmetic on the loaded value are required to be reported.
33  int *ptr;
34  scanf("%p", &ptr);
35  int ptrDeref = *ptr; // expected-warning 2 {{tainted}}
36  int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}
37
38  // Pointer arithmetic + dereferencing.
39  // FIXME: We fail to propagate the taint here because RegionStore does not
40  // handle ElementRegions with symbolic indexes.
    // Known gap recorded by the FIXME above: one diagnostic is required on the
    // load and none on the copy that follows, so the value read through the
    // offset pointer is not tracked as tainted at this revision.
41  int addrDeref = *addr; // expected-warning {{tainted}}
42  int _addrDeref = addrDeref;
43
44  // Tainted struct address, casts.
    // Taint on the pointer must survive the round trip through void * and
    // reach the field reads made through it.
45  struct XYStruct *xyPtr = 0;
46  scanf("%p", &xyPtr);
47  void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
48  struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
49  int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}
50  int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}
51
52  // Taint on fields of a struct.
    // y and x are written by two separate scanf calls. Only the read of x is
    // required to be reported; the FIXME on the read of y records a missed
    // taint (false negative). z is never written from input.
53  struct XYStruct xy = {2, 3, 11};
54  scanf("%d", &xy.y);
55  scanf("%d", &xy.x);
56  int tx = xy.x; // expected-warning {{tainted}}
57  int ty = xy.y; // FIXME: This should be tainted as well.
58  char ntz = xy.z;// no warning
59  // Now, scanf scans both.
    // With both fields written by a single scanf call, both reads are
    // required to be reported.
60  scanf("%d %d", &xy.y, &xy.x);
61  int ttx = xy.x; // expected-warning {{tainted}}
62  int tty = xy.y; // expected-warning {{tainted}}
63}
64
// Analyzer regression test: follows taint through shifts, multiplication,
// bitwise AND/OR, the promotion of the char parameter inn to int, and a
// branch whose condition is tainted. The only taint source visible here is
// x, written by scanf; in and inn are plain parameters.
65void BitwiseOp(int in, char inn) {
66  // Taint on bitwise operations, integer to integer cast.
67  int m;
68  int x = 0;
69  scanf("%d", &x);
    // The shift count is derived from input and not bounded. In C, a count
    // that is negative or not less than the width of int is undefined
    // behavior; here it only serves to carry taint into y.
70  int y = (in << (x << in)) * 5;// expected-warning 4 {{tainted}}
71  // The next line tests integer to integer cast.
72  int z = y & inn; // expected-warning 2 {{tainted}}
73  if (y == 5) // expected-warning 2 {{tainted}}
74    m = z | z;// expected-warning 4 {{tainted}}
75  else
    // No directive on this line: m receives the parameter inn, which is not
    // a taint source in this function.
76    m = inn;
    // NOTE(review): the single diagnostic required below presumably comes from
    // the path through the if-branch, where m holds a tainted value. Confirm.
77  int mm = m; // expected-warning   {{tainted}}
78}
79