This is an archive of the discontinued LLVM Phabricator instance.

Differential D120369

[analyzer] Add more propagations to Taint analysis
ClosedPublic

Authored by gamesh411 on Feb 22 2022, 4:34 PM.

Details

Reviewers
steakhal
Szelethus
NoQ
Commits
rG4fd6c6e65ab5: [analyzer] Add more propagations to Taint analysis
Summary

Add more functions as taint propators to GenericTaintChecker.

Diff Detail

Event Timeline

gamesh411 created this revision.Feb 22 2022, 4:34 PM
Herald added a reviewer: Szelethus. · View Herald TranscriptFeb 22 2022, 4:34 PM
Herald added subscribers: ASDenysPetrov, martong, dkrupp and 7 others. · View Herald Transcript
gamesh411 requested review of this revision.Feb 22 2022, 4:34 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 22 2022, 4:34 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B150961: Diff 410674.Feb 22 2022, 5:11 PM
steakhal added a comment.Feb 23 2022, 8:04 AM

Huh, this was a long one. 😅 🚀

clang/docs/analyzer/checkers.rst
2361

I cannot see the corresponding propagation rule.
That being said, it would be handy to mention that this is for zlib decompression and this should be probably a taint source anyway.

vfscanf occurs two times.

vscanf is not mentioned here; and there are probably a couple others like this.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
586

This function has exactly 3 arguments.
I'm also puzzled how tainting va_list will work out. That should be modeled separately IMO.
This comment applies to all of the similar va_list accepting functions, such as vscanf, vfscanf, and possibly others.

That being said, I think vscanf is more like scanf, so it should be modeled as a taint source instead of a propagator.

598

I'm on board with marking read operations as props/sources.
Let's look at the declaration: ssize_t readv(int fd, const struct iovec *iov, int iovcnt);
I'm not sure how could the pointee of iov be modified by this call, as its const.
Additionally, I doubt the effectiveness of the rule, since I don't think it would be too likely to have a path leading to a taint sink with an iov pointer. That being said, let it be, but don't expect much from this rule :D

600

It's sad that we don't model recvmsg, but it would be quite difficult to model. I can see why you left that out.

602–603

I'm not sure how could these be used as gadgets, but let it be.

605–606

These should be sorted, isn't it?

607

int fnmatch(const char *pattern, const char *string, int flags);
The fnmatch() function checks whether the string argument matches the pattern argument, which is a shell wildcard pattern (see glob(7)).

From this man entry I would think that we should propagate from the second argument.

619

One could say that if memmem was called with a tainted needle and actually finds something in the haystack, that would mean essentially that the value pointed by the return value has the same content as the needle.
However, I still agree with the current propagation rule, depending only on arg 0.
This might reasoning might deserve a comment though.
strstr also shares this property.

629
638–639

IMO these should propagate from {0,1}, similarly how the strncmp does propagate from its last argument.

clang/test/Analysis/taint-generic.c
491–497

This test case definitely needs to be reworked.

  1. We don't have FDs in this context, unlike the comment suggests.
  2. vscanf should be an unconditional taint source, instead of being a propagator.
511–514

For this type of things I can recommend using the clang_analyzer_isTainted(T) debug.ExprInspection introspection function.
It will do the right thing, without sinking the execution path.

I've seen in some other test cases that you used an extra top-level fn parameter for the same.
That's slightly better than using a global, but I would still recommend the debug function.

518–519

Please use single-line comments.
It makes debugging test files easier in some cases.

527

clang_analyzer_isTainted(*iov)

1024

You should group these all into a single test case.
This way the setup code for the test dominates compared to the actual content.

1046–1047

The comparison function must return an integer less than, equal to, or greater than zero if the first argument is considered to be respectively less than, equal to, or greater than the second.

1058–1061

Just use the cmp_less instead.
You can also fuse the qsort test cases into a single function.

gamesh411 updated this revision to Diff 412057.Mar 1 2022, 4:58 AM
gamesh411 marked 17 inline comments as done.
  • remove vscanf and co.
  • use debug.ExprInspection for test cases
  • fix semantic issues for modeled functions
Herald added a subscriber: manas. · View Herald TranscriptMar 1 2022, 4:58 AM
gamesh411 added inline comments.Mar 1 2022, 4:58 AM
clang/docs/analyzer/checkers.rst
2361

Removed vscanf and vfscanf as modeling their taint is not straightforward and should be done in another checker.
The problem with those is that they do not use variadic arguments, but an abstraction of those implemented by the type va_list, which is used to support invocations, where the number of arguments is determined at runtime.
In addition to modeling individual v-variants we will also have to handle the creation of va_list objects, and va_start function calls and try to reason about which parameters will be tainted.

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
586

removed

598

On second thought, this seems pointless indeed, removed.

605–606

swapped, thx

clang/test/Analysis/taint-generic.c
518–519

removed

527

test case removed

steakhal accepted this revision.Mar 1 2022, 5:15 AM
steakhal added a reviewer: NoQ.

Looks good to me. Check the docs if they are still in sync.
Also, postpone this for two days to let others block this if they have objections.
Other than that, land it.

This revision is now accepted and ready to land.Mar 1 2022, 5:15 AM
Harbormaster completed remote builds in B151925: Diff 412057.Mar 1 2022, 6:12 AM
gamesh411 updated this revision to Diff 413388.Mar 7 2022, 2:10 AM

rebase

Herald added a project: Restricted Project. · View Herald TranscriptMar 7 2022, 2:10 AM
Harbormaster completed remote builds in B152866: Diff 413388.Mar 7 2022, 3:06 AM
Closed by commit rG4fd6c6e65ab5: [analyzer] Add more propagations to Taint analysis (authored by gamesh411). · Explain WhyMar 7 2022, 4:19 AM
This revision was automatically updated to reflect the committed changes.
gamesh411 added a commit: rG4fd6c6e65ab5: [analyzer] Add more propagations to Taint analysis.
gamesh411 mentioned this in rGbfc40b1a1a2c: [analyzer] Fix buildbot failure for D120369.Mar 7 2022, 5:58 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
2 lines
lib/
StaticAnalyzer/
Checkers/
75 lines
test/
Analysis/
533 lines

Diff 413423

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 2,352 Lines▼ Show 20 Lines
There are built-in sources, propagations and sinks defined in code inside ``GenericTaintChecker``. There are built-in sources, propagations and sinks defined in code inside ``GenericTaintChecker``.
These operations are handled even if no external taint configuration is provided. These operations are handled even if no external taint configuration is provided.
Default sources defined by ``GenericTaintChecker``: Default sources defined by ``GenericTaintChecker``:
``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``, ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``, ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``, ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``, ``scanf``, ``scanf_s``, ``socket``, ``wgetch`` ``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``, ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``, ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``, ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``, ``scanf``, ``scanf_s``, ``socket``, ``wgetch``
Default propagations defined by ``GenericTaintChecker``: Default propagations defined by ``GenericTaintChecker``:
``atoi``, ``atol``, ``atoll``, ``fgetc``, ``fgetln``, ``fgets``, ``fscanf``, ``sscanf``, ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``pread``, ``read``, ``strchr``, ``strrchr``, ``tolower``, ``toupper`` ``atoi``, ``atol``, ``atoll``, ``basename``, ``dirname``, ``fgetc``, ``fgetln``, ``fgets``, ``fnmatch``, ``fread``, ``fscanf``, ``fscanf_s``, ``index``, ``inflate``, ``isalnum``, ``isalpha``, ``isascii``, ``isblank``, ``iscntrl``, ``isdigit``, ``isgraph``, ``islower``, ``isprint``, ``ispunct``, ``isspace``, ``isupper``, ``isxdigit``, ``memchr``, ``memrchr``, ``sscanf``, ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``memcmp``, ``memcpy``, ``memmem``, ``memmove``, ``mbtowc``, ``pread``, ``qsort``, ``qsort_r``, ``rawmemchr``, ``read``, ``recv``, ``recvfrom``, ``rindex``, ``strcasestr``, ``strchr``, ``strchrnul``, ``strcasecmp``, ``strcmp``, ``strcspn``, ``strlen``, ``strncasecmp``, ``strncmp``, ``strndup``, ``strndupa``, ``strnlen``, ``strpbrk``, ``strrchr``, ``strsep``, ``strspn``, ``strstr``, ``strtol``, ``strtoll``, ``strtoul``, ``strtoull``, ``tolower``, ``toupper``, ``ttyname``, ``ttyname_r``, ``wctomb``, ``wcwidth``
steakhalUnsubmitted
Done
ReplyInline Actions

I cannot see the corresponding propagation rule.
That being said, it would be handy to mention that this is for zlib decompression and this should be probably a taint source anyway.

vfscanf occurs two times.

vscanf is not mentioned here; and there are probably a couple others like this.

steakhal: I cannot see the corresponding propagation rule. That being said, it would be handy to mention…
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

Removed vscanf and vfscanf as modeling their taint is not straightforward and should be done in another checker.
The problem with those is that they do not use variadic arguments, but an abstraction of those implemented by the type va_list, which is used to support invocations, where the number of arguments is determined at runtime.
In addition to modeling individual v-variants we will also have to handle the creation of va_list objects, and va_start function calls and try to reason about which parameters will be tainted.

gamesh411: Removed `vscanf` and `vfscanf` as modeling their taint is not straightforward and should be…
Default sinks defined in ``GenericTaintChecker``: Default sinks defined in ``GenericTaintChecker``:
``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``, ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``, ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``, ``alloca``, ``memccpy``, ``realloc``, ``bcopy`` ``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``, ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``, ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``, ``alloca``, ``memccpy``, ``realloc``, ``bcopy``
The user can configure taint sources, sinks, and propagation rules by providing a configuration file via checker option ``alpha.security.taint.TaintPropagation:Config``. The user can configure taint sources, sinks, and propagation rules by providing a configuration file via checker option ``alpha.security.taint.TaintPropagation:Config``.
External taint configuration is in `YAML <http://llvm.org/docs/YamlIO.html#introduction-to-yaml>`_ format. The taint-related options defined in the config file extend but do not override the built-in sources, rules, sinks. External taint configuration is in `YAML <http://llvm.org/docs/YamlIO.html#introduction-to-yaml>`_ format. The taint-related options defined in the config file extend but do not override the built-in sources, rules, sinks.
The format of the external taint configuration file is not stable, and could change without any notice even in a non-backward compatible way. The format of the external taint configuration file is not stable, and could change without any notice even in a non-backward compatible way.
▲ Show 20 LinesShow All 565 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 574 Lines▼ Show 20 Lines RulesConstructionTy GlobalCRules{
// Props // Props
{{"atoi"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"atoi"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"atol"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"atol"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"atoll"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"atoll"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fgetc"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"fgetc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fgetln"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"fgetln"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fgets"}, TR::Prop({{2}}, {{0, ReturnValueIndex}})}, {{"fgets"}, TR::Prop({{2}}, {{0, ReturnValueIndex}})},
{{"fscanf"}, TR::Prop({{0}}, {{}, 2})}, {{"fscanf"}, TR::Prop({{0}}, {{}, 2})},
{{"fscanf_s"}, TR::Prop({{0}}, {{}, {2}})},
{{"sscanf"}, TR::Prop({{0}}, {{}, 2})}, {{"sscanf"}, TR::Prop({{0}}, {{}, 2})},
{{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions
{{"vscanf"}, TR::Prop({{0}}, {{}, 1})},
- {{"vfscanf"}, TR::Prop({{0}}, {{}, 2})},
+ {{"vfscanf"}, TR::Prop({{0}}, {{2}})},
{{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},

This function has exactly 3 arguments.
I'm also puzzled how tainting va_list will work out. That should be modeled separately IMO.
This comment applies to all of the similar va_list accepting functions, such as vscanf, vfscanf, and possibly others.

That being said, I think vscanf is more like scanf, so it should be modeled as a taint source instead of a propagator.

steakhal: This function has exactly 3 arguments. I'm also puzzled how tainting `va_list` will work out.
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

removed

gamesh411: removed
{{"getc_unlocked"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"getc_unlocked"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"getdelim"}, TR::Prop({{3}}, {{0}})}, {{"getdelim"}, TR::Prop({{3}}, {{0}})},
{{"getline"}, TR::Prop({{2}}, {{0}})}, {{"getline"}, TR::Prop({{2}}, {{0}})},
{{"getw"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"getw"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"pread"}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})}, {{"pread"}, TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})},
{{"read"}, TR::Prop({{0, 2}}, {{1, ReturnValueIndex}})}, {{"read"}, TR::Prop({{0, 2}}, {{1, ReturnValueIndex}})},
{{"strchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"strchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"strrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"tolower"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"tolower"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"toupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})}, {{"toupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fread"}, TR::Prop({{3}}, {{0, ReturnValueIndex}})},
{{"recv"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions

I'm on board with marking read operations as props/sources.
Let's look at the declaration: ssize_t readv(int fd, const struct iovec *iov, int iovcnt);
I'm not sure how could the pointee of iov be modified by this call, as its const.
Additionally, I doubt the effectiveness of the rule, since I don't think it would be too likely to have a path leading to a taint sink with an iov pointer. That being said, let it be, but don't expect much from this rule :D

steakhal: I'm on board with marking read operations as props/sources. Let's look at the declaration…
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

On second thought, this seems pointless indeed, removed.

gamesh411: On second thought, this seems pointless indeed, removed.
{{"recvfrom"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions

It's sad that we don't model recvmsg, but it would be quite difficult to model. I can see why you left that out.

steakhal: It's sad that we don't model `recvmsg`, but it would be quite difficult to model. I can see why…
{{"ttyname"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"ttyname_r"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions

I'm not sure how could these be used as gadgets, but let it be.

steakhal: I'm not sure how could these be used as gadgets, but let it be.
{{"basename"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"dirname"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"fnmatch"}, TR::Prop({{1}}, {{ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions

These should be sorted, isn't it?

steakhal: These should be sorted, isn't it?
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

swapped, thx

gamesh411: swapped, thx
{{"memchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions
{{"basename"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
- {{"fnmatch"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+ {{"fnmatch"}, TR::Prop({{1}}, {{ReturnValueIndex}})},
{{"memchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},

int fnmatch(const char *pattern, const char *string, int flags);
The fnmatch() function checks whether the string argument matches the pattern argument, which is a shell wildcard pattern (see glob(7)).

From this man entry I would think that we should propagate from the second argument.

steakhal: > `int fnmatch(const char *pattern, const char *string, int flags);` >The `fnmatch()` function…
{{"memrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"rawmemchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"mbtowc"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
{{"wctomb"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
{{"wcwidth"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"memcmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
{{"memcpy"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
{{"memmove"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
// If memmem was called with a tainted needle and the search was
// successful, that would mean that the value pointed by the return value
steakhalUnsubmitted
Done
ReplyInline Actions

One could say that if memmem was called with a tainted needle and actually finds something in the haystack, that would mean essentially that the value pointed by the return value has the same content as the needle.
However, I still agree with the current propagation rule, depending only on arg 0.
This might reasoning might deserve a comment though.
strstr also shares this property.

steakhal: One could say that if `memmem` was called with a tainted //needle// and actually finds…
// has the same content as the needle. If we choose to go by the policy of
// content equivalence implies taintedness equivalence, that would mean
// haystack should be considered a propagation source argument.
{{"memmem"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
// The comment for memmem above also applies to strstr.
{{"strstr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strcasestr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strchrnul"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions
{{"rindex"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
- // FIXME: in case of arrays ,only the first element of the array gets
+ // FIXME: In case of arrays, only the first element of the array gets
// tainted.
steakhal:
{{"index"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"rindex"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
// FIXME: In case of arrays, only the first element of the array gets
// tainted.
{{"qsort"}, TR::Prop({{0}}, {{0}})},
{{"qsort_r"}, TR::Prop({{0}}, {{0}})},
{{"strcmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
steakhalUnsubmitted
Done
ReplyInline Actions

IMO these should propagate from {0,1}, similarly how the strncmp does propagate from its last argument.

steakhal: IMO these should propagate from `{0,1}`, similarly how the `strncmp` does propagate from its…
{{"strcasecmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
{{"strncmp"}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
{{"strncasecmp"}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
{{"strspn"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
{{"strcspn"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
{{"strpbrk"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strndup"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strndupa"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strlen"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strnlen"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"strtol"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
{{"strtoll"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
{{"strtoul"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
{{"strtoull"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
{{"isalnum"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isalpha"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isascii"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isblank"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"iscntrl"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isdigit"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isgraph"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"islower"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isprint"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"ispunct"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isspace"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{"isxdigit"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
{{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncat)}}, {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncat)}},
TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})}, TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})},
{{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcpy)}}, {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcpy)}},
TR::Prop({{1, 2}}, {{0}})}, TR::Prop({{1, 2}}, {{0}})},
{{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcat)}}, {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcat)}},
TR::Prop({{1, 2}}, {{0}})}, TR::Prop({{1, 2}}, {{0}})},
{{CDF_MaybeBuiltin, {"snprintf"}}, {{CDF_MaybeBuiltin, {"snprintf"}},
TR::Prop({{1}, 3}, {{0, ReturnValueIndex}})}, TR::Prop({{1}, 3}, {{0, ReturnValueIndex}})},
▲ Show 20 LinesShow All 319 Lines▼ Show 20 Linesvoid GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call,
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
auto &F = State->getStateManager().get_context<ArgIdxFactory>(); auto &F = State->getStateManager().get_context<ArgIdxFactory>();
ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex); ImmutableSet<ArgIdxTy> Result = F.add(F.getEmptySet(), ReturnValueIndex);
State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result);
C.addTransition(State); C.addTransition(State);
} }
/// Checker registration /// Checker registration
void ento::registerGenericTaintChecker(CheckerManager &Mgr) { void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
Mgr.registerChecker<GenericTaintChecker>(); Mgr.registerChecker<GenericTaintChecker>();
} }
bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) { bool ento::shouldRegisterGenericTaintChecker(const CheckerManager &mgr) {
return true; return true;
} }

clang/test/Analysis/taint-generic.c

// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast -verify %s \ // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
// RUN: -Wno-incompatible-library-redeclaration -verify %s \
// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \ // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \ // RUN: -analyzer-config \
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast -verify %s \ // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
// RUN: -Wno-incompatible-library-redeclaration -verify %s \
// RUN: -DFILE_IS_STRUCT \ // RUN: -DFILE_IS_STRUCT \
// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \ // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \ // RUN: -analyzer-config \
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
// RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast -verify %s \ // RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \
// RUN: -Wno-incompatible-library-redeclaration -verify %s \
// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \ // RUN: -analyzer-config \
// RUN: alpha.security.taint.TaintPropagation:Config=justguessit \ // RUN: alpha.security.taint.TaintPropagation:Config=justguessit \
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
// CHECK-INVALID-FILE: (frontend): invalid input for checker option // CHECK-INVALID-FILE: (frontend): invalid input for checker option
// CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config', // CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config',
// CHECK-INVALID-FILE-SAME: that expects a valid filename instead of // CHECK-INVALID-FILE-SAME: that expects a valid filename instead of
// CHECK-INVALID-FILE-SAME: 'justguessit' // CHECK-INVALID-FILE-SAME: 'justguessit'
// RUN: not %clang_analyze_cc1 -verify %s \ // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
// RUN: -verify %s \
// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \ // RUN: -analyzer-config \
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \ // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
// RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED // RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED
// CHECK-ILL-FORMED: (frontend): invalid input for checker option // CHECK-ILL-FORMED: (frontend): invalid input for checker option
// CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config', // CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config',
// CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]] // CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]]
// RUN: not %clang_analyze_cc1 -verify %s \ // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
// RUN: -verify %s \
// RUN: -analyzer-checker=alpha.security.taint \ // RUN: -analyzer-checker=alpha.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \ // RUN: -analyzer-config \
// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \ // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
// CHECK-INVALID-ARG: (frontend): invalid input for checker option // CHECK-INVALID-ARG: (frontend): invalid input for checker option
// CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config', // CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config',
// CHECK-INVALID-ARG-SAME: that expects an argument number for propagation // CHECK-INVALID-ARG-SAME: that expects an argument number for propagation
// CHECK-INVALID-ARG-SAME: rules greater or equal to -1 // CHECK-INVALID-ARG-SAME: rules greater or equal to -1
typedef long long rsize_t; typedef long long rsize_t;
void clang_analyzer_isTainted_char(char);
void clang_analyzer_isTainted_charp(char*);
void clang_analyzer_isTainted_int(int);
int scanf(const char *restrict format, ...); int scanf(const char *restrict format, ...);
char *gets(char *str); char *gets(char *str);
char *gets_s(char *str, rsize_t n); char *gets_s(char *str, rsize_t n);
int getchar(void); int getchar(void);
typedef struct _FILE FILE; typedef struct _FILE FILE;
#ifdef FILE_IS_STRUCT #ifdef FILE_IS_STRUCT
extern struct _FILE *stdin; extern struct _FILE *stdin;
#else #else
extern FILE *stdin; extern FILE *stdin;
#endif #endif
#define bool _Bool #define bool _Bool
#define NULL (void*)0
char *getenv(const char *name); char *getenv(const char *name);
FILE *fopen(const char *name, const char *mode);
int fscanf(FILE *restrict stream, const char *restrict format, ...); int fscanf(FILE *restrict stream, const char *restrict format, ...);
int sprintf(char *str, const char *format, ...); int sprintf(char *str, const char *format, ...);
void setproctitle(const char *fmt, ...); void setproctitle(const char *fmt, ...);
void setproctitle_init(int argc, char *argv[], char *envp[]); void setproctitle_init(int argc, char *argv[], char *envp[]);
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
typedef signed long long ssize_t;
// Define string functions. Use builtin for some of them. They all default to // Define string functions. Use builtin for some of them. They all default to
// the processing in the taint checker. // the processing in the taint checker.
#define strcpy(dest, src) \ #define strcpy(dest, src) \
((__builtin_object_size(dest, 0) != -1ULL) \ ((__builtin_object_size(dest, 0) != -1ULL) \
? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \ ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
: __inline_strcpy_chk(dest, src)) : __inline_strcpy_chk(dest, src))
▲ Show 20 LinesShow All 305 Lines▼ Show 20 Lines
} }
char *getwd(char *buf); char *getwd(char *buf);
int testGetwd(char *buf) { int testGetwd(char *buf) {
char *c = getwd(buf); char *c = getwd(buf);
return system(c); // expected-warning {{Untrusted data is passed to a system call}} return system(c); // expected-warning {{Untrusted data is passed to a system call}}
} }
typedef signed long long ssize_t;
ssize_t readlink(const char *path, char *buf, size_t bufsiz); ssize_t readlink(const char *path, char *buf, size_t bufsiz);
int testReadlink(char *path, char *buf, size_t bufsiz) { int testReadlink(char *path, char *buf, size_t bufsiz) {
ssize_t s = readlink(path, buf, bufsiz); ssize_t s = readlink(path, buf, bufsiz);
system(buf); // expected-warning {{Untrusted data is passed to a system call}} system(buf); // expected-warning {{Untrusted data is passed to a system call}}
// readlink never returns 0 // readlink never returns 0
return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}} return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
} }
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Lines
} }
int getlogin_r(char *buf, size_t bufsize); int getlogin_r(char *buf, size_t bufsize);
int testGetlogin_r(char *buf, size_t bufsize) { int testGetlogin_r(char *buf, size_t bufsize) {
getlogin_r(buf, bufsize); getlogin_r(buf, bufsize);
return system(buf); // expected-warning {{Untrusted data is passed to a system call}} return system(buf); // expected-warning {{Untrusted data is passed to a system call}}
} }
int fscanf_s(FILE *stream, const char *format, ...);
void testFscanf_s(const char *fname, int *d) {
FILE *f = fopen(fname, "r");
fscanf_s(f, "%d", d);
clang_analyzer_isTainted_int(*d); // expected-warning {{YES}}
}
int fread(void *buffer, size_t size, size_t count, FILE *stream);
void testFread(const char *fname, int *buffer, size_t size, size_t count) {
FILE *f = fopen(fname, "r");
size_t read = fread(buffer, size, count, f);
clang_analyzer_isTainted_int(*buffer); // expected-warning {{YES}}
clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
}
steakhalUnsubmitted
Done
ReplyInline Actions

This test case definitely needs to be reworked.

  1. We don't have FDs in this context, unlike the comment suggests.
  2. vscanf should be an unconditional taint source, instead of being a propagator.
steakhal: This test case definitely needs to be reworked. 1) We don't have FDs in this context, unlike…
ssize_t recv(int sockfd, void *buf, size_t len, int flags);
void testRecv(int *buf, size_t len, int flags) {
int fd;
scanf("%d", &fd); // fake a tainted a file descriptor
size_t read = recv(fd, buf, len, flags);
clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
}
typedef size_t socklen_t;
struct sockaddr {
unsigned short sa_family;
char sa_data[14];
};
steakhalUnsubmitted
Done
ReplyInline Actions

For this type of things I can recommend using the clang_analyzer_isTainted(T) debug.ExprInspection introspection function.
It will do the right thing, without sinking the execution path.

I've seen in some other test cases that you used an extra top-level fn parameter for the same.
That's slightly better than using a global, but I would still recommend the debug function.

steakhal: For this type of things I can recommend using the `clang_analyzer_isTainted(T)` `debug.
ssize_t recvfrom(int sockfd, void *restrict buf, size_t len, int flags,
struct sockaddr *restrict src_addr,
socklen_t *restrict addrlen);
void testRecvfrom(int *restrict buf, size_t len, int flags,
steakhalUnsubmitted
Done
ReplyInline Actions

Please use single-line comments.
It makes debugging test files easier in some cases.

steakhal: Please use single-line comments. It makes debugging test files easier in some cases.
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

removed

gamesh411: removed
struct sockaddr *restrict src_addr,
socklen_t *restrict addrlen) {
int fd;
scanf("%d", &fd); // fake a tainted a file descriptor
size_t read = recvfrom(fd, buf, len, flags, src_addr, addrlen);
clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
steakhalUnsubmitted
Done
ReplyInline Actions

clang_analyzer_isTainted(*iov)

steakhal: `clang_analyzer_isTainted(*iov)`
gamesh411AuthorUnsubmitted
Done
ReplyInline Actions

test case removed

gamesh411: test case removed
}
char *ttyname(int fd);
void testTtyname() {
int fd;
scanf("%d", &fd); // fake a tainted a file descriptor
char *name = ttyname(fd);
clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
}
int ttyname_r(int fd, char *buf, size_t buflen);
void testTtyname_r(char *buf, size_t buflen) {
int fd;
scanf("%d", &fd); // fake a tainted a file descriptor
int result = ttyname_r(fd, buf, buflen);
clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
char *dirname(char *path);
void testDirname() {
char buf[10];
scanf("%9s", buf);
char *name = dirname(buf);
clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
}
char *basename(char *path);
void testBasename() {
char buf[10];
scanf("%9s", buf);
char *name = basename(buf);
clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
}
int fnmatch(const char *pattern, const char *string, int flags);
void testFnmatch(const char *pattern, int flags) {
char string[10];
scanf("%9s", string);
int result = fnmatch(pattern, string, flags);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
void *memchr(const void *s, int c, size_t n);
void testMemchr(int c, size_t n) {
char buf[10];
scanf("%9s", buf);
char *result = memchr(buf, c, n);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
void *memrchr(const void *s, int c, size_t n);
void testMemrchr(int c, size_t n) {
char buf[10];
scanf("%9s", buf);
char *result = memrchr(buf, c, n);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
void *rawmemchr(const void *s, int c);
void testRawmemchr(int c) {
char buf[10];
scanf("%9s", buf);
char *result = rawmemchr(buf, c);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
typedef char wchar_t;
int mbtowc(wchar_t *pwc, const char *s, size_t n);
void testMbtowc(wchar_t *pwc, size_t n) {
char buf[10];
scanf("%9s", buf);
int result = mbtowc(pwc, buf, n);
clang_analyzer_isTainted_char(*pwc); // expected-warning {{YES}}
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
int wctomb(char *s, wchar_t wc);
void testWctomb(char *buf) {
wchar_t wc;
scanf("%c", &wc);
int result = wctomb(buf, wc);
clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
int wcwidth(wchar_t c);
void testWcwidth() {
wchar_t wc;
scanf("%c", &wc);
int width = wcwidth(wc);
clang_analyzer_isTainted_int(width); // expected-warning {{YES}}
}
int memcmp(const void *s1, const void *s2, size_t n);
void testMemcmpWithLHSTainted(size_t n, char *rhs) {
char lhs[10];
scanf("%9s", lhs);
int cmp_result = memcmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testMemcmpWithRHSTainted(size_t n, char *lhs) {
char rhs[10];
scanf("%9s", rhs);
int cmp_result = memcmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void *memcpy(void *restrict dest, const void *restrict src, size_t n);
void testMemcpy(char *dst, size_t n) {
char src[10];
scanf("%9s", src);
char *result = memcpy(dst, src, n);
clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
void *memmove(void *dest, const void *src, size_t n);
void testMemmove(char *dst, size_t n) {
char src[10];
scanf("%9s", src);
char *result = memmove(dst, src, n);
clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen);
void testMemmem(const void *needle, size_t needlelen) {
char haystack[10];
scanf("%9s", haystack);
char *result = memmem(haystack, 9, needle, needlelen);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *strstr(const char *haystack, const char *needle);
void testStrstr(const char *needle) {
char haystack[10];
scanf("%9s", haystack);
char *result = strstr(haystack, needle);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *strcasestr(const char *haystack, const char *needle);
void testStrcasestr(const char *needle) {
char haystack[10];
scanf("%9s", haystack);
char *result = strcasestr(haystack, needle);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *strchrnul(const char *s, int c);
void testStrchrnul() {
char s[10];
scanf("%9s", s);
char *result = strchrnul(s, 9);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *index(const char *s, int c);
void testIndex() {
char s[10];
scanf("%9s", s);
char *result = index(s, 9);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *rindex(const char *s, int c);
void testRindex() {
char s[10];
scanf("%9s", s);
char *result = rindex(s, 9);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
int strcmp(const char *s1, const char *s2);
void testStrcmpWithLHSTainted(char *rhs) {
char lhs[10];
scanf("%9s", lhs);
int cmp_result = strcmp(lhs, rhs);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testStrcmpWithRHSTainted(char *lhs) {
char rhs[10];
scanf("%9s", rhs);
int cmp_result = strcmp(lhs, rhs);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
int strcasecmp(const char *s1, const char *s2);
void testStrcasecmpWithLHSTainted(char *rhs) {
char lhs[10];
scanf("%9s", lhs);
int cmp_result = strcasecmp(lhs, rhs);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testStrcasecmpWithRHSTainted(char *lhs) {
char rhs[10];
scanf("%9s", rhs);
int cmp_result = strcasecmp(lhs, rhs);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
int strncmp(const char *s1, const char *s2, size_t n);
void testStrncmpWithLHSTainted(char *rhs, size_t n) {
char lhs[10];
scanf("%9s", lhs);
int cmp_result = strncmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testStrncmpWithRHSTainted(char *lhs, size_t n) {
char rhs[10];
scanf("%9s", rhs);
int cmp_result = strncmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testStrncmpWithNTainted(char *lhs, char *rhs) {
int n;
scanf("%d", &n);
int cmp_result = strncmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
int strncasecmp(const char *s1, const char *s2, size_t n);
void testStrncasecmpWithLHSTainted(char *rhs, size_t n) {
char lhs[10];
scanf("%9s", lhs);
int cmp_result = strncmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testStrncasecmpWithRHSTainted(char *lhs, size_t n) {
char rhs[10];
scanf("%9s", rhs);
int cmp_result = strncmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
void testStrncasecmpWithNTainted(char *lhs, char *rhs) {
int n;
scanf("%d", &n);
int cmp_result = strncmp(lhs, rhs, n);
clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
}
size_t strspn(const char *s, const char *accept);
void testStrspnFirstArgTainted(const char *accept) {
char s[10];
scanf("%9s", s);
size_t result = strspn(s, accept);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
void testStrspnSecondArgTainted(const char *s) {
char accept[10];
scanf("%9s", accept);
size_t result = strspn(s, accept);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
size_t strcspn(const char *s, const char *reject);
void testStrcspnFirstArgTainted(const char *reject) {
char s[10];
scanf("%9s", s);
size_t result = strcspn(s, reject);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
void testStrcspnSecondArgTainted(const char *s) {
char reject[10];
scanf("%9s", reject);
size_t result = strcspn(s, reject);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
char *strpbrk(const char *s, const char *accept);
void testStrpbrk(const char *accept) {
char s[10];
scanf("%9s", s);
char *result = strpbrk(s, accept);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *strndup(const char *s, size_t n);
void testStrndup(size_t n) {
char s[10];
scanf("%9s", s);
char *result = strndup(s, n);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *strdupa(const char *s);
void testStrdupa() {
char s[10];
scanf("%9s", s);
char *result = strdupa(s);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
char *strndupa(const char *s, size_t n);
void testStrndupa(size_t n) {
char s[10];
scanf("%9s", s);
char *result = strndupa(s, n);
clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
}
size_t strlen(const char *s);
void testStrlen() {
char s[10];
scanf("%9s", s);
size_t result = strlen(s);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
size_t strnlen(const char *s, size_t maxlen);
void testStrnlen(size_t maxlen) {
char s[10];
scanf("%9s", s);
size_t result = strnlen(s, maxlen);
clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
}
long strtol(const char *restrict nptr, char **restrict endptr, int base);
long long strtoll(const char *restrict nptr, char **restrict endptr, int base);
unsigned long int strtoul(const char *nptr, char **endptr, int base);
unsigned long long int strtoull(const char *nptr, char **endptr, int base);
void testStrtolVariants(char **restrict endptr, int base) {
char s[10];
scanf("%9s", s);
long result_l = strtol(s, endptr, base);
clang_analyzer_isTainted_int(result_l); // expected-warning {{YES}}
long long result_ll = strtoll(s, endptr, base);
clang_analyzer_isTainted_int(result_ll); // expected-warning {{YES}}
unsigned long result_ul = strtoul(s, endptr, base);
clang_analyzer_isTainted_int(result_ul); // expected-warning {{YES}}
unsigned long long result_ull = strtoull(s, endptr, base);
clang_analyzer_isTainted_int(result_ull); // expected-warning {{YES}}
}
int isalnum(int c);
int isalpha(int c);
int isascii(int c);
int isblank(int c);
int iscntrl(int c);
int isdigit(int c);
int isgraph(int c);
int islower(int c);
int isprint(int c);
int ispunct(int c);
int isspace(int c);
int isupper(int c);
int isxdigit(int c);
void testIsFunctions() {
char c;
scanf("%c", &c);
int alnum = isalnum(c);
clang_analyzer_isTainted_int(alnum); // expected-warning {{YES}}
int alpha = isalpha(c);
clang_analyzer_isTainted_int(alpha); // expected-warning {{YES}}
int ascii = isascii(c);
clang_analyzer_isTainted_int(ascii); // expected-warning {{YES}}
int blank = isblank(c);
clang_analyzer_isTainted_int(blank); // expected-warning {{YES}}
int cntrl = iscntrl(c);
clang_analyzer_isTainted_int(cntrl); // expected-warning {{YES}}
int digit = isdigit(c);
clang_analyzer_isTainted_int(digit); // expected-warning {{YES}}
int graph = isgraph(c);
clang_analyzer_isTainted_int(graph); // expected-warning {{YES}}
int lower = islower(c);
clang_analyzer_isTainted_int(lower); // expected-warning {{YES}}
int print = isprint(c);
clang_analyzer_isTainted_int(print); // expected-warning {{YES}}
int punct = ispunct(c);
clang_analyzer_isTainted_int(punct); // expected-warning {{YES}}
int space = isspace(c);
clang_analyzer_isTainted_int(space); // expected-warning {{YES}}
int upper = isupper(c);
clang_analyzer_isTainted_int(upper); // expected-warning {{YES}}
int xdigit = isxdigit(c);
clang_analyzer_isTainted_int(xdigit); // expected-warning {{YES}}
}
void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));
void qsort_r(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *, void *), void *arg);
void testQsort() {
int data[1];
scanf("%d", data);
qsort(data, sizeof(data), sizeof(data[0]), NULL);
clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
qsort_r(data, sizeof(data), sizeof(data[0]), NULL, NULL);
clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
}
// Test configuration // Test configuration
int mySource1(void); int mySource1(void);
void mySource2(int*); void mySource2(int*);
void myScanf(const char*, ...); void myScanf(const char*, ...);
int myPropagator(int, int*); int myPropagator(int, int*);
int mySnprintf(char*, size_t, const char*, ...); int mySnprintf(char*, size_t, const char*, ...);
bool isOutOfRange(const int*); bool isOutOfRange(const int*);
void mySink(int, int, int); void mySink(int, int, int);
Show All 21 Linesvoid testConfigurationPropagation(void) {
myPropagator(x, &y); myPropagator(x, &y);
Buffer[y] = 1; // expected-warning {{Out of bound memory access }} Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
} }
void testConfigurationFilter(void) { void testConfigurationFilter(void) {
int x = mySource1(); int x = mySource1();
if (isOutOfRange(&x)) // the filter function if (isOutOfRange(&x)) // the filter function
return; return;
Buffer[x] = 1; // no-warning Buffer[x] = 1; // no-warning
steakhalUnsubmitted
Done
ReplyInline Actions

You should group these all into a single test case.
This way the setup code for the test dominates compared to the actual content.

steakhal: You should group these all into a single test case. This way the setup code for the test…
} }
void testConfigurationSinks(void) { void testConfigurationSinks(void) {
int x = mySource1(); int x = mySource1();
mySink(x, 1, 2); mySink(x, 1, 2);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
mySink(1, x, 2); // no-warning mySink(1, x, 2); // no-warning
mySink(1, 2, x); mySink(1, 2, x);
// expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
} }
void testUnknownFunction(void (*foo)(void)) { void testUnknownFunction(void (*foo)(void)) {
foo(); // no-crash foo(); // no-crash
} }
void testProctitleFalseNegative(void) { void testProctitleFalseNegative(void) {
char flag[80]; char flag[80];
fscanf(stdin, "%79s", flag); fscanf(stdin, "%79s", flag);
char *argv[] = {"myapp", flag}; char *argv[] = {"myapp", flag};
// FIXME: We should have a warning below: Untrusted data passed to sink. // FIXME: We should have a warning below: Untrusted data passed to sink.
setproctitle_init(1, argv, 0); setproctitle_init(1, argv, 0);
} }
steakhalUnsubmitted
Done
ReplyInline Actions
int cmp_less(const void *lhs, const void *rhs) {
- return *(int *)lhs < *(int *)rhs ? -1 : *(int *)lhs > *(int *)rhs ? 1
- : 0;
+ return *(int *)lhs < *(int *)rhs;
}
void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));

The comparison function must return an integer less than, equal to, or greater than zero if the first argument is considered to be respectively less than, equal to, or greater than the second.

steakhal: >The comparison function must return an integer less than, equal to, or greater than zero if…
void testProctitle2(char *real_argv[]) { void testProctitle2(char *real_argv[]) {
char *app = getenv("APP_NAME"); char *app = getenv("APP_NAME");
if (!app) if (!app)
return; return;
char *argv[] = {app, "--foobar"}; char *argv[] = {app, "--foobar"};
setproctitle_init(1, argv, 0); // expected-warning {{Untrusted data is passed to a user-defined sink}} setproctitle_init(1, argv, 0); // expected-warning {{Untrusted data is passed to a user-defined sink}}
setproctitle_init(1, real_argv, argv); // expected-warning {{Untrusted data is passed to a user-defined sink}} setproctitle_init(1, real_argv, argv); // expected-warning {{Untrusted data is passed to a user-defined sink}}
} }
steakhalUnsubmitted
Done
ReplyInline Actions

Just use the cmp_less instead.
You can also fuse the qsort test cases into a single function.

steakhal: Just use the `cmp_less` instead. You can also fuse the qsort test cases into a single function.