1 // RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
3 int scanf(const char *restrict format, ...);
6 typedef struct _FILE FILE;
8 int fscanf(FILE *restrict stream, const char *restrict format, ...);
9 int sprintf(char *str, const char *format, ...);
10 void setproctitle(const char *fmt, ...);
11 typedef __typeof(sizeof(int)) size_t;
13 // Define string functions. Use builtin for some of them. They all default to
14 // the processing in the taint checker.
15 #define strcpy(dest, src) \
16 ((__builtin_object_size(dest, 0) != -1ULL) \
17 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
18 : __inline_strcpy_chk(dest, src))
20 static char *__inline_strcpy_chk (char *dest, const char *src) {
21 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
23 char *stpcpy(char *restrict s1, const char *restrict s2);
24 char *strncpy( char * destination, const char * source, size_t num );
25 char *strndup(const char *s, size_t n);
26 char *strncat(char *restrict s1, const char *restrict s2, size_t n);
29 void *calloc(size_t nmemb, size_t size);
30 void bcopy(void *s1, void *s2, size_t n);
35 void bufferScanfDirect(void)
39 Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
42 void bufferScanfArithmetic1(int x) {
46 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
49 void bufferScanfArithmetic2(int x) {
52 int m = 100 - (n + 3) * x;
53 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
56 void bufferScanfAssignment(int x) {
62 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
68 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
71 void bufferGetchar(int x) {
73 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
76 void testUncontrolledFormatString(char **p) {
78 fscanf(stdin, "%s", s);
80 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
81 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
83 // Test taint propagation through strcpy and family.
86 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
88 stpcpy(*(++p), s); // this generates __inline.
89 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
93 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
96 spcpyret = stpcpy(spcpy, s);
97 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
100 strncpy(sncpy, s, 20);
101 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
104 dup = strndup(s, 20);
105 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
109 int system(const char *command);
110 void testTaintSystemCall() {
114 system(addr); // expected-warning {{Untrusted data is passed to a system call}}
116 // Test that spintf transfers taint.
117 sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
118 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
121 void testTaintSystemCall2() {
122 // Test that snpintf transfers taint.
126 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
127 system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
130 void testTaintSystemCall3() {
134 scanf("%s %d", addr, &numt);
135 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
136 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
139 void testTaintedBufferSize() {
143 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
144 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
145 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
146 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
148 // If both buffers are trusted, do not issue a warning.
149 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
150 strncat(dst2, dst, ts); // no-warning
153 #define AF_UNIX 1 /* local to host (pipes) */
154 #define AF_INET 2 /* internetwork: UDP, TCP, etc. */
155 #define AF_LOCAL AF_UNIX /* backward compatibility */
156 #define SOCK_STREAM 1
157 int socket(int, int, int);
158 size_t read(int, void *, size_t);
159 int execl(const char *, const char *, ...);
165 sock = socket(AF_INET, SOCK_STREAM, 0);
166 read(sock, buffer, 100);
167 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
169 sock = socket(AF_LOCAL, SOCK_STREAM, 0);
170 read(sock, buffer, 100);
171 execl(buffer, "filename", 0); // no-warning
173 sock = socket(AF_INET, SOCK_STREAM, 0);
174 // References to both buffer and &buffer as an argument should taint the argument
175 read(sock, &buffer, 100);
176 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
188 sock = socket(AF_INET, SOCK_STREAM, 0);
189 read(sock, &tainted, sizeof(tainted));
190 __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
193 void testStructArray() {
204 sock = socket(AF_INET, SOCK_STREAM, 0);
205 read(sock, &tainted.buf[0], sizeof(tainted.buf));
206 read(sock, &tainted.st[0], sizeof(tainted.st));
207 // FIXME: tainted.st[0].length should be marked tainted
208 __builtin_memcpy(buffer, tainted.buf, tainted.st[0].length); // no-warning
211 int testDivByZero() {
214 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
218 void testTaintedVLASize() {
221 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
224 // This computation used to take a very long time.
225 #define longcmp(a,b,c) { \
226 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
227 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
229 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
231 a = b = c = 0x9899e3 + l;
237 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
241 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
244 // Check that we do not assert of the following code.
245 int SymSymExprWithDiffTypes(void* p) {
248 int j = (i % (int)(long)p);
249 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
253 void constraintManagerShouldTreatAsOpaque(int rhs) {
256 // This comparison used to hit an assertion in the constraint manager,
257 // which didn't handle NonLoc sym-sym comparisons.
261 *(volatile int *) 0; // no-warning