1 // RUN: %clang_cc1 -Wno-int-to-pointer-cast -analyze -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify
3 #include "Inputs/system-header-simulator.h"
14 void taintTracking(int x) {
16 int *addr = &Buffer[0];
18 addr += n;// expected-warning + {{tainted}}
19 *addr = n; // expected-warning + {{tainted}}
21 double tdiv = n / 30; // expected-warning+ {{tainted}}
22 char *loc_cast = (char *) n; // expected-warning +{{tainted}}
23 char tinc = tdiv++; // expected-warning + {{tainted}}
24 int tincdec = (char)tinc--; // expected-warning+{{tainted}}
26 // Tainted ptr arithmetic/array element address.
27 int tprtarithmetic1 = *(addr+1); // expected-warning + {{tainted}}
32 int ptrDeref = *ptr; // expected-warning + {{tainted}}
33 int _ptrDeref = ptrDeref + 13; // expected-warning + {{tainted}}
35 // Pointer arithmetic + dereferencing.
36 // FIXME: We fail to propagate the taint here because RegionStore does not
37 // handle ElementRegions with symbolic indexes.
38 int addrDeref = *addr; // expected-warning + {{tainted}}
39 int _addrDeref = addrDeref; // expected-warning + {{tainted}}
41 // Tainted struct address, casts.
42 struct XYStruct *xyPtr = 0;
44 void *tXYStructPtr = xyPtr; // expected-warning + {{tainted}}
45 struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning + {{tainted}}
46 int ptrtx = xyPtr->x;// expected-warning + {{tainted}}
47 int ptrty = xyPtr->y;// expected-warning + {{tainted}}
49 // Taint on fields of a struct.
50 struct XYStruct xy = {2, 3, 11};
53 int tx = xy.x; // expected-warning + {{tainted}}
54 int ty = xy.y; // FIXME: This should be tainted as well.
55 char ntz = xy.z;// no warning
56 // Now, scanf scans both.
57 scanf("%d %d", &xy.y, &xy.x);
58 int ttx = xy.x; // expected-warning + {{tainted}}
59 int tty = xy.y; // expected-warning + {{tainted}}
62 void BitwiseOp(int in, char inn) {
63 // Taint on bitwise operations, integer to integer cast.
67 int y = (in << (x << in)) * 5;// expected-warning + {{tainted}}
68 // The next line tests integer to integer cast.
69 int z = y & inn; // expected-warning + {{tainted}}
70 if (y == 5) // expected-warning + {{tainted}}
71 m = z | z;// expected-warning + {{tainted}}
74 int mm = m; // expected-warning + {{tainted}}
78 char *getenv(const char *name);
79 void getenvTest(char *home) {
80 home = getenv("HOME"); // expected-warning + {{tainted}}
81 if (home != 0) { // expected-warning + {{tainted}}
82 char d = home[0]; // expected-warning + {{tainted}}
86 int fscanfTest(void) {
91 // Check if stdin is treated as tainted.
92 fscanf(stdin, "%s %d", s, &t);
93 // Note, here, s is not tainted, but the data s points to is tainted.
95 char tss = s[0]; // expected-warning + {{tainted}}
96 int tt = t; // expected-warning + {{tainted}}
97 if((fp=fopen("test", "w")) == 0) // expected-warning + {{tainted}}
99 fprintf(fp, "%s %d", s, t); // expected-warning + {{tainted}}
100 fclose(fp); // expected-warning + {{tainted}}
102 // Test fscanf and fopen.
103 if((fp=fopen("test","r")) == 0) // expected-warning + {{tainted}}
105 fscanf(fp, "%s%d", s, &t); // expected-warning + {{tainted}}
106 fprintf(stdout, "%s %d", s, t); // expected-warning + {{tainted}}
110 // Check if we propagate taint from stdin when it's used in an assignment.
113 fscanf(stdin, "%d", &i);
114 int j = i; // expected-warning + {{tainted}}
116 void stdinTest2(FILE *pIn) {
121 fscanf(pp, "%d", &ii);
122 int jj = ii;// expected-warning + {{tainted}}
124 fscanf(p, "%d", &ii);
125 int jj2 = ii;// expected-warning + {{tainted}}
128 int jj3 = ii;// no warning
131 fscanf(p, "%d", &ii);
132 int jj4 = ii;// no warning
138 fscanf(*ppp, "%d", &iii);
139 int jjj = iii;// expected-warning + {{tainted}}
142 // Test that stdin does not get invalidated by calls.
146 fscanf(stdin, "%d", &i);
148 int j = i; // expected-warning + {{tainted}}
153 int i = getw(stdin); // expected-warning + {{tainted}}
156 typedef long ssize_t;
157 ssize_t getline(char ** __restrict, size_t * __restrict, FILE * __restrict);
158 int printf(const char * __restrict, ...);
159 void free(void *ptr);
160 void getlineTest(void) {
165 while ((read = getline(&line, &len, stdin)) != -1) {
166 printf("%s", line); // expected-warning + {{tainted}}
168 free(line); // expected-warning + {{tainted}}
171 // Test propagation functions - the ones that propagate taint from arguments to
172 // return value, ptr arguments.
174 int atoi(const char *nptr);
175 long atol(const char *nptr);
176 long long atoll(const char *nptr);
181 int d = atoi(s); // expected-warning + {{tainted}}
182 int td = d; // expected-warning + {{tainted}}
184 long l = atol(s); // expected-warning + {{tainted}}
185 int tl = l; // expected-warning + {{tainted}}
187 long long ll = atoll(s); // expected-warning + {{tainted}}
188 int tll = ll; // expected-warning + {{tainted}}