// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
// RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
int scanf(const char *restrict format, ...);
int getchar(void);
typedef struct _FILE FILE;
#ifdef FILE_IS_STRUCT
extern struct _FILE *stdin;
#else
extern FILE *stdin;
#endif
int fscanf(FILE *restrict stream, const char *restrict format, ...);
int sprintf(char *str, const char *format, ...);
void setproctitle(const char *fmt, ...);
typedef __typeof(sizeof(int)) size_t;
// Define string functions. Use builtin for some of them. They all default to
// the processing in the taint checker.
#define strcpy(dest, src) \
((__builtin_object_size(dest, 0) != -1ULL) \
? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
: __inline_strcpy_chk(dest, src))
static char *__inline_strcpy_chk (char *dest, const char *src) {
return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
}
char *stpcpy(char *restrict s1, const char *restrict s2);
char *strncpy( char * destination, const char * source, size_t num );
char *strndup(const char *s, size_t n);
char *strncat(char *restrict s1, const char *restrict s2, size_t n);
void *malloc(size_t);
void *calloc(size_t nmemb, size_t size);
void bcopy(void *s1, void *s2, size_t n);
#define BUFSIZE 10
int Buffer[BUFSIZE];
void bufferScanfDirect(void)
{
int n;
scanf("%d", &n);
Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
}
void bufferScanfArithmetic1(int x) {
int n;
scanf("%d", &n);
int m = (n - 3);
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
void bufferScanfArithmetic2(int x) {
int n;
scanf("%d", &n);
int m = 100 - (n + 3) * x;
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
void bufferScanfAssignment(int x) {
int n;
scanf("%d", &n);
int m;
if (x > 0) {
m = n;
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
}
void scanfArg() {
int t = 0;
scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
}
void bufferGetchar(int x) {
int m = getchar();
Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
}
void testUncontrolledFormatString(char **p) {
char s[80];
fscanf(stdin, "%s", s);
char buf[128];
sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
// Test taint propagation through strcpy and family.
char scpy[80];
strcpy(scpy, s);
sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
stpcpy(*(++p), s); // this generates __inline.
setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
char spcpy[80];
stpcpy(spcpy, s);
setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
char *spcpyret;
spcpyret = stpcpy(spcpy, s);
setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
char sncpy[80];
strncpy(sncpy, s, 20);
setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
char *dup;
dup = strndup(s, 20);
setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
}
int system(const char *command);
void testTaintSystemCall() {
char buffer[156];
char addr[128];
scanf("%s", addr);
system(addr); // expected-warning {{Untrusted data is passed to a system call}}
// Test that spintf transfers taint.
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
}
void testTaintSystemCall2() {
// Test that snpintf transfers taint.
char buffern[156];
char addr[128];
scanf("%s", addr);
__builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
}
void testTaintSystemCall3() {
char buffern2[156];
int numt;
char addr[128];
scanf("%s %d", addr, &numt);
__builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
}
void testTaintedBufferSize() {
size_t ts;
scanf("%zd", &ts);
int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
__builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
// If both buffers are trusted, do not issue a warning.
char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
strncat(dst2, dst, ts); // no-warning
}
#define AF_UNIX 1 /* local to host (pipes) */
#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
#define AF_LOCAL AF_UNIX /* backward compatibility */
#define SOCK_STREAM 1
int socket(int, int, int);
size_t read(int, void *, size_t);
int execl(const char *, const char *, ...);
void testSocket() {
int sock;
char buffer[100];
sock = socket(AF_INET, SOCK_STREAM, 0);
read(sock, buffer, 100);
execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
sock = socket(AF_LOCAL, SOCK_STREAM, 0);
read(sock, buffer, 100);
execl(buffer, "filename", 0); // no-warning
sock = socket(AF_INET, SOCK_STREAM, 0);
// References to both buffer and &buffer as an argument should taint the argument
read(sock, &buffer, 100);
execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
}
void testStruct() {
struct {
char buf[16];
int length;
} tainted;
char buffer[16];
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
read(sock, &tainted, sizeof(tainted));
__builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
}
void testStructArray() {
struct {
int length;
} tainted[4];
char dstbuf[16], srcbuf[16];
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
__builtin_memset(srcbuf, 0, sizeof(srcbuf));
read(sock, &tainted[0], sizeof(tainted));
__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
__builtin_memset(&tainted, 0, sizeof(tainted));
read(sock, &tainted, sizeof(tainted));
__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
__builtin_memset(&tainted, 0, sizeof(tainted));
// If we taint element 1, we should not raise an alert on taint for element 0 or element 2
read(sock, &tainted[1], sizeof(tainted));
__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
__builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
}
void testUnion() {
union {
int x;
char y[4];
} tainted;
char buffer[4];
int sock = socket(AF_INET, SOCK_STREAM, 0);
read(sock, &tainted.y, sizeof(tainted.y));
// FIXME: overlapping regions aren't detected by isTainted yet
__builtin_memcpy(buffer, tainted.y, tainted.x);
}
int testDivByZero() {
int x;
scanf("%d", &x);
return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
}
// Zero-sized VLAs.
void testTaintedVLASize() {
int x;
scanf("%d", &x);
int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
}
// This computation used to take a very long time.
#define longcmp(a,b,c) { \
a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
unsigned radar11369570_hanging(const unsigned char *arr, int l) {
unsigned a, b, c;
a = b = c = 0x9899e3 + l;
while (l >= 6) {
unsigned t;
scanf("%d", &t);
a += b;
a ^= a;
a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
longcmp(a, t, c);
l -= 12;
}
return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
}
// Check that we do not assert of the following code.
int SymSymExprWithDiffTypes(void* p) {
int i;
scanf("%d", &i);
int j = (i % (int)(long)p);
return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
}
void constraintManagerShouldTreatAsOpaque(int rhs) {
int i;
scanf("%d", &i);
// This comparison used to hit an assertion in the constraint manager,
// which didn't handle NonLoc sym-sym comparisons.
if (i < rhs)
return;
if (i < rhs)
*(volatile int *) 0; // no-warning
}