clang/test/Analysis/taint-tester.c

   1 // RUN: %clang_analyze_cc1 -Wno-int-to-pointer-cast -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify
   2
   3 #include "Inputs/system-header-simulator.h"
   4
   5 #define BUFSIZE 10
   6 int Buffer[BUFSIZE];
   7
   8 struct XYStruct {
   9   int x;
  10   int y;
  11   char z;
  12 };
  13
  14 void taintTracking(int x) {
  15   int n;
  16   int *addr = &Buffer[0];
  17   scanf("%d", &n);
  18   addr += n;// expected-warning + {{tainted}}
  19   *addr = n; // expected-warning + {{tainted}}
  20
  21   double tdiv = n / 30; // expected-warning+ {{tainted}}
  22   char *loc_cast = (char *) n; // expected-warning +{{tainted}}
  23   char tinc = tdiv++; // expected-warning + {{tainted}}
  24   int tincdec = (char)tinc--; // expected-warning+{{tainted}}
  25
  26   // Tainted ptr arithmetic/array element address.
  27   int tprtarithmetic1 = *(addr+1); // expected-warning + {{tainted}}
  28
  29   // Dereference.
  30   int *ptr;
  31   scanf("%p", &ptr);
  32   int ptrDeref = *ptr; // expected-warning + {{tainted}}
  33   int _ptrDeref = ptrDeref + 13; // expected-warning + {{tainted}}
  34
  35   // Pointer arithmetic + dereferencing.
  36   // FIXME: We fail to propagate the taint here because RegionStore does not
  37   // handle ElementRegions with symbolic indexes.
  38   int addrDeref = *addr; // expected-warning + {{tainted}}
  39   int _addrDeref = addrDeref; // expected-warning + {{tainted}}
  40
  41   // Tainted struct address, casts.
  42   struct XYStruct *xyPtr = 0;
  43   scanf("%p", &xyPtr);
  44   void *tXYStructPtr = xyPtr; // expected-warning + {{tainted}}
  45   struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning + {{tainted}}
  46   int ptrtx = xyPtr->x;// expected-warning + {{tainted}}
  47   int ptrty = xyPtr->y;// expected-warning + {{tainted}}
  48
  49   // Taint on fields of a struct.
  50   struct XYStruct xy = {2, 3, 11};
  51   scanf("%d", &xy.y);
  52   scanf("%d", &xy.x);
  53   int tx = xy.x; // expected-warning + {{tainted}}
  54   int ty = xy.y; // FIXME: This should be tainted as well.
  55   char ntz = xy.z;// no warning
  56   // Now, scanf scans both.
  57   scanf("%d %d", &xy.y, &xy.x);
  58   int ttx = xy.x; // expected-warning + {{tainted}}
  59   int tty = xy.y; // expected-warning + {{tainted}}
  60 }
  61
  62 void BitwiseOp(int in, char inn, int zz) {
  63   // Taint on bitwise operations, integer to integer cast.
  64   int m;
  65   int x = 0;
  66   scanf("%d", &x);
  67   int y = (in << (x << in)) * 5;// expected-warning + {{tainted}}
  68   // The next line tests integer to integer cast.
  69   int z = y & inn; // expected-warning + {{tainted}}
  70   if (y == zz) { // expected-warning + {{tainted}}
  71     m = z | z;// expected-warning + {{tainted}}
  72   }
  73   else
  74     m = inn;
  75   int mm = m; // expected-warning 1 {{tainted}}
  76 }
  77
  78 // Test getenv.
  79 char *getenv(const char *name);
  80 void getenvTest(char *home) {
  81   home = getenv("HOME"); // expected-warning + {{tainted}}
  82   if (home != 0) { // expected-warning + {{tainted}}
  83       char d = home[0]; // expected-warning + {{tainted}}
  84     }
  85 }
  86
  87 int fscanfTest(void) {
  88   FILE *fp;
  89   char s[80];
  90   int t;
  91
  92   // Check if stdin is treated as tainted.
  93   fscanf(stdin, "%s %d", s, &t);
  94   // Note, here, s is not tainted, but the data s points to is tainted.
  95   char *ts = s;
  96   char tss = s[0]; // expected-warning + {{tainted}}
  97   int tt = t; // expected-warning + {{tainted}}
  98   if((fp=fopen("test", "w")) == 0) // expected-warning + {{tainted}}
  99     return 1;
 100   fprintf(fp, "%s %d", s, t); // expected-warning + {{tainted}}
 101   fclose(fp); // expected-warning + {{tainted}}
 102
 103   // Test fscanf and fopen.
 104   if((fp=fopen("test","r")) == 0) // expected-warning + {{tainted}}
 105     return 1;
 106   fscanf(fp, "%s%d", s, &t); // expected-warning + {{tainted}}
 107   fprintf(stdout, "%s %d", s, t); // expected-warning + {{tainted}}
 108   return 0;
 109 }
 110
 111 // Check if we propagate taint from stdin when it's used in an assignment.
 112 void stdinTest1(void) {
 113   int i;
 114   fscanf(stdin, "%d", &i);
 115   int j = i; // expected-warning + {{tainted}}
 116 }
 117 void stdinTest2(FILE *pIn) {
 118   FILE *p = stdin;
 119   FILE *pp = p;
 120   int ii;
 121
 122   fscanf(pp, "%d", &ii);
 123   int jj = ii;// expected-warning + {{tainted}}
 124
 125   fscanf(p, "%d", &ii);
 126   int jj2 = ii;// expected-warning + {{tainted}}
 127
 128   ii = 3;
 129   int jj3 = ii;// no warning
 130
 131   p = pIn;
 132   fscanf(p, "%d", &ii);
 133   int jj4 = ii;// no warning
 134 }
 135
 136 void stdinTest3(void) {
 137   FILE **ppp = &stdin;
 138   int iii;
 139   fscanf(*ppp, "%d", &iii);
 140   int jjj = iii;// expected-warning + {{tainted}}
 141 }
 142
 143 // Test that stdin does not get invalidated by calls.
 144 void foo(void);
 145 void stdinTest4(void) {
 146   int i;
 147   fscanf(stdin, "%d", &i);
 148   foo();
 149   int j = i; // expected-warning + {{tainted}}
 150 }
 151
 152 int getw(FILE *);
 153 void getwTest(void) {
 154   int i = getw(stdin); // expected-warning + {{tainted}}
 155 }
 156
 157 typedef long ssize_t;
 158 ssize_t getline(char ** __restrict, size_t * __restrict, FILE * __restrict);
 159 int  printf(const char * __restrict, ...);
 160 void free(void *ptr);
 161 void getlineTest(void) {
 162   FILE *fp;
 163   char *line = 0;
 164   size_t len = 0;
 165   ssize_t read;
 166   while ((read = getline(&line, &len, stdin)) != -1) {
 167     printf("%s", line); // expected-warning + {{tainted}}
 168   }
 169   free(line); // expected-warning + {{tainted}}
 170 }
 171
 172 // Test propagation functions - the ones that propagate taint from arguments to
 173 // return value, ptr arguments.
 174
 175 int atoi(const char *nptr);
 176 long atol(const char *nptr);
 177 long long atoll(const char *nptr);
 178
 179 void atoiTest(void) {
 180   char s[80];
 181   scanf("%s", s);
 182   int d = atoi(s); // expected-warning + {{tainted}}
 183   int td = d; // expected-warning + {{tainted}}
 184
 185   long l = atol(s); // expected-warning + {{tainted}}
 186   int tl = l; // expected-warning + {{tainted}}
 187
 188   long long ll = atoll(s); // expected-warning + {{tainted}}
 189   int tll = ll; // expected-warning + {{tainted}}
 190
 191 }
 192
 193 char *pointer1;
 194 void *pointer2;
 195 void noCrashTest(void) {
 196   if (!*pointer1) {
 197     __builtin___memcpy_chk(pointer2, pointer1, 0, 0); // no-crash
 198   }
 199 }