File: taint-size-access-attr-1.c

/* Passing tainted sizes to external functions with attribute ((access)) with
   a size-index.  */

// TODO: remove need for the explicit taint option:
/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */

#include "analyzer-decls.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Record that the test functions below fill directly from a FILE via
   fread().  'sz' is the field whose taint state the analyzer is expected
   to track once it has been read from the stream.  */
struct foo
{
  size_t sz;
};

/* Not referenced by any of the test functions in this file.  */
char buf[100];

/* External callee whose parameter 2 is declared as the size of the buffer
   behind parameter 1.  The dg-message below checks that the analyzer
   reports this attribute as the reason it treats argument 2 as a size.  */
extern void extern_fn_read_only (void *p, size_t sz) /* { dg-message "parameter 2 of 'extern_fn_read_only' marked as a size via attribute 'access \\(read_only, 1, 2\\)'" } */
  __attribute__ ((access (read_only, 1, 2)));

/* Negative case: a size read from the stream is passed to a size-annotated
   parameter with no bounds check in between.  The analyzer is expected to
   flag 'tmp.sz' as tainted and to warn at the call.  */
void test_fn_read_only (FILE *f, void *p)
{
  struct foo tmp;
  /* A successful fread() overwrites all of 'tmp', so 'tmp.sz' is whatever
     the stream contained: the analyzer treats it as attacker-controlled.  */
  if (1 == fread(&tmp, sizeof(tmp), 1, f)) { /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
                                             /* { dg-message "\\(\[0-9\]+\\) following 'true' branch\\.\\.\\." "event: following true branch" { target *-*-* } .-1 } */
    __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
    /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { xfail *-*-* } .-1 } */

    extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" "warning" } */
    /* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */
    /* The dg-bogus above checks that the same issue is reported once, not
       once per path the analyzer explored (-fanalyzer-show-duplicate-count).  */
  }
}

/* We shouldn't complain if the value has been sanitized.  */

/* Positive case: the same tainted size, but bounded before the call.
   No "attacker-controlled value" warning is expected at the call site.  */
void test_fn_sanitized (FILE *f, void *p)
{
  struct foo tmp;
  if (1 == fread(&tmp, sizeof(tmp), 1, f)) {
    __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */

    /* Rejecting large values gives 'tmp.sz' an upper bound on the path
       that continues.  A lower bound is not needed: size_t is unsigned.  */
    if (tmp.sz > 100)
      return;

    /* The analyzer records the check as the 'has_ub' (has upper bound)
       state rather than clearing the taint outright.  */
    __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'has_ub'" } */
    
    extern_fn_read_only (p, tmp.sz); /* { dg-bogus "use of attacker-controlled value" } */
  }
}

/* We shouldn't complain if there was no size annotation.  */

/* External callee with an access attribute but no size-index, so there is
   no parameter the analyzer should treat as a size.  */
extern void extern_fn_no_size (void *p)
  __attribute__ ((access (read_only, 1)));

/* Positive case: 'tmp.sz' is tainted, but it is never passed as a size
   (the callee has no size-index), so no call-site warning is expected.  */
void test_fn_no_size (FILE *f, void *p)
{
  struct foo tmp;
  if (1 == fread(&tmp, sizeof(tmp), 1, f)) {
    __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
    extern_fn_no_size (p);
  }
}