1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2,optin.taint.TaintedAlloc -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker
typedef __typeof(sizeof(int)) size_t;
struct _IO_FILE;
typedef struct _IO_FILE FILE;
int scanf(const char *restrict format, ...);
int system(const char *command);
char* getenv( const char* env_var );
size_t strlen( const char* str );
char *strcat( char *dest, const char *src );
char* strcpy( char* dest, const char* src );
void *malloc(size_t size );
void free( void *ptr );
char *fgets(char *str, int n, FILE *stream);
extern FILE *stdin;
void taintDiagnostic(void)
{
char buf[128];
scanf("%s", buf); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 2nd argument}}
system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
}
int taintDiagnosticOutOfBound(void) {
int index;
int Array[] = {1, 2, 3, 4, 5};
scanf("%d", &index); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 2nd argument}}
return Array[index]; // expected-warning {{Potential out of bound access to 'Array' with tainted index}}
// expected-note@-1 {{Access of 'Array' with a tainted index}}
}
int taintDiagnosticDivZero(int operand) {
scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
// expected-note@-1 {{Taint originated here}}
// expected-note@-2 {{Taint propagated to the 2nd argument}}
return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
// expected-note@-1 {{Division by a tainted value, possibly zero}}
}
void taintDiagnosticVLA(void) {
int x;
scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
// expected-note@-1 {{Taint originated here}}
// expected-note@-2 {{Taint propagated to the 2nd argument}}
int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted}}
// expected-note@-1 {{Declared variable-length array (VLA) has tainted}}
}
// Tests if the originated note is correctly placed even if the path is
// propagating through variables and expressions
int taintDiagnosticPropagation(){
int res;
char *cmd=getenv("CMD"); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the return value}}
if (cmd){ // expected-note {{Assuming 'cmd' is non-null}}
// expected-note@-1 {{Taking true branch}}
res = system(cmd); // expected-warning{{Untrusted data is passed to a system call}}
// expected-note@-1{{Untrusted data is passed to a system call}}
return res;
}
return -1;
}
// Taint origin should be marked correctly even if there are multiple taint
// sources in the function
int taintDiagnosticPropagation2(){
int res;
char *user_env2=getenv("USER_ENV_VAR2");//unrelated taint source
char *cmd=getenv("CMD"); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the return value}}
char *user_env=getenv("USER_ENV_VAR");//unrelated taint source
if (cmd){ // expected-note {{Assuming 'cmd' is non-null}}
// expected-note@-1 {{Taking true branch}}
res = system(cmd); // expected-warning{{Untrusted data is passed to a system call}}
// expected-note@-1{{Untrusted data is passed to a system call}}
return res;
}
return 0;
}
void testReadStdIn(){
char buf[1024];
fgets(buf, sizeof(buf), stdin);// expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 1st argument}}
system(buf);// expected-warning {{Untrusted data is passed to a system call}}
// expected-note@-1 {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
}
void multipleTaintSources(void) {
char cmd[2048], file[1024];
scanf ("%1022[^\n] ", cmd); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 2nd argument}}
scanf ("%1023[^\n]", file); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 2nd argument}}
strcat(cmd, file); // expected-note {{Taint propagated to the 1st argument}}
strcat(cmd, " "); // expected-note {{Taint propagated to the 1st argument}}
system(cmd); // expected-warning {{Untrusted data is passed to a system call}}
// expected-note@-1{{Untrusted data is passed to a system call}}
}
void multipleTaintedArgs(void) {
char cmd[1024], file[1024], buf[2048];
scanf("%1022s %1023s", cmd, file); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 2nd argument, 3rd argument}}
strcpy(buf, cmd);// expected-note {{Taint propagated to the 1st argument}}
strcat(buf, " ");// expected-note {{Taint propagated to the 1st argument}}
strcat(buf, file);// expected-note {{Taint propagated to the 1st argument}}
system(buf); // expected-warning {{Untrusted data is passed to a system call}}
// expected-note@-1{{Untrusted data is passed to a system call}}
}
void testTaintedMalloc(){
size_t size = 0;
scanf("%zu", &size); // expected-note {{Taint originated here}}
// expected-note@-1 {{Taint propagated to the 2nd argument}}
int *p = malloc(size);// expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}}
// expected-note@-1{{malloc is called with a tainted (potentially attacker controlled) value}}
free(p);
}
|
