1 // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s 2 3 int scanf(const char *restrict format, ...); 4 int getchar(void); 5 6 typedef struct _FILE FILE; 7 extern FILE *stdin; 8 int fscanf(FILE *restrict stream, const char *restrict format, ...); 9 int sprintf(char *str, const char *format, ...); 10 void setproctitle(const char *fmt, ...); 11 typedef __typeof(sizeof(int)) size_t; 12 13 // Define string functions. Use builtin for some of them. They all default to 14 // the processing in the taint checker. 15 #define strcpy(dest, src) \ 16 ((__builtin_object_size(dest, 0) != -1ULL) \ 17 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \ 18 : __inline_strcpy_chk(dest, src)) 19 20 static char *__inline_strcpy_chk (char *dest, const char *src) { 21 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1)); 22 } 23 char *stpcpy(char *restrict s1, const char *restrict s2); 24 char *strncpy( char * destination, const char * source, size_t num ); 25 char *strndup(const char *s, size_t n); 26 char *strncat(char *restrict s1, const char *restrict s2, size_t n); 27 28 void *malloc(size_t); 29 void *calloc(size_t nmemb, size_t size); 30 void bcopy(void *s1, void *s2, size_t n); 31 32 #define BUFSIZE 10 33 34 int Buffer[BUFSIZE]; 35 void bufferScanfDirect(void) 36 { 37 int n; 38 scanf("%d", &n); 39 Buffer[n] = 1; // expected-warning {{Out of bound memory access }} 40 } 41 42 void bufferScanfArithmetic1(int x) { 43 int n; 44 scanf("%d", &n); 45 int m = (n - 3); 46 Buffer[m] = 1; // expected-warning {{Out of bound memory access }} 47 } 48 49 void bufferScanfArithmetic2(int x) { 50 int n; 51 scanf("%d", &n); 52 int m = 100 - (n + 3) * x; 53 Buffer[m] = 1; // expected-warning {{Out of bound memory access }} 54 } 55 56 void bufferScanfAssignment(int x) { 57 int n; 58 scanf("%d", &n); 59 int m; 60 if (x > 0) { 61 m = n; 62 Buffer[m] = 1; // expected-warning {{Out of bound memory access }} 63 } 64 } 65 66 void scanfArg() { 67 int t = 0; 68 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}} 69 } 70 71 void bufferGetchar(int x) { 72 int m = getchar(); 73 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}} 74 } 75 76 void testUncontrolledFormatString(char **p) { 77 char s[80]; 78 fscanf(stdin, "%s", s); 79 char buf[128]; 80 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}} 81 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}} 82 83 // Test taint propagation through strcpy and family. 84 char scpy[80]; 85 strcpy(scpy, s); 86 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}} 87 88 stpcpy(*(++p), s); // this generates __inline. 89 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}} 90 91 char spcpy[80]; 92 stpcpy(spcpy, s); 93 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}} 94 95 char *spcpyret; 96 spcpyret = stpcpy(spcpy, s); 97 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}} 98 99 char sncpy[80]; 100 strncpy(sncpy, s, 20); 101 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}} 102 103 char *dup; 104 dup = strndup(s, 20); 105 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}} 106 107 } 108 109 int system(const char *command); 110 void testTaintSystemCall() { 111 char buffer[156]; 112 char addr[128]; 113 scanf("%s", addr); 114 system(addr); // expected-warning {{Untrusted data is passed to a system call}} 115 116 // Test that spintf transfers taint. 117 sprintf(buffer, "/bin/mail %s < /tmp/email", addr); 118 system(buffer); // expected-warning {{Untrusted data is passed to a system call}} 119 } 120 121 void testTaintSystemCall2() { 122 // Test that snpintf transfers taint. 123 char buffern[156]; 124 char addr[128]; 125 scanf("%s", addr); 126 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr); 127 system(buffern); // expected-warning {{Untrusted data is passed to a system call}} 128 } 129 130 void testTaintSystemCall3() { 131 char buffern2[156]; 132 int numt; 133 char addr[128]; 134 scanf("%s %d", addr, &numt); 135 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd"); 136 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}} 137 } 138 139 void testTaintedBufferSize() { 140 size_t ts; 141 scanf("%zd", &ts); 142 143 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}} 144 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}} 145 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}} 146 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}} 147 148 // If both buffers are trusted, do not issue a warning. 149 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}} 150 strncat(dst2, dst, ts); // no-warning 151 } 152 153 #define AF_UNIX 1 /* local to host (pipes) */ 154 #define AF_INET 2 /* internetwork: UDP, TCP, etc. */ 155 #define AF_LOCAL AF_UNIX /* backward compatibility */ 156 #define SOCK_STREAM 1 157 int socket(int, int, int); 158 size_t read(int, void *, size_t); 159 int execl(const char *, const char *, ...); 160 161 void testSocket() { 162 int sock; 163 char buffer[100]; 164 165 sock = socket(AF_INET, SOCK_STREAM, 0); 166 read(sock, buffer, 100); 167 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}} 168 169 sock = socket(AF_LOCAL, SOCK_STREAM, 0); 170 read(sock, buffer, 100); 171 execl(buffer, "filename", 0); // no-warning 172 } 173 174 int testDivByZero() { 175 int x; 176 scanf("%d", &x); 177 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}} 178 } 179 180 // Zero-sized VLAs. 181 void testTaintedVLASize() { 182 int x; 183 scanf("%d", &x); 184 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}} 185 } 186 187 // This computation used to take a very long time. 188 #define longcmp(a,b,c) { \ 189 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \ 190 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; } 191 192 unsigned radar11369570_hanging(const unsigned char *arr, int l) { 193 unsigned a, b, c; 194 a = b = c = 0x9899e3 + l; 195 while (l >= 6) { 196 unsigned t; 197 scanf("%d", &t); 198 a += b; 199 a ^= a; 200 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24)); 201 longcmp(a, t, c); 202 l -= 12; 203 } 204 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}} 205 } 206 207 // Check that we do not assert of the following code. 208 int SymSymExprWithDiffTypes(void* p) { 209 int i; 210 scanf("%d", &i); 211 int j = (i % (int)(long)p); 212 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}} 213 } 214 215 216 void constraintManagerShouldTreatAsOpaque(int rhs) { 217 int i; 218 scanf("%d", &i); 219 // This comparison used to hit an assertion in the constraint manager, 220 // which didn't handle NonLoc sym-sym comparisons. 221 if (i < rhs) 222 return; 223 if (i < rhs) 224 *(volatile int *) 0; // no-warning 225 } 226
