maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
llvm-project/clang/test/Analysis/taint-generic.c

101 lines
2.9 KiB
C
Raw Normal View History

[analyzer] Add basic format string vulnerability checking. We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
2012-01-07 10:33:10 +08:00
// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s
[analyzer] Catch the first taint propagation implied buffer overflow. Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted - comes in from the user space and can be anything, we should report it as a bug. + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come... llvm-svn: 144826
2011-11-17 03:58:17 +08:00
int scanf(const char *restrict format, ...);
int getchar(void);
[analyzer] Add taint transfer by strcpy & others (part 1). To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
2012-01-12 10:22:34 +08:00
typedef struct _FILE FILE;
extern FILE *stdin;
int fscanf(FILE *restrict stream, const char *restrict format, ...);
int sprintf(char *str, const char *format, ...);
void setproctitle(const char *fmt, ...);
typedef __typeof(sizeof(int)) size_t;
// Define string functions. Use builtin for some of them. They all default to
// the processing in the taint checker.
#define strcpy(dest, src) \
((__builtin_object_size(dest, 0) != -1ULL) \
? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
: __inline_strcpy_chk(dest, src))
static char *__inline_strcpy_chk (char *dest, const char *src) {
return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
}
char *stpcpy(char *restrict s1, const char *restrict s2);
char *strncpy( char * destination, const char * source, size_t num );
[analyzer] Catch the first taint propagation implied buffer overflow. Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted - comes in from the user space and can be anything, we should report it as a bug. + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come... llvm-svn: 144826
2011-11-17 03:58:17 +08:00
#define BUFSIZE 10
int Buffer[BUFSIZE];
[analyzer] Add more simple taint tests. llvm-svn: 145275
2011-11-29 04:43:40 +08:00
void bufferScanfDirect(void)
[analyzer] Catch the first taint propagation implied buffer overflow. Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted - comes in from the user space and can be anything, we should report it as a bug. + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come... llvm-svn: 144826
2011-11-17 03:58:17 +08:00
{
int n;
scanf("%d", &n);
Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
}
[analyzer] Do not conjure a symbol when we need to propagate taint. When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y ), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation. With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted. Also added some comments and asserts. llvm-svn: 144932
2011-11-18 07:07:28 +08:00
void bufferScanfArithmetic1(int x) {
int n;
scanf("%d", &n);
int m = (n - 3);
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
void bufferScanfArithmetic2(int x) {
int n;
scanf("%d", &n);
[analyzer] Add more simple taint tests. llvm-svn: 145275
2011-11-29 04:43:40 +08:00
int m = 100 / (n + 3) * x;
[analyzer] Do not conjure a symbol when we need to propagate taint. When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y ), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation. With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted. Also added some comments and asserts. llvm-svn: 144932
2011-11-18 07:07:28 +08:00
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
[analyzer] Warn when non pointer arguments are passed to scanf (only when running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964
2011-11-18 10:26:36 +08:00
[analyzer] Add more simple taint tests. llvm-svn: 145275
2011-11-29 04:43:40 +08:00
void bufferScanfAssignment(int x) {
int n;
scanf("%d", &n);
int m;
if (x > 0) {
m = n;
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
}
[analyzer] Warn when non pointer arguments are passed to scanf (only when running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964
2011-11-18 10:26:36 +08:00
void scanfArg() {
int t;
[analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression. We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.) This patch also contains 2 small bug fixes: - swap the order of operators inside SValBuilder::makeGenericVal. - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol. llvm-svn: 146343
2011-12-12 02:43:40 +08:00
scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
[analyzer] Warn when non pointer arguments are passed to scanf (only when running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964
2011-11-18 10:26:36 +08:00
}
[analyzer] Add more simple taint tests. llvm-svn: 145275
2011-11-29 04:43:40 +08:00
void bufferGetchar(int x) {
int m = getchar();
Buffer[m] = 1; //expected-warning {{Out of bound memory access }}
}
[analyzer] Add basic format string vulnerability checking. We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
2012-01-07 10:33:10 +08:00
[analyzer] Add taint transfer by strcpy & others (part 1). To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
2012-01-12 10:22:34 +08:00
void testUncontrolledFormatString(char **p) {
[analyzer] Add basic format string vulnerability checking. We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
2012-01-07 10:33:10 +08:00
char s[80];
fscanf(stdin, "%s", s);
char buf[128];
sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
[analyzer] Add taint transfer by strcpy & others (part 1). To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
2012-01-12 10:22:34 +08:00
// Test taint propagation through strcpy and family.
char scpy[80];
strcpy(scpy, s);
sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
[analyzer] Unwrap the pointers when ignoring the const cast. radar://10686991 llvm-svn: 148081
2012-01-13 08:56:55 +08:00
stpcpy(*(++p), s); // this generates __inline.
setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
[analyzer] Add taint transfer by strcpy & others (part 1). To simplify the process: Refactor taint generation checker to simplify passing the information on which arguments need to be tainted from pre to post visit. Todo: We need to factor out the code that sema is using to identify the string and memcpy functions and use it here and in the CString checker. llvm-svn: 148010
2012-01-12 10:22:34 +08:00
char spcpy[80];
stpcpy(spcpy, s);
setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
char sncpy[80];
strncpy(sncpy, s, 20);
setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
[analyzer] Add basic format string vulnerability checking. We already have a more conservative check in the compiler (if the format string is not a literal, we warn). Still adding it here for completeness and since this check is stronger - only triggered if the format string is tainted. llvm-svn: 147714
2012-01-07 10:33:10 +08:00
}
[analyzer] Taint: add system and popen as undesirable sinks for taint data. llvm-svn: 148176
2012-01-14 10:48:40 +08:00
int system(const char *command);
void testTaintSystemCall() {
char buffer[156];
char addr[128];
scanf("%s", addr);
system(addr); // expected-warning {{Tainted data passed to a system call}}
}