llvm-project/clang/test/Analysis/taint-generic.c

// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -verify %s

int scanf(const char *restrict format, ...);
int getchar(void);

#define BUFSIZE 10

int Buffer[BUFSIZE];
void bufferFoo1(void)
{
  int n;
  scanf("%d", &n);
  Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
}

void bufferScanfArithmetic1(int x) {
  int n;
  scanf("%d", &n);
  int m = (n - 3);
  Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}

void bufferScanfArithmetic2(int x) {
  int n;
  scanf("%d", &n);
  int m = (n + 3) * x;
  Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}

void scanfArg() {
  int t;
  scanf("%d", t); // expected-warning {{Pointer argument is expected}}
}
[analyzer] Catch the first taint propagation implied buffer overflow. Change the ArrayBoundCheckerV2 to be more aggressive in reporting buffer overflows when the offset is tainted. Previously, we did not report bugs when the state was underconstrained (not enough information about the bound to determine if there is an overflow) to avoid false positives. However, if we know that the buffer offset is tainted - comes in from the user space and can be anything, we should report it as a bug. + The very first example of us catching a taint related bug. This is the only example we can currently handle. More to come... llvm-svn: 144826 2011-11-17 03:58:17 +08:00			`// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -verify %s`

			`int scanf(const char *restrict format, ...);`
			`int getchar(void);`

			`#define BUFSIZE 10`

			`int Buffer[BUFSIZE];`
			`void bufferFoo1(void)`
			`{`
			`int n;`
			`scanf("%d", &n);`
			`Buffer[n] = 1; // expected-warning {{Out of bound memory access }}`
			`}`
[analyzer] Do not conjure a symbol when we need to propagate taint. When the solver and SValBuilder cannot reason about symbolic expressions (ex: (x+1)*y ), the analyzer conjures a new symbol with no ties to the past. This helps it to recover some path-sensitivity. However, this breaks the taint propagation. With this commit, we are going to construct the expression even if we cannot reason about it later on if an operand is tainted. Also added some comments and asserts. llvm-svn: 144932 2011-11-18 07:07:28 +08:00
			`void bufferScanfArithmetic1(int x) {`
			`int n;`
			`scanf("%d", &n);`
			`int m = (n - 3);`
			`Buffer[m] = 1; // expected-warning {{Out of bound memory access }}`
			`}`

			`void bufferScanfArithmetic2(int x) {`
			`int n;`
			`scanf("%d", &n);`
			`int m = (n + 3) * x;`
			`Buffer[m] = 1; // expected-warning {{Out of bound memory access }}`
			`}`
[analyzer] Warn when non pointer arguments are passed to scanf (only when running taint checker). There is an open radar to implement better scanf checking as a Sema warning. However, a bit of redundancy is fine in this case. llvm-svn: 144964 2011-11-18 10:26:36 +08:00
			`void scanfArg() {`
			`int t;`
			`scanf("%d", t); // expected-warning {{Pointer argument is expected}}`
			`}`