[analyzer] Mark getenv output as tainted.

Also, allow adding taint to a region (not only a symbolic value).

llvm-svn: 146532

clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

@@ -63,6 +63,7 @@ void GenericTaintChecker::checkPostStmt(const CallExpr *CE,
   FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
     .Case("scanf", &GenericTaintChecker::processScanf)
     .Case("getchar", &GenericTaintChecker::processRetTaint)
+    .Case("getenv", &GenericTaintChecker::processRetTaint)
     .Default(NULL);
 
   // If the callee isn't defined, it is not of security concern.

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

@@ -654,8 +654,15 @@ bool ProgramState::scanReachableSymbols(const MemRegion * const *I,
 const ProgramState* ProgramState::addTaint(const Stmt *S,
                                            TaintTagType Kind) const {
   SymbolRef Sym = getSVal(S).getAsSymbol();
-  assert(Sym && "Cannot add taint to statements whose value is not a symbol");
-  return addTaint(Sym, Kind);
+  if (Sym)
+    return addTaint(Sym, Kind);
+
+  const MemRegion *R = getSVal(S).getAsRegion();
+  if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
+    return addTaint(SR->getSymbol(), Kind);
+
+  // Cannot add taint, so just return the state.
+  return this;
 }
 
 const ProgramState* ProgramState::addTaint(SymbolRef Sym,

clang/test/Analysis/taint-tester.c

@@ -70,3 +70,13 @@ void BitwiseOp(int in, char inn) {
     m = inn;
   int mm = m; // expected-warning   {{tainted}}
 }
+
+// Test getenv.
+char *getenv(const char *name);
+void getenvTest(char *home) {
+  home = getenv("HOME"); // expected-warning 2 {{tainted}}
+  if (home != 0) { // expected-warning 2 {{tainted}}
+      char d = home[0]; // expected-warning 2 {{tainted}}
+    }
+}
+