1 // RUN: %clang_analyze_cc1 -Wno-format-security -verify %s \
2 // RUN: -analyzer-checker=alpha.security.taint \
3 // RUN: -analyzer-checker=core \
4 // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
5 // RUN: -analyzer-config \
6 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
7
8 // RUN: %clang_analyze_cc1 -Wno-format-security -verify %s \
9 // RUN: -DFILE_IS_STRUCT \
10 // RUN: -analyzer-checker=alpha.security.taint \
11 // RUN: -analyzer-checker=core \
12 // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
13 // RUN: -analyzer-config \
14 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
15
16 // RUN: not %clang_analyze_cc1 -verify %s \
17 // RUN: -analyzer-checker=alpha.security.taint \
18 // RUN: -analyzer-config \
19 // RUN: alpha.security.taint.TaintPropagation:Config=justguessit \
20 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
21
22 // CHECK-INVALID-FILE: (frontend): invalid input for checker option
23 // CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config',
24 // CHECK-INVALID-FILE-SAME: that expects a valid filename instead of
25 // CHECK-INVALID-FILE-SAME: 'justguessit'
26
27 // RUN: not %clang_analyze_cc1 -verify %s \
28 // RUN: -analyzer-checker=alpha.security.taint \
29 // RUN: -analyzer-config \
30 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
31 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-ILL-FORMED
32
33 // CHECK-ILL-FORMED: (frontend): invalid input for checker option
34 // CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config',
35 // CHECK-ILL-FORMED-SAME: that expects a valid yaml file: {{[Ii]}}nvalid argument
36
37 // RUN: not %clang_analyze_cc1 -verify %s \
38 // RUN: -analyzer-checker=alpha.security.taint \
39 // RUN: -analyzer-config \
40 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
41 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
42
43 // CHECK-INVALID-ARG: (frontend): invalid input for checker option
44 // CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config',
45 // CHECK-INVALID-ARG-SAME: that expects an argument number for propagation
46 // CHECK-INVALID-ARG-SAME: rules greater or equal to -1
47
48 int scanf(const char *restrict format, ...);
49 char *gets(char *str);
50 int getchar(void);
51
52 typedef struct _FILE FILE;
53 #ifdef FILE_IS_STRUCT
54 extern struct _FILE *stdin;
55 #else
56 extern FILE *stdin;
57 #endif
58
59 #define bool _Bool
60
61 int fscanf(FILE *restrict stream, const char *restrict format, ...);
62 int sprintf(char *str, const char *format, ...);
63 void setproctitle(const char *fmt, ...);
64 typedef __typeof(sizeof(int)) size_t;
65
66 // Define string functions. Use builtin for some of them. They all default to
67 // the processing in the taint checker.
68 #define strcpy(dest, src) \
69 ((__builtin_object_size(dest, 0) != -1ULL) \
70 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
71 : __inline_strcpy_chk(dest, src))
72
__inline_strcpy_chk(char * dest,const char * src)73 static char *__inline_strcpy_chk (char *dest, const char *src) {
74 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
75 }
76 char *stpcpy(char *restrict s1, const char *restrict s2);
77 char *strncpy( char * destination, const char * source, size_t num );
78 char *strndup(const char *s, size_t n);
79 char *strncat(char *restrict s1, const char *restrict s2, size_t n);
80
81 void *malloc(size_t);
82 void *calloc(size_t nmemb, size_t size);
83 void bcopy(void *s1, void *s2, size_t n);
84
85 #define BUFSIZE 10
86
87 int Buffer[BUFSIZE];
bufferScanfDirect(void)88 void bufferScanfDirect(void)
89 {
90 int n;
91 scanf("%d", &n);
92 Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
93 }
94
bufferScanfArithmetic1(int x)95 void bufferScanfArithmetic1(int x) {
96 int n;
97 scanf("%d", &n);
98 int m = (n - 3);
99 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
100 }
101
bufferScanfArithmetic2(int x)102 void bufferScanfArithmetic2(int x) {
103 int n;
104 scanf("%d", &n);
105 int m = 100 - (n + 3) * x;
106 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
107 }
108
bufferScanfAssignment(int x)109 void bufferScanfAssignment(int x) {
110 int n;
111 scanf("%d", &n);
112 int m;
113 if (x > 0) {
114 m = n;
115 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
116 }
117 }
118
scanfArg()119 void scanfArg() {
120 int t = 0;
121 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
122 }
123
bufferGetchar(int x)124 void bufferGetchar(int x) {
125 int m = getchar();
126 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
127 }
128
testUncontrolledFormatString(char ** p)129 void testUncontrolledFormatString(char **p) {
130 char s[80];
131 fscanf(stdin, "%s", s);
132 char buf[128];
133 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
134 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
135
136 // Test taint propagation through strcpy and family.
137 char scpy[80];
138 strcpy(scpy, s);
139 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
140
141 stpcpy(*(++p), s); // this generates __inline.
142 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
143
144 char spcpy[80];
145 stpcpy(spcpy, s);
146 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
147
148 char *spcpyret;
149 spcpyret = stpcpy(spcpy, s);
150 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
151
152 char sncpy[80];
153 strncpy(sncpy, s, 20);
154 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
155
156 char *dup;
157 dup = strndup(s, 20);
158 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
159
160 }
161
162 int system(const char *command);
testTaintSystemCall()163 void testTaintSystemCall() {
164 char buffer[156];
165 char addr[128];
166 scanf("%s", addr);
167 system(addr); // expected-warning {{Untrusted data is passed to a system call}}
168
169 // Test that spintf transfers taint.
170 sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
171 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
172 }
173
testTaintSystemCall2()174 void testTaintSystemCall2() {
175 // Test that snpintf transfers taint.
176 char buffern[156];
177 char addr[128];
178 scanf("%s", addr);
179 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
180 system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
181 }
182
testTaintSystemCall3()183 void testTaintSystemCall3() {
184 char buffern2[156];
185 int numt;
186 char addr[128];
187 scanf("%s %d", addr, &numt);
188 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
189 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
190 }
191
testGets()192 void testGets() {
193 char str[50];
194 gets(str);
195 system(str); // expected-warning {{Untrusted data is passed to a system call}}
196 }
197
testTaintedBufferSize()198 void testTaintedBufferSize() {
199 size_t ts;
200 scanf("%zd", &ts);
201
202 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
203 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
204 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
205 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
206
207 // If both buffers are trusted, do not issue a warning.
208 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
209 strncat(dst2, dst, ts); // no-warning
210 }
211
212 #define AF_UNIX 1 /* local to host (pipes) */
213 #define AF_INET 2 /* internetwork: UDP, TCP, etc. */
214 #define AF_LOCAL AF_UNIX /* backward compatibility */
215 #define SOCK_STREAM 1
216 int socket(int, int, int);
217 size_t read(int, void *, size_t);
218 int execl(const char *, const char *, ...);
219
testSocket()220 void testSocket() {
221 int sock;
222 char buffer[100];
223
224 sock = socket(AF_INET, SOCK_STREAM, 0);
225 read(sock, buffer, 100);
226 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
227
228 sock = socket(AF_LOCAL, SOCK_STREAM, 0);
229 read(sock, buffer, 100);
230 execl(buffer, "filename", 0); // no-warning
231
232 sock = socket(AF_INET, SOCK_STREAM, 0);
233 // References to both buffer and &buffer as an argument should taint the argument
234 read(sock, &buffer, 100);
235 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
236 }
237
testStruct()238 void testStruct() {
239 struct {
240 char buf[16];
241 int length;
242 } tainted;
243
244 char buffer[16];
245 int sock;
246
247 sock = socket(AF_INET, SOCK_STREAM, 0);
248 read(sock, &tainted, sizeof(tainted));
249 __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
250 }
251
testStructArray()252 void testStructArray() {
253 struct {
254 int length;
255 } tainted[4];
256
257 char dstbuf[16], srcbuf[16];
258 int sock;
259
260 sock = socket(AF_INET, SOCK_STREAM, 0);
261 __builtin_memset(srcbuf, 0, sizeof(srcbuf));
262
263 read(sock, &tainted[0], sizeof(tainted));
264 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
265
266 __builtin_memset(&tainted, 0, sizeof(tainted));
267 read(sock, &tainted, sizeof(tainted));
268 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
269
270 __builtin_memset(&tainted, 0, sizeof(tainted));
271 // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
272 read(sock, &tainted[1], sizeof(tainted));
273 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
274 __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
275 }
276
testUnion()277 void testUnion() {
278 union {
279 int x;
280 char y[4];
281 } tainted;
282
283 char buffer[4];
284
285 int sock = socket(AF_INET, SOCK_STREAM, 0);
286 read(sock, &tainted.y, sizeof(tainted.y));
287 // FIXME: overlapping regions aren't detected by isTainted yet
288 __builtin_memcpy(buffer, tainted.y, tainted.x);
289 }
290
testDivByZero()291 int testDivByZero() {
292 int x;
293 scanf("%d", &x);
294 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
295 }
296
297 // Zero-sized VLAs.
testTaintedVLASize()298 void testTaintedVLASize() {
299 int x;
300 scanf("%d", &x);
301 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
302 }
303
304 // This computation used to take a very long time.
305 #define longcmp(a,b,c) { \
306 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
307 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
308
radar11369570_hanging(const unsigned char * arr,int l)309 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
310 unsigned a, b, c;
311 a = b = c = 0x9899e3 + l;
312 while (l >= 6) {
313 unsigned t;
314 scanf("%d", &t);
315 a += b;
316 a ^= a;
317 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
318 longcmp(a, t, c);
319 l -= 12;
320 }
321 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
322 }
323
324 // Check that we do not assert of the following code.
SymSymExprWithDiffTypes(void * p)325 int SymSymExprWithDiffTypes(void* p) {
326 int i;
327 scanf("%d", &i);
328 int j = (i % (int)(long)p);
329 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
330 }
331
332
constraintManagerShouldTreatAsOpaque(int rhs)333 void constraintManagerShouldTreatAsOpaque(int rhs) {
334 int i;
335 scanf("%d", &i);
336 // This comparison used to hit an assertion in the constraint manager,
337 // which didn't handle NonLoc sym-sym comparisons.
338 if (i < rhs)
339 return;
340 if (i < rhs)
341 *(volatile int *) 0; // no-warning
342 }
343
344
345 // Test configuration
346 int mySource1();
347 void mySource2(int*);
348 void myScanf(const char*, ...);
349 int myPropagator(int, int*);
350 int mySnprintf(char*, size_t, const char*, ...);
351 bool isOutOfRange(const int*);
352 void mySink(int, int, int);
353
testConfigurationSources1()354 void testConfigurationSources1() {
355 int x = mySource1();
356 Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
357 }
358
testConfigurationSources2()359 void testConfigurationSources2() {
360 int x;
361 mySource2(&x);
362 Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
363 }
364
testConfigurationSources3()365 void testConfigurationSources3() {
366 int x, y;
367 myScanf("%d %d", &x, &y);
368 Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
369 }
370
testConfigurationPropagation()371 void testConfigurationPropagation() {
372 int x = mySource1();
373 int y;
374 myPropagator(x, &y);
375 Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
376 }
377
testConfigurationFilter()378 void testConfigurationFilter() {
379 int x = mySource1();
380 if (isOutOfRange(&x)) // the filter function
381 return;
382 Buffer[x] = 1; // no-warning
383 }
384
testConfigurationSinks()385 void testConfigurationSinks() {
386 int x = mySource1();
387 mySink(x, 1, 2);
388 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
389 mySink(1, x, 2); // no-warning
390 mySink(1, 2, x);
391 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
392 }
393