1 // RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
2 // RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
3
4 int scanf(const char *restrict format, ...);
5 int getchar(void);
6
7 typedef struct _FILE FILE;
8 #ifdef FILE_IS_STRUCT
9 extern struct _FILE *stdin;
10 #else
11 extern FILE *stdin;
12 #endif
13
14 int fscanf(FILE *restrict stream, const char *restrict format, ...);
15 int sprintf(char *str, const char *format, ...);
16 void setproctitle(const char *fmt, ...);
17 typedef __typeof(sizeof(int)) size_t;
18
19 // Define string functions. Use builtin for some of them. They all default to
20 // the processing in the taint checker.
21 #define strcpy(dest, src) \
22 ((__builtin_object_size(dest, 0) != -1ULL) \
23 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
24 : __inline_strcpy_chk(dest, src))
25
__inline_strcpy_chk(char * dest,const char * src)26 static char *__inline_strcpy_chk (char *dest, const char *src) {
27 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
28 }
29 char *stpcpy(char *restrict s1, const char *restrict s2);
30 char *strncpy( char * destination, const char * source, size_t num );
31 char *strndup(const char *s, size_t n);
32 char *strncat(char *restrict s1, const char *restrict s2, size_t n);
33
34 void *malloc(size_t);
35 void *calloc(size_t nmemb, size_t size);
36 void bcopy(void *s1, void *s2, size_t n);
37
38 #define BUFSIZE 10
39
40 int Buffer[BUFSIZE];
bufferScanfDirect(void)41 void bufferScanfDirect(void)
42 {
43 int n;
44 scanf("%d", &n);
45 Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
46 }
47
bufferScanfArithmetic1(int x)48 void bufferScanfArithmetic1(int x) {
49 int n;
50 scanf("%d", &n);
51 int m = (n - 3);
52 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
53 }
54
bufferScanfArithmetic2(int x)55 void bufferScanfArithmetic2(int x) {
56 int n;
57 scanf("%d", &n);
58 int m = 100 - (n + 3) * x;
59 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
60 }
61
bufferScanfAssignment(int x)62 void bufferScanfAssignment(int x) {
63 int n;
64 scanf("%d", &n);
65 int m;
66 if (x > 0) {
67 m = n;
68 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
69 }
70 }
71
scanfArg()72 void scanfArg() {
73 int t = 0;
74 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
75 }
76
bufferGetchar(int x)77 void bufferGetchar(int x) {
78 int m = getchar();
79 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
80 }
81
testUncontrolledFormatString(char ** p)82 void testUncontrolledFormatString(char **p) {
83 char s[80];
84 fscanf(stdin, "%s", s);
85 char buf[128];
86 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
87 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
88
89 // Test taint propagation through strcpy and family.
90 char scpy[80];
91 strcpy(scpy, s);
92 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
93
94 stpcpy(*(++p), s); // this generates __inline.
95 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
96
97 char spcpy[80];
98 stpcpy(spcpy, s);
99 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
100
101 char *spcpyret;
102 spcpyret = stpcpy(spcpy, s);
103 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
104
105 char sncpy[80];
106 strncpy(sncpy, s, 20);
107 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
108
109 char *dup;
110 dup = strndup(s, 20);
111 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
112
113 }
114
115 int system(const char *command);
testTaintSystemCall()116 void testTaintSystemCall() {
117 char buffer[156];
118 char addr[128];
119 scanf("%s", addr);
120 system(addr); // expected-warning {{Untrusted data is passed to a system call}}
121
122 // Test that spintf transfers taint.
123 sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
124 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
125 }
126
testTaintSystemCall2()127 void testTaintSystemCall2() {
128 // Test that snpintf transfers taint.
129 char buffern[156];
130 char addr[128];
131 scanf("%s", addr);
132 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
133 system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
134 }
135
testTaintSystemCall3()136 void testTaintSystemCall3() {
137 char buffern2[156];
138 int numt;
139 char addr[128];
140 scanf("%s %d", addr, &numt);
141 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
142 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
143 }
144
testTaintedBufferSize()145 void testTaintedBufferSize() {
146 size_t ts;
147 scanf("%zd", &ts);
148
149 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
150 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
151 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
152 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
153
154 // If both buffers are trusted, do not issue a warning.
155 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
156 strncat(dst2, dst, ts); // no-warning
157 }
158
159 #define AF_UNIX 1 /* local to host (pipes) */
160 #define AF_INET 2 /* internetwork: UDP, TCP, etc. */
161 #define AF_LOCAL AF_UNIX /* backward compatibility */
162 #define SOCK_STREAM 1
163 int socket(int, int, int);
164 size_t read(int, void *, size_t);
165 int execl(const char *, const char *, ...);
166
testSocket()167 void testSocket() {
168 int sock;
169 char buffer[100];
170
171 sock = socket(AF_INET, SOCK_STREAM, 0);
172 read(sock, buffer, 100);
173 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
174
175 sock = socket(AF_LOCAL, SOCK_STREAM, 0);
176 read(sock, buffer, 100);
177 execl(buffer, "filename", 0); // no-warning
178
179 sock = socket(AF_INET, SOCK_STREAM, 0);
180 // References to both buffer and &buffer as an argument should taint the argument
181 read(sock, &buffer, 100);
182 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
183 }
184
testStruct()185 void testStruct() {
186 struct {
187 char buf[16];
188 int length;
189 } tainted;
190
191 char buffer[16];
192 int sock;
193
194 sock = socket(AF_INET, SOCK_STREAM, 0);
195 read(sock, &tainted, sizeof(tainted));
196 __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
197 }
198
testStructArray()199 void testStructArray() {
200 struct {
201 int length;
202 } tainted[4];
203
204 char dstbuf[16], srcbuf[16];
205 int sock;
206
207 sock = socket(AF_INET, SOCK_STREAM, 0);
208 __builtin_memset(srcbuf, 0, sizeof(srcbuf));
209
210 read(sock, &tainted[0], sizeof(tainted));
211 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
212
213 __builtin_memset(&tainted, 0, sizeof(tainted));
214 read(sock, &tainted, sizeof(tainted));
215 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
216
217 __builtin_memset(&tainted, 0, sizeof(tainted));
218 // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
219 read(sock, &tainted[1], sizeof(tainted));
220 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
221 __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
222 }
223
testUnion()224 void testUnion() {
225 union {
226 int x;
227 char y[4];
228 } tainted;
229
230 char buffer[4];
231
232 int sock = socket(AF_INET, SOCK_STREAM, 0);
233 read(sock, &tainted.y, sizeof(tainted.y));
234 // FIXME: overlapping regions aren't detected by isTainted yet
235 __builtin_memcpy(buffer, tainted.y, tainted.x);
236 }
237
testDivByZero()238 int testDivByZero() {
239 int x;
240 scanf("%d", &x);
241 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
242 }
243
244 // Zero-sized VLAs.
testTaintedVLASize()245 void testTaintedVLASize() {
246 int x;
247 scanf("%d", &x);
248 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
249 }
250
251 // This computation used to take a very long time.
252 #define longcmp(a,b,c) { \
253 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
254 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
255
radar11369570_hanging(const unsigned char * arr,int l)256 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
257 unsigned a, b, c;
258 a = b = c = 0x9899e3 + l;
259 while (l >= 6) {
260 unsigned t;
261 scanf("%d", &t);
262 a += b;
263 a ^= a;
264 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
265 longcmp(a, t, c);
266 l -= 12;
267 }
268 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
269 }
270
271 // Check that we do not assert of the following code.
SymSymExprWithDiffTypes(void * p)272 int SymSymExprWithDiffTypes(void* p) {
273 int i;
274 scanf("%d", &i);
275 int j = (i % (int)(long)p);
276 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
277 }
278
279
constraintManagerShouldTreatAsOpaque(int rhs)280 void constraintManagerShouldTreatAsOpaque(int rhs) {
281 int i;
282 scanf("%d", &i);
283 // This comparison used to hit an assertion in the constraint manager,
284 // which didn't handle NonLoc sym-sym comparisons.
285 if (i < rhs)
286 return;
287 if (i < rhs)
288 *(volatile int *) 0; // no-warning
289 }
290