1 // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
2 // RUN: -Wno-incompatible-library-redeclaration -verify %s \
3 // RUN: -analyzer-checker=alpha.security.taint \
4 // RUN: -analyzer-checker=core \
5 // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
6 // RUN: -analyzer-checker=debug.ExprInspection \
7 // RUN: -analyzer-config \
8 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
9
10 // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
11 // RUN: -Wno-incompatible-library-redeclaration -verify %s \
12 // RUN: -DFILE_IS_STRUCT \
13 // RUN: -analyzer-checker=alpha.security.taint \
14 // RUN: -analyzer-checker=core \
15 // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
16 // RUN: -analyzer-checker=debug.ExprInspection \
17 // RUN: -analyzer-config \
18 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
19
20 // RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \
21 // RUN: -Wno-incompatible-library-redeclaration -verify %s \
22 // RUN: -analyzer-checker=alpha.security.taint \
23 // RUN: -analyzer-checker=debug.ExprInspection \
24 // RUN: -analyzer-config \
25 // RUN: alpha.security.taint.TaintPropagation:Config=justguessit \
26 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
27
28 // CHECK-INVALID-FILE: (frontend): invalid input for checker option
29 // CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config',
30 // CHECK-INVALID-FILE-SAME: that expects a valid filename instead of
31 // CHECK-INVALID-FILE-SAME: 'justguessit'
32
33 // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
34 // RUN: -verify %s \
35 // RUN: -analyzer-checker=alpha.security.taint \
36 // RUN: -analyzer-checker=debug.ExprInspection \
37 // RUN: -analyzer-config \
38 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
39 // RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED
40
41 // CHECK-ILL-FORMED: (frontend): invalid input for checker option
42 // CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config',
43 // CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]]
44
45 // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
46 // RUN: -verify %s \
47 // RUN: -analyzer-checker=alpha.security.taint \
48 // RUN: -analyzer-checker=debug.ExprInspection \
49 // RUN: -analyzer-config \
50 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
51 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
52
53 // CHECK-INVALID-ARG: (frontend): invalid input for checker option
54 // CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config',
55 // CHECK-INVALID-ARG-SAME: that expects an argument number for propagation
56 // CHECK-INVALID-ARG-SAME: rules greater or equal to -1
57
58 typedef long long rsize_t;
59 void clang_analyzer_isTainted_char(char);
60 void clang_analyzer_isTainted_charp(char*);
61 void clang_analyzer_isTainted_int(int);
62
63 int scanf(const char *restrict format, ...);
64 char *gets(char *str);
65 char *gets_s(char *str, rsize_t n);
66 int getchar(void);
67
68 typedef struct _FILE FILE;
69 #ifdef FILE_IS_STRUCT
70 extern struct _FILE *stdin;
71 #else
72 extern FILE *stdin;
73 #endif
74
75 #define bool _Bool
76 #define NULL (void*)0
77
78 char *getenv(const char *name);
79
80 FILE *fopen(const char *name, const char *mode);
81
82 int fscanf(FILE *restrict stream, const char *restrict format, ...);
83 int sprintf(char *str, const char *format, ...);
84 void setproctitle(const char *fmt, ...);
85 void setproctitle_init(int argc, char *argv[], char *envp[]);
86 typedef __typeof(sizeof(int)) size_t;
87 typedef signed long long ssize_t;
88
89 // Define string functions. Use builtin for some of them. They all default to
90 // the processing in the taint checker.
91 #define strcpy(dest, src) \
92 ((__builtin_object_size(dest, 0) != -1ULL) \
93 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
94 : __inline_strcpy_chk(dest, src))
95
__inline_strcpy_chk(char * dest,const char * src)96 static char *__inline_strcpy_chk (char *dest, const char *src) {
97 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
98 }
99 char *stpcpy(char *restrict s1, const char *restrict s2);
100 char *strncpy( char * destination, const char * source, size_t num );
101 char *strndup(const char *s, size_t n);
102 char *strncat(char *restrict s1, const char *restrict s2, size_t n);
103
104 void *malloc(size_t);
105 void *calloc(size_t nmemb, size_t size);
106 void bcopy(void *s1, void *s2, size_t n);
107
108 typedef size_t socklen_t;
109
110 struct sockaddr {
111 unsigned short sa_family;
112 char sa_data[14];
113 };
114
115 #define BUFSIZE 10
116
117 int Buffer[BUFSIZE];
bufferScanfDirect(void)118 void bufferScanfDirect(void)
119 {
120 int n;
121 scanf("%d", &n);
122 Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
123 }
124
bufferScanfArithmetic1(int x)125 void bufferScanfArithmetic1(int x) {
126 int n;
127 scanf("%d", &n);
128 int m = (n - 3);
129 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
130 }
131
bufferScanfArithmetic2(int x)132 void bufferScanfArithmetic2(int x) {
133 int n;
134 scanf("%d", &n);
135 int m = 100 - (n + 3) * x;
136 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
137 }
138
bufferScanfAssignment(int x)139 void bufferScanfAssignment(int x) {
140 int n;
141 scanf("%d", &n);
142 int m;
143 if (x > 0) {
144 m = n;
145 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
146 }
147 }
148
scanfArg(void)149 void scanfArg(void) {
150 int t = 0;
151 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
152 }
153
bufferGetchar(int x)154 void bufferGetchar(int x) {
155 int m = getchar();
156 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
157 }
158
testUncontrolledFormatString(char ** p)159 void testUncontrolledFormatString(char **p) {
160 char s[80];
161 fscanf(stdin, "%s", s);
162 char buf[128];
163 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
164 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
165
166 // Test taint propagation through strcpy and family.
167 char scpy[80];
168 strcpy(scpy, s);
169 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
170
171 stpcpy(*(++p), s); // this generates __inline.
172 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
173
174 char spcpy[80];
175 stpcpy(spcpy, s);
176 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
177
178 char *spcpyret;
179 spcpyret = stpcpy(spcpy, s);
180 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
181
182 char sncpy[80];
183 strncpy(sncpy, s, 20);
184 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
185
186 char *dup;
187 dup = strndup(s, 20);
188 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
189
190 }
191
192 int system(const char *command);
testTaintSystemCall(void)193 void testTaintSystemCall(void) {
194 char buffer[156];
195 char addr[128];
196 scanf("%s", addr);
197 system(addr); // expected-warning {{Untrusted data is passed to a system call}}
198
199 // Test that spintf transfers taint.
200 sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
201 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
202 }
203
testTaintSystemCall2(void)204 void testTaintSystemCall2(void) {
205 // Test that snpintf transfers taint.
206 char buffern[156];
207 char addr[128];
208 scanf("%s", addr);
209 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
210 system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
211 }
212
testTaintSystemCall3(void)213 void testTaintSystemCall3(void) {
214 char buffern2[156];
215 int numt;
216 char addr[128];
217 scanf("%s %d", addr, &numt);
218 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
219 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
220 }
221
testGets(void)222 void testGets(void) {
223 char str[50];
224 gets(str);
225 system(str); // expected-warning {{Untrusted data is passed to a system call}}
226 }
227
testGets_s(void)228 void testGets_s(void) {
229 char str[50];
230 gets_s(str, 49);
231 system(str); // expected-warning {{Untrusted data is passed to a system call}}
232 }
233
testTaintedBufferSize(void)234 void testTaintedBufferSize(void) {
235 size_t ts;
236 scanf("%zd", &ts);
237
238 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
239 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
240 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
241 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
242
243 // If both buffers are trusted, do not issue a warning.
244 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
245 strncat(dst2, dst, ts); // no-warning
246 }
247
248 #define AF_UNIX 1 /* local to host (pipes) */
249 #define AF_INET 2 /* internetwork: UDP, TCP, etc. */
250 #define AF_LOCAL AF_UNIX /* backward compatibility */
251 #define SOCK_STREAM 1
252 int socket(int, int, int);
253 size_t read(int, void *, size_t);
254 int execl(const char *, const char *, ...);
255
testSocket(void)256 void testSocket(void) {
257 int sock;
258 char buffer[100];
259
260 sock = socket(AF_INET, SOCK_STREAM, 0);
261 read(sock, buffer, 100);
262 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
263
264 sock = socket(AF_LOCAL, SOCK_STREAM, 0);
265 read(sock, buffer, 100);
266 execl(buffer, "filename", 0); // no-warning
267
268 sock = socket(AF_INET, SOCK_STREAM, 0);
269 // References to both buffer and &buffer as an argument should taint the argument
270 read(sock, &buffer, 100);
271 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
272 }
273
testStruct(void)274 void testStruct(void) {
275 struct {
276 char buf[16];
277 int length;
278 } tainted;
279
280 char buffer[16];
281 int sock;
282
283 sock = socket(AF_INET, SOCK_STREAM, 0);
284 read(sock, &tainted, sizeof(tainted));
285 __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
286 }
287
testStructArray(void)288 void testStructArray(void) {
289 struct {
290 int length;
291 } tainted[4];
292
293 char dstbuf[16], srcbuf[16];
294 int sock;
295
296 sock = socket(AF_INET, SOCK_STREAM, 0);
297 __builtin_memset(srcbuf, 0, sizeof(srcbuf));
298
299 read(sock, &tainted[0], sizeof(tainted));
300 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
301
302 __builtin_memset(&tainted, 0, sizeof(tainted));
303 read(sock, &tainted, sizeof(tainted));
304 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
305
306 __builtin_memset(&tainted, 0, sizeof(tainted));
307 // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
308 read(sock, &tainted[1], sizeof(tainted));
309 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
310 __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
311 }
312
testUnion(void)313 void testUnion(void) {
314 union {
315 int x;
316 char y[4];
317 } tainted;
318
319 char buffer[4];
320
321 int sock = socket(AF_INET, SOCK_STREAM, 0);
322 read(sock, &tainted.y, sizeof(tainted.y));
323 // FIXME: overlapping regions aren't detected by isTainted yet
324 __builtin_memcpy(buffer, tainted.y, tainted.x);
325 }
326
testDivByZero(void)327 int testDivByZero(void) {
328 int x;
329 scanf("%d", &x);
330 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
331 }
332
333 // Zero-sized VLAs.
testTaintedVLASize(void)334 void testTaintedVLASize(void) {
335 int x;
336 scanf("%d", &x);
337 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
338 }
339
340 // This computation used to take a very long time.
341 #define longcmp(a,b,c) { \
342 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
343 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
344
radar11369570_hanging(const unsigned char * arr,int l)345 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
346 unsigned a, b, c;
347 a = b = c = 0x9899e3 + l;
348 while (l >= 6) {
349 unsigned t;
350 scanf("%d", &t);
351 a += b;
352 a ^= a;
353 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
354 longcmp(a, t, c);
355 l -= 12;
356 }
357 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
358 }
359
360 // Check that we do not assert of the following code.
SymSymExprWithDiffTypes(void * p)361 int SymSymExprWithDiffTypes(void* p) {
362 int i;
363 scanf("%d", &i);
364 int j = (i % (int)(long)p);
365 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
366 }
367
368
constraintManagerShouldTreatAsOpaque(int rhs)369 void constraintManagerShouldTreatAsOpaque(int rhs) {
370 int i;
371 scanf("%d", &i);
372 // This comparison used to hit an assertion in the constraint manager,
373 // which didn't handle NonLoc sym-sym comparisons.
374 if (i < rhs)
375 return;
376 if (i < rhs)
377 *(volatile int *) 0; // no-warning
378 }
379
testSprintf_is_not_a_source(char * buf,char * msg)380 int testSprintf_is_not_a_source(char *buf, char *msg) {
381 int x = sprintf(buf, "%s", msg); // no-warning
382 return 1 / x; // no-warning: 'sprintf' is not a taint source
383 }
384
testSprintf_propagates_taint(char * buf,char * msg)385 int testSprintf_propagates_taint(char *buf, char *msg) {
386 scanf("%s", msg);
387 int x = sprintf(buf, "%s", msg); // propagate taint!
388 return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
389 }
390
391 int scanf_s(const char *format, ...);
testScanf_s_(int * out)392 int testScanf_s_(int *out) {
393 scanf_s("%d", out);
394 return 1 / *out; // expected-warning {{Division by a tainted value, possibly zero}}
395 }
396
397 #define _IO_FILE FILE
398 int _IO_getc(_IO_FILE *__fp);
testUnderscoreIO_getc(_IO_FILE * fp)399 int testUnderscoreIO_getc(_IO_FILE *fp) {
400 char c = _IO_getc(fp);
401 return 1 / c; // expected-warning {{Division by a tainted value, possibly zero}}
402 }
403
404 char *getcwd(char *buf, size_t size);
testGetcwd(char * buf,size_t size)405 int testGetcwd(char *buf, size_t size) {
406 char *c = getcwd(buf, size);
407 return system(c); // expected-warning {{Untrusted data is passed to a system call}}
408 }
409
410 char *getwd(char *buf);
testGetwd(char * buf)411 int testGetwd(char *buf) {
412 char *c = getwd(buf);
413 return system(c); // expected-warning {{Untrusted data is passed to a system call}}
414 }
415
416 ssize_t readlink(const char *path, char *buf, size_t bufsiz);
testReadlink(char * path,char * buf,size_t bufsiz)417 int testReadlink(char *path, char *buf, size_t bufsiz) {
418 ssize_t s = readlink(path, buf, bufsiz);
419 system(buf); // expected-warning {{Untrusted data is passed to a system call}}
420 // readlink never returns 0
421 return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
422 }
423
424 ssize_t readlinkat(int dirfd, const char *pathname, char *buf, size_t bufsiz);
testReadlinkat(int dirfd,char * path,char * buf,size_t bufsiz)425 int testReadlinkat(int dirfd, char *path, char *buf, size_t bufsiz) {
426 ssize_t s = readlinkat(dirfd, path, buf, bufsiz);
427 system(buf); // expected-warning {{Untrusted data is passed to a system call}}
428 (void)(1 / dirfd); // arg 0 is not tainted
429 system(path); // arg 1 is not tainted
430 (void)(1 / bufsiz); // arg 3 is not tainted
431 // readlinkat never returns 0
432 return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
433 }
434
435 char *get_current_dir_name(void);
testGet_current_dir_name()436 int testGet_current_dir_name() {
437 char *d = get_current_dir_name();
438 return system(d); // expected-warning {{Untrusted data is passed to a system call}}
439 }
440
441 int gethostname(char *name, size_t len);
testGethostname(char * name,size_t len)442 int testGethostname(char *name, size_t len) {
443 gethostname(name, len);
444 return system(name); // expected-warning {{Untrusted data is passed to a system call}}
445 }
446
447 int getnameinfo(const struct sockaddr *restrict addr, socklen_t addrlen,
448 char *restrict host, socklen_t hostlen,
449 char *restrict serv, socklen_t servlen, int flags);
testGetnameinfo(const struct sockaddr * restrict addr,socklen_t addrlen,char * restrict host,socklen_t hostlen,char * restrict serv,socklen_t servlen,int flags)450 int testGetnameinfo(const struct sockaddr *restrict addr, socklen_t addrlen,
451 char *restrict host, socklen_t hostlen,
452 char *restrict serv, socklen_t servlen, int flags) {
453 getnameinfo(addr, addrlen, host, hostlen, serv, servlen, flags);
454
455 system(host); // expected-warning {{Untrusted data is passed to a system call}}
456 return system(serv); // expected-warning {{Untrusted data is passed to a system call}}
457 }
458
459 int getseuserbyname(const char *linuxuser, char **selinuxuser, char **level);
testGetseuserbyname(const char * linuxuser,char ** selinuxuser,char ** level)460 int testGetseuserbyname(const char *linuxuser, char **selinuxuser, char **level) {
461 getseuserbyname(linuxuser, selinuxuser, level);
462 system(selinuxuser[0]); // expected-warning {{Untrusted data is passed to a system call}}
463 return system(level[0]); // expected-warning {{Untrusted data is passed to a system call}}
464 }
465
466 typedef int gid_t;
467 int getgroups(int size, gid_t list[]);
testGetgroups(int size,gid_t list[],bool flag)468 int testGetgroups(int size, gid_t list[], bool flag) {
469 int result = getgroups(size, list);
470 if (flag)
471 return 1 / list[0]; // expected-warning {{Division by a tainted value, possibly zero}}
472
473 return 1 / (result + 1); // expected-warning {{Division by a tainted value, possibly zero}}
474 }
475
476 char *getlogin(void);
testGetlogin()477 int testGetlogin() {
478 char *n = getlogin();
479 return system(n); // expected-warning {{Untrusted data is passed to a system call}}
480 }
481
482 int getlogin_r(char *buf, size_t bufsize);
testGetlogin_r(char * buf,size_t bufsize)483 int testGetlogin_r(char *buf, size_t bufsize) {
484 getlogin_r(buf, bufsize);
485 return system(buf); // expected-warning {{Untrusted data is passed to a system call}}
486 }
487
488 int fscanf_s(FILE *stream, const char *format, ...);
testFscanf_s(const char * fname,int * d)489 void testFscanf_s(const char *fname, int *d) {
490 FILE *f = fopen(fname, "r");
491 fscanf_s(f, "%d", d);
492 clang_analyzer_isTainted_int(*d); // expected-warning {{YES}}
493 }
494
495 int fread(void *buffer, size_t size, size_t count, FILE *stream);
testFread(const char * fname,int * buffer,size_t size,size_t count)496 void testFread(const char *fname, int *buffer, size_t size, size_t count) {
497 FILE *f = fopen(fname, "r");
498 size_t read = fread(buffer, size, count, f);
499
500 clang_analyzer_isTainted_int(*buffer); // expected-warning {{YES}}
501 clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
502 }
503
504 ssize_t recv(int sockfd, void *buf, size_t len, int flags);
testRecv(int * buf,size_t len,int flags)505 void testRecv(int *buf, size_t len, int flags) {
506 int fd;
507 scanf("%d", &fd); // fake a tainted a file descriptor
508
509 size_t read = recv(fd, buf, len, flags);
510 clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
511 clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
512 }
513
514 ssize_t recvfrom(int sockfd, void *restrict buf, size_t len, int flags,
515 struct sockaddr *restrict src_addr,
516 socklen_t *restrict addrlen);
testRecvfrom(int * restrict buf,size_t len,int flags,struct sockaddr * restrict src_addr,socklen_t * restrict addrlen)517 void testRecvfrom(int *restrict buf, size_t len, int flags,
518 struct sockaddr *restrict src_addr,
519 socklen_t *restrict addrlen) {
520 int fd;
521 scanf("%d", &fd); // fake a tainted a file descriptor
522
523 size_t read = recvfrom(fd, buf, len, flags, src_addr, addrlen);
524 clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
525 clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
526 }
527
528 char *ttyname(int fd);
testTtyname()529 void testTtyname() {
530 int fd;
531 scanf("%d", &fd); // fake a tainted a file descriptor
532
533 char *name = ttyname(fd);
534 clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
535 }
536
537 int ttyname_r(int fd, char *buf, size_t buflen);
testTtyname_r(char * buf,size_t buflen)538 void testTtyname_r(char *buf, size_t buflen) {
539 int fd;
540 scanf("%d", &fd); // fake a tainted a file descriptor
541
542 int result = ttyname_r(fd, buf, buflen);
543 clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
544 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
545 }
546
547 char *dirname(char *path);
testDirname()548 void testDirname() {
549 char buf[10];
550 scanf("%9s", buf);
551
552 char *name = dirname(buf);
553 clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
554 }
555
556 char *basename(char *path);
testBasename()557 void testBasename() {
558 char buf[10];
559 scanf("%9s", buf);
560
561 char *name = basename(buf);
562 clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
563 }
564
565 int fnmatch(const char *pattern, const char *string, int flags);
testFnmatch(const char * pattern,int flags)566 void testFnmatch(const char *pattern, int flags) {
567 char string[10];
568 scanf("%9s", string);
569
570 int result = fnmatch(pattern, string, flags);
571 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
572 }
573
574 void *memchr(const void *s, int c, size_t n);
testMemchr(int c,size_t n)575 void testMemchr(int c, size_t n) {
576 char buf[10];
577 scanf("%9s", buf);
578
579 char *result = memchr(buf, c, n);
580 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
581 }
582
583 void *memrchr(const void *s, int c, size_t n);
testMemrchr(int c,size_t n)584 void testMemrchr(int c, size_t n) {
585 char buf[10];
586 scanf("%9s", buf);
587
588 char *result = memrchr(buf, c, n);
589 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
590 }
591
592 void *rawmemchr(const void *s, int c);
testRawmemchr(int c)593 void testRawmemchr(int c) {
594 char buf[10];
595 scanf("%9s", buf);
596
597 char *result = rawmemchr(buf, c);
598 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
599 }
600
601 typedef char wchar_t;
602 int mbtowc(wchar_t *pwc, const char *s, size_t n);
testMbtowc(wchar_t * pwc,size_t n)603 void testMbtowc(wchar_t *pwc, size_t n) {
604 char buf[10];
605 scanf("%9s", buf);
606
607 int result = mbtowc(pwc, buf, n);
608 clang_analyzer_isTainted_char(*pwc); // expected-warning {{YES}}
609 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
610 }
611
612 int wctomb(char *s, wchar_t wc);
testWctomb(char * buf)613 void testWctomb(char *buf) {
614 wchar_t wc;
615 scanf("%c", &wc);
616
617 int result = wctomb(buf, wc);
618 clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
619 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
620 }
621
622 int wcwidth(wchar_t c);
testWcwidth()623 void testWcwidth() {
624 wchar_t wc;
625 scanf("%c", &wc);
626
627 int width = wcwidth(wc);
628 clang_analyzer_isTainted_int(width); // expected-warning {{YES}}
629 }
630
631 int memcmp(const void *s1, const void *s2, size_t n);
testMemcmpWithLHSTainted(size_t n,char * rhs)632 void testMemcmpWithLHSTainted(size_t n, char *rhs) {
633 char lhs[10];
634 scanf("%9s", lhs);
635
636 int cmp_result = memcmp(lhs, rhs, n);
637 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
638 }
639
testMemcmpWithRHSTainted(size_t n,char * lhs)640 void testMemcmpWithRHSTainted(size_t n, char *lhs) {
641 char rhs[10];
642 scanf("%9s", rhs);
643
644 int cmp_result = memcmp(lhs, rhs, n);
645 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
646 }
647
648 void *memcpy(void *restrict dest, const void *restrict src, size_t n);
testMemcpy(char * dst,size_t n)649 void testMemcpy(char *dst, size_t n) {
650 char src[10];
651 scanf("%9s", src);
652
653 char *result = memcpy(dst, src, n);
654
655 clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
656 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
657 }
658
659 void *memmove(void *dest, const void *src, size_t n);
testMemmove(char * dst,size_t n)660 void testMemmove(char *dst, size_t n) {
661 char src[10];
662 scanf("%9s", src);
663
664 char *result = memmove(dst, src, n);
665
666 clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
667 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
668 }
669
670 void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen);
testMemmem(const void * needle,size_t needlelen)671 void testMemmem(const void *needle, size_t needlelen) {
672 char haystack[10];
673 scanf("%9s", haystack);
674
675 char *result = memmem(haystack, 9, needle, needlelen);
676 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
677 }
678
679 char *strstr(const char *haystack, const char *needle);
testStrstr(const char * needle)680 void testStrstr(const char *needle) {
681 char haystack[10];
682 scanf("%9s", haystack);
683
684 char *result = strstr(haystack, needle);
685 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
686 }
687
688 char *strcasestr(const char *haystack, const char *needle);
testStrcasestr(const char * needle)689 void testStrcasestr(const char *needle) {
690 char haystack[10];
691 scanf("%9s", haystack);
692
693 char *result = strcasestr(haystack, needle);
694 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
695 }
696
697 char *strchrnul(const char *s, int c);
testStrchrnul()698 void testStrchrnul() {
699 char s[10];
700 scanf("%9s", s);
701
702 char *result = strchrnul(s, 9);
703 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
704 }
705
706 char *index(const char *s, int c);
testIndex()707 void testIndex() {
708 char s[10];
709 scanf("%9s", s);
710
711 char *result = index(s, 9);
712 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
713 }
714
715 char *rindex(const char *s, int c);
testRindex()716 void testRindex() {
717 char s[10];
718 scanf("%9s", s);
719
720 char *result = rindex(s, 9);
721 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
722 }
723
724 int strcmp(const char *s1, const char *s2);
testStrcmpWithLHSTainted(char * rhs)725 void testStrcmpWithLHSTainted(char *rhs) {
726 char lhs[10];
727 scanf("%9s", lhs);
728
729 int cmp_result = strcmp(lhs, rhs);
730 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
731 }
732
testStrcmpWithRHSTainted(char * lhs)733 void testStrcmpWithRHSTainted(char *lhs) {
734 char rhs[10];
735 scanf("%9s", rhs);
736
737 int cmp_result = strcmp(lhs, rhs);
738 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
739 }
740 int strcasecmp(const char *s1, const char *s2);
testStrcasecmpWithLHSTainted(char * rhs)741 void testStrcasecmpWithLHSTainted(char *rhs) {
742 char lhs[10];
743 scanf("%9s", lhs);
744
745 int cmp_result = strcasecmp(lhs, rhs);
746 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
747 }
748
testStrcasecmpWithRHSTainted(char * lhs)749 void testStrcasecmpWithRHSTainted(char *lhs) {
750 char rhs[10];
751 scanf("%9s", rhs);
752
753 int cmp_result = strcasecmp(lhs, rhs);
754 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
755 }
756 int strncmp(const char *s1, const char *s2, size_t n);
testStrncmpWithLHSTainted(char * rhs,size_t n)757 void testStrncmpWithLHSTainted(char *rhs, size_t n) {
758 char lhs[10];
759 scanf("%9s", lhs);
760
761 int cmp_result = strncmp(lhs, rhs, n);
762 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
763 }
764
testStrncmpWithRHSTainted(char * lhs,size_t n)765 void testStrncmpWithRHSTainted(char *lhs, size_t n) {
766 char rhs[10];
767 scanf("%9s", rhs);
768
769 int cmp_result = strncmp(lhs, rhs, n);
770 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
771 }
772
testStrncmpWithNTainted(char * lhs,char * rhs)773 void testStrncmpWithNTainted(char *lhs, char *rhs) {
774 int n;
775 scanf("%d", &n);
776
777 int cmp_result = strncmp(lhs, rhs, n);
778 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
779 }
780
781 int strncasecmp(const char *s1, const char *s2, size_t n);
testStrncasecmpWithLHSTainted(char * rhs,size_t n)782 void testStrncasecmpWithLHSTainted(char *rhs, size_t n) {
783 char lhs[10];
784 scanf("%9s", lhs);
785
786 int cmp_result = strncmp(lhs, rhs, n);
787 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
788 }
789
testStrncasecmpWithRHSTainted(char * lhs,size_t n)790 void testStrncasecmpWithRHSTainted(char *lhs, size_t n) {
791 char rhs[10];
792 scanf("%9s", rhs);
793
794 int cmp_result = strncmp(lhs, rhs, n);
795 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
796 }
797
testStrncasecmpWithNTainted(char * lhs,char * rhs)798 void testStrncasecmpWithNTainted(char *lhs, char *rhs) {
799 int n;
800 scanf("%d", &n);
801
802 int cmp_result = strncmp(lhs, rhs, n);
803 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
804 }
805
806 size_t strspn(const char *s, const char *accept);
testStrspnFirstArgTainted(const char * accept)807 void testStrspnFirstArgTainted(const char *accept) {
808 char s[10];
809 scanf("%9s", s);
810
811 size_t result = strspn(s, accept);
812 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
813 }
814
testStrspnSecondArgTainted(const char * s)815 void testStrspnSecondArgTainted(const char *s) {
816 char accept[10];
817 scanf("%9s", accept);
818
819 size_t result = strspn(s, accept);
820 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
821 }
822
823 size_t strcspn(const char *s, const char *reject);
testStrcspnFirstArgTainted(const char * reject)824 void testStrcspnFirstArgTainted(const char *reject) {
825 char s[10];
826 scanf("%9s", s);
827
828 size_t result = strcspn(s, reject);
829 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
830 }
831
testStrcspnSecondArgTainted(const char * s)832 void testStrcspnSecondArgTainted(const char *s) {
833 char reject[10];
834 scanf("%9s", reject);
835
836 size_t result = strcspn(s, reject);
837 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
838 }
839
840 char *strpbrk(const char *s, const char *accept);
testStrpbrk(const char * accept)841 void testStrpbrk(const char *accept) {
842 char s[10];
843 scanf("%9s", s);
844
845 char *result = strpbrk(s, accept);
846 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
847 }
848
849 char *strndup(const char *s, size_t n);
testStrndup(size_t n)850 void testStrndup(size_t n) {
851 char s[10];
852 scanf("%9s", s);
853
854 char *result = strndup(s, n);
855 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
856 }
857
858 char *strdupa(const char *s);
testStrdupa()859 void testStrdupa() {
860 char s[10];
861 scanf("%9s", s);
862
863 char *result = strdupa(s);
864 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
865 }
866
867 char *strndupa(const char *s, size_t n);
testStrndupa(size_t n)868 void testStrndupa(size_t n) {
869 char s[10];
870 scanf("%9s", s);
871
872 char *result = strndupa(s, n);
873 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
874 }
875
876 size_t strlen(const char *s);
testStrlen()877 void testStrlen() {
878 char s[10];
879 scanf("%9s", s);
880
881 size_t result = strlen(s);
882 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
883 }
884
885 size_t strnlen(const char *s, size_t maxlen);
testStrnlen(size_t maxlen)886 void testStrnlen(size_t maxlen) {
887 char s[10];
888 scanf("%9s", s);
889
890 size_t result = strnlen(s, maxlen);
891 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
892 }
893
894 long strtol(const char *restrict nptr, char **restrict endptr, int base);
895 long long strtoll(const char *restrict nptr, char **restrict endptr, int base);
896 unsigned long int strtoul(const char *nptr, char **endptr, int base);
897 unsigned long long int strtoull(const char *nptr, char **endptr, int base);
testStrtolVariants(char ** restrict endptr,int base)898 void testStrtolVariants(char **restrict endptr, int base) {
899 char s[10];
900 scanf("%9s", s);
901
902 long result_l = strtol(s, endptr, base);
903 clang_analyzer_isTainted_int(result_l); // expected-warning {{YES}}
904
905 long long result_ll = strtoll(s, endptr, base);
906 clang_analyzer_isTainted_int(result_ll); // expected-warning {{YES}}
907
908 unsigned long result_ul = strtoul(s, endptr, base);
909 clang_analyzer_isTainted_int(result_ul); // expected-warning {{YES}}
910
911 unsigned long long result_ull = strtoull(s, endptr, base);
912 clang_analyzer_isTainted_int(result_ull); // expected-warning {{YES}}
913 }
914
915 int isalnum(int c);
916 int isalpha(int c);
917 int isascii(int c);
918 int isblank(int c);
919 int iscntrl(int c);
920 int isdigit(int c);
921 int isgraph(int c);
922 int islower(int c);
923 int isprint(int c);
924 int ispunct(int c);
925 int isspace(int c);
926 int isupper(int c);
927 int isxdigit(int c);
928
testIsFunctions()929 void testIsFunctions() {
930 char c;
931 scanf("%c", &c);
932
933 int alnum = isalnum(c);
934 clang_analyzer_isTainted_int(alnum); // expected-warning {{YES}}
935
936 int alpha = isalpha(c);
937 clang_analyzer_isTainted_int(alpha); // expected-warning {{YES}}
938
939 int ascii = isascii(c);
940 clang_analyzer_isTainted_int(ascii); // expected-warning {{YES}}
941
942 int blank = isblank(c);
943 clang_analyzer_isTainted_int(blank); // expected-warning {{YES}}
944
945 int cntrl = iscntrl(c);
946 clang_analyzer_isTainted_int(cntrl); // expected-warning {{YES}}
947
948 int digit = isdigit(c);
949 clang_analyzer_isTainted_int(digit); // expected-warning {{YES}}
950
951 int graph = isgraph(c);
952 clang_analyzer_isTainted_int(graph); // expected-warning {{YES}}
953
954 int lower = islower(c);
955 clang_analyzer_isTainted_int(lower); // expected-warning {{YES}}
956
957 int print = isprint(c);
958 clang_analyzer_isTainted_int(print); // expected-warning {{YES}}
959
960 int punct = ispunct(c);
961 clang_analyzer_isTainted_int(punct); // expected-warning {{YES}}
962
963 int space = isspace(c);
964 clang_analyzer_isTainted_int(space); // expected-warning {{YES}}
965
966 int upper = isupper(c);
967 clang_analyzer_isTainted_int(upper); // expected-warning {{YES}}
968
969 int xdigit = isxdigit(c);
970 clang_analyzer_isTainted_int(xdigit); // expected-warning {{YES}}
971 }
972
973 void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));
974 void qsort_r(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *, void *), void *arg);
testQsort()975 void testQsort() {
976 int data[1];
977 scanf("%d", data);
978
979 qsort(data, sizeof(data), sizeof(data[0]), NULL);
980 clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
981 qsort_r(data, sizeof(data), sizeof(data[0]), NULL, NULL);
982 clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
983 }
984
985 // Test configuration
986 int mySource1(void);
987 void mySource2(int*);
988 void myScanf(const char*, ...);
989 int myPropagator(int, int*);
990 int mySnprintf(char*, size_t, const char*, ...);
991 bool isOutOfRange(const int*);
992 void mySink(int, int, int);
993
testConfigurationSources1(void)994 void testConfigurationSources1(void) {
995 int x = mySource1();
996 Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
997 }
998
testConfigurationSources2(void)999 void testConfigurationSources2(void) {
1000 int x;
1001 mySource2(&x);
1002 Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
1003 }
1004
testConfigurationSources3(void)1005 void testConfigurationSources3(void) {
1006 int x, y;
1007 myScanf("%d %d", &x, &y);
1008 Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
1009 }
1010
testConfigurationPropagation(void)1011 void testConfigurationPropagation(void) {
1012 int x = mySource1();
1013 int y;
1014 myPropagator(x, &y);
1015 Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
1016 }
1017
testConfigurationFilter(void)1018 void testConfigurationFilter(void) {
1019 int x = mySource1();
1020 if (isOutOfRange(&x)) // the filter function
1021 return;
1022 Buffer[x] = 1; // no-warning
1023 }
1024
testConfigurationSinks(void)1025 void testConfigurationSinks(void) {
1026 int x = mySource1();
1027 mySink(x, 1, 2);
1028 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
1029 mySink(1, x, 2); // no-warning
1030 mySink(1, 2, x);
1031 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
1032 }
1033
testUnknownFunction(void (* foo)(void))1034 void testUnknownFunction(void (*foo)(void)) {
1035 foo(); // no-crash
1036 }
1037
testProctitleFalseNegative(void)1038 void testProctitleFalseNegative(void) {
1039 char flag[80];
1040 fscanf(stdin, "%79s", flag);
1041 char *argv[] = {"myapp", flag};
1042 // FIXME: We should have a warning below: Untrusted data passed to sink.
1043 setproctitle_init(1, argv, 0);
1044 }
1045
testProctitle2(char * real_argv[])1046 void testProctitle2(char *real_argv[]) {
1047 char *app = getenv("APP_NAME");
1048 if (!app)
1049 return;
1050 char *argv[] = {app, "--foobar"};
1051 setproctitle_init(1, argv, 0); // expected-warning {{Untrusted data is passed to a user-defined sink}}
1052 setproctitle_init(1, real_argv, argv); // expected-warning {{Untrusted data is passed to a user-defined sink}}
1053 }
1054