src/third_party/llvm-project/clang/test/Analysis/taint-generic.c - cobalt - Git at Google

 // RUN: %clang_analyze_cc1  -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
 // RUN: %clang_analyze_cc1  -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s

 int scanf(const char *restrict format, ...);
 int getchar(void);

 typedef struct _FILE FILE;
 #ifdef FILE_IS_STRUCT
 extern struct _FILE *stdin;
 #else
 extern FILE *stdin;
 #endif

 int fscanf(FILE *restrict stream, const char *restrict format, ...);
 int sprintf(char *str, const char *format, ...);
 void setproctitle(const char *fmt, ...);
 typedef __typeof(sizeof(int)) size_t;

 // Define string functions. Use builtin for some of them. They all default to
 // the processing in the taint checker.
 #define strcpy(dest, src) \
   ((__builtin_object_size(dest, 0) != -1ULL) \
    ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
    : __inline_strcpy_chk(dest, src))

 static char *__inline_strcpy_chk (char *dest, const char *src) {
   return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
 }
 char *stpcpy(char *restrict s1, const char *restrict s2);
 char *strncpy( char * destination, const char * source, size_t num );
 char *strndup(const char *s, size_t n);
 char *strncat(char *restrict s1, const char *restrict s2, size_t n);

 void *malloc(size_t);
 void *calloc(size_t nmemb, size_t size);
 void bcopy(void *s1, void *s2, size_t n);

 #define BUFSIZE 10

 int Buffer[BUFSIZE];
 void bufferScanfDirect(void)
 {
   int n;
   scanf("%d", &n);
   Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
 }

 void bufferScanfArithmetic1(int x) {
   int n;
   scanf("%d", &n);
   int m = (n - 3);
   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
 }

 void bufferScanfArithmetic2(int x) {
   int n;
   scanf("%d", &n);
   int m = 100 - (n + 3) * x;
   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
 }

 void bufferScanfAssignment(int x) {
   int n;
   scanf("%d", &n);
   int m;
   if (x > 0) {
     m = n;
     Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
   }
 }

 void scanfArg() {
   int t = 0;
   scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
 }

 void bufferGetchar(int x) {
   int m = getchar();
   Buffer[m] = 1;  //expected-warning {{Out of bound memory access (index is tainted)}}
 }

 void testUncontrolledFormatString(char **p) {
   char s[80];
   fscanf(stdin, "%s", s);
   char buf[128];
   sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
   setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}

   // Test taint propagation through strcpy and family.
   char scpy[80];
   strcpy(scpy, s);
   sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}

   stpcpy(*(++p), s); // this generates __inline.
   setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}

   char spcpy[80];
   stpcpy(spcpy, s);
   setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}

   char *spcpyret;
   spcpyret = stpcpy(spcpy, s);
   setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}

   char sncpy[80];
   strncpy(sncpy, s, 20);
   setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}

   char *dup;
   dup = strndup(s, 20);
   setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}

 }

 int system(const char *command);
 void testTaintSystemCall() {
   char buffer[156];
   char addr[128];
   scanf("%s", addr);
   system(addr); // expected-warning {{Untrusted data is passed to a system call}}

   // Test that spintf transfers taint.
   sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
   system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
 }

 void testTaintSystemCall2() {
   // Test that snpintf transfers taint.
   char buffern[156];
   char addr[128];
   scanf("%s", addr);
   __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
   system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
 }

 void testTaintSystemCall3() {
   char buffern2[156];
   int numt;
   char addr[128];
   scanf("%s %d", addr, &numt);
   __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
   system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
 }

 void testTaintedBufferSize() {
   size_t ts;
   scanf("%zd", &ts);

   int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
   char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
   bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
   __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}

   // If both buffers are trusted, do not issue a warning.
   char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
   strncat(dst2, dst, ts); // no-warning
 }

 #define AF_UNIX   1   /* local to host (pipes) */
 #define AF_INET   2   /* internetwork: UDP, TCP, etc. */
 #define AF_LOCAL  AF_UNIX   /* backward compatibility */
 #define SOCK_STREAM 1
 int socket(int, int, int);
 size_t read(int, void *, size_t);
 int  execl(const char *, const char *, ...);

 void testSocket() {
   int sock;
   char buffer[100];

   sock = socket(AF_INET, SOCK_STREAM, 0);
   read(sock, buffer, 100);
   execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}

   sock = socket(AF_LOCAL, SOCK_STREAM, 0);
   read(sock, buffer, 100);
   execl(buffer, "filename", 0); // no-warning

   sock = socket(AF_INET, SOCK_STREAM, 0);
   // References to both buffer and &buffer as an argument should taint the argument
   read(sock, &buffer, 100);
   execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
 }

 void testStruct() {
   struct {
     char buf[16];
     int length;
   } tainted;

   char buffer[16];
   int sock;

   sock = socket(AF_INET, SOCK_STREAM, 0);
   read(sock, &tainted, sizeof(tainted));
   __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
 }

 void testStructArray() {
   struct {
     int length;
   } tainted[4];

   char dstbuf[16], srcbuf[16];
   int sock;

   sock = socket(AF_INET, SOCK_STREAM, 0);
   __builtin_memset(srcbuf, 0, sizeof(srcbuf));

   read(sock, &tainted[0], sizeof(tainted));
   __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}

   __builtin_memset(&tainted, 0, sizeof(tainted));
   read(sock, &tainted, sizeof(tainted));
   __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}

   __builtin_memset(&tainted, 0, sizeof(tainted));
   // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
   read(sock, &tainted[1], sizeof(tainted));
   __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
   __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
 }

 void testUnion() {
   union {
     int x;
     char y[4];
   } tainted;

   char buffer[4];

   int sock = socket(AF_INET, SOCK_STREAM, 0);
   read(sock, &tainted.y, sizeof(tainted.y));
   // FIXME: overlapping regions aren't detected by isTainted yet
   __builtin_memcpy(buffer, tainted.y, tainted.x);
 }

 int testDivByZero() {
   int x;
   scanf("%d", &x);
   return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
 }

 // Zero-sized VLAs.
 void testTaintedVLASize() {
   int x;
   scanf("%d", &x);
   int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
 }

 // This computation used to take a very long time.
 #define longcmp(a,b,c) { \
   a -= c;  a ^= c;  c += b; b -= a;  b ^= (a<<6) | (a >> (32-b));  a += c; c -= b;  c ^= b;  b += a; \
   a -= c;  a ^= c;  c += b; b -= a;  b ^= a;  a += c; c -= b;  c ^= b;  b += a; }

 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
   unsigned a, b, c;
   a = b = c = 0x9899e3 + l;
   while (l >= 6) {
     unsigned t;
     scanf("%d", &t);
     a += b;
     a ^= a;
     a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
     longcmp(a, t, c);
     l -= 12;
   }
   return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
 }

 // Check that we do not assert of the following code.
 int SymSymExprWithDiffTypes(void* p) {
   int i;
   scanf("%d", &i);
   int j = (i % (int)(long)p);
   return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
 }


 void constraintManagerShouldTreatAsOpaque(int rhs) {
   int i;
   scanf("%d", &i);
   // This comparison used to hit an assertion in the constraint manager,
   // which didn't handle NonLoc sym-sym comparisons.
   if (i < rhs)
     return;
   if (i < rhs)
     *(volatile int *) 0; // no-warning
 }
	// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
	// RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s

	int scanf(const char *restrict format, ...);
	int getchar(void);

	typedef struct _FILE FILE;
	#ifdef FILE_IS_STRUCT
	extern struct _FILE *stdin;
	#else
	extern FILE *stdin;
	#endif

	int fscanf(FILE restrict stream, const char restrict format, ...);
	int sprintf(char str, const char format, ...);
	void setproctitle(const char *fmt, ...);
	typedef __typeof(sizeof(int)) size_t;

	// Define string functions. Use builtin for some of them. They all default to
	// the processing in the taint checker.
	#define strcpy(dest, src) \
	((__builtin_object_size(dest, 0) != -1ULL) \
	? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
	: __inline_strcpy_chk(dest, src))

	static char __inline_strcpy_chk (char dest, const char *src) {
	return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
	}
	char stpcpy(char restrict s1, const char *restrict s2);
	char strncpy( char destination, const char * source, size_t num );
	char strndup(const char s, size_t n);
	char strncat(char restrict s1, const char *restrict s2, size_t n);

	void *malloc(size_t);
	void *calloc(size_t nmemb, size_t size);
	void bcopy(void s1, void s2, size_t n);

	#define BUFSIZE 10

	int Buffer[BUFSIZE];
	void bufferScanfDirect(void)
	{
	int n;
	scanf("%d", &n);
	Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
	}

	void bufferScanfArithmetic1(int x) {
	int n;
	scanf("%d", &n);
	int m = (n - 3);
	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
	}

	void bufferScanfArithmetic2(int x) {
	int n;
	scanf("%d", &n);
	int m = 100 - (n + 3) * x;
	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
	}

	void bufferScanfAssignment(int x) {
	int n;
	scanf("%d", &n);
	int m;
	if (x > 0) {
	m = n;
	Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
	}
	}

	void scanfArg() {
	int t = 0;
	scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
	}

	void bufferGetchar(int x) {
	int m = getchar();
	Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
	}

	void testUncontrolledFormatString(char **p) {
	char s[80];
	fscanf(stdin, "%s", s);
	char buf[128];
	sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
	setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}

	// Test taint propagation through strcpy and family.
	char scpy[80];
	strcpy(scpy, s);
	sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}

	stpcpy(*(++p), s); // this generates __inline.
	setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}

	char spcpy[80];
	stpcpy(spcpy, s);
	setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}

	char *spcpyret;
	spcpyret = stpcpy(spcpy, s);
	setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}

	char sncpy[80];
	strncpy(sncpy, s, 20);
	setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}

	char *dup;
	dup = strndup(s, 20);
	setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}

	}

	int system(const char *command);
	void testTaintSystemCall() {
	char buffer[156];
	char addr[128];
	scanf("%s", addr);
	system(addr); // expected-warning {{Untrusted data is passed to a system call}}

	// Test that spintf transfers taint.
	sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
	system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
	}

	void testTaintSystemCall2() {
	// Test that snpintf transfers taint.
	char buffern[156];
	char addr[128];
	scanf("%s", addr);
	__builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
	system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
	}

	void testTaintSystemCall3() {
	char buffern2[156];
	int numt;
	char addr[128];
	scanf("%s %d", addr, &numt);
	__builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
	system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
	}

	void testTaintedBufferSize() {
	size_t ts;
	scanf("%zd", &ts);

	int buf1 = (int)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
	char dst = (char)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
	bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
	__builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}

	// If both buffers are trusted, do not issue a warning.
	char dst2 = (char)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
	strncat(dst2, dst, ts); // no-warning
	}

	#define AF_UNIX 1 /* local to host (pipes) */
	#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
	#define AF_LOCAL AF_UNIX /* backward compatibility */
	#define SOCK_STREAM 1
	int socket(int, int, int);
	size_t read(int, void *, size_t);
	int execl(const char , const char , ...);

	void testSocket() {
	int sock;
	char buffer[100];

	sock = socket(AF_INET, SOCK_STREAM, 0);
	read(sock, buffer, 100);
	execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}

	sock = socket(AF_LOCAL, SOCK_STREAM, 0);
	read(sock, buffer, 100);
	execl(buffer, "filename", 0); // no-warning

	sock = socket(AF_INET, SOCK_STREAM, 0);
	// References to both buffer and &buffer as an argument should taint the argument
	read(sock, &buffer, 100);
	execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
	}

	void testStruct() {
	struct {
	char buf[16];
	int length;
	} tainted;

	char buffer[16];
	int sock;

	sock = socket(AF_INET, SOCK_STREAM, 0);
	read(sock, &tainted, sizeof(tainted));
	__builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
	}

	void testStructArray() {
	struct {
	int length;
	} tainted[4];

	char dstbuf[16], srcbuf[16];
	int sock;

	sock = socket(AF_INET, SOCK_STREAM, 0);
	__builtin_memset(srcbuf, 0, sizeof(srcbuf));

	read(sock, &tainted[0], sizeof(tainted));
	__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}

	__builtin_memset(&tainted, 0, sizeof(tainted));
	read(sock, &tainted, sizeof(tainted));
	__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}

	__builtin_memset(&tainted, 0, sizeof(tainted));
	// If we taint element 1, we should not raise an alert on taint for element 0 or element 2
	read(sock, &tainted[1], sizeof(tainted));
	__builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
	__builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
	}

	void testUnion() {
	union {
	int x;
	char y[4];
	} tainted;

	char buffer[4];

	int sock = socket(AF_INET, SOCK_STREAM, 0);
	read(sock, &tainted.y, sizeof(tainted.y));
	// FIXME: overlapping regions aren't detected by isTainted yet
	__builtin_memcpy(buffer, tainted.y, tainted.x);
	}

	int testDivByZero() {
	int x;
	scanf("%d", &x);
	return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
	}

	// Zero-sized VLAs.
	void testTaintedVLASize() {
	int x;
	scanf("%d", &x);
	int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
	}

	// This computation used to take a very long time.
	#define longcmp(a,b,c) { \
	a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) \| (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
	a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }

	unsigned radar11369570_hanging(const unsigned char *arr, int l) {
	unsigned a, b, c;
	a = b = c = 0x9899e3 + l;
	while (l >= 6) {
	unsigned t;
	scanf("%d", &t);
	a += b;
	a ^= a;
	a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
	longcmp(a, t, c);
	l -= 12;
	}
	return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
	}

	// Check that we do not assert of the following code.
	int SymSymExprWithDiffTypes(void* p) {
	int i;
	scanf("%d", &i);
	int j = (i % (int)(long)p);
	return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
	}


	void constraintManagerShouldTreatAsOpaque(int rhs) {
	int i;
	scanf("%d", &i);
	// This comparison used to hit an assertion in the constraint manager,
	// which didn't handle NonLoc sym-sym comparisons.
	if (i < rhs)
	return;
	if (i < rhs)
	(volatile int ) 0; // no-warning
	}