[cfe-commits] r146532 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp lib/StaticAnalyzer/Core/ProgramState.cpp test/Analysis/taint-tester.c
Anna Zaks
ganna at apple.com
Tue Dec 13 16:55:58 PST 2011
Author: zaks
Date: Tue Dec 13 18:55:58 2011
New Revision: 146532
URL: http://llvm.org/viewvc/llvm-project?rev=146532&view=rev
Log:
[analyzer] Mark getenv output as tainted.
Also, allow adding taint to a region (not only a symbolic value).
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
cfe/trunk/test/Analysis/taint-tester.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=146532&r1=146531&r2=146532&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Tue Dec 13 18:55:58 2011
@@ -63,6 +63,7 @@
FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
.Case("scanf", &GenericTaintChecker::processScanf)
.Case("getchar", &GenericTaintChecker::processRetTaint)
+ .Case("getenv", &GenericTaintChecker::processRetTaint)
.Default(NULL);
// If the callee isn't defined, it is not of security concern.
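Review bot: The new `.Case("getenv", &GenericTaintChecker::processRetTaint)` line reuses the handler written for `getchar`, but `getenv` returns a pointer rather than a scalar, and nothing at this site says that tainting it depends on the region fallback added to `ProgramState::addTaint` in this same commit. A comment above the case would record that, for example `// getenv returns a pointer; the taint is attached to the symbol of the returned symbolic region.` The enclosing function starts and ends outside this hunk, so how `evalFunction` is invoked cannot be checked from here.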
Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp?rev=146532&r1=146531&r2=146532&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp Tue Dec 13 18:55:58 2011
@@ -654,8 +654,15 @@
const ProgramState* ProgramState::addTaint(const Stmt *S,
TaintTagType Kind) const {
SymbolRef Sym = getSVal(S).getAsSymbol();
- assert(Sym && "Cannot add taint to statements whose value is not a symbol");
- return addTaint(Sym, Kind);
+ if (Sym)
+ return addTaint(Sym, Kind);
+
+ const MemRegion *R = getSVal(S).getAsRegion();
+ if (const SymbolicRegion *SR = dyn_cast_or_null<SymbolicRegion>(R))
+ return addTaint(SR->getSymbol(), Kind);
+
+ // Cannot add taint, so just return the state.
+ return this;
}
const ProgramState* ProgramState::addTaint(SymbolRef Sym,
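Review bot: The trailing `return this;` in the `Stmt` overload of `addTaint` now drops the taint request silently where the removed assert used to fire. A caller such as `processRetTaint` cannot tell that a source went unmarked, and in a taint checker that shows up as a missed warning rather than a visible failure. The region branch accepts only a value that is itself a `SymbolicRegion`, so every other region kind takes the same silent path. I would state that contract in a comment above the function (taint goes on the symbol, or on the symbol of a symbolic region, otherwise the state is returned unchanged). I would also evaluate the value once with `SVal Val = getSVal(S);` instead of calling `getSVal(S)` twice. The next `addTaint` overload begins on the last line of this hunk and continues outside it.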
Modified: cfe/trunk/test/Analysis/taint-tester.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-tester.c?rev=146532&r1=146531&r2=146532&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-tester.c (original)
+++ cfe/trunk/test/Analysis/taint-tester.c Tue Dec 13 18:55:58 2011
@@ -70,3 +70,13 @@
m = inn;
int mm = m; // expected-warning {{tainted}}
}
+
+// Test getenv.
+char *getenv(const char *name);
+void getenvTest(char *home) {
+ home = getenv("HOME"); // expected-warning 2 {{tainted}}
+ if (home != 0) { // expected-warning 2 {{tainted}}
+ char d = home[0]; // expected-warning 2 {{tainted}}
+ }
+}
+
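Review bot: The `expected-warning 2 {{tainted}}` counts in `getenvTest` are unexplained, so a reader cannot tell which two expressions on each line are expected to be reported, and a later change in the count will be hard to judge. A one-line comment next to the first of them would help, for example `// Reported once for the pointer and once for the enclosing expression.`, if that is in fact the reason. `home` is declared as a parameter only to be overwritten on the first line; a local would read more directly, though switching to a declaration may change the reported count. The test also has no negative case showing that a value not derived from `getenv` stays untainted after the new region path in `addTaint`.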