[clang] 49285f4 - [analyzer] sprintf is a taint propagator not a source

Balazs Benics via cfe-commits cfe-commits at lists.llvm.org
Thu Oct 28 02:03:22 PDT 2021


Author: Balazs Benics
Date: 2021-10-28T11:03:02+02:00
New Revision: 49285f43e5ed17206235e43c9cd17762d77ed275

URL: https://github.com/llvm/llvm-project/commit/49285f43e5ed17206235e43c9cd17762d77ed275
DIFF: https://github.com/llvm/llvm-project/commit/49285f43e5ed17206235e43c9cd17762d77ed275.diff

LOG: [analyzer] sprintf is a taint propagator not a source

Due to a typo, `sprintf()` was recognized as a taint source instead of a
taint propagator. It was because an empty taint source list - which is
the first parameter of the `TaintPropagationRule` - encoded the
unconditional taint sources.
This typo effectively turned the `sprintf()` into an unconditional taint
source.

This patch fixes that typo and demonstrates the correct behavior with
tests.

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D112558

Added: 
    

Modified: 
    clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
    clang/test/Analysis/taint-generic.c

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
index 69e9cbd51c357..66ef781871ec9 100644
--- a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -514,7 +514,7 @@ GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule(
     if (OneOf("snprintf"))
       return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3};
     if (OneOf("sprintf"))
-      return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2};
+      return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2};
     if (OneOf("strcpy", "stpcpy", "strcat"))
       return {{1}, {0, ReturnValueIndex}};
     if (OneOf("bcopy"))
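Review bot: the corrected `{1}` source list on the `sprintf` line is right for `sprintf(dst, fmt, ...)` (index 1 is the format string, index 0 the destination), but the convention that made the original typo harmful, an empty source list meaning "unconditional taint source", is not visible anywhere in this hunk or in `getTaintPropagationRule` as shown; consider adding a short comment at the top of the function, or a named constructor for unconditional sources, so the next rule added here cannot silently repeat the mistake.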

diff  --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index 2cbd580168ba9..90ab454ff7e8f 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -341,6 +341,16 @@ void constraintManagerShouldTreatAsOpaque(int rhs) {
     *(volatile int *) 0; // no-warning
 }
 
+int sprintf_is_not_a_source(char *buf, char *msg) {
+  int x = sprintf(buf, "%s", msg); // no-warning
+  return 1 / x; // no-warning: 'sprintf' is not a taint source
+}
+
+int sprintf_propagates_taint(char *buf, char *msg) {
+  scanf("%s", msg);
+  int x = sprintf(buf, "%s", msg); // propagate taint!
+  return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
 
 // Test configuration
 int mySource1();
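Review bot: `sprintf_propagates_taint` taints `msg`, which reaches `sprintf` as variadic argument index 2 and was already covered by `VariadicType::Src, 2` before the fix, so it does not exercise the new `{1}` source entry; add a case where the format-string argument itself is tainted (read into a `char fmt[]` via `scanf("%s", fmt)`, then `sprintf(buf, fmt)`) with the same `expected-warning`, so the test would actually fail if `{1}` regressed to `{}`. The `sprintf_is_not_a_source` case is fine as a regression test since neither parameter is tainted and a plain unconstrained `x` should not trigger the checker.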

