[cfe-dev] Adding taint sources to GenericTaintChecker

Ashwin Ganesh via cfe-dev cfe-dev at lists.llvm.org
Mon Apr 11 22:36:14 PDT 2016


Okay cool. One thing I have observed in assignment statements is that,
if a warning such as 'Division by a tainted value, possibly zero' occurs,
then the taint is not propagated to the left hand side. But there seems
to be some discrepancy when I use float instead of int: the taint doesn't
propagate at all. Does the type matter?

#include <stdio.h>

/* Reads a float from stdin (the taint source); note the float is
 * converted to int on return, and the scanf result is not checked. */
int readl(void)
{
    float a;
    scanf("%f", &a);
    return a;
}

int main(void)
{
    float a, b, c, d;
    a = readl();              /* should become tainted */
    printf("%f", a);
    b = a * 2.0;              /* arithmetic that should propagate taint */
    c = (b + 1.0) * 100.0;
    d = (c - 1.0) / 5.0;
    return 0;
}

The taint doesn't propagate in the above case (I don't think even 'a' gets
tainted), but if I change everything to int, then it works. Is it
dependent on the variable type?

Regards,
Ashwin

On Tue, Apr 12, 2016 at 11:05 AM, Ashwin Ganesh <ashwingane at gmail.com>
wrote:

> On Mon, Apr 11, 2016 at 8:43 PM, Artem Dergachev <dergachev.a at samsung.com>
> wrote:
>
>> On 11.04.2016 16:32, Ashwin Ganesh wrote:
>> > Is there any way by which I can guarantee those
>> > initial return values to be tainted?
>>
>> There shouldn't be a problem unless these values are compile-time
>> constants.
>>
>> It might be a bit tricky (though not very hard) to determine if the
>> correct function is called, in case it's actually loaded from a dynamic
>> library and passed around as a pointer, but that's a different story. If
>> the loading process is hidden in another translation unit, and the end user
>> receives only a forward declaration of readval(), that shouldn't be a
>> problem.
>>
>
>