<div dir="ltr"><span style="font-size:12.8px">Okay cool. One thing I have observed in assignment statements is that, if a warning such as 'Division by a tainted value, possibly zero' occurs, then the taint is not propagated to the left-hand side. But there seems to be some discrepancy when I use float instead of int; the taint doesn't propagate at all. Does the type matter?</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div><i>int readl()</i></div><div><i>{</i></div><div><i><span style="white-space:pre-wrap"> </span>float a;</i></div><div><i><span style="white-space:pre-wrap"> </span>scanf("%f",&a);</i></div><div><i> return a;</i></div><div><i>}</i></div><div><i> </i></div><div><i>int main()</i></div><div><i>{</i></div><div><i><span style="white-space:pre-wrap"> </span>float a,b,c,d,e;</i></div><div><i><span style="white-space:pre-wrap"> </span>a = readl();</i></div><div><i><span style="white-space:pre-wrap"> </span>printf("%f",a);</i></div><div><i><span style="white-space:pre-wrap"> </span>b = a*2.0;</i></div><div><i><span style="white-space:pre-wrap"> </span>c = (b+1.0)*100.0;</i></div><div><i><span style="white-space:pre-wrap"> </span>d = (c-1.0)/5.0;</i></div><div><i><span style="white-space:pre-wrap"> </span>return 0;</i></div><div><i>} </i></div><div><i><br></i></div><div>The taint doesn't propagate in the above case (I don't think even 'a' gets tainted), but if I change everything to <i>int</i>, then it works. Is it dependent on the variable type?</div><div><i><br></i></div><div><i>Regards,</i></div><div><i>Ashwin</i></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 12, 2016 at 11:05 AM, Ashwin Ganesh <span dir="ltr"><<a href="mailto:ashwingane@gmail.com" target="_blank">ashwingane@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Okay cool. 
One thing I have observed in assignment statements is that, if a warning such as 'Division by a tainted value, possibly zero' occurs, then the taint is not propagated to the left-hand side. But there seems to be some discrepancy when I use float instead of int; the taint doesn't propagate at all. Does the type matter?<div><br></div><div><div><i>int readl()</i></div><div><i>{</i></div><div><i><span style="white-space:pre-wrap"> </span>float a;</i></div><div><i><span style="white-space:pre-wrap"> </span>scanf("%f",&a);</i></div><div><i> return a;</i></div><div><i>}</i></div><div><i> </i></div><div><i>int main()</i></div><div><i>{</i></div><div><i><span style="white-space:pre-wrap"> </span>float a,b,c,d,e;</i></div><div><i><span style="white-space:pre-wrap"> </span>a = readl();</i></div><div><i><span style="white-space:pre-wrap"> </span>printf("%f",a);</i></div><div><i><span style="white-space:pre-wrap"> </span>b = a*2.0;</i></div><div><i><span style="white-space:pre-wrap"> </span>c = (b+1.0)*100.0;</i></div><div><i><span style="white-space:pre-wrap"> </span>d = (c-1.0)/5.0;</i></div><div><i><span style="white-space:pre-wrap"> </span>return 0;</i></div><div><i>} </i></div><div><i><br></i></div><div>The taint doesn't propagate in the above case (I don't think even 'a' gets tainted), but if I change everything to <i>int</i>, then it works. Is it dependent on the variable type?</div><div><i><br></i></div><div><i>Regards,</i></div><div><i>Ashwin</i></div><div><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 11, 2016 at 8:43 PM, Artem Dergachev <span dir="ltr"><<a href="mailto:dergachev.a@samsung.com" target="_blank">dergachev.a@samsung.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 11.04.2016 16:32, Ashwin Ganesh wrote:<br>
> Is there any way by which I can guarantee those<br>
> initial return values to be tainted?<br>
<br></span>
There shouldn't be a problem unless these values are compile-time constants.<br>
<br>
It might be a bit tricky (though not very hard) to determine if the correct function is called, in case it's actually loaded from a dynamic library and passed around as a pointer, but that's a different story. If the loading process is hidden in another translation unit, and the end user receives only a forward declaration of readval(), that shouldn't be a problem.<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>