[cfe-commits] r148518 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp test/Analysis/taint-generic.c
Anna Zaks
ganna at apple.com
Thu Jan 19 16:11:20 PST 2012
Author: zaks
Date: Thu Jan 19 18:11:19 2012
New Revision: 148518
URL: http://llvm.org/viewvc/llvm-project?rev=148518&view=rev
Log:
[analyzer] Add socket API as a source of taint.
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
cfe/trunk/test/Analysis/taint-generic.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=148518&r1=148517&r2=148518&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Thu Jan 19 18:11:19 2012
@@ -76,6 +76,7 @@
typedef const ProgramState *(GenericTaintChecker::*FnCheck)(const CallExpr *,
CheckerContext &C) const;
const ProgramState *postScanf(const CallExpr *CE, CheckerContext &C) const;
+ const ProgramState *postSocket(const CallExpr *CE, CheckerContext &C) const;
const ProgramState *postRetTaint(const CallExpr *CE, CheckerContext &C) const;
/// Taint the scanned input if the file is tainted.
@@ -207,6 +208,8 @@
.Case("atoi", TaintPropagationRule(0, ReturnValueIndex))
.Case("atol", TaintPropagationRule(0, ReturnValueIndex))
.Case("atoll", TaintPropagationRule(0, ReturnValueIndex))
+ .Case("read", TaintPropagationRule(0, 2, 1, true))
+ .Case("pread", TaintPropagationRule(InvalidArgIndex, 1, true))
.Default(TaintPropagationRule());
if (!Rule.isNull())
@@ -360,6 +363,7 @@
.Case("fopen", &GenericTaintChecker::postRetTaint)
.Case("fdopen", &GenericTaintChecker::postRetTaint)
.Case("freopen", &GenericTaintChecker::postRetTaint)
+ .Case("socket", &GenericTaintChecker::postSocket)
.Default(0);
// If the callee isn't defined, it is not of security concern.
@@ -501,6 +505,23 @@
return 0;
}
+
+// If argument 0(protocol domain) is network, the return value should get taint.
+const ProgramState *GenericTaintChecker::postSocket(const CallExpr *CE,
+ CheckerContext &C) const {
+ assert(CE->getNumArgs() >= 3);
+ const ProgramState *State = C.getState();
+
+ SourceLocation DomLoc = CE->getArg(0)->getExprLoc();
+ StringRef DomName = C.getMacroNameOrSpelling(DomLoc);
+ // White list the internal communication protocols.
+ if (DomName.equals("AF_SYSTEM") || DomName.equals("AF_LOCAL") ||
+ DomName.equals("AF_UNIX") || DomName.equals("AF_RESERVED_36"))
+ return State;
+ State = State->addTaint(CE, C.getLocationContext());
+ return State;
+}
+
const ProgramState *GenericTaintChecker::postScanf(const CallExpr *CE,
CheckerContext &C) const {
const ProgramState *State = C.getState();
@@ -627,6 +648,12 @@
unsigned ArgNum = llvm::StringSwitch<unsigned>(Name)
.Case("system", 0)
.Case("popen", 0)
+ .Case("execl", 0)
+ .Case("execle", 0)
+ .Case("execlp", 0)
+ .Case("execv", 0)
+ .Case("execvp", 0)
+ .Case("execvP", 0)
.Default(UINT_MAX);
if (ArgNum == UINT_MAX)
Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=148518&r1=148517&r2=148518&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Thu Jan 19 18:11:19 2012
@@ -148,5 +148,26 @@
// If both buffers are trusted, do not issue a warning.
char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Tainted data is used to specify the buffer size}}
strncat(dst2, dst, ts); // no-warning
+}
+
+#define AF_UNIX 1 /* local to host (pipes) */
+#define AF_INET 2 /* internetwork: UDP, TCP, etc. */
+#define AF_LOCAL AF_UNIX /* backward compatibility */
+#define SOCK_STREAM 1
+int socket(int, int, int);
+size_t read(int, void *, size_t);
+int execl(const char *, const char *, ...);
+
+void testSocket() {
+ int sock;
+ char buffer[100];
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ read(sock, buffer, 100);
+ execl(buffer, "filename", 0); // expected-warning {{Tainted data passed to a system call}}
+
+ sock = socket(AF_LOCAL, SOCK_STREAM, 0);
+ read(sock, buffer, 100);
+ execl(buffer, "filename", 0); // no-warning
}
+
More information about the cfe-commits
mailing list