[PATCH] Properly taint gets()

Keaton Mowery kmowery at gmail.com
Mon Jul 1 17:50:17 PDT 2013


The llvm-3.2 taint engine does not properly taint the results of a gets()
call.

For gets(), since none of the function arguments are tainted,
ProgramStateRef GenericTaintChecker::TaintPropagationRule::process() bails
out early. Most other input functions take stdin as an argument; gets() is
a special case, wherein stdin is implied.

The attached patch includes a fix for this issue and a regression test
case. This fix does slightly change the semantics of TaintPropagationRule,
but I think it maintains correctness.

Note: this patch is against llvm/clang 3.2. Due to a bug, I can't use 3.3,
and HEAD is too unstable for my purposes. My apologies if this bug has been
fixed already!

Also, I mistakenly submitted this patch as Bug 16475. If this is committed,
could someone please close that bug? Thanks!
http://llvm.org/bugs/show_bug.cgi?id=16475

Keaton Mowery
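To illustrate the bail-out described above, here is a small C++ model of a taint-propagation rule, added for this post; it is not GenericTaintChecker's code and the attached patch is not reproduced. The argument indices, the ReturnValue sentinel and the shape of the fix (a rule with an implicit source taints its destinations unconditionally) are assumptions.

```cpp
// Model of a taint-propagation rule: which argument slots carry taint into a
// call, and which slots (or the return value) are tainted afterwards.
#include <set>
#include <vector>

constexpr int ReturnValue = -1;   // assumed sentinel for "the call's result"

struct Rule {
    std::vector<int> srcArgs;     // arguments that must be tainted to propagate
    std::vector<int> dstArgs;     // arguments (or ReturnValue) tainted on return
    bool implicitSource;          // gets(): input comes from stdin, not an argument
};

// Core propagation. `tainted` holds the argument indices tainted before the
// call; the returned set holds what is tainted after it.
static std::set<int> propagate(const Rule& r, const std::set<int>& tainted,
                               bool honourImplicitSource) {
    std::set<int> out = tainted;
    bool anySrcTainted = honourImplicitSource && r.implicitSource;
    for (int a : r.srcArgs)
        if (tainted.count(a)) anySrcTainted = true;
    // Pre-fix behaviour: with no tainted source argument the rule bails out
    // early, so gets() never marks its buffer or result as tainted.
    if (!anySrcTainted) return out;
    out.insert(r.dstArgs.begin(), r.dstArgs.end());
    return out;
}

// Behaviour reported in the post: implicit sources are ignored.
std::set<int> processOriginal(const Rule& r, const std::set<int>& tainted) {
    return propagate(r, tainted, false);
}

// Assumed fixed behaviour: an implicit source counts as a tainted source.
std::set<int> processFixed(const Rule& r, const std::set<int>& tainted) {
    return propagate(r, tainted, true);
}

// char *gets(char *s): no argument is a source; s and the result become tainted.
Rule getsRule()  { return Rule{{}, {0, ReturnValue}, true}; }
// char *fgets(char *s, int n, FILE *stream): stdin arrives as argument 2,
// which the checker already treats as tainted, so this rule works today.
Rule fgetsRule() { return Rule{{2}, {0, ReturnValue}, false}; }
```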
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gets-taint.patch
Type: application/octet-stream
Size: 2684 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20130701/7a3e1195/attachment.obj>
