[PATCH] D58828: [analyzer] Fix taint propagation in GenericTaintChecker
Borsik Gábor via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Mar 1 07:02:01 PST 2019
boga95 created this revision.
boga95 added reviewers: gerazo, xazax.hun, Szelethus, a_sidorin, dcoughlin, george.karpenkov, NoQ.
boga95 added a project: clang.
Herald added subscribers: cfe-commits, Charusso, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware, whisperity.
The `gets` function has no SrcArgs. Because the default value for isTainted was false, it didn't mark its DstArgs as tainted.
Repository:
rC Clang
https://reviews.llvm.org/D58828
Files:
lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
test/Analysis/taint-generic.c
Index: test/Analysis/taint-generic.c
===================================================================
--- test/Analysis/taint-generic.c
+++ test/Analysis/taint-generic.c
@@ -2,6 +2,7 @@
// RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
int scanf(const char *restrict format, ...);
+char *gets(char *str);
int getchar(void);
typedef struct _FILE FILE;
@@ -142,6 +143,12 @@
system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
}
+void testGets() {
+ char str[50];
+ gets(str);
+ system(str); // expected-warning {{Untrusted data is passed to a system call}}
+}
+
void testTaintedBufferSize() {
size_t ts;
scanf("%zd", &ts);
Index: lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
===================================================================
--- lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -458,7 +458,7 @@
ProgramStateRef State = C.getState();
// Check for taint in arguments.
- bool IsTainted = false;
+ bool IsTainted = true;
for (unsigned ArgNum : SrcArgs) {
if (ArgNum >= CE->getNumArgs())
return State;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D58828.188902.patch
Type: text/x-patch
Size: 1265 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20190301/8cd01f49/attachment.bin>
More information about the cfe-commits
mailing list