r355396 - [analyzer] Fix taint propagation in GenericTaintChecker

Kristof Umann via cfe-commits cfe-commits at lists.llvm.org
Tue Mar 5 04:42:59 PST 2019


Author: szelethus
Date: Tue Mar  5 04:42:59 2019
New Revision: 355396

URL: http://llvm.org/viewvc/llvm-project?rev=355396&view=rev
Log:
[analyzer] Fix taint propagation in GenericTaintChecker

The gets function has no SrcArgs. Because the default value for isTainted was
false, it didn't mark its DstArgs as tainted.

Patch by Gábor Borsik!

Differential Revision: https://reviews.llvm.org/D58828

Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
    cfe/trunk/test/Analysis/taint-generic.c

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=355396&r1=355395&r2=355396&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Tue Mar  5 04:42:59 2019
@@ -458,7 +458,7 @@ GenericTaintChecker::TaintPropagationRul
   ProgramStateRef State = C.getState();
 
   // Check for taint in arguments.
-  bool IsTainted = false;
+  bool IsTainted = true;
   for (unsigned ArgNum : SrcArgs) {
     if (ArgNum >= CE->getNumArgs())
       return State;

Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=355396&r1=355395&r2=355396&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Tue Mar  5 04:42:59 2019
@@ -2,6 +2,7 @@
 // RUN: %clang_analyze_cc1  -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
 
 int scanf(const char *restrict format, ...);
+char *gets(char *str);
 int getchar(void);
 
 typedef struct _FILE FILE;
@@ -142,6 +143,12 @@ void testTaintSystemCall3() {
   system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
 }
 
+void testGets() {
+  char str[50];
+  gets(str);
+  system(str); // expected-warning {{Untrusted data is passed to a system call}}
+}
+
 void testTaintedBufferSize() {
   size_t ts;
   scanf("%zd", &ts);




More information about the cfe-commits mailing list