[clang] 4fd6c6e - [analyzer] Add more propagations to Taint analysis

Endre Fülöp via cfe-commits cfe-commits at lists.llvm.org
Mon Mar 7 04:19:01 PST 2022


Author: Endre Fülöp
Date: 2022-03-07T13:18:54+01:00
New Revision: 4fd6c6e65ab59f82284d8272aa3bec8d5084511e

URL: https://github.com/llvm/llvm-project/commit/4fd6c6e65ab59f82284d8272aa3bec8d5084511e
DIFF: https://github.com/llvm/llvm-project/commit/4fd6c6e65ab59f82284d8272aa3bec8d5084511e.diff

LOG: [analyzer] Add more propagations to Taint analysis

Add more functions as taint propators to GenericTaintChecker.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D120369

Added: 
    

Modified: 
    clang/docs/analyzer/checkers.rst
    clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
    clang/test/Analysis/taint-generic.c

Removed: 
    


################################################################################
diff  --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index bc42b80d166c7..6e42544c05808 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -2358,7 +2358,7 @@ Default sources defined by ``GenericTaintChecker``:
  ``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``, ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``, ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``, ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``, ``scanf``, ``scanf_s``, ``socket``, ``wgetch``
 
 Default propagations defined by ``GenericTaintChecker``:
-``atoi``, ``atol``, ``atoll``, ``fgetc``, ``fgetln``, ``fgets``, ``fscanf``, ``sscanf``, ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``pread``, ``read``, ``strchr``, ``strrchr``, ``tolower``, ``toupper``
+``atoi``, ``atol``, ``atoll``, ``basename``, ``dirname``, ``fgetc``, ``fgetln``, ``fgets``, ``fnmatch``, ``fread``, ``fscanf``, ``fscanf_s``, ``index``, ``inflate``, ``isalnum``, ``isalpha``, ``isascii``, ``isblank``, ``iscntrl``, ``isdigit``, ``isgraph``, ``islower``, ``isprint``, ``ispunct``, ``isspace``, ``isupper``, ``isxdigit``, ``memchr``, ``memrchr``, ``sscanf``, ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``memcmp``, ``memcpy``, ``memmem``, ``memmove``, ``mbtowc``, ``pread``, ``qsort``, ``qsort_r``, ``rawmemchr``, ``read``, ``recv``, ``recvfrom``, ``rindex``, ``strcasestr``, ``strchr``, ``strchrnul``, ``strcasecmp``, ``strcmp``, ``strcspn``, ``strlen``, ``strncasecmp``, ``strncmp``, ``strndup``, ``strndupa``, ``strnlen``, ``strpbrk``, ``strrchr``, ``strsep``, ``strspn``, ``strstr``, ``strtol``, ``strtoll``, ``strtoul``, ``strtoull``, ``tolower``, ``toupper``, ``ttyname``, ``ttyname_r``, ``wctomb``, ``wcwidth``
 
 Default sinks defined in ``GenericTaintChecker``:
 ``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``, ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``, ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``, ``alloca``, ``memccpy``, ``realloc``, ``bcopy``

diff  --git a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
index 1100f215cb5d9..518a4eb4d7759 100644
--- a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -580,7 +580,9 @@ void GenericTaintChecker::initTaintRules(CheckerContext &C) const {
       {{"fgetln"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
       {{"fgets"}, TR::Prop({{2}}, {{0, ReturnValueIndex}})},
       {{"fscanf"}, TR::Prop({{0}}, {{}, 2})},
+      {{"fscanf_s"}, TR::Prop({{0}}, {{}, {2}})},
       {{"sscanf"}, TR::Prop({{0}}, {{}, 2})},
+
       {{"getc"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
       {{"getc_unlocked"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
       {{"getdelim"}, TR::Prop({{3}}, {{0}})},
@@ -592,6 +594,78 @@ void GenericTaintChecker::initTaintRules(CheckerContext &C) const {
       {{"strrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
       {{"tolower"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
       {{"toupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"fread"}, TR::Prop({{3}}, {{0, ReturnValueIndex}})},
+      {{"recv"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+      {{"recvfrom"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+
+      {{"ttyname"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"ttyname_r"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+
+      {{"basename"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"dirname"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"fnmatch"}, TR::Prop({{1}}, {{ReturnValueIndex}})},
+      {{"memchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"memrchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"rawmemchr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
+      {{"mbtowc"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
+      {{"wctomb"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
+      {{"wcwidth"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
+      {{"memcmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
+      {{"memcpy"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
+      {{"memmove"}, TR::Prop({{1}}, {{0, ReturnValueIndex}})},
+      // If memmem was called with a tainted needle and the search was
+      // successful, that would mean that the value pointed by the return value
+      // has the same content as the needle. If we choose to go by the policy of
+      // content equivalence implies taintedness equivalence, that would mean
+      // haystack should be considered a propagation source argument.
+      {{"memmem"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
+      // The comment for memmem above also applies to strstr.
+      {{"strstr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"strcasestr"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
+      {{"strchrnul"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
+      {{"index"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"rindex"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
+      // FIXME: In case of arrays, only the first element of the array gets
+      // tainted.
+      {{"qsort"}, TR::Prop({{0}}, {{0}})},
+      {{"qsort_r"}, TR::Prop({{0}}, {{0}})},
+
+      {{"strcmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
+      {{"strcasecmp"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
+      {{"strncmp"}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
+      {{"strncasecmp"}, TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})},
+      {{"strspn"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
+      {{"strcspn"}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})},
+      {{"strpbrk"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"strndup"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"strndupa"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"strlen"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"strnlen"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"strtol"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+      {{"strtoll"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+      {{"strtoul"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+      {{"strtoull"}, TR::Prop({{0}}, {{1, ReturnValueIndex}})},
+
+      {{"isalnum"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isalpha"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isascii"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isblank"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"iscntrl"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isdigit"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isgraph"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"islower"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isprint"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"ispunct"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isspace"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isupper"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+      {{"isxdigit"}, TR::Prop({{0}}, {{ReturnValueIndex}})},
+
       {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrncat)}},
        TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})},
       {{CDF_MaybeBuiltin, {BI.getName(Builtin::BIstrlcpy)}},
@@ -927,7 +1001,6 @@ void GenericTaintChecker::taintUnsafeSocketProtocol(const CallEvent &Call,
 }
 
 /// Checker registration
-
 void ento::registerGenericTaintChecker(CheckerManager &Mgr) {
   Mgr.registerChecker<GenericTaintChecker>();
 }

diff  --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index df74fedf886c3..0fdd05493172e 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -1,20 +1,26 @@
-// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast -verify %s \
+// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
+// RUN:   -Wno-incompatible-library-redeclaration -verify %s \
 // RUN:   -analyzer-checker=alpha.security.taint \
 // RUN:   -analyzer-checker=core \
 // RUN:   -analyzer-checker=alpha.security.ArrayBoundV2 \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config \
 // RUN:     alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
 
-// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast -verify %s \
+// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
+// RUN:   -Wno-incompatible-library-redeclaration -verify %s \
 // RUN:   -DFILE_IS_STRUCT \
 // RUN:   -analyzer-checker=alpha.security.taint \
 // RUN:   -analyzer-checker=core \
 // RUN:   -analyzer-checker=alpha.security.ArrayBoundV2 \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config \
 // RUN:     alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
 
-// RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast -verify %s \
+// RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \
+// RUN:   -Wno-incompatible-library-redeclaration -verify %s \
 // RUN:   -analyzer-checker=alpha.security.taint \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config \
 // RUN:     alpha.security.taint.TaintPropagation:Config=justguessit \
 // RUN:   2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
@@ -24,8 +30,10 @@
 // CHECK-INVALID-FILE-SAME:        that expects a valid filename instead of
 // CHECK-INVALID-FILE-SAME:        'justguessit'
 
-// RUN: not %clang_analyze_cc1 -verify %s \
+// RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
+// RUN:   -verify %s \
 // RUN:   -analyzer-checker=alpha.security.taint \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config \
 // RUN:     alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
 // RUN:   2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED
@@ -34,8 +42,10 @@
 // CHECK-ILL-FORMED-SAME:        'alpha.security.taint.TaintPropagation:Config',
 // CHECK-ILL-FORMED-SAME:        that expects a valid yaml file: [[MSG]]
 
-// RUN: not %clang_analyze_cc1 -verify %s \
+// RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
+// RUN:   -verify %s \
 // RUN:   -analyzer-checker=alpha.security.taint \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config \
 // RUN:     alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
 // RUN:   2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
@@ -46,6 +56,9 @@
 // CHECK-INVALID-ARG-SAME:        rules greater or equal to -1
 
 typedef long long rsize_t;
+void clang_analyzer_isTainted_char(char);
+void clang_analyzer_isTainted_charp(char*);
+void clang_analyzer_isTainted_int(int);
 
 int scanf(const char *restrict format, ...);
 char *gets(char *str);
@@ -60,13 +73,18 @@ extern FILE *stdin;
 #endif
 
 #define bool _Bool
+#define NULL (void*)0
 
 char *getenv(const char *name);
+
+FILE *fopen(const char *name, const char *mode);
+
 int fscanf(FILE *restrict stream, const char *restrict format, ...);
 int sprintf(char *str, const char *format, ...);
 void setproctitle(const char *fmt, ...);
 void setproctitle_init(int argc, char *argv[], char *envp[]);
 typedef __typeof(sizeof(int)) size_t;
+typedef signed long long ssize_t;
 
 // Define string functions. Use builtin for some of them. They all default to
 // the processing in the taint checker.
@@ -388,7 +406,6 @@ int testGetwd(char *buf) {
   return system(c); // expected-warning {{Untrusted data is passed to a system call}}
 }
 
-typedef signed long long ssize_t;
 ssize_t readlink(const char *path, char *buf, size_t bufsiz);
 int testReadlink(char *path, char *buf, size_t bufsiz) {
   ssize_t s = readlink(path, buf, bufsiz);
@@ -463,6 +480,510 @@ int testGetlogin_r(char *buf, size_t bufsize) {
   return system(buf); // expected-warning {{Untrusted data is passed to a system call}}
 }
 
+int fscanf_s(FILE *stream, const char *format, ...);
+void testFscanf_s(const char *fname, int *d) {
+  FILE *f = fopen(fname, "r");
+  fscanf_s(f, "%d", d);
+  clang_analyzer_isTainted_int(*d); // expected-warning {{YES}}
+}
+
+int fread(void *buffer, size_t size, size_t count, FILE *stream);
+void testFread(const char *fname, int *buffer, size_t size, size_t count) {
+  FILE *f = fopen(fname, "r");
+  size_t read = fread(buffer, size, count, f);
+
+  clang_analyzer_isTainted_int(*buffer); // expected-warning {{YES}}
+  clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
+}
+
+ssize_t recv(int sockfd, void *buf, size_t len, int flags);
+void testRecv(int *buf, size_t len, int flags) {
+  int fd;
+  scanf("%d", &fd); // fake a tainted a file descriptor
+
+  size_t read = recv(fd, buf, len, flags);
+  clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
+  clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
+}
+
+typedef size_t socklen_t;
+
+struct sockaddr {
+  unsigned short sa_family;
+  char sa_data[14];
+};
+
+ssize_t recvfrom(int sockfd, void *restrict buf, size_t len, int flags,
+                 struct sockaddr *restrict src_addr,
+                 socklen_t *restrict addrlen);
+void testRecvfrom(int *restrict buf, size_t len, int flags,
+                 struct sockaddr *restrict src_addr,
+                 socklen_t *restrict addrlen) {
+  int fd;
+  scanf("%d", &fd); // fake a tainted a file descriptor
+
+  size_t read = recvfrom(fd, buf, len, flags, src_addr, addrlen);
+  clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
+  clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
+}
+
+char *ttyname(int fd);
+void testTtyname() {
+  int fd;
+  scanf("%d", &fd); // fake a tainted a file descriptor
+
+  char *name = ttyname(fd);
+  clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
+}
+
+int ttyname_r(int fd, char *buf, size_t buflen);
+void testTtyname_r(char *buf, size_t buflen) {
+  int fd;
+  scanf("%d", &fd); // fake a tainted a file descriptor
+
+  int result = ttyname_r(fd, buf, buflen);
+  clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+char *dirname(char *path);
+void testDirname() {
+  char buf[10];
+  scanf("%9s", buf);
+
+  char *name = dirname(buf);
+  clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
+}
+
+char *basename(char *path);
+void testBasename() {
+  char buf[10];
+  scanf("%9s", buf);
+
+  char *name = basename(buf);
+  clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
+}
+
+int fnmatch(const char *pattern, const char *string, int flags);
+void testFnmatch(const char *pattern, int flags) {
+  char string[10];
+  scanf("%9s", string);
+
+  int result = fnmatch(pattern, string, flags);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+void *memchr(const void *s, int c, size_t n);
+void testMemchr(int c, size_t n) {
+  char buf[10];
+  scanf("%9s", buf);
+
+  char *result = memchr(buf, c, n);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+void *memrchr(const void *s, int c, size_t n);
+void testMemrchr(int c, size_t n) {
+  char buf[10];
+  scanf("%9s", buf);
+
+  char *result = memrchr(buf, c, n);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+void *rawmemchr(const void *s, int c);
+void testRawmemchr(int c) {
+  char buf[10];
+  scanf("%9s", buf);
+
+  char *result = rawmemchr(buf, c);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+typedef char wchar_t;
+int mbtowc(wchar_t *pwc, const char *s, size_t n);
+void testMbtowc(wchar_t *pwc, size_t n) {
+  char buf[10];
+  scanf("%9s", buf);
+
+  int result = mbtowc(pwc, buf, n);
+  clang_analyzer_isTainted_char(*pwc); // expected-warning {{YES}}
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+int wctomb(char *s, wchar_t wc);
+void testWctomb(char *buf) {
+  wchar_t wc;
+  scanf("%c", &wc);
+
+  int result = wctomb(buf, wc);
+  clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+int wcwidth(wchar_t c);
+void testWcwidth() {
+  wchar_t wc;
+  scanf("%c", &wc);
+
+  int width = wcwidth(wc);
+  clang_analyzer_isTainted_int(width); // expected-warning {{YES}}
+}
+
+int memcmp(const void *s1, const void *s2, size_t n);
+void testMemcmpWithLHSTainted(size_t n, char *rhs) {
+  char lhs[10];
+  scanf("%9s", lhs);
+
+  int cmp_result = memcmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testMemcmpWithRHSTainted(size_t n, char *lhs) {
+  char rhs[10];
+  scanf("%9s", rhs);
+
+  int cmp_result = memcmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void *memcpy(void *restrict dest, const void *restrict src, size_t n);
+void testMemcpy(char *dst, size_t n) {
+  char src[10];
+  scanf("%9s", src);
+
+  char *result = memcpy(dst, src, n);
+
+  clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+void *memmove(void *dest, const void *src, size_t n);
+void testMemmove(char *dst, size_t n) {
+  char src[10];
+  scanf("%9s", src);
+
+  char *result = memmove(dst, src, n);
+
+  clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen);
+void testMemmem(const void *needle, size_t needlelen) {
+  char haystack[10];
+  scanf("%9s", haystack);
+
+  char *result = memmem(haystack, 9, needle, needlelen);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *strstr(const char *haystack, const char *needle);
+void testStrstr(const char *needle) {
+  char haystack[10];
+  scanf("%9s", haystack);
+
+  char *result = strstr(haystack, needle);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *strcasestr(const char *haystack, const char *needle);
+void testStrcasestr(const char *needle) {
+  char haystack[10];
+  scanf("%9s", haystack);
+
+  char *result = strcasestr(haystack, needle);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *strchrnul(const char *s, int c);
+void testStrchrnul() {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = strchrnul(s, 9);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *index(const char *s, int c);
+void testIndex() {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = index(s, 9);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *rindex(const char *s, int c);
+void testRindex() {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = rindex(s, 9);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+int strcmp(const char *s1, const char *s2);
+void testStrcmpWithLHSTainted(char *rhs) {
+  char lhs[10];
+  scanf("%9s", lhs);
+
+  int cmp_result = strcmp(lhs, rhs);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testStrcmpWithRHSTainted(char *lhs) {
+  char rhs[10];
+  scanf("%9s", rhs);
+
+  int cmp_result = strcmp(lhs, rhs);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+int strcasecmp(const char *s1, const char *s2);
+void testStrcasecmpWithLHSTainted(char *rhs) {
+  char lhs[10];
+  scanf("%9s", lhs);
+
+  int cmp_result = strcasecmp(lhs, rhs);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testStrcasecmpWithRHSTainted(char *lhs) {
+  char rhs[10];
+  scanf("%9s", rhs);
+
+  int cmp_result = strcasecmp(lhs, rhs);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+int strncmp(const char *s1, const char *s2, size_t n);
+void testStrncmpWithLHSTainted(char *rhs, size_t n) {
+  char lhs[10];
+  scanf("%9s", lhs);
+
+  int cmp_result = strncmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testStrncmpWithRHSTainted(char *lhs, size_t n) {
+  char rhs[10];
+  scanf("%9s", rhs);
+
+  int cmp_result = strncmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testStrncmpWithNTainted(char *lhs, char *rhs) {
+  int n;
+  scanf("%d", &n);
+
+  int cmp_result = strncmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+int strncasecmp(const char *s1, const char *s2, size_t n);
+void testStrncasecmpWithLHSTainted(char *rhs, size_t n) {
+  char lhs[10];
+  scanf("%9s", lhs);
+
+  int cmp_result = strncmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testStrncasecmpWithRHSTainted(char *lhs, size_t n) {
+  char rhs[10];
+  scanf("%9s", rhs);
+
+  int cmp_result = strncmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+void testStrncasecmpWithNTainted(char *lhs, char *rhs) {
+  int n;
+  scanf("%d", &n);
+
+  int cmp_result = strncmp(lhs, rhs, n);
+  clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
+}
+
+size_t strspn(const char *s, const char *accept);
+void testStrspnFirstArgTainted(const char *accept) {
+  char s[10];
+  scanf("%9s", s);
+
+  size_t result = strspn(s, accept);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+void testStrspnSecondArgTainted(const char *s) {
+  char accept[10];
+  scanf("%9s", accept);
+
+  size_t result = strspn(s, accept);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+size_t strcspn(const char *s, const char *reject);
+void testStrcspnFirstArgTainted(const char *reject) {
+  char s[10];
+  scanf("%9s", s);
+
+  size_t result = strcspn(s, reject);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+void testStrcspnSecondArgTainted(const char *s) {
+  char reject[10];
+  scanf("%9s", reject);
+
+  size_t result = strcspn(s, reject);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+char *strpbrk(const char *s, const char *accept);
+void testStrpbrk(const char *accept) {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = strpbrk(s, accept);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *strndup(const char *s, size_t n);
+void testStrndup(size_t n) {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = strndup(s, n);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *strdupa(const char *s);
+void testStrdupa() {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = strdupa(s);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+char *strndupa(const char *s, size_t n);
+void testStrndupa(size_t n) {
+  char s[10];
+  scanf("%9s", s);
+
+  char *result = strndupa(s, n);
+  clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
+}
+
+size_t strlen(const char *s);
+void testStrlen() {
+  char s[10];
+  scanf("%9s", s);
+
+  size_t result = strlen(s);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+size_t strnlen(const char *s, size_t maxlen);
+void testStrnlen(size_t maxlen) {
+  char s[10];
+  scanf("%9s", s);
+
+  size_t result = strnlen(s, maxlen);
+  clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
+}
+
+long strtol(const char *restrict nptr, char **restrict endptr, int base);
+long long strtoll(const char *restrict nptr, char **restrict endptr, int base);
+unsigned long int strtoul(const char *nptr, char **endptr, int base);
+unsigned long long int strtoull(const char *nptr, char **endptr, int base);
+void testStrtolVariants(char **restrict endptr, int base) {
+  char s[10];
+  scanf("%9s", s);
+
+  long result_l = strtol(s, endptr, base);
+  clang_analyzer_isTainted_int(result_l); // expected-warning {{YES}}
+
+  long long result_ll = strtoll(s, endptr, base);
+  clang_analyzer_isTainted_int(result_ll); // expected-warning {{YES}}
+
+  unsigned long result_ul = strtoul(s, endptr, base);
+  clang_analyzer_isTainted_int(result_ul); // expected-warning {{YES}}
+
+  unsigned long long result_ull = strtoull(s, endptr, base);
+  clang_analyzer_isTainted_int(result_ull); // expected-warning {{YES}}
+}
+
+int isalnum(int c);
+int isalpha(int c);
+int isascii(int c);
+int isblank(int c);
+int iscntrl(int c);
+int isdigit(int c);
+int isgraph(int c);
+int islower(int c);
+int isprint(int c);
+int ispunct(int c);
+int isspace(int c);
+int isupper(int c);
+int isxdigit(int c);
+
+void testIsFunctions() {
+  char c;
+  scanf("%c", &c);
+
+  int alnum = isalnum(c);
+  clang_analyzer_isTainted_int(alnum); // expected-warning {{YES}}
+
+  int alpha = isalpha(c);
+  clang_analyzer_isTainted_int(alpha); // expected-warning {{YES}}
+
+  int ascii = isascii(c);
+  clang_analyzer_isTainted_int(ascii); // expected-warning {{YES}}
+
+  int blank = isblank(c);
+  clang_analyzer_isTainted_int(blank); // expected-warning {{YES}}
+
+  int cntrl = iscntrl(c);
+  clang_analyzer_isTainted_int(cntrl); // expected-warning {{YES}}
+
+  int digit = isdigit(c);
+  clang_analyzer_isTainted_int(digit); // expected-warning {{YES}}
+
+  int graph = isgraph(c);
+  clang_analyzer_isTainted_int(graph); // expected-warning {{YES}}
+
+  int lower = islower(c);
+  clang_analyzer_isTainted_int(lower); // expected-warning {{YES}}
+
+  int print = isprint(c);
+  clang_analyzer_isTainted_int(print); // expected-warning {{YES}}
+
+  int punct = ispunct(c);
+  clang_analyzer_isTainted_int(punct); // expected-warning {{YES}}
+
+  int space = isspace(c);
+  clang_analyzer_isTainted_int(space); // expected-warning {{YES}}
+
+  int upper = isupper(c);
+  clang_analyzer_isTainted_int(upper); // expected-warning {{YES}}
+
+  int xdigit = isxdigit(c);
+  clang_analyzer_isTainted_int(xdigit); // expected-warning {{YES}}
+}
+
+void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));
+void qsort_r(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *, void *), void *arg);
+void testQsort() {
+  int data[1];
+  scanf("%d", data);
+
+  qsort(data, sizeof(data), sizeof(data[0]), NULL);
+  clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
+  qsort_r(data, sizeof(data), sizeof(data[0]), NULL, NULL);
+  clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
+}
+
 // Test configuration
 int mySource1(void);
 void mySource2(int*);


        


More information about the cfe-commits mailing list