[clang] [clang][analyzer] Move PutenvStackArrayChecker out of alpha package. (PR #93980)

Balázs Kéri via cfe-commits cfe-commits at lists.llvm.org
Mon Jun 3 00:41:20 PDT 2024 

================
@@ -1179,6 +1179,41 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C)
    strncpy(buf, "a", 1); // warn
  }
 
+.. _security-putenv-stack-array:
+
+security.PutenvStackArray (C)
+"""""""""""""""""""""""""""""
+Finds calls to the ``putenv`` function which pass a pointer to a stack-allocated
+(automatic) array as the argument. Function ``putenv`` does not copy the passed
+string, only a pointer to the data is stored and this data can be read even by
+other threads. Content of a stack-allocated array is likely to be overwritten
+after returning from the parent function.
+
+The problem can be solved by using a static array variable or dynamically
+allocated memory. Even better is to avoid using ``putenv`` (it has other
+problems related to memory leaks) and use ``setenv`` instead.
+
+The check corresponds to CERT rule
+`POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument
+<https://wiki.sei.cmu.edu/confluence/display/c/POS34-C.+Do+not+call+putenv%28%29+with+a+pointer+to+an+automatic+variable+as+the+argument>`_.
+
+.. code-block:: c
+
+  int f() {
+    char env[] = "NAME=value";
+    return putenv(env); // putenv function should not be called with stack-allocated string
+  }
+
+There is one case where the checker can report a false positive. This is when
+the stack-allocated array is used at `putenv` in a function or code branch that
+does not return (calls `fork` or `exec` like function).
----------------
balazske wrote:

Then it looks better to remove this section about the false positive. At least for `execv` it should copy the environment that could be changed by `putenv`, and I did not found in the documentation that `fork` does not use it. One case still exists, when all paths after `putenv` do exit from the program (call `exit` or assert) (this happens really in the linked case). This is probably a checkable thing (with limitations), but maybe not worth it. 

https://github.com/llvm/llvm-project/pull/93980

More information about the cfe-commits mailing list