[LLVMbugs] [Bug 16475] New: gets() not generating taint properly

bugzilla-daemon at llvm.org
Thu Jun 27 15:56:03 PDT 2013


http://llvm.org/bugs/show_bug.cgi?id=16475

            Bug ID: 16475
           Summary: gets() not generating taint properly
           Product: clang
           Version: 3.2
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: kmowery at gmail.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

Created attachment 10789
  --> http://llvm.org/bugs/attachment.cgi?id=10789&action=edit
Patch for this bug, plus a regression test case

The llvm-3.2 taint engine does not properly taint the results of a gets() call.

Since none of the function arguments are tainted, ProgramStateRef 
GenericTaintChecker::TaintPropagationRule::process() bails out early. gets() is
a special case, wherein stdin is implied.

The attached patch includes a fix for this issue and a regression test case.
This fix does slightly change the semantics of TaintPropagationRule, but I
think it maintains correctness.

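The early bail-out described in the report, as a simplified C++ model added here (not the attached patch and not clang's code). `Rule`, `Call`, `process`, `implicitSource` and the two sample rules are hypothetical names constructed for illustration, and the unconditional-taint branch is one assumed way to handle a call whose source is implied.

```cpp
#include <set>
#include <string>
#include <vector>

// Simplified model of a taint propagation rule (hypothetical, not clang's code).
constexpr int kReturnValue = -1;  // pseudo-index for the call's return value

struct Rule {
    std::vector<int> src;  // argument indices whose taint is propagated
    std::vector<int> dst;  // argument indices (or kReturnValue) tainted afterwards
};

using TaintSet = std::set<std::string>;  // names of tainted values
struct Call { std::string name; std::vector<std::string> args; };

// Returns the taint set after the call. With implicitSource == false this is
// the behaviour the report describes: no tainted argument means the rule
// returns early and nothing is marked.
TaintSet process(const Rule& r, const Call& c, TaintSet state, bool implicitSource) {
    const int n = static_cast<int>(c.args.size());
    bool tainted = false;
    for (int i : r.src)
        if (i >= 0 && i < n && state.count(c.args[i])) { tainted = true; break; }
    // Assumed handling: a rule with no source arguments reads from an implied
    // tainted source (stdin for gets), so it taints unconditionally.
    if (!tainted && implicitSource && r.src.empty())
        tainted = true;
    if (!tainted)
        return state;  // early bail-out
    for (int i : r.dst) {
        if (i == kReturnValue) state.insert(c.name + "()");
        else if (i >= 0 && i < n) state.insert(c.args[i]);
    }
    return state;
}

// Constructed rules: gets(buf) has no source argument and taints buf plus its
// return value; copy(dst, src) propagates taint from argument 1 to argument 0.
const Rule kGets{{}, {0, kReturnValue}};
const Rule kCopy{{1}, {0}};

// True when taint introduced by gets(buf) reaches cmd through copy(cmd, buf).
bool getsTaintsBuffer(bool implicitSource) {
    TaintSet s = process(kGets, Call{"gets", {"buf"}}, TaintSet{}, implicitSource);
    s = process(kCopy, Call{"copy", {"cmd", "buf"}}, s, implicitSource);
    return s.count("buf") && s.count("cmd");
}
```

With `implicitSource` off, the model loses the taint at the `gets` call and every later propagation rule sees clean data; ordinary rules with real source arguments behave the same in both modes.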