xref: /aosp_15_r20/external/clang/test/Analysis/taint-generic.c (revision 67e74705e28f6214e480b399dd47ea732279e315) 
1*67e74705SXin Li // RUN: %clang_cc1  -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
2*67e74705SXin Li 
3*67e74705SXin Li int scanf(const char *restrict format, ...);
4*67e74705SXin Li int getchar(void);
5*67e74705SXin Li 
6*67e74705SXin Li typedef struct _FILE FILE;
7*67e74705SXin Li extern FILE *stdin;
8*67e74705SXin Li int fscanf(FILE *restrict stream, const char *restrict format, ...);
9*67e74705SXin Li int sprintf(char *str, const char *format, ...);
10*67e74705SXin Li void setproctitle(const char *fmt, ...);
11*67e74705SXin Li typedef __typeof(sizeof(int)) size_t;
12*67e74705SXin Li 
13*67e74705SXin Li // Define string functions. Use builtin for some of them. They all default to
14*67e74705SXin Li // the processing in the taint checker.
15*67e74705SXin Li #define strcpy(dest, src) \
16*67e74705SXin Li   ((__builtin_object_size(dest, 0) != -1ULL) \
17*67e74705SXin Li    ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
18*67e74705SXin Li    : __inline_strcpy_chk(dest, src))
19*67e74705SXin Li 
__inline_strcpy_chk(char * dest,const char * src)20*67e74705SXin Li static char *__inline_strcpy_chk (char *dest, const char *src) {
21*67e74705SXin Li   return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
22*67e74705SXin Li }
23*67e74705SXin Li char *stpcpy(char *restrict s1, const char *restrict s2);
24*67e74705SXin Li char *strncpy( char * destination, const char * source, size_t num );
25*67e74705SXin Li char *strndup(const char *s, size_t n);
26*67e74705SXin Li char *strncat(char *restrict s1, const char *restrict s2, size_t n);
27*67e74705SXin Li 
28*67e74705SXin Li void *malloc(size_t);
29*67e74705SXin Li void *calloc(size_t nmemb, size_t size);
30*67e74705SXin Li void bcopy(void *s1, void *s2, size_t n);
31*67e74705SXin Li 
32*67e74705SXin Li #define BUFSIZE 10
33*67e74705SXin Li 
34*67e74705SXin Li int Buffer[BUFSIZE];
bufferScanfDirect(void)35*67e74705SXin Li void bufferScanfDirect(void)
36*67e74705SXin Li {
37*67e74705SXin Li   int n;
38*67e74705SXin Li   scanf("%d", &n);
39*67e74705SXin Li   Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
40*67e74705SXin Li }
41*67e74705SXin Li 
bufferScanfArithmetic1(int x)42*67e74705SXin Li void bufferScanfArithmetic1(int x) {
43*67e74705SXin Li   int n;
44*67e74705SXin Li   scanf("%d", &n);
45*67e74705SXin Li   int m = (n - 3);
46*67e74705SXin Li   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
47*67e74705SXin Li }
48*67e74705SXin Li 
bufferScanfArithmetic2(int x)49*67e74705SXin Li void bufferScanfArithmetic2(int x) {
50*67e74705SXin Li   int n;
51*67e74705SXin Li   scanf("%d", &n);
52*67e74705SXin Li   int m = 100 - (n + 3) * x;
53*67e74705SXin Li   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
54*67e74705SXin Li }
55*67e74705SXin Li 
bufferScanfAssignment(int x)56*67e74705SXin Li void bufferScanfAssignment(int x) {
57*67e74705SXin Li   int n;
58*67e74705SXin Li   scanf("%d", &n);
59*67e74705SXin Li   int m;
60*67e74705SXin Li   if (x > 0) {
61*67e74705SXin Li     m = n;
62*67e74705SXin Li     Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
63*67e74705SXin Li   }
64*67e74705SXin Li }
65*67e74705SXin Li 
scanfArg()66*67e74705SXin Li void scanfArg() {
67*67e74705SXin Li   int t = 0;
68*67e74705SXin Li   scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
69*67e74705SXin Li }
70*67e74705SXin Li 
bufferGetchar(int x)71*67e74705SXin Li void bufferGetchar(int x) {
72*67e74705SXin Li   int m = getchar();
73*67e74705SXin Li   Buffer[m] = 1;  //expected-warning {{Out of bound memory access (index is tainted)}}
74*67e74705SXin Li }
75*67e74705SXin Li 
testUncontrolledFormatString(char ** p)76*67e74705SXin Li void testUncontrolledFormatString(char **p) {
77*67e74705SXin Li   char s[80];
78*67e74705SXin Li   fscanf(stdin, "%s", s);
79*67e74705SXin Li   char buf[128];
80*67e74705SXin Li   sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
81*67e74705SXin Li   setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
82*67e74705SXin Li 
83*67e74705SXin Li   // Test taint propagation through strcpy and family.
84*67e74705SXin Li   char scpy[80];
85*67e74705SXin Li   strcpy(scpy, s);
86*67e74705SXin Li   sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
87*67e74705SXin Li 
88*67e74705SXin Li   stpcpy(*(++p), s); // this generates __inline.
89*67e74705SXin Li   setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
90*67e74705SXin Li 
91*67e74705SXin Li   char spcpy[80];
92*67e74705SXin Li   stpcpy(spcpy, s);
93*67e74705SXin Li   setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
94*67e74705SXin Li 
95*67e74705SXin Li   char *spcpyret;
96*67e74705SXin Li   spcpyret = stpcpy(spcpy, s);
97*67e74705SXin Li   setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
98*67e74705SXin Li 
99*67e74705SXin Li   char sncpy[80];
100*67e74705SXin Li   strncpy(sncpy, s, 20);
101*67e74705SXin Li   setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
102*67e74705SXin Li 
103*67e74705SXin Li   char *dup;
104*67e74705SXin Li   dup = strndup(s, 20);
105*67e74705SXin Li   setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
106*67e74705SXin Li 
107*67e74705SXin Li }
108*67e74705SXin Li 
109*67e74705SXin Li int system(const char *command);
testTaintSystemCall()110*67e74705SXin Li void testTaintSystemCall() {
111*67e74705SXin Li   char buffer[156];
112*67e74705SXin Li   char addr[128];
113*67e74705SXin Li   scanf("%s", addr);
114*67e74705SXin Li   system(addr); // expected-warning {{Untrusted data is passed to a system call}}
115*67e74705SXin Li 
116*67e74705SXin Li   // Test that spintf transfers taint.
117*67e74705SXin Li   sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
118*67e74705SXin Li   system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
119*67e74705SXin Li }
120*67e74705SXin Li 
testTaintSystemCall2()121*67e74705SXin Li void testTaintSystemCall2() {
122*67e74705SXin Li   // Test that snpintf transfers taint.
123*67e74705SXin Li   char buffern[156];
124*67e74705SXin Li   char addr[128];
125*67e74705SXin Li   scanf("%s", addr);
126*67e74705SXin Li   __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
127*67e74705SXin Li   system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
128*67e74705SXin Li }
129*67e74705SXin Li 
testTaintSystemCall3()130*67e74705SXin Li void testTaintSystemCall3() {
131*67e74705SXin Li   char buffern2[156];
132*67e74705SXin Li   int numt;
133*67e74705SXin Li   char addr[128];
134*67e74705SXin Li   scanf("%s %d", addr, &numt);
135*67e74705SXin Li   __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
136*67e74705SXin Li   system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
137*67e74705SXin Li }
138*67e74705SXin Li 
testTaintedBufferSize()139*67e74705SXin Li void testTaintedBufferSize() {
140*67e74705SXin Li   size_t ts;
141*67e74705SXin Li   scanf("%zd", &ts);
142*67e74705SXin Li 
143*67e74705SXin Li   int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
144*67e74705SXin Li   char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
145*67e74705SXin Li   bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
146*67e74705SXin Li   __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
147*67e74705SXin Li 
148*67e74705SXin Li   // If both buffers are trusted, do not issue a warning.
149*67e74705SXin Li   char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
150*67e74705SXin Li   strncat(dst2, dst, ts); // no-warning
151*67e74705SXin Li }
152*67e74705SXin Li 
153*67e74705SXin Li #define AF_UNIX   1   /* local to host (pipes) */
154*67e74705SXin Li #define AF_INET   2   /* internetwork: UDP, TCP, etc. */
155*67e74705SXin Li #define AF_LOCAL  AF_UNIX   /* backward compatibility */
156*67e74705SXin Li #define SOCK_STREAM 1
157*67e74705SXin Li int socket(int, int, int);
158*67e74705SXin Li size_t read(int, void *, size_t);
159*67e74705SXin Li int  execl(const char *, const char *, ...);
160*67e74705SXin Li 
testSocket()161*67e74705SXin Li void testSocket() {
162*67e74705SXin Li   int sock;
163*67e74705SXin Li   char buffer[100];
164*67e74705SXin Li 
165*67e74705SXin Li   sock = socket(AF_INET, SOCK_STREAM, 0);
166*67e74705SXin Li   read(sock, buffer, 100);
167*67e74705SXin Li   execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
168*67e74705SXin Li 
169*67e74705SXin Li   sock = socket(AF_LOCAL, SOCK_STREAM, 0);
170*67e74705SXin Li   read(sock, buffer, 100);
171*67e74705SXin Li   execl(buffer, "filename", 0); // no-warning
172*67e74705SXin Li }
173*67e74705SXin Li 
testDivByZero()174*67e74705SXin Li int testDivByZero() {
175*67e74705SXin Li   int x;
176*67e74705SXin Li   scanf("%d", &x);
177*67e74705SXin Li   return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
178*67e74705SXin Li }
179*67e74705SXin Li 
180*67e74705SXin Li // Zero-sized VLAs.
testTaintedVLASize()181*67e74705SXin Li void testTaintedVLASize() {
182*67e74705SXin Li   int x;
183*67e74705SXin Li   scanf("%d", &x);
184*67e74705SXin Li   int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
185*67e74705SXin Li }
186*67e74705SXin Li 
187*67e74705SXin Li // This computation used to take a very long time.
188*67e74705SXin Li #define longcmp(a,b,c) { \
189*67e74705SXin Li   a -= c;  a ^= c;  c += b; b -= a;  b ^= (a<<6) | (a >> (32-b));  a += c; c -= b;  c ^= b;  b += a; \
190*67e74705SXin Li   a -= c;  a ^= c;  c += b; b -= a;  b ^= a;  a += c; c -= b;  c ^= b;  b += a; }
191*67e74705SXin Li 
radar11369570_hanging(const unsigned char * arr,int l)192*67e74705SXin Li unsigned radar11369570_hanging(const unsigned char *arr, int l) {
193*67e74705SXin Li   unsigned a, b, c;
194*67e74705SXin Li   a = b = c = 0x9899e3 + l;
195*67e74705SXin Li   while (l >= 6) {
196*67e74705SXin Li     unsigned t;
197*67e74705SXin Li     scanf("%d", &t);
198*67e74705SXin Li     a += b;
199*67e74705SXin Li     a ^= a;
200*67e74705SXin Li     a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
201*67e74705SXin Li     longcmp(a, t, c);
202*67e74705SXin Li     l -= 12;
203*67e74705SXin Li   }
204*67e74705SXin Li   return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
205*67e74705SXin Li }
206*67e74705SXin Li 
207*67e74705SXin Li // Check that we do not assert of the following code.
SymSymExprWithDiffTypes(void * p)208*67e74705SXin Li int SymSymExprWithDiffTypes(void* p) {
209*67e74705SXin Li   int i;
210*67e74705SXin Li   scanf("%d", &i);
211*67e74705SXin Li   int j = (i % (int)(long)p);
212*67e74705SXin Li   return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
213*67e74705SXin Li }
214*67e74705SXin Li 
215*67e74705SXin Li 
constraintManagerShouldTreatAsOpaque(int rhs)216*67e74705SXin Li void constraintManagerShouldTreatAsOpaque(int rhs) {
217*67e74705SXin Li   int i;
218*67e74705SXin Li   scanf("%d", &i);
219*67e74705SXin Li   // This comparison used to hit an assertion in the constraint manager,
220*67e74705SXin Li   // which didn't handle NonLoc sym-sym comparisons.
221*67e74705SXin Li   if (i < rhs)
222*67e74705SXin Li     return;
223*67e74705SXin Li   if (i < rhs)
224*67e74705SXin Li     *(volatile int *) 0; // no-warning
225*67e74705SXin Li }
226