1 // RUN: %clang_cc1  -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
2 
3 int scanf(const char *restrict format, ...);
4 int getchar(void);
5 
6 typedef struct _FILE FILE;
7 extern FILE *stdin;
8 int fscanf(FILE *restrict stream, const char *restrict format, ...);
9 int sprintf(char *str, const char *format, ...);
10 void setproctitle(const char *fmt, ...);
11 typedef __typeof(sizeof(int)) size_t;
12 
13 // Define string functions. Use builtin for some of them. They all default to
14 // the processing in the taint checker.
15 #define strcpy(dest, src) \
16   ((__builtin_object_size(dest, 0) != -1ULL) \
17    ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
18    : __inline_strcpy_chk(dest, src))
19 
__inline_strcpy_chk(char * dest,const char * src)20 static char *__inline_strcpy_chk (char *dest, const char *src) {
21   return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
22 }
23 char *stpcpy(char *restrict s1, const char *restrict s2);
24 char *strncpy( char * destination, const char * source, size_t num );
25 char *strndup(const char *s, size_t n);
26 char *strncat(char *restrict s1, const char *restrict s2, size_t n);
27 
28 void *malloc(size_t);
29 void *calloc(size_t nmemb, size_t size);
30 void bcopy(void *s1, void *s2, size_t n);
31 
32 #define BUFSIZE 10
33 
34 int Buffer[BUFSIZE];
bufferScanfDirect(void)35 void bufferScanfDirect(void)
36 {
37   int n;
38   scanf("%d", &n);
39   Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
40 }
41 
bufferScanfArithmetic1(int x)42 void bufferScanfArithmetic1(int x) {
43   int n;
44   scanf("%d", &n);
45   int m = (n - 3);
46   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
47 }
48 
bufferScanfArithmetic2(int x)49 void bufferScanfArithmetic2(int x) {
50   int n;
51   scanf("%d", &n);
52   int m = 100 - (n + 3) * x;
53   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
54 }
55 
bufferScanfAssignment(int x)56 void bufferScanfAssignment(int x) {
57   int n;
58   scanf("%d", &n);
59   int m;
60   if (x > 0) {
61     m = n;
62     Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
63   }
64 }
65 
scanfArg()66 void scanfArg() {
67   int t = 0;
68   scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
69 }
70 
bufferGetchar(int x)71 void bufferGetchar(int x) {
72   int m = getchar();
73   Buffer[m] = 1;  //expected-warning {{Out of bound memory access (index is tainted)}}
74 }
75 
testUncontrolledFormatString(char ** p)76 void testUncontrolledFormatString(char **p) {
77   char s[80];
78   fscanf(stdin, "%s", s);
79   char buf[128];
80   sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
81   setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
82 
83   // Test taint propagation through strcpy and family.
84   char scpy[80];
85   strcpy(scpy, s);
86   sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
87 
88   stpcpy(*(++p), s); // this generates __inline.
89   setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
90 
91   char spcpy[80];
92   stpcpy(spcpy, s);
93   setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
94 
95   char *spcpyret;
96   spcpyret = stpcpy(spcpy, s);
97   setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
98 
99   char sncpy[80];
100   strncpy(sncpy, s, 20);
101   setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
102 
103   char *dup;
104   dup = strndup(s, 20);
105   setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
106 
107 }
108 
109 int system(const char *command);
testTaintSystemCall()110 void testTaintSystemCall() {
111   char buffer[156];
112   char addr[128];
113   scanf("%s", addr);
114   system(addr); // expected-warning {{Untrusted data is passed to a system call}}
115 
116   // Test that spintf transfers taint.
117   sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
118   system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
119 }
120 
testTaintSystemCall2()121 void testTaintSystemCall2() {
122   // Test that snpintf transfers taint.
123   char buffern[156];
124   char addr[128];
125   scanf("%s", addr);
126   __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
127   system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
128 }
129 
testTaintSystemCall3()130 void testTaintSystemCall3() {
131   char buffern2[156];
132   int numt;
133   char addr[128];
134   scanf("%s %d", addr, &numt);
135   __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
136   system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
137 }
138 
testTaintedBufferSize()139 void testTaintedBufferSize() {
140   size_t ts;
141   scanf("%zd", &ts);
142 
143   int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
144   char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
145   bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
146   __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
147 
148   // If both buffers are trusted, do not issue a warning.
149   char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
150   strncat(dst2, dst, ts); // no-warning
151 }
152 
153 #define AF_UNIX   1   /* local to host (pipes) */
154 #define AF_INET   2   /* internetwork: UDP, TCP, etc. */
155 #define AF_LOCAL  AF_UNIX   /* backward compatibility */
156 #define SOCK_STREAM 1
157 int socket(int, int, int);
158 size_t read(int, void *, size_t);
159 int  execl(const char *, const char *, ...);
160 
testSocket()161 void testSocket() {
162   int sock;
163   char buffer[100];
164 
165   sock = socket(AF_INET, SOCK_STREAM, 0);
166   read(sock, buffer, 100);
167   execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
168 
169   sock = socket(AF_LOCAL, SOCK_STREAM, 0);
170   read(sock, buffer, 100);
171   execl(buffer, "filename", 0); // no-warning
172 }
173 
testDivByZero()174 int testDivByZero() {
175   int x;
176   scanf("%d", &x);
177   return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
178 }
179 
180 // Zero-sized VLAs.
testTaintedVLASize()181 void testTaintedVLASize() {
182   int x;
183   scanf("%d", &x);
184   int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
185 }
186 
187 // This computation used to take a very long time.
188 #define longcmp(a,b,c) { \
189   a -= c;  a ^= c;  c += b; b -= a;  b ^= (a<<6) | (a >> (32-b));  a += c; c -= b;  c ^= b;  b += a; \
190   a -= c;  a ^= c;  c += b; b -= a;  b ^= a;  a += c; c -= b;  c ^= b;  b += a; }
191 
radar11369570_hanging(const unsigned char * arr,int l)192 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
193   unsigned a, b, c;
194   a = b = c = 0x9899e3 + l;
195   while (l >= 6) {
196     unsigned t;
197     scanf("%d", &t);
198     a += b;
199     a ^= a;
200     a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
201     longcmp(a, t, c);
202     l -= 12;
203   }
204   return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
205 }
206 
207 // Check that we do not assert of the following code.
SymSymExprWithDiffTypes(void * p)208 int SymSymExprWithDiffTypes(void* p) {
209   int i;
210   scanf("%d", &i);
211   int j = (i % (int)(long)p);
212   return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
213 }
214 
215 
constraintManagerShouldTreatAsOpaque(int rhs)216 void constraintManagerShouldTreatAsOpaque(int rhs) {
217   int i;
218   scanf("%d", &i);
219   // This comparison used to hit an assertion in the constraint manager,
220   // which didn't handle NonLoc sym-sym comparisons.
221   if (i < rhs)
222     return;
223   if (i < rhs)
224     *(volatile int *) 0; // no-warning
225 }
226