| author | Artem Dergachev <artem.dergachev@gmail.com> | 2017-05-29 15:42:56 +0000 |
|---|---|---|
| committer | Artem Dergachev <artem.dergachev@gmail.com> | 2017-05-29 15:42:56 +0000 |
| commit | eed7a3102c51d863ff9035d31a33313e77364692 (patch) | |
| tree | 1513579135006000236c91d69cbe271a2995f7e5 /clang/test/Analysis/taint-generic.c | |
| parent | 4c4baf5093c808f41044f32ddef0c62855f1b39c (diff) | |
[analyzer] Support partially tainted records.
The analyzer's taint analysis can now reason about structures or arrays
originating from taint sources in which only certain sections are tainted.
In particular, it also benefits modeling functions like read(), which may
read tainted data into a section of a structure, but RegionStore is incapable of
expressing the fact that the rest of the structure remains intact, even if we
try to model read() directly.
Patch by Vlad Tsyrklevich!
Differential revision: https://reviews.llvm.org/D28445
llvm-svn: 304162
Diffstat (limited to 'clang/test/Analysis/taint-generic.c')
| -rw-r--r-- | clang/test/Analysis/taint-generic.c | 41 |
1 files changed, 31 insertions, 10 deletions
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index 8efed66dacb..d3ca246b82a 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -192,20 +192,41 @@ void testStruct() {
 
 void testStructArray() {
   struct {
-    char buf[16];
-    struct {
-      int length;
-    } st[1];
-  } tainted;
+    int length;
+  } tainted[4];
 
-  char buffer[16];
+  char dstbuf[16], srcbuf[16];
   int sock;
 
   sock = socket(AF_INET, SOCK_STREAM, 0);
-  read(sock, &tainted.buf[0], sizeof(tainted.buf));
-  read(sock, &tainted.st[0], sizeof(tainted.st));
-  // FIXME: tainted.st[0].length should be marked tainted
-  __builtin_memcpy(buffer, tainted.buf, tainted.st[0].length); // no-warning
+  __builtin_memset(srcbuf, 0, sizeof(srcbuf));
+
+  read(sock, &tainted[0], sizeof(tainted));
+  __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
+
+  __builtin_memset(&tainted, 0, sizeof(tainted));
+  read(sock, &tainted, sizeof(tainted));
+  __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
+
+  __builtin_memset(&tainted, 0, sizeof(tainted));
+  // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
+  read(sock, &tainted[1], sizeof(tainted));
+  __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
+  __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
+}
+
+void testUnion() {
+  union {
+    int x;
+    char y[4];
+  } tainted;
+
+  char buffer[4];
+
+  int sock = socket(AF_INET, SOCK_STREAM, 0);
+  read(sock, &tainted.y, sizeof(tainted.y));
+  // FIXME: overlapping regions aren't detected by isTainted yet
+  __builtin_memcpy(buffer, tainted.y, tainted.x);
 }
 
 int testDivByZero() {
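Review bot: The third read in testStructArray, `read(sock, &tainted[1], sizeof(tainted));`, passes the size of the whole four-element array while starting at element 1, so the requested byte range runs one element past the end of `tainted[4]`; the comment directly above says only element 1 is meant to be tainted, so the length should be `sizeof(tainted[1])`. With the current argument a reader tracing byte ranges would expect elements 2 and 3 to be tainted too, which contradicts the `// no-warning` on `tainted[2].length`; presumably the checker taints the pointed-to element region rather than a byte span, but the test should not rely on an overrun to express that. In testUnion the final `__builtin_memcpy(buffer, tainted.y, tainted.x);` carries neither an `expected-warning` nor a `// no-warning` marker; adding `// no-warning` next to the FIXME would make the behaviour the test currently asserts explicit to the expected-diagnostic check.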

