hanchenye-llvm-project/clang/test/Analysis/taint-tester.c

// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest -verify %s

int scanf(const char *restrict format, ...);
int getchar(void);

#define BUFSIZE 10
int Buffer[BUFSIZE];

struct XYStruct {
  int x;
  int y;
  char z;
};

void taintTracking(int x) {
  int n;
  int *addr = &Buffer[0];
  scanf("%d", &n);
  addr += n;// expected-warning 2 {{tainted}}
  *addr = n; // expected-warning 3 {{tainted}}

  double tdiv = n / 30; // expected-warning 3 {{tainted}}
  char *loc_cast = (char *) n; // expected-warning {{tainted}}
  char tinc = tdiv++; // expected-warning {{tainted}}
  int tincdec = (char)tinc--; // expected-warning 2 {{tainted}}

  // Tainted ptr arithmetic/array element address.
  int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}

  // Dereference.
  int *ptr;
  scanf("%p", &ptr);
  int ptrDeref = *ptr; // expected-warning 2 {{tainted}}
  int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}

  // Pointer arithmetic + dereferencing.
  // FIXME: We fail to propagate the taint here because RegionStore does not
  // handle ElementRegions with symbolic indexes.
  int addrDeref = *addr; // expected-warning {{tainted}}
  int _addrDeref = addrDeref;

  // Tainted struct address, casts.
  struct XYStruct *xyPtr = 0;
  scanf("%p", &xyPtr);
  void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
  struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
  int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}
  int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}

  // Taint on fields of a struct.
  struct XYStruct xy = {2, 3, 11};
  scanf("%f", &xy.y);
  scanf("%f", &xy.x);
  int tx = xy.x; // expected-warning {{tainted}}
  int ty = xy.y; // FIXME: This should be tainted as well.
  char ntz = xy.z;// no warning
}

void BitwiseOp(int in, char inn) {
  // Taint on bitwise operations, integer to integer cast.
  int m;
  int x = 0;
  scanf("%d", &x);
  int y = (in << (x << in)) * 5;// expected-warning 4 {{tainted}}
  // The next line tests integer to integer cast.
  int z = y & inn; // expected-warning 2 {{tainted}}
  if (y == 5) // expected-warning 2 {{tainted}}
    m = z | z;// expected-warning 4 {{tainted}}
  else
    m = inn;
  int mm = m; // expected-warning   {{tainted}}
}
[analyzer] Add a debug checker to test for tainted data. llvm-svn: 145827 2011-12-06 02:58:01 +08:00			`// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest -verify %s`

			`int scanf(const char *restrict format, ...);`
			`int getchar(void);`

			`#define BUFSIZE 10`
			`int Buffer[BUFSIZE];`

[analyzer] Propagate taint through MemRegions. SVal can be not only a symbol, but a MemRegion. Add support for such cases. llvm-svn: 146006 2011-12-07 09:09:52 +08:00			`struct XYStruct {`
			`int x;`
[analyzer] If memory region is tainted mark data as tainted. + random comments llvm-svn: 146199 2011-12-09 06:38:43 +08:00			`int y;`
			`char z;`
[analyzer] Propagate taint through MemRegions. SVal can be not only a symbol, but a MemRegion. Add support for such cases. llvm-svn: 146006 2011-12-07 09:09:52 +08:00			`};`

			`void taintTracking(int x) {`
[analyzer] Add a debug checker to test for tainted data. llvm-svn: 145827 2011-12-06 02:58:01 +08:00			`int n;`
			`int *addr = &Buffer[0];`
			`scanf("%d", &n);`
[analyzer] Propagate taint through MemRegions. SVal can be not only a symbol, but a MemRegion. Add support for such cases. llvm-svn: 146006 2011-12-07 09:09:52 +08:00			`addr += n;// expected-warning 2 {{tainted}}`
			`*addr = n; // expected-warning 3 {{tainted}}`
[analyzer] Propagate taint through NonLoc to NonLoc casts. - Created a new SymExpr type - SymbolCast. - SymbolCast is created when we don't know how to simplify a NonLoc to NonLoc casts. - A bit of code refactoring: introduced dispatchCast to have better code reuse, remove a goto. - Updated the test case to showcase the new taint flow. llvm-svn: 145985 2011-12-07 07:12:27 +08:00
			`double tdiv = n / 30; // expected-warning 3 {{tainted}}`
			`char loc_cast = (char ) n; // expected-warning {{tainted}}`
			`char tinc = tdiv++; // expected-warning {{tainted}}`
			`int tincdec = (char)tinc--; // expected-warning 2 {{tainted}}`

[analyzer] Propagate taint through MemRegions. SVal can be not only a symbol, but a MemRegion. Add support for such cases. llvm-svn: 146006 2011-12-07 09:09:52 +08:00			`// Tainted ptr arithmetic/array element address.`
			`int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}`
[analyzer] Propagate taint through NonLoc to NonLoc casts. - Created a new SymExpr type - SymbolCast. - SymbolCast is created when we don't know how to simplify a NonLoc to NonLoc casts. - A bit of code refactoring: introduced dispatchCast to have better code reuse, remove a goto. - Updated the test case to showcase the new taint flow. llvm-svn: 145985 2011-12-07 07:12:27 +08:00
[analyzer] If memory region is tainted mark data as tainted. + random comments llvm-svn: 146199 2011-12-09 06:38:43 +08:00			`// Dereference.`
			`int *ptr;`
			`scanf("%p", &ptr);`
			`int ptrDeref = *ptr; // expected-warning 2 {{tainted}}`
			`int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}`

			`// Pointer arithmetic + dereferencing.`
			`// FIXME: We fail to propagate the taint here because RegionStore does not`
			`// handle ElementRegions with symbolic indexes.`
			`int addrDeref = *addr; // expected-warning {{tainted}}`
			`int _addrDeref = addrDeref;`

[analyzer] Propagate taint through MemRegions. SVal can be not only a symbol, but a MemRegion. Add support for such cases. llvm-svn: 146006 2011-12-07 09:09:52 +08:00			`// Tainted struct address, casts.`
			`struct XYStruct *xyPtr = 0;`
			`scanf("%p", &xyPtr);`
			`void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}`
			`struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}`
[analyzer] If memory region is tainted mark data as tainted. + random comments llvm-svn: 146199 2011-12-09 06:38:43 +08:00			`int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}`
			`int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}`

			`// Taint on fields of a struct.`
			`struct XYStruct xy = {2, 3, 11};`
			`scanf("%f", &xy.y);`
			`scanf("%f", &xy.x);`
			`int tx = xy.x; // expected-warning {{tainted}}`
			`int ty = xy.y; // FIXME: This should be tainted as well.`
			`char ntz = xy.z;// no warning`
[analyzer] Add a debug checker to test for tainted data. llvm-svn: 145827 2011-12-06 02:58:01 +08:00			`}`
[analyzer] Fix inconsistency on when SValBuilder assumes that 2 types are equivalent. + A taint test which tests bitwise operations and which was triggering an assertion due to presence of the integer to integer cast. llvm-svn: 146240 2011-12-09 11:34:02 +08:00
			`void BitwiseOp(int in, char inn) {`
			`// Taint on bitwise operations, integer to integer cast.`
			`int m;`
			`int x = 0;`
			`scanf("%d", &x);`
			`int y = (in << (x << in)) * 5;// expected-warning 4 {{tainted}}`
			`// The next line tests integer to integer cast.`
			`int z = y & inn; // expected-warning 2 {{tainted}}`
			`if (y == 5) // expected-warning 2 {{tainted}}`
			`m = z \| z;// expected-warning 4 {{tainted}}`
			`else`
			`m = inn;`
			`int mm = m; // expected-warning {{tainted}}`
			`}`