Author: szelethus
Date: Tue Mar 5 04:42:59 2019
New Revision: 355396

URL: http://llvm.org/viewvc/llvm-project?rev=355396&view=rev
Log:
[analyzer] Fix taint propagation in GenericTaintChecker
The gets function has no SrcArgs. Because the default value for isTainted was false, it didn't mark its DstArgs as tainted. Patch by Gábor Borsik! Differential Revision: https://reviews.llvm.org/D58828 Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp cfe/trunk/test/Analysis/taint-generic.c Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=355396&r1=355395&r2=355396&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Tue Mar 5 04:42:59 2019 @@ -458,7 +458,7 @@ GenericTaintChecker::TaintPropagationRul ProgramStateRef State = C.getState(); // Check for taint in arguments. - bool IsTainted = false; + bool IsTainted = true; for (unsigned ArgNum : SrcArgs) { if (ArgNum >= CE->getNumArgs()) return State; Modified: cfe/trunk/test/Analysis/taint-generic.c URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=355396&r1=355395&r2=355396&view=diff ============================================================================== --- cfe/trunk/test/Analysis/taint-generic.c (original) +++ cfe/trunk/test/Analysis/taint-generic.c Tue Mar 5 04:42:59 2019 @@ -2,6 +2,7 @@ // RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s int scanf(const char *restrict format, ...); +char *gets(char *str); int getchar(void); typedef struct _FILE FILE; 
@@ -142,6 +143,12 @@ void testTaintSystemCall3() { system(buffern2); // expected-warning {{Untrusted data is passed to a system call}} } +void testGets() { + char str[50]; + gets(str); + system(str); // expected-warning {{Untrusted data is passed to a system call}} +} + void testTaintedBufferSize() { size_t ts; scanf("%zd", &ts);
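Review bot: In GenericTaintChecker.cpp, at `bool IsTainted = true;` (hunk @@ -458,7), the new initial value is only correct if the `for (unsigned ArgNum : SrcArgs)` loop overwrites IsTainted for every source argument it inspects, and the part of the loop that would do so is outside the visible context. The comment above it still reads `// Check for taint in arguments.` and does not mention the empty-SrcArgs case that the log message gives as the reason for the change. Please state that intent at the declaration, either with a comment saying that rules without source arguments (such as gets) always taint their DstArgs, or by deriving the initial value from whether SrcArgs is empty, so that a later edit to the loop cannot silently turn every propagation rule into an unconditional taint source.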
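Review bot: In taint-generic.c, testGets (hunk @@ -142,6) checks only the positive case, that `gets(str)` followed by `system(str)` warns. Because the fix flips the default of IsTainted from false to true, the regression to guard against is over-tainting, and nothing in this hunk covers it. Please add a companion test with no expected-warning: a call through a propagation rule that does have source arguments, given untainted input, followed by `system` on the destination buffer.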