From: Kristof Umann Date: Tue, 5 Mar 2019 12:42:59 +0000 (+0000) Subject: [analyzer] Fix taint propagation in GenericTaintChecker X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5e92476f72e535372a9a911abbe3ee16c5cd3215;p=clang [analyzer] Fix taint propagation in GenericTaintChecker The gets function has no SrcArgs. Because the default value for isTainted was false, it didn't mark its DstArgs as tainted. Patch by Gábor Borsik! Differential Revision: https://reviews.llvm.org/D58828 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@355396 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
index c50fe49cbd..eeddfddc4d 100644
--- a/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp
@@ -458,7 +458,7 @@ GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE,
   ProgramStateRef State = C.getState();
 
   // Check for taint in arguments.
-  bool IsTainted = false;
+  bool IsTainted = true;
   for (unsigned ArgNum : SrcArgs) {
     if (ArgNum >= CE->getNumArgs())
       return State;
diff --git a/test/Analysis/taint-generic.c b/test/Analysis/taint-generic.c
index 30529503e5..42e390ddde 100644
--- a/test/Analysis/taint-generic.c
+++ b/test/Analysis/taint-generic.c
@@ -2,6 +2,7 @@
 // RUN: %clang_analyze_cc1 -DFILE_IS_STRUCT -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -Wno-format-security -verify %s
 
 int scanf(const char *restrict format, ...);
+char *gets(char *str);
 int getchar(void);
 
 typedef struct _FILE FILE;
@@ -142,6 +143,12 @@ void testTaintSystemCall3() {
   system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
 }
 
+void testGets() {
+  char str[50];
+  gets(str);
+  system(str); // expected-warning {{Untrusted data is passed to a system call}}
+}
+
 void testTaintedBufferSize() {
   size_t ts;
   scanf("%zd", &ts);
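Review bot: Starting `IsTainted` at `true` makes the correctness of the rest of `process` depend on the `for (unsigned ArgNum : SrcArgs)` loop overwriting it for every source argument; the loop body is cut off by the hunk, so the diff alone does not show that a rule with a non-empty `SrcArgs` and no tainted argument still ends with `IsTainted` false. An initialiser that states the intended rule directly is safer against later edits to that loop and documents the `gets` case the commit message describes: `bool IsTainted = SrcArgs.empty(); // no source args (e.g. gets): propagate unconditionally`. If the plain `true` is kept, the `// Check for taint in arguments.` comment should at least gain a sentence saying that a rule without source arguments is treated as always tainted. `process` begins before this hunk and continues after it.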
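Review bot: `testGets` only exercises propagation into the buffer argument of `gets`; if the checker's rule for `gets` also taints the return value (the rule table is not part of this diff, so I cannot confirm it), a second case such as `char *p = gets(str); system(p); // expected-warning {{Untrusted data is passed to a system call}}` would pin that behaviour too. The `char *gets(char *str);` prototype added in the earlier hunk matches the C signature, so the call should resolve to the rule by name; `system` is declared elsewhere in this file, outside the hunk.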