diff options
author | Balazs Benics <balazs.benics@sigmatechnology.se> | 2021-10-28 11:03:02 +0200 |
---|---|---|
committer | Balazs Benics <balazs.benics@sigmatechnology.se> | 2021-10-28 11:03:02 +0200 |
commit | 49285f43e5ed17206235e43c9cd17762d77ed275 (patch) | |
tree | 9acb779165f9982486d192f009febe848d0b5bb4 | |
parent | 30bd11fab47f75e43ba9d0133978d964eef819ca (diff) | |
download | llvm-49285f43e5ed17206235e43c9cd17762d77ed275.tar.gz |
[analyzer] sprintf is a taint propagator not a source
Due to a typo, `sprintf()` was recognized as a taint source instead of a
taint propagator. It was because an empty taint source list - which is
the first parameter of the `TaintPropagationRule` - encoded the
unconditional taint sources.
This typo effectively turned the `sprintf()` into an unconditional taint
source.
This patch fixes that typo and demonstrated the correct behavior with
tests.
Reviewed By: martong
Differential Revision: https://reviews.llvm.org/D112558
-rw-r--r-- | clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp | 2 | ||||
-rw-r--r-- | clang/test/Analysis/taint-generic.c | 10 |
2 files changed, 11 insertions, 1 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp index 69e9cbd51c35..66ef781871ec 100644 --- a/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp @@ -514,7 +514,7 @@ GenericTaintChecker::TaintPropagationRule::getTaintPropagationRule( if (OneOf("snprintf")) return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 3}; if (OneOf("sprintf")) - return {{}, {0, ReturnValueIndex}, VariadicType::Src, 2}; + return {{1}, {0, ReturnValueIndex}, VariadicType::Src, 2}; if (OneOf("strcpy", "stpcpy", "strcat")) return {{1}, {0, ReturnValueIndex}}; if (OneOf("bcopy")) diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c index 2cbd580168ba..90ab454ff7e8 100644 --- a/clang/test/Analysis/taint-generic.c +++ b/clang/test/Analysis/taint-generic.c @@ -341,6 +341,16 @@ void constraintManagerShouldTreatAsOpaque(int rhs) { *(volatile int *) 0; // no-warning } +int sprintf_is_not_a_source(char *buf, char *msg) { + int x = sprintf(buf, "%s", msg); // no-warning + return 1 / x; // no-warning: 'sprintf' is not a taint source +} + +int sprintf_propagates_taint(char *buf, char *msg) { + scanf("%s", msg); + int x = sprintf(buf, "%s", msg); // propagate taint! + return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}} +} // Test configuration int mySource1(); |