gcc/testsuite/gcc.dg/analyzer/taint-alloc-1.c

   1 /* { dg-require-effective-target alloca } */
   2
   3 #include "analyzer-decls.h"
   4 #include <stdio.h>
   5 #include <stdlib.h>
   6 #include <string.h>
   7
   8 struct foo
   9 {
  10   size_t sz;
  11 };
  12
  13 /* malloc with tainted size.  */
  14
  15 void *test_1 (FILE *f)
  16 {
  17   struct foo tmp;
  18   if (1 == fread(&tmp, sizeof(tmp), 1, f)) { /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
  19                                              /* { dg-message "\\(\[0-9\]+\\) following 'true' branch\\.\\.\\." "event: following true branch" { target *-*-* } .-1 } */
  20     __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
  21     /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
  22
  23     return malloc (tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "warning" } */
  24     /* { dg-message "23: \\(\[0-9\]+\\) 'tmp.i' has an unchecked value here \\(from 'tmp'\\)" "event: tmp.i has an unchecked value" { xfail *-*-* } .-1 } */
  25     /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-2 } */
  26     /* { dg-message "heap-based allocation" "memory space" { target *-*-* } .-3 } */
  27
  28     // TOOD: better messages for state changes
  29   }
  30   return 0;
  31 }
  32
  33 /* VLA with tainted size.  */
  34
  35 void *test_2 (FILE *f)
  36 {
  37   struct foo tmp;
  38   if (1 == fread(&tmp, sizeof(tmp), 1, f)) { /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
  39                                              /* { dg-message "\\(\[0-9\]+\\) following 'true' branch\\.\\.\\." "event: following true branch" { target *-*-* } .-1 } */
  40     __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
  41     /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
  42
  43     /* VLA with tainted size.  */
  44     {
  45       char buf[tmp.sz]; /* { dg-warning "use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "warning" } */
  46       /* { dg-message "\\(\[0-9\]+\\) 'tmp.i' has an unchecked value here \\(from 'tmp'\\)" "event: tmp.i has an unchecked value" { xfail *-*-* } .-1 } */
  47       /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-2 } */
  48       /* { dg-message "stack-based allocation" "memory space" { target *-*-* } .-3 } */
  49       fread (buf, tmp.sz, 1, f);
  50     }
  51
  52     // TOOD: better messages for state changes
  53   }
  54   return 0;
  55 }
  56
  57 void *test_3 (FILE *f)
  58 {
  59   int num;
  60   fread (&num, sizeof (int), 1, f);
  61   __analyzer_dump_state ("taint", num); /* { dg-warning "state: 'tainted'" } */
  62   __analyzer_dump_state ("taint", num * 16); /* { dg-warning "state: 'tainted'" } */
  63   __analyzer_dump_state ("taint", (size_t)(num * 16)); /* { dg-warning "state: 'tainted'" } */
  64   return malloc (num * 16); /* { dg-warning "use of attacker-controlled value 'num \\* 16' as allocation size without upper-bounds checking" } */
  65 }