(root)/
gcc-13.2.0/
gcc/
testsuite/
gcc.dg/
analyzer/
taint-alloc-1.c
       1  // TODO: remove need for this option
       2  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       3  /* { dg-require-effective-target alloca } */
       4  
       5  #include "analyzer-decls.h"
       6  #include <stdio.h>
       7  #include <stdlib.h>
       8  #include <string.h>
       9  
      10  struct foo
      11  {
      12    size_t sz;
      13  };
      14  
      15  /* malloc with tainted size.  */
      16  
      17  void *test_1 (FILE *f)
      18  {
      19    struct foo tmp;
      20    if (1 == fread(&tmp, sizeof(tmp), 1, f)) { /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
      21                                               /* { dg-message "\\(\[0-9\]+\\) following 'true' branch\\.\\.\\." "event: following true branch" { target *-*-* } .-1 } */
      22      __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
      23      /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
      24      
      25      return malloc (tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "warning" } */
      26      /* { dg-message "23: \\(\[0-9\]+\\) 'tmp.i' has an unchecked value here \\(from 'tmp'\\)" "event: tmp.i has an unchecked value" { xfail *-*-* } .-1 } */
      27      /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-2 } */
      28      /* { dg-message "heap-based allocation" "memory space" { target *-*-* } .-3 } */
      29      
      30      // TOOD: better messages for state changes
      31    }
      32    return 0;
      33  }
      34  
      35  /* VLA with tainted size.  */
      36  
      37  void *test_2 (FILE *f)
      38  {
      39    struct foo tmp;
      40    if (1 == fread(&tmp, sizeof(tmp), 1, f)) { /* { dg-message "\\(\[0-9\]+\\) 'tmp' gets an unchecked value here" "event: tmp gets unchecked value" { xfail *-*-* } } */
      41                                               /* { dg-message "\\(\[0-9\]+\\) following 'true' branch\\.\\.\\." "event: following true branch" { target *-*-* } .-1 } */
      42      __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
      43      /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
      44  
      45      /* VLA with tainted size.  */
      46      {
      47        char buf[tmp.sz]; /* { dg-warning "use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "warning" } */
      48        /* { dg-message "\\(\[0-9\]+\\) 'tmp.i' has an unchecked value here \\(from 'tmp'\\)" "event: tmp.i has an unchecked value" { xfail *-*-* } .-1 } */
      49        /* { dg-message "\\(\[0-9\]+\\) use of attacker-controlled value 'tmp\\.sz' as allocation size without upper-bounds checking" "final event" { target *-*-* } .-2 } */
      50        /* { dg-message "stack-based allocation" "memory space" { target *-*-* } .-3 } */
      51        fread (buf, tmp.sz, 1, f);
      52      }
      53      
      54      // TOOD: better messages for state changes
      55    }
      56    return 0;
      57  }
      58  
      59  void *test_3 (FILE *f)
      60  {
      61    int num;
      62    fread (&num, sizeof (int), 1, f);
      63    __analyzer_dump_state ("taint", num); /* { dg-warning "state: 'tainted'" } */
      64    __analyzer_dump_state ("taint", num * 16); /* { dg-warning "state: 'tainted'" } */
      65    __analyzer_dump_state ("taint", (size_t)(num * 16)); /* { dg-warning "state: 'tainted'" } */
      66    return malloc (num * 16); /* { dg-warning "use of attacker-controlled value 'num \\* 16' as allocation size without upper-bounds checking" } */
      67  }