mirrors/llvm-project
0
0
Fork 0
mirror of https://github.com/llvm/llvm-project.git synced 2025-04-23 22:36:07 +00:00
Code Issues Projects Releases Wiki Activity
llvm-project/clang/test/Analysis/security-syntax-checks.m

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

331 lines
15 KiB
Mathematica
Raw Permalink Normal View History

[clang] Evaluate strlen of strcpy argument for -Wfortify-source. Also introduce Expr::tryEvaluateStrLen. Differential Revision: https://reviews.llvm.org/D104887
2021-07-28 20:31:51 +00:00
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
[analyzer] PR41185: Fix regression where __builtin_* functions weren't recognized For the following code snippet: void builtin_function_call_crash_fixes(char *c) { __builtin_strncpy(c, "", 6); __builtin_memset(c, '\0', (0)); __builtin_memcpy(c, c, 0); } security.insecureAPI.DeprecatedOrUnsafeBufferHandling caused a regression, as it didn't recognize functions starting with __builtin_. Fixed exactly that. I wanted to modify an existing test file, but the two I found didn't seem like perfect candidates. While I was there, I prettified their RUN: lines. Differential Revision: https://reviews.llvm.org/D59812 llvm-svn: 358609
2019-04-17 19:56:40 +00:00
// RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter
[clang] Evaluate strlen of strcpy argument for -Wfortify-source. Also introduce Expr::tryEvaluateStrLen. Differential Revision: https://reviews.llvm.org/D104887
2021-07-28 20:31:51 +00:00
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
[analyzer] PR41185: Fix regression where __builtin_* functions weren't recognized For the following code snippet: void builtin_function_call_crash_fixes(char *c) { __builtin_strncpy(c, "", 6); __builtin_memset(c, '\0', (0)); __builtin_memcpy(c, c, 0); } security.insecureAPI.DeprecatedOrUnsafeBufferHandling caused a regression, as it didn't recognize functions starting with __builtin_. Fixed exactly that. I wanted to modify an existing test file, but the two I found didn't seem like perfect candidates. While I was there, I prettified their RUN: lines. Differential Revision: https://reviews.llvm.org/D59812 llvm-svn: 358609
2019-04-17 19:56:40 +00:00
// RUN: -DUSE_BUILTINS \
// RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter
[clang] Evaluate strlen of strcpy argument for -Wfortify-source. Also introduce Expr::tryEvaluateStrLen. Differential Revision: https://reviews.llvm.org/D104887
2021-07-28 20:31:51 +00:00
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
[analyzer] PR41185: Fix regression where __builtin_* functions weren't recognized For the following code snippet: void builtin_function_call_crash_fixes(char *c) { __builtin_strncpy(c, "", 6); __builtin_memset(c, '\0', (0)); __builtin_memcpy(c, c, 0); } security.insecureAPI.DeprecatedOrUnsafeBufferHandling caused a regression, as it didn't recognize functions starting with __builtin_. Fixed exactly that. I wanted to modify an existing test file, but the two I found didn't seem like perfect candidates. While I was there, I prettified their RUN: lines. Differential Revision: https://reviews.llvm.org/D59812 llvm-svn: 358609
2019-04-17 19:56:40 +00:00
// RUN: -DVARIANT \
// RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter
[clang] Evaluate strlen of strcpy argument for -Wfortify-source. Also introduce Expr::tryEvaluateStrLen. Differential Revision: https://reviews.llvm.org/D104887
2021-07-28 20:31:51 +00:00
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
[analyzer] PR41185: Fix regression where __builtin_* functions weren't recognized For the following code snippet: void builtin_function_call_crash_fixes(char *c) { __builtin_strncpy(c, "", 6); __builtin_memset(c, '\0', (0)); __builtin_memcpy(c, c, 0); } security.insecureAPI.DeprecatedOrUnsafeBufferHandling caused a regression, as it didn't recognize functions starting with __builtin_. Fixed exactly that. I wanted to modify an existing test file, but the two I found didn't seem like perfect candidates. While I was there, I prettified their RUN: lines. Differential Revision: https://reviews.llvm.org/D59812 llvm-svn: 358609
2019-04-17 19:56:40 +00:00
// RUN: -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter
Add security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers. llvm-svn: 128679
2011-03-31 22:09:14 +00:00
#ifdef USE_BUILTINS
# define BUILTIN(f) __builtin_ ## f
#else /* USE_BUILTINS */
# define BUILTIN(f) f
#endif /* USE_BUILTINS */
[analyzer] New checker for detecting usages of unsafe I/O functions There are certain unsafe or deprecated (since C11) buffer handling functions which should be avoided in safety critical code. They could cause buffer overflows. A new checker, 'security.insecureAPI.DeprecatedOrUnsafeBufferHandling' warns for every occurrence of such functions (unsafe or deprecated printf, scanf family, and other buffer handling functions, which now have a secure variant). Patch by Dániel Kolozsvári! Differential Revision: https://reviews.llvm.org/D35068 llvm-svn: 353698
2019-02-11 13:46:43 +00:00
#include "Inputs/system-header-simulator-for-valist.h"
#include "Inputs/system-header-simulator-for-simple-stream.h"
Add security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers. llvm-svn: 128679
2011-03-31 22:09:14 +00:00
typedef typeof(sizeof(int)) size_t;
Refine checking and diagnostics for use of floating point variable as a counter. This implements <rdar://problem/6336718> and checks for CERT secure coding advisory FLP30-C. llvm-svn: 76900
2009-07-23 21:34:35 +00:00
[clang] Remove rdar links; NFC We have a new policy in place making links to private resources something we try to avoid in source and test files. Normally, we'd organically switch to the new policy rather than make a sweeping change across a project. However, Clang is in a somewhat special circumstance currently: recently, I've had several new contributors run into rdar links around test code which their patch was changing the behavior of. This turns out to be a surprisingly bad experience, especially for newer folks, for a handful of reasons: not understanding what the link is and feeling intimidated by it, wondering whether their changes are actually breaking something important to a downstream in some way, having to hunt down strangers not involved with the patch to impose on them for help, accidental pressure from asking for potentially private IP to be made public, etc. Because folks run into these links entirely by chance (through fixing bugs or working on new features), there's not really a set of problematic links to focus on -- all of the links have basically the same potential for causing these problems. As a result, this is an omnibus patch to remove all such links. This was not a mechanical change; it was done by manually searching for rdar, radar, radr, and other variants to find all the various problematic links. From there, I tried to retain or reword the surrounding comments so that we would lose as little context as possible. However, because most links were just a plain link with no supporting context, the majority of the changes are simple removals. Differential Review: https://reviews.llvm.org/D158071
2023-08-28 12:13:42 -04:00
// rule request: floating point used as loop condition (FLP30-C, FLP-30-CPP)
Refine checking and diagnostics for use of floating point variable as a counter. This implements <rdar://problem/6336718> and checks for CERT secure coding advisory FLP30-C. llvm-svn: 76900
2009-07-23 21:34:35 +00:00
//
// For reference: https://www.securecoding.cert.org/confluence/display/seccode/FLP30-C.+Do+not+use+floating+point+variables+as+loop+counters
//
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_float_condition(void) {
Refine checking and diagnostics for use of floating point variable as a counter. This implements <rdar://problem/6336718> and checks for CERT secure coding advisory FLP30-C. llvm-svn: 76900
2009-07-23 21:34:35 +00:00
for (float x = 0.1f; x <= 1.0f; x += 0.1f) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
for (float x = 100000001.0f; x <= 100000010.0f; x += 1.0f) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
for (float x = 100000001.0f; x <= 100000010.0f; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
for (double x = 100000001.0; x <= 100000010.0; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}
for (double x = 100000001.0; ((x)) <= 100000010.0; ((x))++ ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}
for (double x = 100000001.0; 100000010.0 >= x; x = x + 1.0 ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}
int i = 0;
for (double x = 100000001.0; ((x)) <= 100000010.0; ((x))++, ++i ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}
typedef float FooType;
for (FooType x = 100000001.0f; x <= 100000010.0f; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'FooType'}}
}
[analyzer] Add security checks for bcmp(), bcopy(), bzero(). These functions are obsolete. The analyzer would advice to replace them with memcmp(), memcpy() or memmove(), or memset(). Patch by Tom Rix! Differential Revision: https://reviews.llvm.org/D41881 llvm-svn: 333326
2018-05-26 00:04:26 +00:00
// Obsolete function bcmp
[Builtins] Treat `bcmp` as a builtin. Summary: This makes it consistent with `memcmp` and `__builtin_bcmp`. Also see the discussion in https://reviews.llvm.org/D56593. Reviewers: jyknight Subscribers: kristina, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D58120 llvm-svn: 354023
2019-02-14 12:00:34 +00:00
int bcmp(const void *, const void *, size_t);
[analyzer] Add security checks for bcmp(), bcopy(), bzero(). These functions are obsolete. The analyzer would advice to replace them with memcmp(), memcpy() or memmove(), or memset(). Patch by Tom Rix! Differential Revision: https://reviews.llvm.org/D41881 llvm-svn: 333326
2018-05-26 00:04:26 +00:00
int test_bcmp(void *a, void *b, size_t n) {
return bcmp(a, b, n); // expected-warning{{The bcmp() function is obsoleted by memcmp()}}
}
// Obsolete function bcopy
[Clang][CodeGen] Add __builtin_bcopy (#67130) Add __builtin_bcopy to the list of GNU builtins. This was causing a series of test failures in glibc. Adjust the tests to reflect the changes in codegen. Fixes #51409. Fixes #63065.
2023-09-24 11:58:14 -03:00
void bcopy(const void *, void *, size_t);
[analyzer] Add security checks for bcmp(), bcopy(), bzero(). These functions are obsolete. The analyzer would advice to replace them with memcmp(), memcpy() or memmove(), or memset(). Patch by Tom Rix! Differential Revision: https://reviews.llvm.org/D41881 llvm-svn: 333326
2018-05-26 00:04:26 +00:00
[Clang][CodeGen] Add __builtin_bcopy (#67130) Add __builtin_bcopy to the list of GNU builtins. This was causing a series of test failures in glibc. Adjust the tests to reflect the changes in codegen. Fixes #51409. Fixes #63065.
2023-09-24 11:58:14 -03:00
void test_bcopy(const void *a, void *b, size_t n) {
[analyzer] Add security checks for bcmp(), bcopy(), bzero(). These functions are obsolete. The analyzer would advice to replace them with memcmp(), memcpy() or memmove(), or memset(). Patch by Tom Rix! Differential Revision: https://reviews.llvm.org/D41881 llvm-svn: 333326
2018-05-26 00:04:26 +00:00
bcopy(a, b, n); // expected-warning{{The bcopy() function is obsoleted by memcpy() or memmove(}}
}
// Obsolete function bzero
void bzero(void *, size_t);
void test_bzero(void *a, size_t n) {
bzero(a, n); // expected-warning{{The bzero() function is obsoleted by memset()}}
}
[clang] Remove rdar links; NFC We have a new policy in place making links to private resources something we try to avoid in source and test files. Normally, we'd organically switch to the new policy rather than make a sweeping change across a project. However, Clang is in a somewhat special circumstance currently: recently, I've had several new contributors run into rdar links around test code which their patch was changing the behavior of. This turns out to be a surprisingly bad experience, especially for newer folks, for a handful of reasons: not understanding what the link is and feeling intimidated by it, wondering whether their changes are actually breaking something important to a downstream in some way, having to hunt down strangers not involved with the patch to impose on them for help, accidental pressure from asking for potentially private IP to be made public, etc. Because folks run into these links entirely by chance (through fixing bugs or working on new features), there's not really a set of problematic links to focus on -- all of the links have basically the same potential for causing these problems. As a result, this is an omnibus patch to remove all such links. This was not a mechanical change; it was done by manually searching for rdar, radar, radr, and other variants to find all the various problematic links. From there, I tried to retain or reword the surrounding comments so that we would lose as little context as possible. However, because most links were just a plain link with no supporting context, the majority of the changes are simple removals. Differential Review: https://reviews.llvm.org/D158071
2023-08-28 12:13:42 -04:00
// rule request: gets() buffer overflow
Implement: <rdar://problem/6335715> rule request: gets() buffer overflow llvm-svn: 76905
2009-07-23 22:29:41 +00:00
// Part of recommendation: 300-BSI (buildsecurityin.us-cert.gov)
char* gets(char *buf);
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_gets(void) {
Implement: <rdar://problem/6335715> rule request: gets() buffer overflow llvm-svn: 76905
2009-07-23 22:29:41 +00:00
char buff[1024];
gets(buff); // expected-warning{{Call to function 'gets' is extremely insecure as it can always result in a buffer overflow}}
}
Implement: <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges Were Dropped Successfully Patch by Geoff Keating! llvm-svn: 80313
2009-08-28 00:08:09 +00:00
Add check for obsolete function call of getpw(). llvm-svn: 86537
2009-11-09 12:19:26 +00:00
int getpw(unsigned int uid, char *buf);
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_getpw(void) {
Add check for obsolete function call of getpw(). llvm-svn: 86537
2009-11-09 12:19:26 +00:00
char buff[1024];
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time. This fixes several issues: - removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer, but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer was used by itself. - emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings, as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine). As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped, just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now the tests have higher fidelity with what users will see. There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph) once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue) for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular consumer expects. llvm-svn: 162028
2012-08-16 17:45:23 +00:00
getpw(2, buff); // expected-warning{{The getpw() function is dangerous as it may overflow the provided buffer. It is obsoleted by getpwuid()}}
Add check for obsolete function call of getpw(). llvm-svn: 86537
2009-11-09 12:19:26 +00:00
}
[clang] Remove rdar links; NFC We have a new policy in place making links to private resources something we try to avoid in source and test files. Normally, we'd organically switch to the new policy rather than make a sweeping change across a project. However, Clang is in a somewhat special circumstance currently: recently, I've had several new contributors run into rdar links around test code which their patch was changing the behavior of. This turns out to be a surprisingly bad experience, especially for newer folks, for a handful of reasons: not understanding what the link is and feeling intimidated by it, wondering whether their changes are actually breaking something important to a downstream in some way, having to hunt down strangers not involved with the patch to impose on them for help, accidental pressure from asking for potentially private IP to be made public, etc. Because folks run into these links entirely by chance (through fixing bugs or working on new features), there's not really a set of problematic links to focus on -- all of the links have basically the same potential for causing these problems. As a result, this is an omnibus patch to remove all such links. This was not a mechanical change; it was done by manually searching for rdar, radar, radr, and other variants to find all the various problematic links. From there, I tried to retain or reword the surrounding comments so that we would lose as little context as possible. However, because most links were just a plain link with no supporting context, the majority of the changes are simple removals. Differential Review: https://reviews.llvm.org/D158071
2023-08-28 12:13:42 -04:00
// CWE-273: Failure to Check Whether Privileges Were Dropped Successfully
Implement: <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges Were Dropped Successfully Patch by Geoff Keating! llvm-svn: 80313
2009-08-28 00:08:09 +00:00
typedef unsigned int __uint32_t;
typedef __uint32_t __darwin_uid_t;
typedef __uint32_t __darwin_gid_t;
typedef __darwin_uid_t uid_t;
typedef __darwin_gid_t gid_t;
int setuid(uid_t);
int setregid(gid_t, gid_t);
int setreuid(uid_t, uid_t);
extern void check(int);
Add abort() as a builtin. This has two effects: one, we warn for incorrect declarations of abort(), and two, we mark it noreturn. Missing the latter shows up in one of the "embarassing" tests (from the thread on llvmdev "detailed comparison of generated code size for LLVM and other compilers"). llvm-svn: 91515
2009-12-16 06:28:21 +00:00
void abort(void);
Implement: <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges Were Dropped Successfully Patch by Geoff Keating! llvm-svn: 80313
2009-08-28 00:08:09 +00:00
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_setuid(void)
Implement: <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges Were Dropped Successfully Patch by Geoff Keating! llvm-svn: 80313
2009-08-28 00:08:09 +00:00
{
setuid(2); // expected-warning{{The return value from the call to 'setuid' is not checked. If an error occurs in 'setuid', the following code may execute with unexpected privileges}}
setuid(0); // expected-warning{{The return value from the call to 'setuid' is not checked. If an error occurs in 'setuid', the following code may execute with unexpected privileges}}
if (setuid (2) != 0)
abort();
// Currently the 'setuid' check is not flow-sensitive, and only looks
// at whether the function was called in a compound statement. This
// will lead to false negatives, but there should be no false positives.
int t = setuid(2); // no-warning
(void)setuid (2); // no-warning
check(setuid (2)); // no-warning
setreuid(2,2); // expected-warning{{The return value from the call to 'setreuid' is not checked. If an error occurs in 'setreuid', the following code may execute with unexpected privileges}}
setregid(2,2); // expected-warning{{The return value from the call to 'setregid' is not checked. If an error occurs in 'setregid', the following code may execute with unexpected privileges}}
}
Implement: <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng Patch by Geoff Keating! llvm-svn: 80752
2009-09-02 02:47:41 +00:00
[clang] Remove rdar links; NFC We have a new policy in place making links to private resources something we try to avoid in source and test files. Normally, we'd organically switch to the new policy rather than make a sweeping change across a project. However, Clang is in a somewhat special circumstance currently: recently, I've had several new contributors run into rdar links around test code which their patch was changing the behavior of. This turns out to be a surprisingly bad experience, especially for newer folks, for a handful of reasons: not understanding what the link is and feeling intimidated by it, wondering whether their changes are actually breaking something important to a downstream in some way, having to hunt down strangers not involved with the patch to impose on them for help, accidental pressure from asking for potentially private IP to be made public, etc. Because folks run into these links entirely by chance (through fixing bugs or working on new features), there's not really a set of problematic links to focus on -- all of the links have basically the same potential for causing these problems. As a result, this is an omnibus patch to remove all such links. This was not a mechanical change; it was done by manually searching for rdar, radar, radr, and other variants to find all the various problematic links. From there, I tried to retain or reword the surrounding comments so that we would lose as little context as possible. However, because most links were just a plain link with no supporting context, the majority of the changes are simple removals. Differential Review: https://reviews.llvm.org/D158071
2023-08-28 12:13:42 -04:00
// CWE-338: Use of cryptographically weak prng
Check the canonical parameter type with getAs<>() in a static checker This will prevent breakage when I introduce the DecayedType sugar node. llvm-svn: 184755
2013-06-24 16:56:16 +00:00
typedef unsigned short *ushort_ptr_t; // Test that sugar doesn't confuse the warning.
Implement: <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng Patch by Geoff Keating! llvm-svn: 80752
2009-09-02 02:47:41 +00:00
int rand(void);
double drand48(void);
double erand48(unsigned short[3]);
Check the canonical parameter type with getAs<>() in a static checker This will prevent breakage when I introduce the DecayedType sugar node. llvm-svn: 184755
2013-06-24 16:56:16 +00:00
long jrand48(ushort_ptr_t);
Implement: <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng Patch by Geoff Keating! llvm-svn: 80752
2009-09-02 02:47:41 +00:00
void lcong48(unsigned short[7]);
long lrand48(void);
long mrand48(void);
long nrand48(unsigned short[3]);
long random(void);
int rand_r(unsigned *);
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_rand(void)
Implement: <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng Patch by Geoff Keating! llvm-svn: 80752
2009-09-02 02:47:41 +00:00
{
unsigned short a[7];
unsigned b;
rand(); // expected-warning{{Function 'rand' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
drand48(); // expected-warning{{Function 'drand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
erand48(a); // expected-warning{{Function 'erand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
jrand48(a); // expected-warning{{Function 'jrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
lcong48(a); // expected-warning{{Function 'lcong48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
lrand48(); // expected-warning{{Function 'lrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
mrand48(); // expected-warning{{Function 'mrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
nrand48(a); // expected-warning{{Function 'nrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
rand_r(&b); // expected-warning{{Function 'rand_r' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
random(); // expected-warning{{The 'random' function produces a sequence of values that an adversary may be able to predict. Use 'arc4random' instead}}
}
Add test case for mktemp. Patch by Lei Zhang. llvm-svn: 90706
2009-12-06 12:45:46 +00:00
char *mktemp(char *buf);
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_mktemp(void) {
Add test case for mktemp. Patch by Lei Zhang. llvm-svn: 90706
2009-12-06 12:45:46 +00:00
char *x = mktemp("/tmp/zxcv"); // expected-warning{{Call to function 'mktemp' is insecure as it always creates or uses insecure temporary file}}
}
Add security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers. llvm-svn: 128679
2011-03-31 22:09:14 +00:00
//===----------------------------------------------------------------------===
// strcpy()
//===----------------------------------------------------------------------===
#ifdef VARIANT
#define __strcpy_chk BUILTIN(__strcpy_chk)
char *__strcpy_chk(char *restrict s1, const char *restrict s2, size_t destlen);
#define strcpy(a,b) __strcpy_chk(a,b,(size_t)-1)
#else /* VARIANT */
#define strcpy BUILTIN(strcpy)
char *strcpy(char *restrict s1, const char *restrict s2);
#endif /* VARIANT */
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_strcpy(void) {
Add security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers. llvm-svn: 128679
2011-03-31 22:09:14 +00:00
char x[4];
char *y;
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time. This fixes several issues: - removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer, but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer was used by itself. - emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings, as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine). As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped, just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now the tests have higher fidelity with what users will see. There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph) once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue) for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular consumer expects. llvm-svn: 162028
2012-08-16 17:45:23 +00:00
strcpy(x, y); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
Add security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers. llvm-svn: 128679
2011-03-31 22:09:14 +00:00
}
Add security syntax checker for strcat() which causes the Static Analyzer to generate a warning any time the strcat() function is used with a note suggesting to use a function which provides bounded buffers. CWE-119. Also, brings the security syntax checker more inline with coding standards. llvm-svn: 128916
2011-04-05 20:18:46 +00:00
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_strcpy_2(void) {
[analyzer] Don't flag strcpy of string literals into sufficiently large buffers. In the security package, we have a simple syntactic check that warns about strcpy() being insecure, due to potential buffer overflows. Suppress that check's warning in the trivial situation when the source is an immediate null-terminated string literal and the target is an immediate sufficiently large buffer. Patch by András Leitereg! Differential Revision: https://reviews.llvm.org/D41384 llvm-svn: 322410
2018-01-12 22:12:11 +00:00
char x[4];
strcpy(x, "abcd"); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
}
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_strcpy_safe(void) {
[analyzer] Don't flag strcpy of string literals into sufficiently large buffers. In the security package, we have a simple syntactic check that warns about strcpy() being insecure, due to potential buffer overflows. Suppress that check's warning in the trivial situation when the source is an immediate null-terminated string literal and the target is an immediate sufficiently large buffer. Patch by András Leitereg! Differential Revision: https://reviews.llvm.org/D41384 llvm-svn: 322410
2018-01-12 22:12:11 +00:00
char x[5];
strcpy(x, "abcd");
}
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_strcpy_safe_2(void) {
[analyzer] [PR39792] false positive on strcpy targeting struct members Patch by Pierre van Houtryve. Differential Revision: https://reviews.llvm.org/D55226 llvm-svn: 351097
2019-01-14 18:54:48 +00:00
struct {char s1[100];} s;
strcpy(s.s1, "hello");
}
Add security syntax checker for strcat() which causes the Static Analyzer to generate a warning any time the strcat() function is used with a note suggesting to use a function which provides bounded buffers. CWE-119. Also, brings the security syntax checker more inline with coding standards. llvm-svn: 128916
2011-04-05 20:18:46 +00:00
//===----------------------------------------------------------------------===
// strcat()
//===----------------------------------------------------------------------===
#ifdef VARIANT
#define __strcat_chk BUILTIN(__strcat_chk)
char *__strcat_chk(char *restrict s1, const char *restrict s2, size_t destlen);
#define strcat(a,b) __strcat_chk(a,b,(size_t)-1)
#else /* VARIANT */
#define strcat BUILTIN(strcat)
char *strcat(char *restrict s1, const char *restrict s2);
#endif /* VARIANT */
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_strcat(void) {
Add security syntax checker for strcat() which causes the Static Analyzer to generate a warning any time the strcat() function is used with a note suggesting to use a function which provides bounded buffers. CWE-119. Also, brings the security syntax checker more inline with coding standards. llvm-svn: 128916
2011-04-05 20:18:46 +00:00
char x[4];
char *y;
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time. This fixes several issues: - removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer, but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer was used by itself. - emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings, as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine). As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped, just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now the tests have higher fidelity with what users will see. There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph) once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue) for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular consumer expects. llvm-svn: 162028
2012-08-16 17:45:23 +00:00
strcat(x, y); //expected-warning{{Call to function 'strcat' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcat'. CWE-119}}
Add security syntax checker for strcat() which causes the Static Analyzer to generate a warning any time the strcat() function is used with a note suggesting to use a function which provides bounded buffers. CWE-119. Also, brings the security syntax checker more inline with coding standards. llvm-svn: 128916
2011-04-05 20:18:46 +00:00
}
[analyzer] Warn about the use of insecure, deprecated vfork() function PR11053 (http://llvm.org/bugs/show_bug.cgi?id=11053). A patch by Graham Lee! llvm-svn: 141643
2011-10-11 04:34:54 +00:00
//===----------------------------------------------------------------------===
// vfork()
//===----------------------------------------------------------------------===
typedef int __int32_t;
typedef __int32_t pid_t;
Fix the signatures of vfork, __sigsetjmp and sigsetjmp. Patch by Dimitry Andric. llvm-svn: 142531
2011-10-19 14:50:34 +00:00
pid_t vfork(void);
[analyzer] Warn about the use of insecure, deprecated vfork() function PR11053 (http://llvm.org/bugs/show_bug.cgi?id=11053). A patch by Graham Lee! llvm-svn: 141643
2011-10-11 04:34:54 +00:00
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_vfork(void) {
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time. This fixes several issues: - removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer, but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer was used by itself. - emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings, as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine). As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped, just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now the tests have higher fidelity with what users will see. There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph) once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue) for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular consumer expects. llvm-svn: 162028
2012-08-16 17:45:23 +00:00
vfork(); //expected-warning{{Call to function 'vfork' is insecure as it can lead to denial of service situations in the parent process}}
[analyzer] Warn about the use of insecure, deprecated vfork() function PR11053 (http://llvm.org/bugs/show_bug.cgi?id=11053). A patch by Graham Lee! llvm-svn: 141643
2011-10-11 04:34:54 +00:00
}
Implement checker that looks for calls to mktemps and friends that have fewer than 6 Xs. Implements <rdar://problem/6336672>. llvm-svn: 148531
2012-01-20 05:35:06 +00:00
//===----------------------------------------------------------------------===
// mkstemp()
//===----------------------------------------------------------------------===
char *mkdtemp(char *template);
int mkstemps(char *template, int suffixlen);
int mkstemp(char *template);
char *mktemp(char *template);
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_mkstemp(void) {
Implement checker that looks for calls to mktemps and friends that have fewer than 6 Xs. Implements <rdar://problem/6336672>. llvm-svn: 148531
2012-01-20 05:35:06 +00:00
mkstemp("XX"); // expected-warning {{Call to 'mkstemp' should have at least 6 'X's in the format string to be secure (2 'X's seen)}}
mkstemp("XXXXXX");
mkstemp("XXXXXXX");
mkstemps("XXXXXX", 0);
mkstemps("XXXXXX", 1); // expected-warning {{5 'X's seen}}
mkstemps("XXXXXX", 2); // expected-warning {{Call to 'mkstemps' should have at least 6 'X's in the format string to be secure (4 'X's seen, 2 characters used as a suffix)}}
mkdtemp("XX"); // expected-warning {{2 'X's seen}}
mkstemp("X"); // expected-warning {{Call to 'mkstemp' should have at least 6 'X's in the format string to be secure (1 'X' seen)}}
mkdtemp("XXXXXX");
}
[analyzer] New checker for detecting usages of unsafe I/O functions There are certain unsafe or deprecated (since C11) buffer handling functions which should be avoided in safety critical code. They could cause buffer overflows. A new checker, 'security.insecureAPI.DeprecatedOrUnsafeBufferHandling' warns for every occurrence of such functions (unsafe or deprecated printf, scanf family, and other buffer handling functions, which now have a secure variant). Patch by Dániel Kolozsvári! Differential Revision: https://reviews.llvm.org/D35068 llvm-svn: 353698
2019-02-11 13:46:43 +00:00
//===----------------------------------------------------------------------===
// deprecated or unsafe buffer handling
//===----------------------------------------------------------------------===
typedef int wchar_t;
int sprintf(char *str, const char *format, ...);
//int vsprintf (char *s, const char *format, va_list arg);
int scanf(const char *format, ...);
int wscanf(const wchar_t *format, ...);
int fscanf(FILE *stream, const char *format, ...);
int fwscanf(FILE *stream, const wchar_t *format, ...);
int vscanf(const char *format, va_list arg);
int vwscanf(const wchar_t *format, va_list arg);
int vfscanf(FILE *stream, const char *format, va_list arg);
int vfwscanf(FILE *stream, const wchar_t *format, va_list arg);
int sscanf(const char *s, const char *format, ...);
int swscanf(const wchar_t *ws, const wchar_t *format, ...);
int vsscanf(const char *s, const char *format, va_list arg);
int vswscanf(const wchar_t *ws, const wchar_t *format, va_list arg);
int swprintf(wchar_t *ws, size_t len, const wchar_t *format, ...);
int snprintf(char *s, size_t n, const char *format, ...);
int vswprintf(wchar_t *ws, size_t len, const wchar_t *format, va_list arg);
int vsnprintf(char *s, size_t n, const char *format, va_list arg);
void *memcpy(void *destination, const void *source, size_t num);
void *memmove(void *destination, const void *source, size_t num);
char *strncpy(char *destination, const char *source, size_t num);
char *strncat(char *destination, const char *source, size_t num);
void *memset(void *ptr, int value, size_t num);
A significant number of our tests in C accidentally use functions without prototypes. This patch converts the function signatures to have a prototype for the situations where the test is not specific to K&R C declarations. e.g., void func(); becomes void func(void); This is the ninth batch of tests being updated (there are a significant number of other tests left to be updated).
2022-02-13 08:02:46 -05:00
void test_deprecated_or_unsafe_buffer_handling_1(void) {
[analyzer] New checker for detecting usages of unsafe I/O functions There are certain unsafe or deprecated (since C11) buffer handling functions which should be avoided in safety critical code. They could cause buffer overflows. A new checker, 'security.insecureAPI.DeprecatedOrUnsafeBufferHandling' warns for every occurrence of such functions (unsafe or deprecated printf, scanf family, and other buffer handling functions, which now have a secure variant). Patch by Dániel Kolozsvári! Differential Revision: https://reviews.llvm.org/D35068 llvm-svn: 353698
2019-02-11 13:46:43 +00:00
char buf [5];
wchar_t wbuf [5];
int a;
FILE *file;
sprintf(buf, "a"); // expected-warning{{Call to function 'sprintf' is insecure}}
scanf("%d", &a); // expected-warning{{Call to function 'scanf' is insecure}}
scanf("%s", buf); // expected-warning{{Call to function 'scanf' is insecure}}
scanf("%4s", buf); // expected-warning{{Call to function 'scanf' is insecure}}
wscanf((const wchar_t*) L"%s", buf); // expected-warning{{Call to function 'wscanf' is insecure}}
fscanf(file, "%d", &a); // expected-warning{{Call to function 'fscanf' is insecure}}
fscanf(file, "%s", buf); // expected-warning{{Call to function 'fscanf' is insecure}}
fscanf(file, "%4s", buf); // expected-warning{{Call to function 'fscanf' is insecure}}
fwscanf(file, (const wchar_t*) L"%s", wbuf); // expected-warning{{Call to function 'fwscanf' is insecure}}
sscanf("5", "%d", &a); // expected-warning{{Call to function 'sscanf' is insecure}}
sscanf("5", "%s", buf); // expected-warning{{Call to function 'sscanf' is insecure}}
sscanf("5", "%4s", buf); // expected-warning{{Call to function 'sscanf' is insecure}}
swscanf(L"5", (const wchar_t*) L"%s", wbuf); // expected-warning{{Call to function 'swscanf' is insecure}}
swprintf(L"5", 1, (const wchar_t*) L"%s", wbuf); // expected-warning{{Call to function 'swprintf' is insecure}}
snprintf("5", 1, "%s", buf); // expected-warning{{Call to function 'snprintf' is insecure}}
memcpy(buf, wbuf, 1); // expected-warning{{Call to function 'memcpy' is insecure}}
memmove(buf, wbuf, 1); // expected-warning{{Call to function 'memmove' is insecure}}
strncpy(buf, "a", 1); // expected-warning{{Call to function 'strncpy' is insecure}}
strncat(buf, "a", 1); // expected-warning{{Call to function 'strncat' is insecure}}
memset(buf, 'a', 1); // expected-warning{{Call to function 'memset' is insecure}}
}
void test_deprecated_or_unsafe_buffer_handling_2(const char *format, ...) {
char buf [5];
FILE *file;
va_list args;
va_start(args, format);
vsprintf(buf, format, args); // expected-warning{{Call to function 'vsprintf' is insecure}}
vscanf(format, args); // expected-warning{{Call to function 'vscanf' is insecure}}
vfscanf(file, format, args); // expected-warning{{Call to function 'vfscanf' is insecure}}
vsscanf("a", format, args); // expected-warning{{Call to function 'vsscanf' is insecure}}
vsnprintf("a", 1, format, args); // expected-warning{{Call to function 'vsnprintf' is insecure}}
}
void test_deprecated_or_unsafe_buffer_handling_3(const wchar_t *format, ...) {
wchar_t wbuf [5];
FILE *file;
va_list args;
va_start(args, format);
vwscanf(format, args); // expected-warning{{Call to function 'vwscanf' is insecure}}
vfwscanf(file, format, args); // expected-warning{{Call to function 'vfwscanf' is insecure}}
vswscanf(L"a", format, args); // expected-warning{{Call to function 'vswscanf' is insecure}}
vswprintf(L"a", 1, format, args); // expected-warning{{Call to function 'vswprintf' is insecure}}
}
Reference in New Issue Copy Permalink