From ab7270e3089a12dde3f107610bdfc4fc145fa47d Mon Sep 17 00:00:00 2001 From: Daniel Kroening Date: Tue, 24 Oct 2017 21:51:05 +0100 Subject: [PATCH 1/3] check taint on sinks _before_ the call --- src/goto-analyzer/taint_analysis.cpp | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/goto-analyzer/taint_analysis.cpp b/src/goto-analyzer/taint_analysis.cpp index 212f8aab981..44dd30a0c72 100644 --- a/src/goto-analyzer/taint_analysis.cpp +++ b/src/goto-analyzer/taint_analysis.cpp @@ -67,7 +67,7 @@ void taint_analysist::instrument( { const goto_programt::instructiont &instruction=*it; - goto_programt tmp; + goto_programt insert_before, insert_after; switch(instruction.type) { @@ -164,7 +164,7 @@ void taint_analysist::instrument( code_set_may.op0()=where; code_set_may.op1()= address_of_exprt(string_constantt(rule.taint)); - goto_programt::targett t=tmp.add_instruction(); + goto_programt::targett t=insert_after.add_instruction(); t->make_other(code_set_may); t->source_location=instruction.source_location; } @@ -172,7 +172,7 @@ void taint_analysist::instrument( case taint_parse_treet::rulet::SINK: { - goto_programt::targett t=tmp.add_instruction(); + goto_programt::targett t=insert_before.add_instruction(); binary_predicate_exprt get_may("get_may"); get_may.op0()=where; get_may.op1()=address_of_exprt(string_constantt(rule.taint)); @@ -191,7 +191,7 @@ void taint_analysist::instrument( code_clear_may.op0()=where; code_clear_may.op1()= address_of_exprt(string_constantt(rule.taint)); - goto_programt::targett t=tmp.add_instruction(); + goto_programt::targett t=insert_after.add_instruction(); t->make_other(code_clear_may); t->source_location=instruction.source_location; } 
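Review bot: In the SINK case (the @@ -172,7 hunk) every sink check now goes into `insert_before`, which is only right when `where` names something that already holds its value before the call. If a sink rule may use `"where": "return_value"` (the taint.json added in patch 3/3 uses that value for a source), the `get_may` assertion would inspect the call's left-hand side before the call assigns it, so a real flow can be missed or reported against stale bits. `where` is computed outside this hunk, so this is inferred. If such rules are allowed, select the list per rule, e.g. `goto_programt &dest=sink_on_return ? insert_after : insert_before;`, where `sink_on_return` is a placeholder for the rule's return-value test, and add a regression case for it.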
@@ -208,11 +208,17 @@ void taint_analysist::instrument( } } - if(!tmp.empty()) + if(!insert_before.empty()) { - goto_programt::targett next=it; - next++; - goto_function.body.destructive_insert(next, tmp); + goto_function.body.insert_before_swap(it, insert_before); + // advance until we get back to the call + while(!it->is_function_call()) ++it; + } + + if(!insert_after.empty()) + { + goto_function.body.destructive_insert( + std::next(it), insert_after); } } } From 29bc3b8ce21f3f94545e84f144ed934c44a318ae Mon Sep 17 00:00:00 2001 From: Daniel Kroening Date: Tue, 24 Oct 2017 22:29:01 +0100 Subject: [PATCH 2/3] custom_bitvector_domain: allow objects that are members --- src/analyses/custom_bitvector_analysis.cpp | 76 ++++++++++++++++------ src/analyses/custom_bitvector_analysis.h | 7 ++ 2 files changed, 64 insertions(+), 19 deletions(-) diff --git a/src/analyses/custom_bitvector_analysis.cpp b/src/analyses/custom_bitvector_analysis.cpp index fb675b77b20..a0d835dd865 100644 --- a/src/analyses/custom_bitvector_analysis.cpp +++ b/src/analyses/custom_bitvector_analysis.cpp @@ -84,6 +84,19 @@ irep_idt custom_bitvector_domaint::object2id(const exprt &src) return '*'+id2string(op_id); } } + else if(src.id()==ID_member) + { + const auto &m=to_member_expr(src); + const exprt &op=m.compound(); + + irep_idt op_id=object2id(op); + + if(op_id.empty()) + return irep_idt(); + else + return id2string(op_id)+'.'+ + id2string(m.get_component_name()); + } else if(src.id()==ID_typecast) return object2id(to_typecast_expr(src).op()); else 
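Review bot: The re-synchronisation loop `while(!it->is_function_call()) ++it;` in the @@ -208,11 hunk has no bound and depends on two unstated facts: that the original call sits after the inserted instructions, and that none of the inserted instructions is itself a call. If either stops holding, `it` stops early or walks off the end of the body, and `insert_after` is then spliced in the wrong place, which silently changes what the taint checks cover. Assuming `insert_before_swap` leaves the original instruction directly behind the inserted ones, counting is tighter: take `const auto n=insert_before.instructions.size();` before the swap and use `std::advance(it, n);` after it. Note also that `instruction`, bound to `*it` at the top of the loop body outside this hunk, refers to the first inserted instruction once the swap has run.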
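Review bot: The new `ID_member` branch of `object2id` gives every member its own identifier, `compound.component`, whatever the compound type is, while `assign_struct_rec` in the next hunk (@@ -209,6 +222,49) only splits an assignment when the followed type is `ID_struct`. For a union that looks like a gap in both directions: members that share storage get unrelated identifiers, and a whole-union copy falls into the `else` branch, which does not visit the per-member identifiers, so taint recorded on `u.a` may not reach a sink fed from `u.b` or from a copy of `u`. This is inferred from the visible lines; unions may be handled elsewhere. If they are not, record the limit where it arises, `// NOTE: union members are tracked as separate objects; taint on one member is not seen through another`, and add a union case next to taint-member1. `object2id` starts and ends outside this hunk.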
@@ -209,6 +222,49 @@ std::set custom_bitvector_analysist::aliases( return std::set(); } +void custom_bitvector_domaint::assign_struct_rec( + locationt from, + const exprt &lhs, + const exprt &rhs, + custom_bitvector_analysist &cba, + const namespacet &ns) +{ + if(ns.follow(lhs.type()).id()==ID_struct) + { + const struct_typet &struct_type= + to_struct_type(ns.follow(lhs.type())); + + // assign member-by-member + for(const auto &c : struct_type.components()) + { + member_exprt lhs_member(lhs, c), + rhs_member(rhs, c); + assign_struct_rec(from, lhs_member, rhs_member, cba, ns); + } + } + else + { + // may alias other stuff + std::set lhs_set=cba.aliases(lhs, from); + + vectorst rhs_vectors=get_rhs(rhs); + + for(const auto &lhs_alias : lhs_set) + { + assign_lhs(lhs_alias, rhs_vectors); + } + + // is it a pointer? + if(lhs.type().id()==ID_pointer) + { + dereference_exprt lhs_deref(lhs); + dereference_exprt rhs_deref(rhs); + vectorst rhs_vectors=get_rhs(rhs_deref); + assign_lhs(lhs_deref, rhs_vectors); + } + } +} + void custom_bitvector_domaint::transform( locationt from, locationt to, @@ -226,25 +282,7 @@ void custom_bitvector_domaint::transform( case ASSIGN: { const code_assignt &code_assign=to_code_assign(instruction.code); - - // may alias other stuff - std::set lhs_set=cba.aliases(code_assign.lhs(), from); - - vectorst rhs_vectors=get_rhs(code_assign.rhs()); - - for(const auto &lhs : lhs_set) - { - assign_lhs(lhs, rhs_vectors); - } - - // is it a pointer? - if(code_assign.lhs().type().id()==ID_pointer) - { - dereference_exprt lhs_deref(code_assign.lhs()); - dereference_exprt rhs_deref(code_assign.rhs()); - vectorst rhs_vectors=get_rhs(rhs_deref); - assign_lhs(lhs_deref, rhs_vectors); - } + assign_struct_rec(from, code_assign.lhs(), code_assign.rhs(), cba, ns); } break; diff --git a/src/analyses/custom_bitvector_analysis.h b/src/analyses/custom_bitvector_analysis.h index 55d5d444af8..4896d768cb7 100644 --- a/src/analyses/custom_bitvector_analysis.h 
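Review bot: In `assign_struct_rec`, the pointer branch declares a second `vectorst rhs_vectors` that shadows the one computed from `rhs` a few lines above, so the same name means two different bit sets within one `else` block. Rename the inner one: `vectorst deref_vectors=get_rhs(rhs_deref);` followed by `assign_lhs(lhs_deref, deref_vectors);`. The pointer test also reads `lhs.type().id()` directly while the struct test goes through `ns.follow`; using the followed type in both places would keep the two checks consistent. A one-line comment above the function, saying that struct assignments are propagated member by member and everything else through `cba.aliases`, would help readers of `transform`.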
+++ b/src/analyses/custom_bitvector_analysis.h @@ -96,6 +96,13 @@ class custom_bitvector_domaint:public ai_domain_baset bitst may_bits, must_bits; + void assign_struct_rec( + locationt from, + const exprt &lhs, + const exprt &rhs, + custom_bitvector_analysist &, + const namespacet &); + void assign_lhs(const exprt &, const vectorst &); void assign_lhs(const irep_idt &, const vectorst &); vectorst get_rhs(const exprt &) const; From 3dd7f6c0e0c86a0d7d12d6d17c124ccfc49568b1 Mon Sep 17 00:00:00 2001 
From: Daniel Kroening Date: Tue, 24 Oct 2017 21:37:18 +0100 Subject: [PATCH 3/3] first regression tests --- .../taint-basic1/main.c | 16 ++++++++++++ .../taint-basic1/main.o | Bin 0 -> 6096 bytes .../taint-basic1/taint.json | 6 +++++ .../taint-basic1/test.desc | 10 ++++++++ .../taint-copy1/main.c | 13 ++++++++++ .../taint-copy1/main.o | Bin 0 -> 5519 bytes .../taint-copy1/taint.json | 4 +++ .../taint-copy1/test.desc | 7 +++++ .../taint-member1/main.c | 24 ++++++++++++++++++ .../taint-member1/main.o | Bin 0 -> 6289 bytes .../taint-member1/taint.json | 4 +++ .../taint-member1/test.desc | 9 +++++++ 12 files changed, 93 insertions(+) create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-basic1/main.c create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-basic1/main.o create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-basic1/taint.json create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-basic1/test.desc create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-copy1/main.c create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-copy1/main.o create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-copy1/taint.json create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-copy1/test.desc create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-member1/main.c create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-member1/main.o create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-member1/taint.json create mode 100644 regression/goto-analyzer-taint-ansi-c/taint-member1/test.desc diff --git a/regression/goto-analyzer-taint-ansi-c/taint-basic1/main.c b/regression/goto-analyzer-taint-ansi-c/taint-basic1/main.c new file mode 100644 index 00000000000..5d06a69c547 --- /dev/null +++ b/regression/goto-analyzer-taint-ansi-c/taint-basic1/main.c 
@@ -0,0 +1,16 @@ +#include + +void my_f(void *) { } +void my_h(void *) { } +void *my_g(void) { return malloc(1); } + +void my_function() +{ + void *o; + + my_f(o); // T1 source + my_h(o); // T1,T2 sink + + o=my_g(); // T2 source + my_h(o); // T1,T2 sink +} diff --git a/regression/goto-analyzer-taint-ansi-c/taint-basic1/main.o b/regression/goto-analyzer-taint-ansi-c/taint-basic1/main.o new file mode 100644 index 0000000000000000000000000000000000000000..eef88d71225af839feb707d2ea58a4b15a4b1df9 GIT binary patch literal 6096 zcmbtYYj_mZ89rym02!i71Y5a?Xq47!NERYOv?;n9FD;IjsamUb-0aR~M|Nl8?5-r* zDi<$Ey;Q9hDWU@59^@vVNY%Dl5VxhZv8@)ow5W&>66nQNq3<_mc6S0U{^&jr580V> z-uL}(=ljmyanS`A%A;7K#Wt;s;V_L)Fj6gSi-j;~343kxoNGO|zY` zt0Pt<*>%rM~{OOsb{6-Z3&+$I@?!B(sK|iX`Ed z(?GPh@rz${${~nYUUqCkJ8nWK5Fko*;DEc7F+@}bSMLKp2ySoR1XpkT}VTJ;mi$pu*mWUHc z8HjP3eT8XXoy`jmm@1!`&;|-IgW#w^p{IEjJZb0_wy?oF8(HXnxypq8*NRuHS zlFCFuB}^sip`SEH?Nkd=B*xgFedNppEZ7(Bl=p?%h++NGX0v6)nr

PkL7xGaCD5 z%2iR@N@pTgh7I2?!Kb0;j;V_3u1P09A&EUYLJgJ?An?|z@+tiY2CGkIYS;}7JN4Oy z+M|C6KTriPoi@MWyr!&~%$Qbn#EB-%3^Fq77}e>FgDgxpz<&cz?@&f#ha0ZYR^b&k za+VTAa{L0I&ZoE?WL+I*N6DR6sT1S@JaKNU9PI*%Ut39!D(1(pVzOzw8 z@oNd~>tw0BZkA4Z#*nT6A=gSA|PjyRCVB4%aqYnP;TB-Z|0F$jEX|H<4hYh z!n9&WE7NKga3Nmzd8yWjI8LOEX+f8ZD3}^go3|QlbfYSdp{ITEwC>5gtCKb=RQOvB zpZ&s@dGt&C?Yas98vA*9DiXER5^^44)3D`rM43uy(!^*~%th!+XOi)U3F)&0R*q-Q8_iD3P9yAnLd z&w9zaQmiQ>g+8F$Ert`ZV!E4{Ild0`>xlk41%oCE=u6*`f@A&A6W5l4jwEs3q;P7% zp0xm6OMt2XyzDjQsP^C`*>kxdy<(mcq!vNthjU;gyL?S4(zw}b#PqoB=<%c-A?h`t zUPIJZdeotSCSboiR|!%>D8Oo~O2N{hKu1az?T!vn;I0DhD#E==;9kA**pen8JoF)x zt`XcLi>%jllwyt9*`}nSi%y#39boJr#_xHIp}@5Q?TjMYwaZGOc~eFKZW-W~5#09+ zaMuaA>mN~irO$OsOJTZ)RsO^(ATI^-QbPWLK)#{9v}@oN@(#I17wr9u#^{Sn5xW7& zJ7zKX7K87`gcg|)3N!%+?LPXLLMO=JSP!+r!YJgO;^MSvVwFt?{IBclgZ1^)HTH*X z)+rwdv$KX71^>i_!U08v@r9)n9^sXRP`MB)n}=X>NI<74bYAZt6mDYb9?3{1&6c#8 zX2anXlMOX{!a3f9KHfupe3Fop>^O>3MZ%F&Q$q6aqU6+qQj*bi3Nc&&wF@YQmY};V z6tD$U%Tr2_#+yRf*sDtcPIkkTIjnM419~-}Pr11O?EpG`s9cN$)ie{tVkS+lVi3qI z??1NJG3s>mFE)S2&f@Gu*G$n^hC1nwI_b~G4a<6-3I#CpP#>Q>Rl(3xRDMf)N#(Xv zI1SsOw;g(0%bIK(6KvZ#mYp$f&PI|q-N?vU?b+7vz;?eADjtQZgnVSPY-EqaYvS?Um5 zVb)eSY1kv4SwH1Vk5aSlIp~`8sAtw={2`@Rvwf5=DP>hUVLK=^Uj;9LO-rbPf9BCA zLxEWya>tVQGz|infA0>9rJj( zd#+EFs)#gZ#MyklSEi{(#|6ffiP%Y~papzcNEh=C-LG&#raNk-v<+82x?X~58}F32 zaWq?pkc@uAw{qFGBkvzGFC6~WrW>}uz137=n4to|0W#lUSL>&{5? 
zD>~)*6|8n1uUtkb%X#kn-WUD0bd7s4!+*jgap|AS-DvKWbFj5j-Yc{FUXnUc|0}32 zpYar}0SVQnA!4rxZ zwT3S$l~Htn7Fx_AZN?jrGi&F7^12L}^QrGeQKB?X$n=~Sm z5WD@5x*t-XLqR|9#_tToZzG>mj9>nu7k>fO?iTqbkN+2ZyD}!x&d*sZ z5wMl+0q`4S{bmmx#k|E6`5J#+8B^#ngzgse7M}Czwv5({E)Gjk(K+bNLGM=N!RwR< zIS=l){3E5VP(#H$!2913`Bsq!IljvWkCdhQjfgXN7qE8$dz*V&{2mN{Aci-H0W)I% z;_T)A8br_Cj)gylzQMaOcXgwocB7%b$SeQo>FVTrmAZV3>+*4X-Q2rHb%DDJ+{e)P z$)tW=;Xv7&q`OrO|B1iKGfvi^>*pbS0*w6`66L?}AxxddeZTg+g_h1(SNLsD@&I-4 zTcY60-{kqd?r%L(zkT6BV8}oGs{jPtcKiy&*uL-%590)N@b)jlXl8xh;X|}{`S^5O zstL1>DwCS`co!xO5~p5(pNcYud#ih&UlcQP7#LfBx9*a25SwcxO?L*|!M_w-B=3MUH@Kkvo&r|N=k^J$Uee{oNC8@;Rvo>-%Z@X~*r@@fMaG@Z$3z$F)TqsP0b@|KKt0pG9a| z=z7wN$u6 zHy!lQTY8H>L~FKD7F2`+2L-S;MT+^vV`oqJpdWmyM9!He`NU6`M9p5&8~#oyrrkyB zgxf=b>C)l8!OouWbjjzNy8(Ysag!%y4_q|EW4ScXf~_+oUuN7Zxn&A-V(u$n75)!R Cp%bkD literal 0 HcmV?d00001 diff --git a/regression/goto-analyzer-taint-ansi-c/taint-basic1/taint.json b/regression/goto-analyzer-taint-ansi-c/taint-basic1/taint.json new file mode 100644 index 00000000000..dc9129a43a8 --- /dev/null +++ b/regression/goto-analyzer-taint-ansi-c/taint-basic1/taint.json @@ -0,0 +1,6 @@ +[ +{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "my_f" }, +{ "id": "my_g", "kind": "source", "where": "return_value", "taint": "T2", "function": "my_g" }, +{ "id": "my_h1", "kind": "sink", "where": "parameter1", "taint": "T1", "function": "my_h", "message": "There is a T1 flow" }, +{ "id": "my_h2", "kind": "sink", "where": "parameter1", "taint": "T2", "function": "my_h", "message": "There is a T2 flow" } +] diff --git a/regression/goto-analyzer-taint-ansi-c/taint-basic1/test.desc b/regression/goto-analyzer-taint-ansi-c/taint-basic1/test.desc new file mode 100644 index 00000000000..519166e0034 --- /dev/null +++ b/regression/goto-analyzer-taint-ansi-c/taint-basic1/test.desc 
@@ -0,0 +1,10 @@
+CORE
+main.o
+--taint taint.json
+^EXIT=0$
+^SIGNAL=0$
+^file main.c line 12( function .*)?: There is a T1 flow \(taint rule my_h1\)$
+^file main.c line 15( function .*)?: There is a T2 flow \(taint rule my_h2\)$
+--
+^file main.c line 12( function .*)?: There is a T2 flow \(.*\)$
+^file main.c line 15( function .*)?: There is a T1 flow \(.*\)$
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-copy1/main.c b/regression/goto-analyzer-taint-ansi-c/taint-copy1/main.c
new file mode 100644
index 00000000000..65b8ab36cf4
--- /dev/null
+++ b/regression/goto-analyzer-taint-ansi-c/taint-copy1/main.c
@@ -0,0 +1,13 @@
+void my_f(void *) { }
+void my_h(void *) { }
+
+void my_function()
+{
+ void *o1;
+ my_f(o1); // T1 source
+
+ void *o2;
+ o2=o1;
+
+ my_h(o2); // T1 sink
+}
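Review bot: taint-basic1/test.desc runs the analysis on `main.o`, a binary checked in next to `main.c`, and nothing in the patch ties the two together; the same holds for taint-copy1/test.desc and taint-member1/test.desc. A reviewer cannot confirm from the patch that the binary was built from the source shown, and the expected line numbers go stale without warning if `main.c` is edited and the binary is not regenerated. Either let the test take `main.c` as input, if the test driver can compile it, or commit a short note beside the binary giving the exact build command. The taint-copy1 and taint-member1 descriptions also list no patterns after `--`, so they would not catch a spurious report.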
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-copy1/main.o b/regression/goto-analyzer-taint-ansi-c/taint-copy1/main.o new file mode 100644 index 0000000000000000000000000000000000000000..67438a63d97b9bfc9918660f18a79c15076d2f3d GIT binary patch literal 5519 zcmbtYYj_mZ89rxMbTb4OjT!-q)L3bim~4m$DP1WOyj91`h*~dos~pe zMXS~u_10QS5fu`yN#rJ=NEIT;#qGrwwY5a8y@*Jy^>3?vzd5tB8|dN>_j!08GBf9W z-|s!&_nmL%&I_iWA3lqvJ8aW(4Tq_Gnvv~ryOPcw|{uq_YTM6&sVFU4OmlpiVly`>Bv7Onb)vhH?$4I!g z)5VVdysBYl&Tw)KvmM*8aI>MqvD=-7L|Zmd-)_1Mj?wNIxg6*l+HKda*DXEMb(`VT zyWn^6XU?ooG>AVEc1Kr?;ivTQIcCyLvt!;5O=@O{CBz~j%git(>~?h+tO^f>UMm;a z(h_TFv717s7YD6DaYDPRJO`=GLA)=!_u4Cw4q2o$K5YMt}?31#~uuK=#HK>uroP! zJW~#aj7-Mt$eB4-voA!k($W+5#S?b60~?cMY~(<^zz5=c!vk?P?!?jHItlo-0{`T@ zq^6!yl|bFG%VLl znMj~^h9Y$<}sBI86Hj*>jEhE`>D{a)N?}a8pll)+~E@4|a zSGQbNBfoG|T|&4s?x~P?T*H1N;IGdJ9#g`nMF;^;k7G*ft$HSJu)62tjYs~$HaU7a z4Ee^A_|&$%nQ=|4UUw2{(?we59iu+yI!MJ_99Gqw(I+)wg|{K{9^nNWKVOQ$0(SbA zxTeXMUwPTpGp^LiAv9&?C6{PsPD85NhbS>9!jKj z2YABw38YP_sb3{EfkdRj**m$OOj0Rmc8aMD<4h}QbTYNEn+vsCnJqCxcO1QosZAai zQ7|QyGjB84#2HGsnXVp#tLHpj^fqIoE``BL>!g>y%)&1**z*QEa_)btvUL~M z-MlU%_Na!blSzltI%V%yqk<5!E!>2EEorrh0%L5#=1SWFEd{YO}D6CG+Q{2^cb zSlHA}m13YgLlm13#U?~Cb_QgfrnJ_{(ep(Z7c7%v$gX0_j%Vj@tb}D)NmI8hq!kc1 z0&ycDUMLVRnqPgyjgFD|a`a-s`n?`0c5XTA#TzQIW{oVmzh-wBj&3D2FEI;z1L!vp z{Ut#_mkMa*-B65rF6|3ya6G$oeI;l;gWi%wS3*4N0l1z3FB5>5@0N}jkC#kx^a??G znf3^%uXYzrEEt_Wo(_O*MWK+QL8?+9KA}w&RitLCYHlqwWbm*H3jM+ zc^q=oFoC-UxN8XaYJq#r>Jb$~!uHUQw&+^HJ-+1NwSARXlXku>V`$<4E$}`t_7UUv zeMUKYoj|+(32DfFU$?Rnq}N@FEha!-3FMVPz9FsNI8Bbu0xFKz8c}_sE@!dGthc;l zH8@ua{7tN5toP`#nox98Ph}4fKiNPY=t6bdJZZ?T>dPys_Utd(upFez$%aH=Ls9@5 z_ew+dGr6=9;9(9d1?W-&O$pHUz9U2;wv!@B3u57vR}bm#N}TBFf#Kbt>n1u=&|NM^ zZx&FqpOIoTcmxG@^V&*)b39wzL-KMhpw|NWv`he<1+?`=l{jJR>4;4xO&SfwxoY?eLwFqqhj@CznLu(o<2i?F4P62U2?= z)fv`i+Zo1k=UTRF+>+NbOmzeGc~Y;`-1;x6c}TjbbNoke;5c$L&+?y2CD~a$gK3$( zv5Yww2{#M=9 zOsEKg!8|y$BR>#8Km4cET-?Y{$`E{Eey9BefEHwwY{9w4o zpGR>2ZjP|;P+EV)-{myg;Lx4R4<1fnx7~~x3Nar9#X(Tq!_(@$93=PoBtPaKO3lGQ 
zRU*Ot`-$WpPAu#`zP}7TX?Vu!uGa+j1A9NP9{~1)g#D0@{V@Nx)EpcXC2ZWEN7xSt z?1%VgW!U~R;*dxS5mlxvh#LCGycvMoch zJ<4ekzflN7lrJN`ZlBu8b&$(%(Ov}W}9A+&!I^TEc7kr;I zu~>TG#P!I0K6scVP%sF}L5VeuiPXN0*NUL?F7VCyC0}`jj^(vpulFwW9UM_|a3Nn& z$-!LOcFn=3i!=-0&Yt08 zsQMCm&SmPeJ`sB4V&AtVe5W)q$XpsjlE#|w*taHUhm*>b+5y3}tv%nk#Cf8HB+mQ?QzFR5mY zD^V7!s4RMYtUmsc)J*SvUVAT<1@89~^GZ<`z5GB~ASk({7L@Y=gmQq&;yGXHHF9*d zzX4~KHefYhRcQnK4-7$NtilegqAgwHBd+DoRh+B+QO3)qbw2HSzCfZ$y2QSY_g7-~ zTIC^=O+OU$L&5W?CPztaK*4x*veCEgR1X;if(wz2d{3D@vHtr=qaj<1x^03Gj zAM^}QTYniq@%0aNBZ^+jQ-T$EKfwBF>we`MjoNwH_wW_IP>KbaK`H$*UtP(=;>lke ziB`kE)m{y4MGkNC(NQo1zQ|Yk>(a#FJP8VBfEUViTSlj=l~+vxdJE7Srq4$#w4I08 z*7&SpI|$!VT3_Qkxa;6WAHOf~i!!zoriXX&(M-9Umwl1gjRwlFb`Qz%Cd*N~x#wHe z4qjYK-zutc)uBKak)D zC7}F{G;aw8s1CF8~lQ#k-!u}HwWU?$Cfnw9yr^%`UgHm2|vmKvYX4% zy}pd=i{GEbTjQHNsXOg?g3K}XEm|UIX@&O)gb?%FTrVos5;#+d7?}88#7CB>{|M?o z5ePZ@4#zhz`hq49-hhe_7KF;A{u$5jD?Kkq2Ys32hsu1nT-cxxMkLeU;}_}p$k%R> z9xNV+5AqQuJ?{%E{zA)7^fpC~e&AEQ!iRGFl_%A|m23In5CgoW1Mv^a1O7V*{!v=w uhx#GEkh&mg+V8W?ERsRuejY7J{0ImKO5p_v-qJ&!{W!?3VIE9bI{ptNU{b^Y literal 0 HcmV?d00001 diff --git a/regression/goto-analyzer-taint-ansi-c/taint-copy1/taint.json b/regression/goto-analyzer-taint-ansi-c/taint-copy1/taint.json new file mode 100644 index 00000000000..44a841f0cc4 --- /dev/null +++ b/regression/goto-analyzer-taint-ansi-c/taint-copy1/taint.json @@ -0,0 +1,4 @@ +[ +{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "my_f" }, +{ "id": "my_h", "kind": "sink", "where": "parameter1", "taint": "T1", "function": "my_h", "message": "There is a T1 flow" } +] diff --git a/regression/goto-analyzer-taint-ansi-c/taint-copy1/test.desc b/regression/goto-analyzer-taint-ansi-c/taint-copy1/test.desc new file mode 100644 index 00000000000..af2d62eb456 --- /dev/null +++ b/regression/goto-analyzer-taint-ansi-c/taint-copy1/test.desc 
@@ -0,0 +1,7 @@
+CORE
+main.o
+--taint taint.json
+^EXIT=0$
+^SIGNAL=0$
+^file main.c line 12( function .*)?: There is a T1 flow \(taint rule my_h\)$
+--
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-member1/main.c b/regression/goto-analyzer-taint-ansi-c/taint-member1/main.c
new file mode 100644
index 00000000000..5c372777154
--- /dev/null
+++ b/regression/goto-analyzer-taint-ansi-c/taint-member1/main.c
@@ -0,0 +1,24 @@
+#include
+
+void my_f(void *) { }
+void my_h(void *) { }
+
+void my_function()
+{
+ struct some_struct
+ {
+ void *data;
+ } whatnot;
+
+ my_f(whatnot.data); // T1 source
+ my_h(whatnot.data); // T1 sink
+
+ // via a copy
+ void *o=whatnot.data;
+ my_h(o); // T1 sink
+
+ // copy entire struct
+ struct some_struct whatelse;
+ whatelse=whatnot;
+ my_h(whatelse.data); // T1 sink
+}
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-member1/main.o b/regression/goto-analyzer-taint-ansi-c/taint-member1/main.o new file mode 100644 index 0000000000000000000000000000000000000000..209a3a0924abf8ccede4e6829cdeacce84e7a3b6 GIT binary patch literal 6289 zcmbtYd3+S*8UDUmux5ZP8m%0)rA_Y|lMRten^Y zP!tfXS3U3+!cF9oL!??;Er@ArHLWcb)LtTDSV25WrO!Lx?Cu1*_(%8mOMbsOzUO)0 z=RLmnn;Xs@cTT8=4T(8%lc|TfYi4t9%Y;Q^M65C+EgYJ>|rVtmW8D zVoW_TVWmtKdZsaLSoY~L+^I@gw#oX;k{fU_IFYks-phS)wWIG8$DL%^t$N&Y%~;lP z+u3oSR@7daG2Kk6Zv|8C(*KBpoOa_d#txnddF>E8%ex2#o zWI>t5WyY$B)ryO>nQk%N2*Xd^8EP|JBW-2@&OXPq=J4$>cYs5ini}OZ2Ba#;aS5jH%neV*U0sRU5Wr*WvlRP_-2|?W~os0MLJLQ@UMG zju}&UE)WLnZ;CnTHmDS5OxhQvcUTuEx!AsFcSym1HmvgajMZwJ@s`O9W`y66hSy{H zoKSVlu`^l2&a#28OK?ls)TcTo0&~Jcl31g|0r-0&c>H(OP}T7SgSSs$YIL%Z%9-q> zCmZXI{UiMF$%yIa7c`#LlCx4-%dRopSklTOSUK0M$z)vwDANdat4>)d*JA~OdK^=> z3ys*I`{W3uVJB~C)OBUT#EUL#ny3dMboJ8l<8>>eBY+Nc*wWY?+S17C1}C*4Wb@FS z(kRdKfiV6HcS^CO;ZiU=xU7UvCEL`hFD{qsLE+L>1EaS;Vm6B+9|lYO;G4SkL7%DDUWM+(}e9Av8ySdD(;>Cckz zGX(auK}5d!pNg~*b223OsmhDIIwfK>kZIo{JJjg6XEq%h>$9JdY@urWeJ80^lVgmX zy186fU`rR@j9_d=Fit}-gyJurv&)~&Ic(D;)RE~gIRciDkB|K8NF>0|KL3R~V zb`Tr6p&XWJ$1TIQkyb$50K^T1I9ec%xv&2*<&V@+dkCK?SkLN^BO`;XXRa^DiuQ$` zs5@<@YuIt!OUy359`x&p{<}qo8U^(Cc1e*DLFmSH<)Doe8cZ793jVAE;5q^vD*(@a zQ9hA1D!NE6mnGp;8bS5KrIgQ(YndM!~$eQG7#Bw){ZSdI)2 z!Zxig2TM(XdPokfpSmV+R|9u7;hrmS&s#O1tV;+F{m7;B1^1v*N}Rv49BbUkwWLg4 z>=9jjB^XzN@q(oG{jo}TJdi?a)miG`3-i?EiyNQcr$jyBt!lAHG3}z!nf7#xlR||~ z7_H9WfxYD713`!}VjoRT!Mw&SfB z@70nTx+JMx3Y#wz0E0>ZUYo`32RLn7j*WZ~``+dE_KzD`gJ=cF_>YbvqJI8i)M4GB zkD~0f${+ZVP{LOTm4A4b+^Y_*SXNGIuj>|CZ&C4OP<$B_pU^DX7RlC^T`4@cYQ7wy zy~r2hV6=;W5H0xK9Xd$n{79Iica%>IBn9OLIeE1(*_bEyO7*Lklr!1O$wF={fu&1e zY0DhigeY9bn=7;y11jDdixYMRdm5HMMt-_h)Ou1KqwJs{>%u&)WfY)0D29e ztDGWq8=$W}Tp>oD8k%|Haf^mlG3dA}`i7?&moe0pEYEh7wcK%w&A$WocEH}reOny#3N~dVYT3LtXQY@mwdg`S zxu8~Ew@+^9m9N^5{a27yla+8gYtPFi+tWr0!#oLOn^Q2R(P-4g^Ky46FSELz48c+0 zr(>1y^#Dg}yWtL*_L{+c{bsW>G>tQLuVkiDR$Io(uz`s9^=!cPd8B3@shP)MJDpb) 
zy0n;WF~-fnGP2fBi|JA|&Ej!0!EWT!0_M^7r&HhB)aNGts8qng0i-ySHP7_1ZszaF z4TZ$$34r)M`deuaeCvU4w{UW97KeAU2?6dUgPzUdOuLoO$AmMNC$(90Hh|%HmHy#G z&=14^JpL|C{E6NZKi(NIoA-Fl5n}d0haTu~8(@A$bhrBk-@)IN8;a#PCp6HXaq;|4 zj-cJf)#zP(7pHj{liclm@6k>AZOc5~~Y;-JxkRoBOQvC^xmocm={b6xsDSf3TEYg%d|&0soX+cEYkP z9DgyCE8&H{=N=>=n+kd;m=cg2QN!GlKe{$3&PP?X=%1|r& z*xN$Ai|)`Tw1+PDow!B`ukh_#$?uU1M*|!K2eB1=MOiD+Cj%4I3YfS8CU$y(pmWzv zoISyZQa6YhnJm**`F!aAt9|X)@U8OjVn!388tUY1HQyGHKbv$-Bd%LC8E!)aw#jVN zT91X!#OwIOrErV0-IIK%w!TER!6)0uAMYQjJA!R3XB+r}{-rkBX0@3(W#+uudO`p0 z(1QM~ZWGGoDJqxEKGxIx9l4>n0hG!G&$kfsCQ&Y%`JR9yD8;y5Eb~2ZWe=6hFMLza zQ^L>qaTr?4lV|wyauM*qb`&dSIYO`;A*g)TNBkv!qU<5gpPRk(e9ou6szm!7?<_~_ zb?hVN=T1;}g8Ek|#mQ>o*QhqH$e#E03VXpg4U%GU)DsmLuHk?Zye5sMV z=%)~Z=cN&A-tM!U;u+f+KrDQ9Kv9YoqUR{px_BqhJ1K}S`I4iUx_mW%%O8{@#T=pJ z?&7P;iCUO%3Pa~A2)fEEr{5u)fA6ECbYAw2`~!bU9$wsXily^1?+Vy$n^UuTuztE= zZx`$h(O$=-SGdG_qO*D5SBYS<8tvvUaLl+SHYs)(zc6EeL>NMU;zJlZ&uiEM8CLw6 zj1b%GYur<-;#FQ);C&PW^uDMB+``?z2pE9uz!QcKWqE^atmz$tcky%MW(*S*JpFJaBw1WStU;7WM6Z;ajBn0I(w+XEBc4VbX|2owD4q6r>YKDs+dxfhi05yl1J z>)|-gc?Voi!Cjyq4;#k^1l#Amuc<=gJU`#S_u5vQ{PA8LQ1a$|;m!V_HwS!gM)mgQ z19)?=WQ7twaD;kv2bLTNn*Jg1KcYoTDR3WShl3Hc_Z5xDMLxQW2h9HjYyKTrql6Fn z7X61mA=gtu`X@^f^H1qrKd}xKq x7i<8=Y$;p{*&JZpN*E#=iV)t~Bi@~hcjwW&o;=5V^)|`t5{S};9%G;%{1+B%P;&qP literal 0 HcmV?d00001 diff --git a/regression/goto-analyzer-taint-ansi-c/taint-member1/taint.json b/regression/goto-analyzer-taint-ansi-c/taint-member1/taint.json new file mode 100644 index 00000000000..44a841f0cc4 --- /dev/null +++ b/regression/goto-analyzer-taint-ansi-c/taint-member1/taint.json @@ -0,0 +1,4 @@ +[ +{ "id": "my_f", "kind": "source", "where": "parameter1", "taint": "T1", "function": "my_f" }, +{ "id": "my_h", "kind": "sink", "where": "parameter1", "taint": "T1", "function": "my_h", "message": "There is a T1 flow" } +] 
diff --git a/regression/goto-analyzer-taint-ansi-c/taint-member1/test.desc b/regression/goto-analyzer-taint-ansi-c/taint-member1/test.desc
new file mode 100644
index 00000000000..0c71bfa735d
--- /dev/null
+++ b/regression/goto-analyzer-taint-ansi-c/taint-member1/test.desc
@@ -0,0 +1,9 @@
+CORE
+main.o
+--taint taint.json
+^EXIT=0$
+^SIGNAL=0$
+^file main.c line 14( function .*)?: There is a T1 flow \(taint rule my_h\)$
+^file main.c line 18( function .*)?: There is a T1 flow \(taint rule my_h\)$
+^file main.c line 23( function .*)?: There is a T1 flow \(taint rule my_h\)$
+--