I am trying to run the Clang Static Analyzer (version 3.8) on some of the examples shown in its documentation (https://clang-analyzer.llvm.org/alpha_checks.html#security_alpha_checkers).
I created a small C program, as follows:
// note: requires alpha.security.taint check turned on.
void test() {
    char s[] = "abc";
    int x = getchar();
    char c = s[x]; // warn: index is tainted
}
I am executing the following command to analyze the above code:
/usr/lib/llvm-3.8/bin/scan-build -enable-checker alpha.security.taint.TaintPropagation clang -c example.c
The above command generates the following report:
scan-build: Using '/usr/lib/llvm-3.8/bin/clang' for static analysis
example.c:5:8: warning: Value stored to 'c' during its initialization is never read
    char c = s[x]; // warn: index is tainted
         ^   ~~~~
1 warning generated.
scan-build: 1 bug found.
scan-build: Run 'scan-view /tmp/scan-build-2018-04-09-143549-15413-1' to examine bug reports.
I was expecting the Clang Static Analyzer to complain about a possible buffer overflow and buffer underflow at line 5, but it seems that taint analysis is not performed.
Can someone please suggest how to enable the "alpha.security.taint" check?
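The following script is an added example, not part of the question above. In the linked documentation the `s[x]` snippet is listed under the alpha.security.ArrayBoundV2 checker, and it is that checker that emits the "index is tainted" out-of-bounds warning; alpha.security.taint.TaintPropagation only marks the result of `getchar()` as tainted. The script therefore enables both checkers. It assumes `scan-build` and `clang` are on PATH (the question used the absolute path /usr/lib/llvm-3.8/bin/) and writes a constructed copy of the snippet to a temporary directory so it can run stand-alone.

```shell
#!/bin/sh
# Added example: analyze the tainted-index snippet with both checkers enabled.
# Assumption: scan-build and clang are on PATH (e.g. /usr/lib/llvm-3.8/bin/).
set -e

# Build the scan-build command line for a given source file.
# TaintPropagation marks getchar()'s return value as tainted;
# ArrayBoundV2 is the checker that reports "Out of bound memory access
# (index is tainted)" on s[x]. Enabling only the first yields no warning.
scan_cmd() {
    printf '%s' "scan-build -enable-checker alpha.security.taint.TaintPropagation -enable-checker alpha.security.ArrayBoundV2 clang -c $1"
}

# Write the (constructed) test program from the question into a directory.
write_example() {
    cat > "$1/example.c" <<'EOF'
#include <stdio.h>

// note: requires alpha.security.taint check turned on.
void test() {
    char s[] = "abc";
    int x = getchar();
    char c = s[x]; // warn: index is tainted
    (void)c;       // silence the dead-store warning so only the taint report remains
}
EOF
}

# Run the analysis if the toolchain is installed; otherwise just show the
# command that would be run. Returns 0 in both cases.
run_scan() {
    dir=$(mktemp -d)
    write_example "$dir"
    if command -v scan-build >/dev/null 2>&1 && command -v clang >/dev/null 2>&1; then
        (cd "$dir" && eval "$(scan_cmd example.c)")
    else
        echo "scan-build/clang not found; would run:" >&2
        scan_cmd example.c
        echo
    fi
    rm -rf "$dir"
    return 0
}

run_scan
```

If the toolchain is present, the report should now contain an "Out of bound memory access (index is tainted)" warning at the `s[x]` line in addition to (or instead of, with the `(void)c;` line) the dead-store warning. The `alpha.*` checkers are experimental, so the exact wording may differ between Clang releases.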