================
@@ -827,8 +829,60 @@ void GenericTaintChecker::initTaintRules(CheckerContext
&C) const {
std::make_move_iterator(Rules.end()));
}
+// The incoming parameters of the main function get tainted
+// if the program called in an untrusted environment.
+void GenericTaintChecker::checkBeginFunction(CheckerContext &C) const {
+ if (!C.inTopFrame() || C.getAnalysisManager()
+ .getAnalyzerOptions()
+ .ShouldAssumeControlledEnvironment)
+ return;
+
+ const auto *FD = dyn_cast<FunctionDecl>(C.getLocationContext()->getDecl());
+ if (!FD || !FD->isMain() || FD->param_size() < 2)
+ return;
+
+ ProgramStateRef State = C.getState();
+ const MemRegion *ArgvReg =
+ State->getRegion(FD->parameters()[1], C.getLocationContext());
+ SVal ArgvSVal = State->getSVal(ArgvReg);
+ State = addTaint(State, ArgvSVal);
+ StringRef ArgvName = FD->parameters()[1]->getName();
+
+ const MemRegion *ArgcReg =
+ State->getRegion(FD->parameters()[0], C.getLocationContext());
+ SVal ArgcSVal = State->getSVal(ArgcReg);
+ State = addTaint(State, ArgcSVal);
+ StringRef ArgcName = FD->parameters()[0]->getName();
+ if (auto N = ArgcSVal.getAs<NonLoc>()) {
----------------
NagyDonat wrote:
The method `isMain` doesn't validate the argument types and would return true
for a global function declared as `double main(double foo, double bar)` as well.
Of course, having such unorthodox function under the name "main" would
presumably cause a compilation error (IIRC there is a specific error type for
this case), but I'm not sure that this preempts the execution of the analyzer
code. You should ensure that the analyzer won't crash even if the input
contains a `main` function with a bad type. However, apart from that I don't
think that we need more checking – the "normal" compiler error message is good
enough for us.
https://github.com/llvm/llvm-project/pull/178054
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
