CSA: Tainted argument does not propagate

themod_1302 · February 19, 2018, 12:34pm

Hello,

I’m using the Clang Static Analyzer to find tainted allocations, so I added the checkBind callback to the Generic Taint Checker to test if the loaded “Val” is tainted.

However when running it on the following code …

int somfunc(int c) {
int d = c;
}
int main() {
int a;
scanf(“%d”, &a);
int b = a;
somefunc(a);
}

… a and b are marked as tainted, but c is not, State->isTainted(Val) returns false.
Why is that?

Thanks,

Tom

NoQ · February 19, 2018, 7:33pm

warning: implicit declaration of function 'somefunc' is invalid in C99

You have a typo: somfunc => somefunc.

Once you fix it, it'd work correctly.

You could have also noticed that via the -analyzer-display-progress flag.

Also you can use the debug.TaintTest checker to dump all tainted expressions.