#include <ctype.h>
#include <limits.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
/*
 * Probe hooks understood by the clang static analyzer (debug.ExprInspection).
 * They are only declared here: a normal build never links against them, the
 * analyzer intercepts the calls and prints its view of the argument.
 */
void clang_analyzer_eval(bool);            /* report whether the condition is known true/false */
void clang_analyzer_warnIfReached(void);   /* emit a diagnostic if this statement is reachable */
void clang_analyzer_numTimesReached(void); /* count how often the analyzer visits this statement */
void clang_analyzer_explain(void *);       /* describe the symbolic value in words */
void clang_analyzer_dump(void *);          /* dump the raw symbolic value */
void clang_analyzer_isTainted(void *);     /* report whether the value carries taint */
void clang_analyzer_printState(void);      /* dump the whole program state */

/* Global alias of main()'s heap buffer; set by main() before someFoo() is
 * called. Zero-initialized, so it is NULL until then. */
char *globInBuf;
/*
 * Analyzer probe: src is the file-derived (tainted) buffer set up in main().
 * The probes print nothing in a normal build. system() is the taint sink the
 * analyzer is expected to flag; it reads src up to a NUL, so the caller must
 * pass a NUL-terminated buffer. Then every byte of src[0..size) is printed.
 */
void someFoo(char *src, int size)
{
    clang_analyzer_explain(src);
    clang_analyzer_dump(src); //&Element{SymRegion{conj_$14{void *, LC1, S33468, #1}},0 S64b,char}
    clang_analyzer_printState();
    system(src); /* same as system(&src[0]); untrusted input reaches the shell here */

    int idx = 0;
    while (idx < size) {
        //clang_analyzer_numTimesReached();
        printf("%d", src[idx]);
        ++idx;
    }
}
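/*
 * Entry point: read ../v1_input/input_file.bin into a heap buffer, publish it
 * through globInBuf and hand it to someFoo(). The clang_analyzer_* calls are
 * probes for the static analyzer and do nothing in a normal build; they are
 * kept in their original order so the analyzer output stays comparable.
 *
 * Exit status: 4 when the input cannot be opened (unchanged), EXIT_FAILURE on
 * the other error paths (stat, size, malloc, short read), 0 on success.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    int rc = EXIT_FAILURE;
    char const *inFileName = "../v1_input/input_file.bin";
    FILE *inFile = fopen(inFileName, "r"); // here appears taint symbol
    // conj_$3{FILE *, LC1, S32864, #1}\n{ [1, 18446744073709551615] } - type FILE *, at statement S32864: fopen(inFileName, "r")
    if (inFile == NULL)
    {
        //clang_analyzer_warnIfReached();
        //clang_analyzer_numTimesReached();
        fprintf(stderr, "%s: open file err %s: \n", inFileName, inFileName);
        perror("");
        exit(4);
    }

    struct stat st;
    if (stat(inFileName, &st) != 0) {
        // Previously unchecked: on failure st is indeterminate and st_size garbage.
        perror(inFileName);
        goto out_close;
    }
    // st_size is off_t but someFoo() takes an int; an empty file would make the
    // inBuf[inBufSize-1] read below out of bounds, and the "+ 1" for the
    // terminator must not overflow.
    if (st.st_size <= 0 || st.st_size > INT_MAX - 1) {
        fprintf(stderr, "%s: unsupported file size\n", inFileName);
        goto out_close;
    }

    // Initialized: the two probes below read the pointer before it is assigned,
    // which was UB on an indeterminate value. The analyzer now sees a null
    // pointer here instead of an undefined one.
    char *inBuf = NULL;
    clang_analyzer_explain(inBuf);
    clang_analyzer_dump(inBuf);

    int inBufSize = (int)st.st_size;
    printf("inBufSize=%d\n", inBufSize);
    // here local buf which was successfully tainted
    // One extra byte so the buffer can be NUL-terminated: someFoo() hands it to
    // system(), which reads until a NUL. The original buffer was unterminated.
    inBuf = malloc((size_t)inBufSize + 1);
    if (inBuf == NULL) {
        perror("malloc");
        goto out_close;
    }
    // Recorded analyzer output for the original 'malloc(inBufSize)' statement:
    clang_analyzer_explain(inBuf); // pointer to element of type 'char' with index 0 of pointee of symbol of type 'void *' conjured at statement 'malloc(inBufSize)'
    clang_analyzer_dump(inBuf); // &Element{SymRegion{conj_$14{void *, LC1, S33468, #1}},0 S64b,char}

    size_t nread = fread(inBuf, 1, (size_t)inBufSize, inFile);
    if (nread != (size_t)inBufSize) {
        // Short read: the file changed since stat() or an I/O error occurred;
        // the tail of inBuf would otherwise be uninitialized.
        fprintf(stderr, "%s: short read\n", inFileName);
        goto out_free;
    }
    inBuf[inBufSize] = '\0';
    clang_analyzer_dump(inBuf); // &Element{SymRegion{conj_$14{void *, LC1, S33468, #1}},0 S64b,char}

    if (inBuf[inBufSize-1] == 0x55){
        printf("inBuf[inBufSize-1] is 0x55\n"); //S33668
    }
    else{
        printf("inBuf[inBufSize-1] is not 0x55\n"); //S33699
    }

    clang_analyzer_explain(globInBuf);
    // &SymRegion{derived_$24{conj_$21{int, LC1, S33699, #1},globInBuf}}
    // &SymRegion{derived_$43{conj_$31{int, LC1, S33668, #1},globInBuf}}
    // why globInBuf derived from symbols conjured at statements S33699, S33668 ?
    clang_analyzer_dump(globInBuf);
    globInBuf = inBuf;
    clang_analyzer_explain(globInBuf);
    // &Element{SymRegion{conj_$14{void *, LC1, S33468, #1}},0 S64b,char}
    // S33468 is malloc(inBufSize)
    clang_analyzer_dump(globInBuf);

    // Untrusted file content now flows into someFoo(), whose system() call is
    // the sink the analyzer is expected to report.
    someFoo(globInBuf, inBufSize);
    rc = 0;

out_free:
    globInBuf = NULL; // do not leave the global dangling after free
    free(inBuf);
out_close:
    fclose(inFile);
    return rc;
}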