Quuxplusone / LLVMBugzillaTest


gets() not generating taint properly #16474

Open Quuxplusone opened 11 years ago

Quuxplusone commented 11 years ago
Bugzilla Link PR16475
Status NEW
Importance P normal
Reported by Keaton Mowery (kmowery@gmail.com)
Reported on 2013-06-27 17:56:03 -0700
Last modified on 2019-06-19 11:50:09 -0700
Version 3.2
Hardware PC All
CC ganna@apple.com, jryans@gmail.com, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments gets-taint.patch (2684 bytes, application/octet-stream)
Blocks
Blocked by
See also
Created attachment 10789
Patch for this bug, plus a regression test case

The llvm-3.2 taint engine does not properly taint the results of a gets() call.

Since none of the function arguments are tainted, ProgramStateRef
GenericTaintChecker::TaintPropagationRule::process() bails out early. gets() is
a special case, wherein stdin is implied.

The attached patch includes a fix for this issue and a regression test case.
This fix does slightly change the semantics of TaintPropagationRule, but I
think it maintains correctness.
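To make the reported behaviour concrete, here is a small Python model of the decision the report describes (no source argument tainted, so the call is never treated as a taint source). It is an added illustration, not Clang's GenericTaintChecker code or the attached patch; the names Rule, process_buggy, process_fixed and RETURN are assumptions, and the call trace at the end is constructed.

```python
# Constructed model of the taint-propagation decision described in the report.
# It is not Clang's GenericTaintChecker; Rule/process_*/RETURN are assumed names.
from dataclasses import dataclass

RETURN = -1  # stands for the call's return value


@dataclass(frozen=True)
class Rule:
    name: str
    src_args: tuple = ()  # argument indices that feed taint into the call
    dst_args: tuple = ()  # argument indices (or RETURN) that receive taint


# atoi propagates taint from arg 0 to its return value; gets() has no tainted
# input argument at all, because stdin is implied.
RULES = {
    "atoi": Rule("atoi", src_args=(0,), dst_args=(RETURN,)),
    "gets": Rule("gets", src_args=(), dst_args=(0, RETURN)),
}


def process_buggy(rule, tainted_args):
    """Reported llvm-3.2 behaviour: bail out when no source arg is tainted."""
    if not any(a in tainted_args for a in rule.src_args):
        return frozenset()  # gets() never reaches the tainting step
    return frozenset(rule.dst_args)


def process_fixed(rule, tainted_args):
    """A rule with no source arguments is itself a taint source (implied stdin)."""
    if rule.src_args and not any(a in tainted_args for a in rule.src_args):
        return frozenset()
    return frozenset(rule.dst_args)


def run_trace(calls, process=process_fixed):
    """Walk a call sequence and return the set of tainted symbols.
    Each call is (function name, [symbols passed as args], result symbol)."""
    tainted = set()
    for name, args, result in calls:
        tainted_idx = {i for i, s in enumerate(args) if s in tainted}
        for dst in process(RULES[name], tainted_idx):
            tainted.add(result if dst == RETURN else args[dst])
    return tainted


# Constructed program: char buf[64]; gets(buf); int n = atoi(buf);
TRACE = [("gets", ["buf"], "gets_ret"), ("atoi", ["buf"], "n")]
```

With the buggy rule nothing in TRACE is ever tainted, so a later use of `n` as an index or size would never be reported; with the fixed rule `buf`, the gets() return value and `n` all carry taint.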

Quuxplusone commented 11 years ago

Attached gets-taint.patch (2684 bytes, application/octet-stream): Patch for this bug, plus a regression test case

Quuxplusone commented 11 years ago

Keaton,

Patches are usually submitted to cfe-commits@cs.uiuc.edu mailing list.

Anna.