Taint example (#5)

* Add option for pthread modeling, default false. Update LITs

Add option for pthread modeling set to a default of false. Uses
must opt-in. Update LITs so all pass.

* Add example taint analyis improvement demo test

Also, add additional LIT test for pointer deref.

---------

Co-authored-by: einvbri <[email protected]>

Author: kvbridgers

clang/test/Analysis/SD-tests/taint-thread.c

@@ -0,0 +1,37 @@
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,optin.taint.GenericTaint -DPTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=true
+
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,optin.taint.GenericTaint -DNO_PTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=false
+
+#define NULL ((void*) 0)
+typedef unsigned long int pthread_t;
+typedef struct __pthread_attr pthread_attr_t;
+int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void *), void *arg);
+
+char *strcat( char *dest, const char *src );
+int scanf(const char*, ...);
+int system(const char *command);
+
+void *thread_func(void *arg) {
+#ifdef PTHREAD_MODEL
+    system( (char *) arg); // expected-warning {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
+#endif
+#ifdef NO_PTHREAD_MODEL 
+    system( (char *) arg); // expected-no-diagnostics
+#endif
+    return NULL;
+}
+
+// Command Injection Vulnerability Example
+void test(void) {
+  char cmd[2048] = "/bin/cat ";
+  char filename[1024];
+  scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here
+  strcat(cmd, filename);
+  pthread_t p1;
+  pthread_create(&p1, NULL, &thread_func, &cmd);
+}
+

clang/test/Analysis/SD-tests/thread-modeling-ptr-deref.c

@@ -0,0 +1,42 @@
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core -DPTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=true
+//
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core -DNO_PTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=false
+
+#define NULL ((void*) 0)
+
+typedef unsigned long int pthread_t;
+typedef struct __pthread_attr pthread_attr_t;
+
+int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void *), void *arg);
+
+void clang_analyzer_checkInlined(int);
+void clang_analyzer_dump(int);
+
+void* thread_function(void* arg)
+{
+   // should expect to fail the test at this line if you set the checkInlined to true
+#ifdef PTHREAD_MODEL
+   clang_analyzer_checkInlined(1); // expected-warning{{TRUE}}
+#endif
+   int *ptr = (int *)arg;
+#ifdef PTHREAD_MODEL
+   clang_analyzer_dump(*ptr);      // expected-warning{{1 S32b}}
+#endif
+#ifdef NO_PTHREAD_MODEL
+   clang_analyzer_dump(*ptr);      // expected-warning-re{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<void * arg>},0 S64b,int}}}
+#endif
+   return NULL;
+}
+
+int test()
+{
+  int i = 1;
+  pthread_t p1;
+  pthread_create(&p1, NULL, &thread_function, &i);
+  return 0;
+}
+