
Tainted control of `fseek` not properly tracked

Open · ESultanik opened this issue · 1 comment

```c
#include <stdio.h>

int foo(void) {
    FILE* input = fopen("foo", "rb");
    if (input == NULL) return EOF;
    /* The first byte of the file decides where the next read happens. */
    int taintedOffset = getc(input);
    fseek(input, taintedOffset, SEEK_SET);
    int result = getc(input);
    fclose(input);
    return result;
}
```

Currently, I believe the return value of `foo()` will only be tainted by the byte offset that was read. However, philosophically, I think it should also be tainted by the first byte in the file. This is even more important for tracking tainted file writes:

```c
#include <stdio.h>

#define SOME_CONSTANT 0x41 /* stands in for any constant byte */

void foo(int writeOffset) {
    FILE* input = fopen("foo", "wb");
    if (input == NULL) return;
    fseek(input, writeOffset, SEEK_SET);
    putc(SOME_CONSTANT, input); /* constant value written at a tainted position */
    fclose(input);
}
```

Right now, we would not say that the output file has any tainted bytes written to it, because only a constant is ever written. However, I think any taints from `writeOffset` should be transferred to the byte offset of the output file to which the constant is written.

ESultanik, Nov 02 '21 15:11
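The two cases above can be made concrete with a small model of a taint-tracked stream. This is an added example, not PolyTracker's implementation or API: `TFile`, `tfseek_set`, `tgetc` and `tputc` are hypothetical stand-ins for the instrumented libc calls, taint labels are modelled as a bitmask where bit `i` means "derived from input byte `i`" (an assumption of this model only), and the `propagate_offset` flag switches between the behaviour the issue describes as current (a read or write carries only the label of the data byte) and the proposed behaviour (the stream position's label is also folded in). The input bytes and the offset label in the write case are constructed values.

```c
/* Toy model of offset-taint propagation through fseek/getc/putc.
 * Added example; not PolyTracker's code. Labels are a bitmask where
 * bit i means "derived from input byte i" (assumption of this model). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_BYTES 32
typedef uint32_t taint_t;

typedef struct {
    unsigned char data[MAX_BYTES];
    taint_t label[MAX_BYTES];   /* taint label of each byte in the stream */
    size_t len;
    size_t pos;                 /* current offset */
    taint_t pos_taint;          /* labels the current offset depends on */
} TFile;

typedef struct { int value; taint_t taint; } TInt;  /* a value with its label */

/* Open an input stream whose byte i carries label bit i. */
static void topen_input(TFile *f, const unsigned char *bytes, size_t n) {
    memset(f, 0, sizeof *f);
    memcpy(f->data, bytes, n);
    f->len = n;
    for (size_t i = 0; i < n; i++)
        f->label[i] = (taint_t)1 << i;
}

static void topen_output(TFile *f) { memset(f, 0, sizeof *f); }

/* fseek(SEEK_SET): the stream position now depends on whatever the offset did. */
static int tfseek_set(TFile *f, TInt offset) {
    if (offset.value < 0 || offset.value >= MAX_BYTES) return -1;
    f->pos = (size_t)offset.value;
    f->pos_taint = offset.taint;
    return 0;
}

/* getc: the byte's own label, plus the position's label if propagation is on. */
static TInt tgetc(TFile *f, int propagate_offset) {
    TInt r = { EOF, f->pos_taint };
    if (f->pos >= f->len) return r;
    r.value = f->data[f->pos];
    r.taint = f->label[f->pos];
    if (propagate_offset) r.taint |= f->pos_taint;
    f->pos++;                         /* pos_taint survives the advance */
    return r;
}

/* putc: the written byte inherits the value's label, plus the position's if enabled. */
static int tputc(TFile *f, TInt c, int propagate_offset) {
    if (f->pos >= MAX_BYTES) return EOF;
    f->data[f->pos] = (unsigned char)c.value;
    f->label[f->pos] = c.taint | (propagate_offset ? f->pos_taint : 0);
    if (f->pos >= f->len) f->len = f->pos + 1;
    f->pos++;
    return c.value;
}

/* The issue's read case: byte 0 of the input picks which byte is returned. */
taint_t read_case(int propagate_offset) {
    static const unsigned char bytes[] = { 3, 'a', 'b', 'c', 'd' }; /* constructed input */
    TFile f;
    topen_input(&f, bytes, sizeof bytes);
    TInt off = tgetc(&f, propagate_offset);   /* value 3, label bit 0 */
    tfseek_set(&f, off);
    TInt r = tgetc(&f, propagate_offset);     /* value 'c', label bit 3 (+ bit 0) */
    return r.taint;
}

/* The issue's write case: a constant is written at a tainted offset. */
taint_t write_case(int write_offset, taint_t offset_taint, int propagate_offset) {
    TFile out;
    topen_output(&out);
    TInt off = { write_offset, offset_taint };
    TInt constant = { 0x41, 0 };                /* constant data: no label */
    if (tfseek_set(&out, off) != 0) return 0;
    tputc(&out, constant, propagate_offset);
    return out.label[write_offset];
}

int main(void) {
    printf("read:  current=%#x proposed=%#x\n",
           (unsigned)read_case(0), (unsigned)read_case(1));
    printf("write: current=%#x proposed=%#x\n",
           (unsigned)write_case(2, 1u << 5, 0), (unsigned)write_case(2, 1u << 5, 1));
    return 0;
}
```

With propagation off, the read case reports only bit 3 (the byte actually read) and the write case reports no taint at all, which is the gap the issue describes; with it on, the read result also carries bit 0 and the written byte carries the offset's label. A real implementation would additionally have to keep `pos_taint` through `SEEK_CUR`/`SEEK_END`, `ftell`, and buffered reads that advance the position implicitly.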

This is almost the same as #6422 and #6426

ESultanik, Sep 01 '22 14:09