clang 19.0.0git
ChrootChecker.cpp
Go to the documentation of this file.
1//===-- ChrootChecker.cpp - chroot usage checks ---------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines chroot checker, which checks improper use of chroot.
10//
11//===----------------------------------------------------------------------===//
12
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28
29// enum value that represent the jail state
30enum Kind { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED };
31
32bool isRootChanged(intptr_t k) { return k == ROOT_CHANGED; }
33//bool isJailEntered(intptr_t k) { return k == JAIL_ENTERED; }
34
35// This checker checks improper use of chroot.
36// The state transition:
37// NO_CHROOT ---chroot(path)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED
38// | |
39// ROOT_CHANGED<--chdir(..)-- JAIL_ENTERED<--chdir(..)--
40// | |
41// bug<--foo()-- JAIL_ENTERED<--foo()--
42class ChrootChecker : public Checker<eval::Call, check::PreCall> {
43 // This bug refers to possibly break out of a chroot() jail.
44 const BugType BT_BreakJail{this, "Break out of jail"};
45
46 const CallDescription Chroot{{"chroot"}, 1}, Chdir{{"chdir"}, 1};
47
48public:
49 ChrootChecker() {}
50
51 static void *getTag() {
52 static int x;
53 return &x;
54 }
55
56 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
57 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
58
59private:
60 void evalChroot(const CallEvent &Call, CheckerContext &C) const;
61 void evalChdir(const CallEvent &Call, CheckerContext &C) const;
62};
63
64} // end anonymous namespace
65
66bool ChrootChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
67 if (Chroot.matches(Call)) {
68 evalChroot(Call, C);
69 return true;
70 }
71 if (Chdir.matches(Call)) {
72 evalChdir(Call, C);
73 return true;
74 }
75
76 return false;
77}
78
79void ChrootChecker::evalChroot(const CallEvent &Call, CheckerContext &C) const {
80 ProgramStateRef state = C.getState();
81 ProgramStateManager &Mgr = state->getStateManager();
82
83 // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in
84 // the GDM.
85 state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED);
86 C.addTransition(state);
87}
88
89void ChrootChecker::evalChdir(const CallEvent &Call, CheckerContext &C) const {
90 ProgramStateRef state = C.getState();
91 ProgramStateManager &Mgr = state->getStateManager();
92
93 // If there are no jail state in the GDM, just return.
94 const void *k = state->FindGDM(ChrootChecker::getTag());
95 if (!k)
96 return;
97
98 // After chdir("/"), enter the jail, set the enum value JAIL_ENTERED.
99 const Expr *ArgExpr = Call.getArgExpr(0);
100 SVal ArgVal = C.getSVal(ArgExpr);
101
102 if (const MemRegion *R = ArgVal.getAsRegion()) {
103 R = R->StripCasts();
104 if (const StringRegion* StrRegion= dyn_cast<StringRegion>(R)) {
105 const StringLiteral* Str = StrRegion->getStringLiteral();
106 if (Str->getString() == "/")
107 state = Mgr.addGDM(state, ChrootChecker::getTag(),
108 (void*) JAIL_ENTERED);
109 }
110 }
111
112 C.addTransition(state);
113}
114
115// Check the jail state before any function call except chroot and chdir().
116void ChrootChecker::checkPreCall(const CallEvent &Call,
117 CheckerContext &C) const {
118 // Ignore chroot and chdir.
119 if (matchesAny(Call, Chroot, Chdir))
120 return;
121
122 // If jail state is ROOT_CHANGED, generate BugReport.
123 void *const* k = C.getState()->FindGDM(ChrootChecker::getTag());
124 if (k)
125 if (isRootChanged((intptr_t) *k))
126 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
127 constexpr llvm::StringLiteral Msg =
128 "No call of chdir(\"/\") immediately after chroot";
129 C.emitReport(
130 std::make_unique<PathSensitiveBugReport>(BT_BreakJail, Msg, N));
131 }
132}
133
134void ento::registerChrootChecker(CheckerManager &mgr) {
135 mgr.registerChecker<ChrootChecker>();
136}
137
138bool ento::shouldRegisterChrootChecker(const CheckerManager &mgr) {
139 return true;
140}
This represents one expression.
Definition: Expr.h:110
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1773
StringRef getString() const
Definition: Expr.h:1850
A CallDescription is a pattern that can be used to match calls based on the qualified name and the ar...
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:152
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
ProgramStateRef addGDM(ProgramStateRef St, void *Key, void *Data)
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:824
The JSON file list parser is used to communicate input to InstallAPI.
__INTPTR_TYPE__ intptr_t
A signed integer type with the property that any valid pointer to void can be converted to this type,...