29class MmapWriteExecChecker :
public Checker<check::PreCall> {
35 const BugType BT{
this,
"W^X check fails, Write Exec prot flags set",
45int MmapWriteExecChecker::ProtWrite = 0x02;
46int MmapWriteExecChecker::ProtExec = 0x04;
47int MmapWriteExecChecker::ProtRead = 0x01;
51 if (matchesAny(
Call, MmapFn, MprotectFn)) {
56 int64_t Prot = ProtLoc->getValue().getSExtValue();
57 if (ProtExecOv != ProtExec)
58 ProtExec = ProtExecOv;
59 if (ProtReadOv != ProtRead)
60 ProtRead = ProtReadOv;
63 if (ProtRead == ProtExec)
66 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
71 auto Report = std::make_unique<PathSensitiveBugReport>(
73 "Both PROT_WRITE and PROT_EXEC flags are set. This can "
74 "lead to exploitable memory regions, which could be overwritten "
75 "with malicious code",
77 Report->addRange(
Call.getArgSourceRange(2));
78 C.emitReport(std::move(Report));
84 MmapWriteExecChecker *Mwec =
94bool ento::shouldRegisterMmapWriteExecChecker(
const CheckerManager &mgr) {
int getCheckerIntegerOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as an integer value.
A CallDescription is a pattern that can be used to match calls based on the qualified name and the ar...
Represents an abstract call to a function or method along a particular path.
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Value representing integer constant.
The JSON file list parser is used to communicate input to InstallAPI.