clang  8.0.0svn
ReturnPointerRangeChecker.cpp
Go to the documentation of this file.
1 //== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines ReturnPointerRangeChecker, which is a path-sensitive check
11 // which looks for an out-of-bound pointer being returned to callers.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 namespace {
26 class ReturnPointerRangeChecker :
27  public Checker< check::PreStmt<ReturnStmt> > {
28  mutable std::unique_ptr<BuiltinBug> BT;
29 
30 public:
31  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
32 };
33 }
34 
35 void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
36  CheckerContext &C) const {
37  ProgramStateRef state = C.getState();
38 
39  const Expr *RetE = RS->getRetValue();
40  if (!RetE)
41  return;
42 
43  SVal V = C.getSVal(RetE);
44  const MemRegion *R = V.getAsRegion();
45 
46  const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
47  if (!ER)
48  return;
49 
50  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
51  // Zero index is always in bound, this also passes ElementRegions created for
52  // pointer casts.
53  if (Idx.isZeroConstant())
54  return;
55  // FIXME: All of this out-of-bounds checking should eventually be refactored
56  // into a common place.
57 
58  DefinedOrUnknownSVal NumElements
59  = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
60  ER->getValueType());
61 
62  ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
63  ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
64  if (StOutBound && !StInBound) {
65  ExplodedNode *N = C.generateErrorNode(StOutBound);
66 
67  if (!N)
68  return;
69 
70  // FIXME: This bug correspond to CWE-466. Eventually we should have bug
71  // types explicitly reference such exploit categories (when applicable).
72  if (!BT)
73  BT.reset(new BuiltinBug(
74  this, "Return of pointer value outside of expected range",
75  "Returned pointer value points outside the original object "
76  "(potential buffer overflow)"));
77 
78  // FIXME: It would be nice to eventually make this diagnostic more clear,
79  // e.g., by referencing the original declaration or by saying *why* this
80  // reference is outside the range.
81 
82  // Generate a report for this bug.
83  auto report = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
84 
85  report->addRange(RetE->getSourceRange());
86  C.emitReport(std::move(report));
87  }
88 }
89 
90 void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
91  mgr.registerChecker<ReturnPointerRangeChecker>();
92 }
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
const Expr * getRetValue() const
Definition: Stmt.cpp:937
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
This represents one expression.
Definition: Expr.h:105
ReturnStmt - This represents a return, optionally of an expression: return; return 4;...
Definition: Stmt.h:1444
Dataflow Directional Tag Classes.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:268