24 using namespace clang;
28 class MmapWriteExecChecker :
public Checker<check::PreCall> {
29 CallDescription MmapFn;
30 CallDescription MprotectFn;
34 mutable std::unique_ptr<BugType> BT;
36 MmapWriteExecChecker() : MmapFn(
"mmap", 6), MprotectFn(
"mprotect", 3) {}
37 void checkPreCall(
const CallEvent &Call, CheckerContext &C)
const;
43 int MmapWriteExecChecker::ProtWrite = 0x02;
44 int MmapWriteExecChecker::ProtExec = 0x04;
45 int MmapWriteExecChecker::ProtRead = 0x01;
47 void MmapWriteExecChecker::checkPreCall(
const CallEvent &Call,
48 CheckerContext &C)
const {
49 if (matchesAny(Call, MmapFn, MprotectFn)) {
50 SVal ProtVal =
Call.getArgSVal(2);
51 auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
52 int64_t Prot = ProtLoc.getValue().getSExtValue();
53 if (ProtExecOv != ProtExec)
54 ProtExec = ProtExecOv;
55 if (ProtReadOv != ProtRead)
56 ProtRead = ProtReadOv;
59 if (ProtRead == ProtExec)
62 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
64 BT.reset(
new BugType(
this,
"W^X check fails, Write Exec prot flags set",
"Security"));
66 ExplodedNode *N =
C.generateNonFatalErrorNode();
70 auto Report = std::make_unique<PathSensitiveBugReport>(
71 *BT,
"Both PROT_WRITE and PROT_EXEC flags are set. This can "
72 "lead to exploitable memory regions, which could be overwritten "
73 "with malicious code", N);
74 Report->addRange(
Call.getArgSourceRange(2));
75 C.emitReport(std::move(Report));
80 void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
81 MmapWriteExecChecker *Mwec =
82 mgr.registerChecker<MmapWriteExecChecker>();
84 mgr.getAnalyzerOptions()
85 .getCheckerIntegerOption(Mwec,
"MmapProtExec");
87 mgr.getAnalyzerOptions()
88 .getCheckerIntegerOption(Mwec,
"MmapProtRead");
91 bool ento::shouldRegisterMmapWriteExecChecker(
const CheckerManager &mgr) {