28class MmapWriteExecChecker :
public Checker<check::PreCall> {
34 mutable std::unique_ptr<BugType> BT;
36 MmapWriteExecChecker() : MmapFn({
"mmap"}, 6), MprotectFn({
"mprotect"}, 3) {}
43int MmapWriteExecChecker::ProtWrite = 0x02;
44int MmapWriteExecChecker::ProtExec = 0x04;
45int MmapWriteExecChecker::ProtRead = 0x01;
47void MmapWriteExecChecker::checkPreCall(
const CallEvent &Call,
49 if (matchesAny(Call, MmapFn, MprotectFn)) {
52 int64_t Prot = ProtLoc.getValue().getSExtValue();
53 if (ProtExecOv != ProtExec)
54 ProtExec = ProtExecOv;
55 if (ProtReadOv != ProtRead)
56 ProtRead = ProtReadOv;
59 if (ProtRead == ProtExec)
62 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
64 BT.reset(
new BugType(
this,
"W^X check fails, Write Exec prot flags set",
"Security"));
70 auto Report = std::make_unique<PathSensitiveBugReport>(
71 *BT,
"Both PROT_WRITE and PROT_EXEC flags are set. This can "
72 "lead to exploitable memory regions, which could be overwritten "
73 "with malicious code", N);
74 Report->addRange(
Call.getArgSourceRange(2));
75 C.emitReport(std::move(Report));
81 MmapWriteExecChecker *Mwec =
91bool ento::shouldRegisterMmapWriteExecChecker(
const CheckerManager &mgr) {
int getCheckerIntegerOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as an integer value.
This class represents a description of a function call using the number of arguments and the name of ...
Represents an abstract call to a function or method along a particular path.
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Value representing integer constant.
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
@ C
Languages that the frontend can parse and compile.