29class MmapWriteExecChecker :
public Checker<check::PreCall> {
35 const BugType BT{
this,
"W^X check fails, Write Exec prot flags set",
// Constructor: sets up the two call descriptions this checker matches against:
// "mmap" with 6 arguments and "mprotect" with 3 arguments. Only these two
// names are described here, so the W^X check is applied solely to calls that
// match one of them.
39 MmapWriteExecChecker() : MmapFn({
"mmap"}, 6), MprotectFn({
"mprotect"}, 3) {}
// Default bit values for the protection flags the checker tests. They equal
// the PROT_WRITE / PROT_EXEC / PROT_READ values used on Linux (0x2 / 0x4 / 0x1).
// These are mutable statics, not constants: the check logic in this file
// overwrites ProtExec and ProtRead from ProtExecOv / ProtReadOv when those
// differ, so the values below are only the starting defaults.
46int MmapWriteExecChecker::ProtWrite = 0x02;
47int MmapWriteExecChecker::ProtExec = 0x04;
48int MmapWriteExecChecker::ProtRead = 0x01;
// Fragment of the checker's pre-call logic. The enclosing signature and several
// intermediate statements are not visible in this listing.
// Only calls matching the "mmap" or "mprotect" descriptions are examined.
52 if (matchesAny(
Call, MmapFn, MprotectFn)) {
// Protection value of the call as a signed 64-bit integer.
// NOTE(review): ProtLoc's definition is not shown; if it is a concrete-integer
// view of the argument, calls whose protection value is not a known constant
// on the analysed path would not be checked. Confirm.
57 int64_t Prot = ProtLoc->getValue().getSExtValue();
// Replace the exec/read bit values with the ProtExecOv / ProtReadOv values when
// they differ. NOTE(review): presumably these overrides exist for targets whose
// PROT_* constants differ from the defaults. Confirm against the option docs.
// The assignments write to the class-level statics.
58 if (ProtExecOv != ProtExec)
59 ProtExec = ProtExecOv;
60 if (ProtReadOv != ProtRead)
61 ProtRead = ProtReadOv;
// The statement guarded by this condition is not visible here.
// NOTE(review): presumably an early exit, since identical read and exec bit
// values would make the W^X test below meaningless. Confirm.
64 if (ProtRead == ProtExec)
// W^X test: fires only when BOTH the write bit and the exec bit are set in
// Prot. Any other bits in Prot do not affect the result.
67 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
// Build a path-sensitive report carrying the W^X diagnostic text.
72 auto Report = std::make_unique<PathSensitiveBugReport>(
74 "Both PROT_WRITE and PROT_EXEC flags are set. This can "
75 "lead to exploitable memory regions, which could be overwritten "
76 "with malicious code",
// Highlight argument index 2. That is the third argument, which is the
// protection argument in both mmap() and mprotect().
78 Report->addRange(
Call.getArgSourceRange(2));
79 C.emitReport(std::move(Report));
85 MmapWriteExecChecker *Mwec =
95bool ento::shouldRegisterMmapWriteExecChecker(
const CheckerManager &mgr) {
int getCheckerIntegerOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as an integer value.
A CallDescription is a pattern that can be used to match calls based on the qualified name and the argument/parameter counts.
Represents an abstract call to a function or method along a particular path.
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Value representing integer constant.