28class MmapWriteExecChecker :
public Checker<check::PreCall> {
34 mutable std::unique_ptr<BugType> BT;
36 MmapWriteExecChecker() : MmapFn({
"mmap"}, 6), MprotectFn({
"mprotect"}, 3) {}
43int MmapWriteExecChecker::ProtWrite = 0x02;
44int MmapWriteExecChecker::ProtExec = 0x04;
45int MmapWriteExecChecker::ProtRead = 0x01;
49 if (matchesAny(
Call, MmapFn, MprotectFn)) {
54 int64_t Prot = ProtLoc->getValue().getSExtValue();
55 if (ProtExecOv != ProtExec)
56 ProtExec = ProtExecOv;
57 if (ProtReadOv != ProtRead)
58 ProtRead = ProtReadOv;
61 if (ProtRead == ProtExec)
64 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
66 BT.reset(
new BugType(
this,
"W^X check fails, Write Exec prot flags set",
"Security"));
72 auto Report = std::make_unique<PathSensitiveBugReport>(
73 *BT,
"Both PROT_WRITE and PROT_EXEC flags are set. This can "
74 "lead to exploitable memory regions, which could be overwritten "
75 "with malicious code", N);
76 Report->addRange(
Call.getArgSourceRange(2));
77 C.emitReport(std::move(Report));
83 MmapWriteExecChecker *Mwec =
93bool ento::shouldRegisterMmapWriteExecChecker(
const CheckerManager &mgr) {
int getCheckerIntegerOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as an integer value.
This class represents a description of a function call using the number of arguments and the name of ...
Represents an abstract call to a function or method along a particular path.
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Value representing integer constant.