clang 17.0.0git
MmapWriteExecChecker.cpp
Go to the documentation of this file.
1// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker tests the 3rd argument of mmap's calls to check if
10// it is writable and executable in the same time. It's somehow
11// an optional checker since for example in JIT libraries it is pretty common.
12//
13//===----------------------------------------------------------------------===//
14
16
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28class MmapWriteExecChecker : public Checker<check::PreCall> {
29 CallDescription MmapFn;
30 CallDescription MprotectFn;
31 static int ProtWrite;
32 static int ProtExec;
33 static int ProtRead;
34 mutable std::unique_ptr<BugType> BT;
35public:
36 MmapWriteExecChecker() : MmapFn({"mmap"}, 6), MprotectFn({"mprotect"}, 3) {}
37 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
38 int ProtExecOv;
39 int ProtReadOv;
40};
41}
42
43int MmapWriteExecChecker::ProtWrite = 0x02;
44int MmapWriteExecChecker::ProtExec = 0x04;
45int MmapWriteExecChecker::ProtRead = 0x01;
46
47void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
48 CheckerContext &C) const {
49 if (matchesAny(Call, MmapFn, MprotectFn)) {
50 SVal ProtVal = Call.getArgSVal(2);
51 auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
52 int64_t Prot = ProtLoc.getValue().getSExtValue();
53 if (ProtExecOv != ProtExec)
54 ProtExec = ProtExecOv;
55 if (ProtReadOv != ProtRead)
56 ProtRead = ProtReadOv;
57
58 // Wrong settings
59 if (ProtRead == ProtExec)
60 return;
61
62 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
63 if (!BT)
64 BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
65
66 ExplodedNode *N = C.generateNonFatalErrorNode();
67 if (!N)
68 return;
69
70 auto Report = std::make_unique<PathSensitiveBugReport>(
71 *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
72 "lead to exploitable memory regions, which could be overwritten "
73 "with malicious code", N);
74 Report->addRange(Call.getArgSourceRange(2));
75 C.emitReport(std::move(Report));
76 }
77 }
78}
79
80void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
81 MmapWriteExecChecker *Mwec =
82 mgr.registerChecker<MmapWriteExecChecker>();
83 Mwec->ProtExecOv =
85 .getCheckerIntegerOption(Mwec, "MmapProtExec");
86 Mwec->ProtReadOv =
88 .getCheckerIntegerOption(Mwec, "MmapProtRead");
89}
90
91bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) {
92 return true;
93}
int getCheckerIntegerOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as an integer value.
This class represents a description of a function call using the number of arguments and the name of ...
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:149
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99
Value representing integer constant.
Definition: SVals.h:329
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1493
@ C
Languages that the frontend can parse and compile.
long int64_t