clang  14.0.0git
MmapWriteExecChecker.cpp
Go to the documentation of this file.
1 // MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker tests the 3rd argument of mmap's calls to check if
10 // it is writable and executable in the same time. It's somehow
11 // an optional checker since for example in JIT libraries it is pretty common.
12 //
13 //===----------------------------------------------------------------------===//
14 
16 
22 
23 using namespace clang;
24 using namespace ento;
25 using llvm::APSInt;
26 
27 namespace {
28 class MmapWriteExecChecker : public Checker<check::PreCall> {
29  CallDescription MmapFn;
30  CallDescription MprotectFn;
31  static int ProtWrite;
32  static int ProtExec;
33  static int ProtRead;
34  mutable std::unique_ptr<BugType> BT;
35 public:
36  MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {}
37  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
38  int ProtExecOv;
39  int ProtReadOv;
40 };
41 }
42 
43 int MmapWriteExecChecker::ProtWrite = 0x02;
44 int MmapWriteExecChecker::ProtExec = 0x04;
45 int MmapWriteExecChecker::ProtRead = 0x01;
46 
47 void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
48  CheckerContext &C) const {
49  if (Call.isCalled(MmapFn) || Call.isCalled(MprotectFn)) {
50  SVal ProtVal = Call.getArgSVal(2);
51  Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
52  int64_t Prot = ProtLoc->getValue().getSExtValue();
53  if (ProtExecOv != ProtExec)
54  ProtExec = ProtExecOv;
55  if (ProtReadOv != ProtRead)
56  ProtRead = ProtReadOv;
57 
58  // Wrong settings
59  if (ProtRead == ProtExec)
60  return;
61 
62  if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
63  if (!BT)
64  BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
65 
66  ExplodedNode *N = C.generateNonFatalErrorNode();
67  if (!N)
68  return;
69 
70  auto Report = std::make_unique<PathSensitiveBugReport>(
71  *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
72  "lead to exploitable memory regions, which could be overwritten "
73  "with malicious code", N);
74  Report->addRange(Call.getArgSourceRange(2));
75  C.emitReport(std::move(Report));
76  }
77  }
78 }
79 
80 void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
81  MmapWriteExecChecker *Mwec =
82  mgr.registerChecker<MmapWriteExecChecker>();
83  Mwec->ProtExecOv =
84  mgr.getAnalyzerOptions()
85  .getCheckerIntegerOption(Mwec, "MmapProtExec");
86  Mwec->ProtReadOv =
87  mgr.getAnalyzerOptions()
88  .getCheckerIntegerOption(Mwec, "MmapProtRead");
89 }
90 
91 bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) {
92  return true;
93 }
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
llvm::Optional
Definition: LLVM.h:40
clang::index::SymbolRole::Call
@ Call
CallEvent.h
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
BuiltinCheckerRegistration.h
CheckerManager.h
BugType.h
CheckerContext.h
Checker.h
clang
Definition: CalledOnceCheck.h:17