clang 19.0.0git
MmapWriteExecChecker.cpp
Go to the documentation of this file.
1// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker tests the 3rd argument of mmap's calls to check if
10// it is writable and executable in the same time. It's somehow
11// an optional checker since for example in JIT libraries it is pretty common.
12//
13//===----------------------------------------------------------------------===//
14
16
24
25using namespace clang;
26using namespace ento;
27
28namespace {
29class MmapWriteExecChecker : public Checker<check::PreCall> {
30 CallDescription MmapFn;
31 CallDescription MprotectFn;
32 static int ProtWrite;
33 static int ProtExec;
34 static int ProtRead;
35 const BugType BT{this, "W^X check fails, Write Exec prot flags set",
36 "Security"};
37
38public:
39 MmapWriteExecChecker() : MmapFn({"mmap"}, 6), MprotectFn({"mprotect"}, 3) {}
40 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
41 int ProtExecOv;
42 int ProtReadOv;
43};
44}
45
46int MmapWriteExecChecker::ProtWrite = 0x02;
47int MmapWriteExecChecker::ProtExec = 0x04;
48int MmapWriteExecChecker::ProtRead = 0x01;
49
50void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
51 CheckerContext &C) const {
52 if (matchesAny(Call, MmapFn, MprotectFn)) {
53 SVal ProtVal = Call.getArgSVal(2);
54 auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
55 if (!ProtLoc)
56 return;
57 int64_t Prot = ProtLoc->getValue().getSExtValue();
58 if (ProtExecOv != ProtExec)
59 ProtExec = ProtExecOv;
60 if (ProtReadOv != ProtRead)
61 ProtRead = ProtReadOv;
62
63 // Wrong settings
64 if (ProtRead == ProtExec)
65 return;
66
67 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
68 ExplodedNode *N = C.generateNonFatalErrorNode();
69 if (!N)
70 return;
71
72 auto Report = std::make_unique<PathSensitiveBugReport>(
73 BT,
74 "Both PROT_WRITE and PROT_EXEC flags are set. This can "
75 "lead to exploitable memory regions, which could be overwritten "
76 "with malicious code",
77 N);
78 Report->addRange(Call.getArgSourceRange(2));
79 C.emitReport(std::move(Report));
80 }
81 }
82}
83
84void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
85 MmapWriteExecChecker *Mwec =
86 mgr.registerChecker<MmapWriteExecChecker>();
87 Mwec->ProtExecOv =
89 .getCheckerIntegerOption(Mwec, "MmapProtExec");
90 Mwec->ProtReadOv =
92 .getCheckerIntegerOption(Mwec, "MmapProtRead");
93}
94
95bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) {
96 return true;
97}
int getCheckerIntegerOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as an integer value.
A CallDescription is a pattern that can be used to match calls based on the qualified name and the ar...
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:153
const AnalyzerOptions & getAnalyzerOptions() const
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86
Value representing integer constant.
Definition: SVals.h:305
The JSON file list parser is used to communicate input to InstallAPI.
long int64_t