clang 19.0.0git
ReturnPointerRangeChecker.cpp
Go to the documentation of this file.
1//== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ReturnPointerRangeChecker, which is a path-sensitive check
10// which looks for an out-of-bound pointer being returned to callers.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
22
23using namespace clang;
24using namespace ento;
25
26namespace {
27class ReturnPointerRangeChecker :
28 public Checker< check::PreStmt<ReturnStmt> > {
29 // FIXME: This bug correspond to CWE-466. Eventually we should have bug
30 // types explicitly reference such exploit categories (when applicable).
31 const BugType BT{this, "Buffer overflow"};
32
33public:
34 void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
35};
36}
37
38void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
39 CheckerContext &C) const {
40 ProgramStateRef state = C.getState();
41
42 const Expr *RetE = RS->getRetValue();
43 if (!RetE)
44 return;
45
46 // Skip "body farmed" functions.
47 if (RetE->getSourceRange().isInvalid())
48 return;
49
50 SVal V = C.getSVal(RetE);
51 const MemRegion *R = V.getAsRegion();
52
53 const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
54 if (!ER)
55 return;
56
57 DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
58 // Zero index is always in bound, this also passes ElementRegions created for
59 // pointer casts.
60 if (Idx.isZeroConstant())
61 return;
62
63 // FIXME: All of this out-of-bounds checking should eventually be refactored
64 // into a common place.
65 DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
66 state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
67
68 // We assume that the location after the last element in the array is used as
69 // end() iterator. Reporting on these would return too many false positives.
70 if (Idx == ElementCount)
71 return;
72
73 ProgramStateRef StInBound, StOutBound;
74 std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);
75 if (StOutBound && !StInBound) {
76 ExplodedNode *N = C.generateErrorNode(StOutBound);
77
78 if (!N)
79 return;
80
81 constexpr llvm::StringLiteral Msg =
82 "Returned pointer value points outside the original object "
83 "(potential buffer overflow)";
84
85 // Generate a report for this bug.
86 auto Report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
87 Report->addRange(RetE->getSourceRange());
88
89 const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
90 const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
91
92 const auto *DeclR = ER->getSuperRegion()->getAs<DeclRegion>();
93
94 if (DeclR)
95 Report->addNote("Original object declared here",
96 {DeclR->getDecl(), C.getSourceManager()});
97
98 if (ConcreteElementCount) {
99 SmallString<128> SBuf;
100 llvm::raw_svector_ostream OS(SBuf);
101 OS << "Original object ";
102 if (DeclR) {
103 OS << "'";
104 DeclR->getDecl()->printName(OS);
105 OS << "' ";
106 }
107 OS << "is an array of " << ConcreteElementCount->getValue() << " '";
108 ER->getValueType().print(OS,
109 PrintingPolicy(C.getASTContext().getLangOpts()));
110 OS << "' objects";
111 if (ConcreteIdx) {
112 OS << ", returned pointer points at index " << ConcreteIdx->getValue();
113 }
114
115 Report->addNote(SBuf,
116 {RetE, C.getSourceManager(), C.getLocationContext()});
117 }
118
119 bugreporter::trackExpressionValue(N, RetE, *Report);
120
121 C.emitReport(std::move(Report));
122 }
123}
124
125void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
126 mgr.registerChecker<ReturnPointerRangeChecker>();
127}
128
129bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) {
130 return true;
131}
V
#define V(N, I)
Definition: ASTContext.h:3273
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition: TypePrinter.cpp:2538
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3024
clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:3055
clang::SourceRange::isInvalid
bool isInvalid() const
Definition: SourceLocation.h:228
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ElementRegion
ElementRegion is used to represent both array elements and casts.
Definition: MemRegion.h:1194
clang::ento::ElementRegion::getValueType
QualType getValueType() const override
Definition: MemRegion.h:1216
clang::ento::ElementRegion::getIndex
NonLoc getIndex() const
Definition: MemRegion.h:1214
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition: MemRegion.h:1383
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::isZeroConstant
bool isZeroConstant() const
Definition: SVals.cpp:258
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
clang::ento::SubRegion::getSuperRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:454
clang::ento::nonloc::ConcreteInt
Value representing integer constant.
Definition: SVals.h:297
clang::ento::nonloc::ConcreteInt::getValue
const llvm::APSInt & getValue() const
Definition: SVals.h:301
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2685
clang::ento::getDynamicElementCount
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::PrintingPolicy
Describes how types, statements, expressions, and declarations should be printed.
Definition: PrettyPrinter.h:57
Generated on Fri Apr 19 2024 04:18:14 for clang by doxygen 1.9.6