clang 19.0.0git
ReturnPointerRangeChecker.cpp
Go to the documentation of this file.
1//== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ReturnPointerRangeChecker, which is a path-sensitive check
10// which looks for an out-of-bound pointer being returned to callers.
11//
12//===----------------------------------------------------------------------===//
13
22
23using namespace clang;
24using namespace ento;
25
26namespace {
27class ReturnPointerRangeChecker :
28 public Checker< check::PreStmt<ReturnStmt> > {
29 // FIXME: This bug correspond to CWE-466. Eventually we should have bug
30 // types explicitly reference such exploit categories (when applicable).
31 const BugType BT{this, "Buffer overflow"};
32
33public:
34 void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
35};
36}
37
38void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
39 CheckerContext &C) const {
40 ProgramStateRef state = C.getState();
41
42 const Expr *RetE = RS->getRetValue();
43 if (!RetE)
44 return;
45
46 // Skip "body farmed" functions.
47 if (RetE->getSourceRange().isInvalid())
48 return;
49
50 SVal V = C.getSVal(RetE);
51 const MemRegion *R = V.getAsRegion();
52
53 const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
54 if (!ER)
55 return;
56
58 // Zero index is always in bound, this also passes ElementRegions created for
59 // pointer casts.
60 if (Idx.isZeroConstant())
61 return;
62
63 // FIXME: All of this out-of-bounds checking should eventually be refactored
64 // into a common place.
66 state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
67
68 // We assume that the location after the last element in the array is used as
69 // end() iterator. Reporting on these would return too many false positives.
70 if (Idx == ElementCount)
71 return;
72
73 ProgramStateRef StInBound, StOutBound;
74 std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);
75 if (StOutBound && !StInBound) {
76 ExplodedNode *N = C.generateErrorNode(StOutBound);
77
78 if (!N)
79 return;
80
81 constexpr llvm::StringLiteral Msg =
82 "Returned pointer value points outside the original object "
83 "(potential buffer overflow)";
84
85 // Generate a report for this bug.
86 auto Report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
87 Report->addRange(RetE->getSourceRange());
88
89 const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
90 const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
91
92 const auto *DeclR = ER->getSuperRegion()->getAs<DeclRegion>();
93
94 if (DeclR)
95 Report->addNote("Original object declared here",
96 {DeclR->getDecl(), C.getSourceManager()});
97
98 if (ConcreteElementCount) {
100 llvm::raw_svector_ostream OS(SBuf);
101 OS << "Original object ";
102 if (DeclR) {
103 OS << "'";
104 DeclR->getDecl()->printName(OS);
105 OS << "' ";
106 }
107 OS << "is an array of " << ConcreteElementCount->getValue() << " '";
108 ER->getValueType().print(OS,
109 PrintingPolicy(C.getASTContext().getLangOpts()));
110 OS << "' objects";
111 if (ConcreteIdx) {
112 OS << ", returned pointer points at index " << ConcreteIdx->getValue();
113 }
114
115 Report->addNote(SBuf,
116 {RetE, C.getSourceManager(), C.getLocationContext()});
117 }
118
119 bugreporter::trackExpressionValue(N, RetE, *Report);
120
121 C.emitReport(std::move(Report));
122 }
123}
124
125void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
126 mgr.registerChecker<ReturnPointerRangeChecker>();
127}
128
129bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) {
130 return true;
131}
#define V(N, I)
Definition: ASTContext.h:3323
This represents one expression.
Definition: Expr.h:110
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3020
Expr * getRetValue()
Definition: Stmt.h:3051
bool isInvalid() const
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
ElementRegion is used to represent both array elements and casts.
Definition: MemRegion.h:1199
QualType getValueType() const override
Definition: MemRegion.h:1221
NonLoc getIndex() const
Definition: MemRegion.h:1219
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
const RegionTy * getAs() const
Definition: MemRegion.h:1388
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
bool isZeroConstant() const
Definition: SVals.cpp:258
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:459
Value representing integer constant.
Definition: SVals.h:297
const llvm::APSInt & getValue() const
Definition: SVals.h:301
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
The JSON file list parser is used to communicate input to InstallAPI.
Describes how types, statements, expressions, and declarations should be printed.
Definition: PrettyPrinter.h:57