clang/test/Analysis/mmap-writeexec.c

   1 // RUN: %clang_analyze_cc1 -triple i686-unknown-linux -analyzer-checker=alpha.security.MmapWriteExec -analyzer-config alpha.security.MmapWriteExec:MmapProtExec=1 -analyzer-config alpha.security.MmapWriteExec:MmapProtRead=4 -DUSE_ALTERNATIVE_PROT_EXEC_DEFINITION -verify %s
   2 // RUN: %clang_analyze_cc1 -triple x86_64-unknown-apple-darwin10 -analyzer-checker=alpha.security.MmapWriteExec -verify %s
   3
   4 #define PROT_WRITE  0x02
   5 #ifndef USE_ALTERNATIVE_PROT_EXEC_DEFINITION
   6 #define PROT_EXEC   0x04
   7 #define PROT_READ   0x01
   8 #else
   9 #define PROT_EXEC   0x01
  10 #define PROT_READ   0x04
  11 #endif
  12 #define MAP_PRIVATE 0x0002
  13 #define MAP_ANON    0x1000
  14 #define MAP_FIXED   0x0010
  15 #define NULL        ((void *)0)
  16
  17 typedef __typeof(sizeof(int)) size_t;
  18 void *mmap(void *, size_t, int, int, int, long);
  19 int mprotect(void *, size_t, int);
  20
  21 void f1(void)
  22 {
  23   void *a = mmap(NULL, 16, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_ANON, -1, 0); // no-warning
  24   void *b = mmap(a, 16, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_ANON, -1, 0); // no-warning
  25   void *c = mmap(NULL, 32, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
  26   (void)a;
  27   (void)b;
  28   (void)c;
  29 }
  30
  31 void f2(void)
  32 {
  33   void *(*callm)(void *, size_t, int, int, int, long);
  34   callm = mmap;
  35   int prot = PROT_WRITE | PROT_EXEC;
  36   (void)callm(NULL, 1024, prot, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
  37 }
  38
  39 void f3(void)
  40 {
  41   void *p = mmap(NULL, 1024, PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0); // no-warning
  42   int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
  43   (void)m;
  44 }
  45
  46 // gh62285: no crash on non concrete arg 'prot'
  47 void *gh62285(void *addr, int prot)
  48 {
  49   return mmap(addr, 1, prot, 1, 1, 1);
  50 }