clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp

   1 // MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
   2 //
   3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
   4 // See https://llvm.org/LICENSE.txt for license information.
   5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
   6 //
   7 //===----------------------------------------------------------------------===//
   8 //
   9 // This checker tests the 3rd argument of mmap's calls to check if
  10 // it is writable and executable in the same time. It's somehow
  11 // an optional checker since for example in JIT libraries it is pretty common.
  12 //
  13 //===----------------------------------------------------------------------===//
  14
  15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
  16
  17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
  18 #include "clang/StaticAnalyzer/Core/Checker.h"
  19 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
  20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
  21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
  22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
  23
  24 using namespace clang;
  25 using namespace ento;
  26
  27 namespace {
  28 class MmapWriteExecChecker : public Checker<check::PreCall> {
  29   CallDescription MmapFn;
  30   CallDescription MprotectFn;
  31   static int ProtWrite;
  32   static int ProtExec;
  33   static int ProtRead;
  34   mutable std::unique_ptr<BugType> BT;
  35 public:
  36   MmapWriteExecChecker() : MmapFn({"mmap"}, 6), MprotectFn({"mprotect"}, 3) {}
  37   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
  38   int ProtExecOv;
  39   int ProtReadOv;
  40 };
  41 }
  42
  43 int MmapWriteExecChecker::ProtWrite = 0x02;
  44 int MmapWriteExecChecker::ProtExec  = 0x04;
  45 int MmapWriteExecChecker::ProtRead  = 0x01;
  46
  47 void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
  48                                          CheckerContext &C) const {
  49   if (matchesAny(Call, MmapFn, MprotectFn)) {
  50     SVal ProtVal = Call.getArgSVal(2);
  51     auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
  52     if (!ProtLoc)
  53       return;
  54     int64_t Prot = ProtLoc->getValue().getSExtValue();
  55     if (ProtExecOv != ProtExec)
  56       ProtExec = ProtExecOv;
  57     if (ProtReadOv != ProtRead)
  58       ProtRead = ProtReadOv;
  59
  60     // Wrong settings
  61     if (ProtRead == ProtExec)
  62       return;
  63
  64     if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
  65       if (!BT)
  66         BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
  67
  68       ExplodedNode *N = C.generateNonFatalErrorNode();
  69       if (!N)
  70         return;
  71
  72       auto Report = std::make_unique<PathSensitiveBugReport>(
  73           *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
  74                "lead to exploitable memory regions, which could be overwritten "
  75                "with malicious code", N);
  76       Report->addRange(Call.getArgSourceRange(2));
  77       C.emitReport(std::move(Report));
  78     }
  79   }
  80 }
  81
  82 void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
  83   MmapWriteExecChecker *Mwec =
  84       mgr.registerChecker<MmapWriteExecChecker>();
  85   Mwec->ProtExecOv =
  86     mgr.getAnalyzerOptions()
  87       .getCheckerIntegerOption(Mwec, "MmapProtExec");
  88   Mwec->ProtReadOv =
  89     mgr.getAnalyzerOptions()
  90       .getCheckerIntegerOption(Mwec, "MmapProtRead");
  91 }
  92
  93 bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) {
  94   return true;
  95 }