10b57cec5SDimitry Andric //==- CheckSecuritySyntaxOnly.cpp - Basic security checks --------*- C++ -*-==//
20b57cec5SDimitry Andric //
30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
60b57cec5SDimitry Andric //
70b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
80b57cec5SDimitry Andric //
90b57cec5SDimitry Andric // This file defines a set of flow-insensitive security checks.
100b57cec5SDimitry Andric //
110b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
120b57cec5SDimitry Andric
130b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
140b57cec5SDimitry Andric #include "clang/AST/StmtVisitor.h"
150b57cec5SDimitry Andric #include "clang/Analysis/AnalysisDeclContext.h"
160b57cec5SDimitry Andric #include "clang/Basic/TargetInfo.h"
170b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
200b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h"
210b57cec5SDimitry Andric #include "llvm/ADT/StringSwitch.h"
220b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h"
230b57cec5SDimitry Andric
240b57cec5SDimitry Andric using namespace clang;
250b57cec5SDimitry Andric using namespace ento;
260b57cec5SDimitry Andric
/// Returns true when the analysed target is one that ships arc4random():
/// any Apple vendor triple, or the FreeBSD/NetBSD/OpenBSD/DragonFly OSes.
/// The result is stored in WalkAST::CheckRand by the WalkAST constructor;
/// how it is consumed lies outside this excerpt.
static bool isArc4RandomAvailable(const ASTContext &Ctx) {
  const llvm::Triple &Triple = Ctx.getTargetInfo().getTriple();
  if (Triple.getVendor() == llvm::Triple::Apple)
    return true;
  return Triple.isOSFreeBSD() || Triple.isOSNetBSD() || Triple.isOSOpenBSD() ||
         Triple.isOSDragonFly();
}
350b57cec5SDimitry Andric
360b57cec5SDimitry Andric namespace {
/// Per-sub-check configuration shared by all WalkAST instances.
///
/// Each `check_*` flag gates one syntactic check (see the `if (!filter.check_*)
/// return;` guard at the top of the corresponding `checkCall_*`/`check*`
/// method). All flags default to off; they are presumably switched on during
/// checker registration, which is outside this excerpt — confirm.
struct ChecksFilter {
  bool check_bcmp = false;
  bool check_bcopy = false;
  bool check_bzero = false;
  bool check_gets = false;
  bool check_getpw = false;
  bool check_mktemp = false;
  bool check_mkstemp = false;
  bool check_strcpy = false;
  bool check_DeprecatedOrUnsafeBufferHandling = false;
  bool check_rand = false;
  bool check_vfork = false;
  bool check_FloatLoopCounter = false;
  bool check_UncheckedReturn = false;
  bool check_decodeValueOfObjCType = false;

  // Name under which each diagnostic is attributed; passed straight through
  // to BugReporter::EmitBasicReport by the method that owns the check.
  CheckerNameRef checkName_bcmp;
  CheckerNameRef checkName_bcopy;
  CheckerNameRef checkName_bzero;
  CheckerNameRef checkName_gets;
  CheckerNameRef checkName_getpw;
  CheckerNameRef checkName_mktemp;
  CheckerNameRef checkName_mkstemp;
  CheckerNameRef checkName_strcpy;
  CheckerNameRef checkName_DeprecatedOrUnsafeBufferHandling;
  CheckerNameRef checkName_rand;
  CheckerNameRef checkName_vfork;
  CheckerNameRef checkName_FloatLoopCounter;
  CheckerNameRef checkName_UncheckedReturn;
  CheckerNameRef checkName_decodeValueOfObjCType;
};
680b57cec5SDimitry Andric
/// Syntactic (flow-insensitive) walker over one declaration's body.
///
/// The Visit* overrides descend through every statement; the per-construct
/// checks are dispatched from VisitCallExpr (by callee name),
/// VisitObjCMessageExpr (by selector), VisitForStmt and VisitCompoundStmt.
/// Diagnostics are emitted through BR as basic (non-path) reports.
class WalkAST : public StmtVisitor<WalkAST> {
  BugReporter &BR;          // Diagnostic sink; also supplies ASTContext/SourceManager.
  AnalysisDeclContext* AC;  // Declaration under analysis; used for report locations.
  enum { num_setids = 6 };
  // Identifier cache sized by num_setids, value-initialised to null in the
  // constructor. It is neither filled nor read in this excerpt — presumably
  // used by checkUncheckedReturnValue; confirm against the rest of the file.
  IdentifierInfo *II_setid[num_setids];

  // True when the target provides arc4random() (see isArc4RandomAvailable).
  // Not consumed in this excerpt.
  const bool CheckRand;
  // Which checks are enabled, and the checker names to report them under.
  const ChecksFilter &filter;

public:
  WalkAST(BugReporter &br, AnalysisDeclContext* ac,
          const ChecksFilter &f)
      : BR(br), AC(ac), II_setid(),
        CheckRand(isArc4RandomAvailable(BR.getContext())),
        filter(f) {}

  // Statement visitor methods.
  void VisitCallExpr(CallExpr *CE);
  void VisitObjCMessageExpr(ObjCMessageExpr *CE);
  void VisitForStmt(ForStmt *S);
  void VisitCompoundStmt (CompoundStmt *S);
  // Default for every statement kind without a dedicated visitor: just recurse.
  void VisitStmt(Stmt *S) { VisitChildren(S); }

  void VisitChildren(Stmt *S);

  // Helpers.
  bool checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD);

  // Member-function pointers used as the targets of the name/selector
  // dispatch tables in VisitCallExpr and VisitObjCMessageExpr.
  typedef void (WalkAST::*FnCheck)(const CallExpr *, const FunctionDecl *);
  typedef void (WalkAST::*MsgCheck)(const ObjCMessageExpr *);

  // Checker-specific methods. Each one first consults the matching
  // filter.check_* flag and returns early when that check is disabled.
  void checkLoopConditionForFloat(const ForStmt *FS);
  void checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_gets(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD);
  void checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE,
                                             const FunctionDecl *FD);
  void checkCall_rand(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_random(const CallExpr *CE, const FunctionDecl *FD);
  void checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD);
  void checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME);
  void checkUncheckedReturnValue(CallExpr *CE);
};
1190b57cec5SDimitry Andric } // end anonymous namespace
1200b57cec5SDimitry Andric
1210b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
1220b57cec5SDimitry Andric // AST walking.
1230b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
1240b57cec5SDimitry Andric
/// Visits every non-null child of S. Null children occur in the AST (e.g. a
/// `for` with an empty clause), so they are skipped rather than dereferenced.
void WalkAST::VisitChildren(Stmt *S) {
  for (Stmt *Child : S->children()) {
    if (!Child)
      continue;
    Visit(Child);
  }
}
1300b57cec5SDimitry Andric
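/// Dispatches a call to the check registered for its callee name, then
/// recurses into the call's subexpressions.
///
/// Only direct calls to a plainly named function are classified. Calls
/// through a function pointer (no direct callee) and callees without a
/// simple identifier (overloaded operators, constructors, ...) are not
/// matched — but their argument subtrees are still walked, so a flagged
/// call nested inside one of them is not missed. (Previously the early
/// returns skipped VisitChildren for those cases.)
void WalkAST::VisitCallExpr(CallExpr *CE) {
  if (const FunctionDecl *FD = CE->getDirectCallee()) {
    if (IdentifierInfo *II = FD->getIdentifier()) {
      // Builtin spellings (__builtin_strcpy, __builtin___strcpy_chk, ...) are
      // treated the same as the library function they stand for.
      StringRef Name = II->getName();
      Name.consume_front("__builtin_");

      // Callee name -> per-function check. Names not listed here are of no
      // concern to this checker and map to nullptr.
      FnCheck evalFunction =
          llvm::StringSwitch<FnCheck>(Name)
              .Case("bcmp", &WalkAST::checkCall_bcmp)
              .Case("bcopy", &WalkAST::checkCall_bcopy)
              .Case("bzero", &WalkAST::checkCall_bzero)
              .Case("gets", &WalkAST::checkCall_gets)
              .Case("getpw", &WalkAST::checkCall_getpw)
              .Case("mktemp", &WalkAST::checkCall_mktemp)
              .Case("mkstemp", &WalkAST::checkCall_mkstemp)
              .Case("mkdtemp", &WalkAST::checkCall_mkstemp)
              .Case("mkstemps", &WalkAST::checkCall_mkstemp)
              .Cases("strcpy", "__strcpy_chk", &WalkAST::checkCall_strcpy)
              .Cases("strcat", "__strcat_chk", &WalkAST::checkCall_strcat)
              .Cases("sprintf", "vsprintf", "scanf", "wscanf", "fscanf",
                     "fwscanf", "vscanf", "vwscanf", "vfscanf", "vfwscanf",
                     &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
              .Cases("sscanf", "swscanf", "vsscanf", "vswscanf", "swprintf",
                     "snprintf", "vswprintf", "vsnprintf", "memcpy", "memmove",
                     &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
              .Cases("strncpy", "strncat", "memset", "fprintf",
                     &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
              .Case("drand48", &WalkAST::checkCall_rand)
              .Case("erand48", &WalkAST::checkCall_rand)
              .Case("jrand48", &WalkAST::checkCall_rand)
              .Case("lrand48", &WalkAST::checkCall_rand)
              .Case("mrand48", &WalkAST::checkCall_rand)
              .Case("nrand48", &WalkAST::checkCall_rand)
              .Case("lcong48", &WalkAST::checkCall_rand)
              .Case("rand", &WalkAST::checkCall_rand)
              .Case("rand_r", &WalkAST::checkCall_rand)
              .Case("random", &WalkAST::checkCall_random)
              .Case("vfork", &WalkAST::checkCall_vfork)
              .Default(nullptr);

      if (evalFunction)
        (this->*evalFunction)(CE, FD);
    }
  }

  // Recurse and check children: the callee expression and every argument.
  VisitChildren(CE);
}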
1880b57cec5SDimitry Andric
/// Dispatches an Objective-C message on its full selector string, then
/// recurses into the receiver and arguments. Only one selector is of
/// interest; everything else maps to nullptr and is merely walked.
void WalkAST::VisitObjCMessageExpr(ObjCMessageExpr *ME) {
  const auto Selector = ME->getSelector().getAsString();
  MsgCheck Handler = llvm::StringSwitch<MsgCheck>(Selector)
                         .Case("decodeValueOfObjCType:at:",
                               &WalkAST::checkMsg_decodeValueOfObjCType)
                         .Default(nullptr);
  if (Handler)
    (this->*Handler)(ME);

  // Always descend, whether or not the message itself was checked.
  VisitChildren(ME);
}
202480093f4SDimitry Andric
/// Walks a `{ ... }` block. A call that is itself a statement of the block
/// has its return value discarded, so that — and only that — position is
/// handed to checkUncheckedReturnValue before the normal recursion.
void WalkAST::VisitCompoundStmt(CompoundStmt *S) {
  for (Stmt *Child : S->children()) {
    if (!Child)
      continue;
    if (auto *Call = dyn_cast<CallExpr>(Child))
      checkUncheckedReturnValue(Call);
    Visit(Child);
  }
}
2110b57cec5SDimitry Andric
/// Runs the float-loop-counter check on the loop itself, then descends into
/// its init/condition/increment/body.
void WalkAST::VisitForStmt(ForStmt *FS) {
  checkLoopConditionForFloat(FS);
  VisitChildren(FS);
}
2180b57cec5SDimitry Andric
2190b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
2200b57cec5SDimitry Andric // Check: floating point variable used as loop counter.
2210b57cec5SDimitry Andric // Implements: CERT security coding advisory FLP-30.
2220b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
2230b57cec5SDimitry Andric
224a7dea167SDimitry Andric // Returns either 'x' or 'y', depending on which one of them is incremented
225a7dea167SDimitry Andric // in 'expr', or nullptr if none of them is incremented.
/// Finds, inside the increment clause `expr`, a reference to `x` or `y`
/// that is being written: the operand of ++/--, the left side of any
/// assignment or compound assignment, or either side of a comma expression
/// (searched left to right, recursively). Returns that DeclRefExpr, or
/// nullptr when neither variable is written. Despite the name, a plain
/// assignment such as `x = 0` also counts as "incremented".
/// Either of `x`/`y` may be nullptr, in which case it can never match.
static const DeclRefExpr*
getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) {
  expr = expr->IgnoreParenCasts();

  // A bare reference: a hit if it names one of the candidates.
  if (const auto *Ref = dyn_cast<DeclRefExpr>(expr)) {
    const NamedDecl *Named = Ref->getDecl();
    if (Named == x || Named == y)
      return Ref;
    return nullptr;
  }

  // ++v, v++, --v, v--: look at the operand.
  if (const auto *Unary = dyn_cast<UnaryOperator>(expr)) {
    if (!Unary->isIncrementDecrementOp())
      return nullptr;
    return getIncrementedVar(Unary->getSubExpr(), x, y);
  }

  // v = ..., v op= ..., or a comma expression: search both operands, LHS first.
  if (const auto *Bin = dyn_cast<BinaryOperator>(expr)) {
    const bool Relevant = Bin->isAssignmentOp() ||
                          Bin->isCompoundAssignmentOp() ||
                          Bin->getOpcode() == BO_Comma;
    if (!Relevant)
      return nullptr;
    if (const DeclRefExpr *Hit = getIncrementedVar(Bin->getLHS(), x, y))
      return Hit;
    return getIncrementedVar(Bin->getRHS(), x, y);
  }

  return nullptr;
}
2550b57cec5SDimitry Andric
/// checkLoopConditionForFloat - This check looks for 'for' statements that
/// use a floating point variable as a loop counter.
/// CERT: FLP30-C, FLP30-CPP.
///
void WalkAST::checkLoopConditionForFloat(const ForStmt *FS) {
  if (!filter.check_FloatLoopCounter)
    return;

  // Without both a condition and an increment this is not a counted loop.
  const Expr *Cond = FS->getCond();
  const Expr *Inc = FS->getInc();
  if (!Cond || !Inc)
    return;

  // Strip away '()' and casts.
  Cond = Cond->IgnoreParenCasts();
  Inc = Inc->IgnoreParenCasts();

  // The condition must be a relational or equality comparison.
  const auto *Cmp = dyn_cast<BinaryOperator>(Cond);
  if (!Cmp || !(Cmp->isRelationalOp() || Cmp->isEqualityOp()))
    return;

  // Keep an operand only if it is a direct reference whose type is a real
  // floating-point type.
  auto FloatVarRef = [](const Expr *E) -> const DeclRefExpr * {
    const auto *Ref = dyn_cast<DeclRefExpr>(E->IgnoreParenLValueCasts());
    if (Ref && Ref->getType()->isRealFloatingType())
      return Ref;
    return nullptr;
  };
  const DeclRefExpr *RefL = FloatVarRef(Cmp->getLHS());
  const DeclRefExpr *RefR = FloatVarRef(Cmp->getRHS());
  if (!RefL && !RefR)
    return;

  // Only variables (not, say, enumerators or functions) can be counters.
  const VarDecl *VarL = RefL ? dyn_cast<VarDecl>(RefL->getDecl()) : nullptr;
  const VarDecl *VarR = RefR ? dyn_cast<VarDecl>(RefR->getDecl()) : nullptr;
  if (!VarL && !VarR)
    return;

  // The compared variable must also be written in the increment clause.
  const DeclRefExpr *RefInc = getIncrementedVar(Inc, VarL, VarR);
  if (!RefInc)
    return;

  const VarDecl *VarInc = cast<VarDecl>(RefInc->getDecl());
  assert(VarInc && (VarInc == VarL || VarInc == VarR));

  // Report on the occurrence in the condition; highlight the increment too.
  const DeclRefExpr *RefCond = (VarInc == VarL) ? RefL : RefR;

  SmallString<256> Buf;
  llvm::raw_svector_ostream OS(Buf);
  OS << "Variable '" << RefCond->getDecl()->getName()
     << "' with floating point type '" << RefCond->getType()
     << "' should not be used as a loop counter";

  SmallVector<SourceRange, 2> Ranges{RefCond->getSourceRange(),
                                     RefInc->getSourceRange()};

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(FS, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_FloatLoopCounter,
                     "Floating point variable used as loop counter", "Security",
                     OS.str(), Loc, Ranges);
}
3400b57cec5SDimitry Andric
3410b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
3420b57cec5SDimitry Andric // Check: Any use of bcmp.
3430b57cec5SDimitry Andric // CWE-477: Use of Obsolete Functions
3440b57cec5SDimitry Andric // bcmp was deprecated in POSIX.1-2008
3450b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
3460b57cec5SDimitry Andric
/// Reports a call to bcmp() when the callee has the POSIX prototype
/// bcmp(const void *, const void *, size_t): two void pointers followed by
/// an integral length. Declarations without a prototype, or with a
/// different shape, are left alone.
void WalkAST::checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD) {
  if (!filter.check_bcmp)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 3)
    return;

  const QualType VoidQT = BR.getContext().VoidTy;
  auto IsVoidPtr = [&VoidQT](QualType Ty) {
    const PointerType *PT = Ty->getAs<PointerType>();
    return PT && PT->getPointeeType().getUnqualifiedType() == VoidQT;
  };
  if (!IsVoidPtr(Proto->getParamType(0)) ||
      !IsVoidPtr(Proto->getParamType(1)))
    return;
  if (!Proto->getParamType(2)->isIntegralOrUnscopedEnumerationType())
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_bcmp,
                     "Use of deprecated function in call to 'bcmp()'",
                     "Security",
                     "The bcmp() function is obsoleted by memcmp().",
                     Loc, CE->getCallee()->getSourceRange());
}
3820b57cec5SDimitry Andric
3830b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
3840b57cec5SDimitry Andric // Check: Any use of bcopy.
3850b57cec5SDimitry Andric // CWE-477: Use of Obsolete Functions
3860b57cec5SDimitry Andric // bcopy was deprecated in POSIX.1-2008
3870b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
3880b57cec5SDimitry Andric
/// Reports a call to bcopy() when the callee has the POSIX prototype
/// bcopy(const void *, void *, size_t). The parameter-shape test mirrors
/// checkCall_bcmp; unprototyped or differently shaped declarations are
/// skipped.
void WalkAST::checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD) {
  if (!filter.check_bcopy)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 3)
    return;

  // Parameters 0 and 1 must be pointers to (possibly qualified) void.
  const QualType VoidQT = BR.getContext().VoidTy;
  for (unsigned Idx = 0; Idx != 2; ++Idx) {
    const PointerType *PT = Proto->getParamType(Idx)->getAs<PointerType>();
    if (!PT || PT->getPointeeType().getUnqualifiedType() != VoidQT)
      return;
  }

  // Parameter 2 is the length and must be integral.
  if (!Proto->getParamType(2)->isIntegralOrUnscopedEnumerationType())
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_bcopy,
                     "Use of deprecated function in call to 'bcopy()'",
                     "Security",
                     "The bcopy() function is obsoleted by memcpy() "
                     "or memmove().",
                     Loc, CE->getCallee()->getSourceRange());
}
4250b57cec5SDimitry Andric
4260b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
4270b57cec5SDimitry Andric // Check: Any use of bzero.
4280b57cec5SDimitry Andric // CWE-477: Use of Obsolete Functions
4290b57cec5SDimitry Andric // bzero was deprecated in POSIX.1-2008
4300b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
4310b57cec5SDimitry Andric
/// Reports a call to bzero() when the callee has the POSIX prototype
/// bzero(void *, size_t). Unprototyped or differently shaped declarations
/// are skipped.
void WalkAST::checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD) {
  if (!filter.check_bzero)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 2)
    return;

  // First parameter: pointer to void.
  const PointerType *Buffer = Proto->getParamType(0)->getAs<PointerType>();
  if (!Buffer ||
      Buffer->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy)
    return;

  // Second parameter: integral length.
  if (!Proto->getParamType(1)->isIntegralOrUnscopedEnumerationType())
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_bzero,
                     "Use of deprecated function in call to 'bzero()'",
                     "Security",
                     "The bzero() function is obsoleted by memset().",
                     Loc, CE->getCallee()->getSourceRange());
}
4650b57cec5SDimitry Andric
4660b57cec5SDimitry Andric
4670b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
// Check: Any use of 'gets' is insecure. Most man pages literally say this.
4695f757f3fSDimitry Andric //
4700b57cec5SDimitry Andric // Implements (part of): 300-BSI (buildsecurityin.us-cert.gov)
4710b57cec5SDimitry Andric // CWE-242: Use of Inherently Dangerous Function
4720b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
4730b57cec5SDimitry Andric
/// Reports a call to gets() when the callee has the C prototype gets(char *).
/// gets() has no way to bound the write into its buffer, which is why every
/// call is reported rather than only suspicious ones. Unprototyped or
/// differently shaped declarations are skipped.
void WalkAST::checkCall_gets(const CallExpr *CE, const FunctionDecl *FD) {
  if (!filter.check_gets)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 1)
    return;

  // The single parameter must be a pointer to (possibly qualified) char.
  const PointerType *Buffer = Proto->getParamType(0)->getAs<PointerType>();
  if (!Buffer ||
      Buffer->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_gets,
                     "Potential buffer overflow in call to 'gets'",
                     "Security",
                     "Call to function 'gets' is extremely insecure as it can "
                     "always result in a buffer overflow",
                     Loc, CE->getCallee()->getSourceRange());
}
5040b57cec5SDimitry Andric
5050b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
// Check: Any use of 'getpw' is insecure.
5070b57cec5SDimitry Andric // CWE-477: Use of Obsolete Functions
5080b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
5090b57cec5SDimitry Andric
/// Reports a call to getpw() when the callee has the prototype
/// getpw(uid_t, char *): an integral uid followed by a char buffer whose
/// size the callee cannot know. Unprototyped or differently shaped
/// declarations are skipped.
void WalkAST::checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD) {
  if (!filter.check_getpw)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 2)
    return;

  // First parameter: the uid, an integral type (uid_t is an integer typedef).
  if (!Proto->getParamType(0)->isIntegralOrUnscopedEnumerationType())
    return;

  // Second parameter: pointer to (possibly qualified) char.
  const PointerType *Buffer = Proto->getParamType(1)->getAs<PointerType>();
  if (!Buffer ||
      Buffer->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_getpw,
                     "Potential buffer overflow in call to 'getpw'",
                     "Security",
                     "The getpw() function is dangerous as it may overflow the "
                     "provided buffer. It is obsoleted by getpwuid().",
                     Loc, CE->getCallee()->getSourceRange());
}
5440b57cec5SDimitry Andric
5450b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
5460b57cec5SDimitry Andric // Check: Any use of 'mktemp' is insecure. It is obsoleted by mkstemp().
5470b57cec5SDimitry Andric // CWE-377: Insecure Temporary File
5480b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
5490b57cec5SDimitry Andric
void WalkAST::checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) {
  // Reports every call matching mktemp(char *): the function only produces a
  // name, and the file is created in a separate step, which is the classic
  // insecure-temporary-file pattern (CWE-377).  When this check is disabled,
  // fall through to the weaker template check so a template with too few
  // 'X's is still diagnosed.
  if (!filter.check_mktemp) {
    checkCall_mkstemp(CE, FD);
    return;
  }

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 1)
    return;

  // The single parameter must be a pointer to (possibly qualified) char.
  const auto *TemplatePtr = Proto->getParamType(0)->getAs<PointerType>();
  if (!TemplatePtr)
    return;
  const QualType Pointee = TemplatePtr->getPointeeType().getUnqualifiedType();
  if (Pointee != BR.getContext().CharTy)
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_mktemp,
                     "Potential insecure temporary file in call 'mktemp'",
                     "Security",
                     "Call to function 'mktemp' is insecure as it always "
                     "creates or uses insecure temporary file. Use 'mkstemp' "
                     "instead",
                     Loc, CE->getCallee()->getSourceRange());
}
5860b57cec5SDimitry Andric
5870b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
5880b57cec5SDimitry Andric // Check: The template passed to 'mktemp', 'mkstemp', 'mkdtemp' or 'mkstemps' should contain at least 6 X's; for 'mkstemps' the trailing suffix is excluded from the count.
5890b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
5900b57cec5SDimitry Andric
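void WalkAST::checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD) {
  // Checks the template handed to mktemp/mkstemp/mkdtemp/mkstemps.  The
  // library replaces the run of 'X's at the END of the template (before the
  // mkstemps suffix) with random characters; fewer than six leaves too few
  // candidate names to resist guessing (CWE-377).  Only narrow string-literal
  // templates are inspected; anything else is skipped rather than guessed at.
  if (!filter.check_mkstemp)
    return;

  const IdentifierInfo *II = FD->getIdentifier();
  if (!II)
    return;
  StringRef Name = II->getName();

  // {index of the template argument, index of the suffix-length argument},
  // with -1 meaning "no suffix-length argument".
  std::pair<signed, signed> ArgSuffix =
      llvm::StringSwitch<std::pair<signed, signed>>(Name)
          .Case("mktemp", std::make_pair(0, -1))
          .Case("mkstemp", std::make_pair(0, -1))
          .Case("mkdtemp", std::make_pair(0, -1))
          .Case("mkstemps", std::make_pair(0, 1))
          .Default(std::make_pair(-1, -1));

  assert(ArgSuffix.first >= 0 && "Unsupported function");

  // Bail out if the call site does not supply the arguments we need (possible
  // for a call through an unprototyped declaration); getArg() asserts on an
  // out-of-range index.
  const int NumArgs = static_cast<int>(CE->getNumArgs());
  if (NumArgs <= ArgSuffix.first || NumArgs <= ArgSuffix.second)
    return;

  const auto *strArg = dyn_cast<StringLiteral>(
      CE->getArg(static_cast<unsigned>(ArgSuffix.first))->IgnoreParenImpCasts());

  // Currently we only handle (narrow) string literals. It is possible to do
  // better, either by looking at references to const variables, or by doing
  // real flow analysis.
  if (!strArg || strArg->getCharByteWidth() != 1)
    return;

  StringRef str = strArg->getString();
  // Number of leading template characters that may be placeholders, i.e. the
  // whole template minus any mkstemps suffix.
  unsigned n = str.size();

  uint64_t suffix = 0;
  if (ArgSuffix.second >= 0) {
    const Expr *suffixEx = CE->getArg(static_cast<unsigned>(ArgSuffix.second));
    Expr::EvalResult EVResult;
    if (!suffixEx->EvaluateAsInt(EVResult, BR.getContext()))
      return;
    llvm::APSInt Result = EVResult.Val.getInt();
    // FIXME: Issue a warning.
    if (Result.isNegative())
      return;
    // Keep the full 64-bit value for the comparison so an oversized suffix
    // length cannot be truncated into a small, wrong one.
    suffix = Result.getLimitedValue();
    n = (suffix < n) ? n - static_cast<unsigned>(suffix) : 0;
  }

  // Count only the trailing run of 'X's: that is the part the library
  // randomises.  An 'X' earlier in the template is kept literally and adds no
  // entropy, so "XXXfooXXX" counts as three, not six.  (Previously every 'X'
  // anywhere in the template was counted, which let such templates through.)
  unsigned numX = 0;
  while (numX < n && str[n - 1 - numX] == 'X')
    ++numX;

  if (numX >= 6)
    return;

  // Issue a warning.
  PathDiagnosticLocation CELoc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  SmallString<512> buf;
  llvm::raw_svector_ostream out(buf);
  out << "Call to '" << Name << "' should have at least 6 'X's in the"
         " format string to be secure (" << numX << " 'X'";
  if (numX != 1)
    out << 's';
  out << " seen";
  if (suffix) {
    out << ", " << suffix << " character";
    if (suffix > 1)
      out << 's';
    out << " used as a suffix";
  }
  out << ')';
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_mkstemp,
                     "Insecure temporary file creation", "Security", out.str(),
                     CELoc, strArg->getSourceRange());
}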
6680b57cec5SDimitry Andric
6690b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
6700b57cec5SDimitry Andric // Check: Any use of 'strcpy' is insecure.
6710b57cec5SDimitry Andric //
6720b57cec5SDimitry Andric // CWE-119: Improper Restriction of Operations within
6730b57cec5SDimitry Andric // the Bounds of a Memory Buffer
6740b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
6750b57cec5SDimitry Andric
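// True when 'Src' is a narrow string literal and 'Dst' is a constant-size
// array large enough for the literal plus its NUL terminator.  The array type
// is obtained through ASTContext so typedef'd or otherwise sugared array types
// ('typedef char name_t[16];') are recognised as well; a plain dyn_cast on the
// expression's type would miss them and produce a false positive.
static bool literalFitsInArray(const ASTContext &Ctx, const Expr *Dst,
                               const Expr *Src) {
  const ConstantArrayType *Array = Ctx.getAsConstantArrayType(Dst->getType());
  const auto *Lit = dyn_cast<StringLiteral>(Src);
  // getLength() on a wide literal counts code units, not bytes, so its size
  // cannot be compared against a char array; such calls stay reported.
  if (!Array || !Lit || Lit->getCharByteWidth() != 1)
    return false;
  const uint64_t Capacity = Ctx.getTypeSizeInChars(Array).getQuantity();
  return Capacity >= static_cast<uint64_t>(Lit->getLength()) + 1;
}

void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
  // Reports strcpy(dst, src) as an unbounded copy (CWE-119).  The single case
  // that is provably safe from the syntax alone -- a string-literal source
  // copied into a fixed-size array with room for it and the terminator -- is
  // suppressed; everything else is reported.
  if (!filter.check_strcpy)
    return;

  if (!checkCall_strCommon(CE, FD))
    return;

  const Expr *Dst = CE->getArg(0)->IgnoreImpCasts();
  const Expr *Src = CE->getArg(1)->IgnoreImpCasts();
  if (literalFitsInArray(BR.getContext(), Dst, Src))
    return;

  // Issue a warning.
  PathDiagnosticLocation CELoc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
                     "Potential insecure memory buffer bounds restriction in "
                     "call 'strcpy'",
                     "Security",
                     "Call to function 'strcpy' is insecure as it does not "
                     "provide bounding of the memory buffer. Replace "
                     "unbounded copy functions with analogous functions that "
                     "support length arguments such as 'strlcpy'. CWE-119.",
                     CELoc, CE->getCallee()->getSourceRange());
}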
7070b57cec5SDimitry Andric
7080b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
7090b57cec5SDimitry Andric // Check: Any use of 'strcat' is insecure.
7100b57cec5SDimitry Andric //
7110b57cec5SDimitry Andric // CWE-119: Improper Restriction of Operations within
7120b57cec5SDimitry Andric // the Bounds of a Memory Buffer
7130b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
7140b57cec5SDimitry Andric
void WalkAST::checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD) {
  // Every strcat(dst, src) matching the char*/char* prototype is reported as
  // an unbounded append (CWE-119).  Unlike strcpy there is no literal-fits
  // suppression: the destination's current length is unknown syntactically.
  // Note this shares the strcpy enable flag and check name; there is no
  // separate strcat toggle.
  if (!filter.check_strcpy || !checkCall_strCommon(CE, FD))
    return;

  const SourceRange CalleeRange = CE->getCallee()->getSourceRange();
  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
                     "Potential insecure memory buffer bounds restriction in "
                     "call 'strcat'",
                     "Security",
                     "Call to function 'strcat' is insecure as it does not "
                     "provide bounding of the memory buffer. Replace "
                     "unbounded copy functions with analogous functions that "
                     "support length arguments such as 'strlcat'. CWE-119.",
                     Loc, CalleeRange);
}
7350b57cec5SDimitry Andric
7360b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
7370b57cec5SDimitry Andric // Check: Any use of 'sprintf', 'vsprintf', 'scanf', 'wscanf', 'fscanf',
7380b57cec5SDimitry Andric // 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf',
7390b57cec5SDimitry Andric // 'swscanf', 'vsscanf', 'vswscanf', 'swprintf', 'snprintf', 'vswprintf',
7405f757f3fSDimitry Andric // 'vsnprintf', 'memcpy', 'memmove', 'strncpy', 'strncat', 'memset',
7415f757f3fSDimitry Andric // 'fprintf' is deprecated since C11.
7420b57cec5SDimitry Andric //
7435f757f3fSDimitry Andric // Use of 'sprintf', 'fprintf', 'vsprintf', 'scanf', 'wscanf', 'fscanf',
7440b57cec5SDimitry Andric // 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf',
7450b57cec5SDimitry Andric // 'swscanf', 'vsscanf', 'vswscanf' without buffer limitations
7460b57cec5SDimitry Andric // is insecure.
7470b57cec5SDimitry Andric //
7480b57cec5SDimitry Andric // CWE-119: Improper Restriction of Operations within
7490b57cec5SDimitry Andric // the Bounds of a Memory Buffer
7500b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
7510b57cec5SDimitry Andric
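void WalkAST::checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE,
                                                    const FunctionDecl *FD) {
  // Reports calls to the buffer-handling functions that C11 Annex K supersedes
  // with *_s variants (CWE-119).  Two severities share one report: functions
  // whose signature already carries a length (snprintf, memcpy, strncpy, ...)
  // are "deprecated only"; the unbounded scanf/sprintf family is additionally
  // flagged as lacking bounds unless its format string is a narrow literal
  // with no unbounded string conversion.
  if (!filter.check_DeprecatedOrUnsafeBufferHandling)
    return;

  // The *_s replacements only exist from C11 on; stay quiet in older modes.
  if (!BR.getContext().getLangOpts().C11)
    return;

  // ArgIndex == DEPR_ONLY: deprecated but not unsafe (has size restrictions).
  enum { DEPR_ONLY = -1, UNKNOWN_CALL = -2 };

  StringRef Name = FD->getIdentifier()->getName();
  Name.consume_front("__builtin_");

  // Index of the format-string argument, or DEPR_ONLY.
  int ArgIndex =
      llvm::StringSwitch<int>(Name)
          .Cases("scanf", "wscanf", "vscanf", "vwscanf", 0)
          .Cases("fscanf", "fwscanf", "vfscanf", "vfwscanf", "sscanf",
                 "swscanf", "vsscanf", "vswscanf", 1)
          .Cases("sprintf", "vsprintf", "fprintf", 1)
          .Cases("swprintf", "snprintf", "vswprintf", "vsnprintf", "memcpy",
                 "memmove", "memset", "strncpy", "strncat", DEPR_ONLY)
          .Default(UNKNOWN_CALL);

  assert(ArgIndex != UNKNOWN_CALL && "Unsupported function");
  bool BoundsProvided = ArgIndex == DEPR_ONLY;

  // A call that does not even supply the format argument (possible through an
  // unprototyped declaration) is treated like a non-literal format: reported
  // as unbounded.
  if (!BoundsProvided && ArgIndex < static_cast<int>(CE->getNumArgs())) {
    // Currently we only handle (not wide) string literals. It is possible to
    // do better, either by looking at references to const variables, or by
    // doing real flow analysis.  StringLiteral::getString() is only valid for
    // 1-byte literals, so a wide L"..." format (as taken by the w*/vw*
    // variants) is deliberately left uninspected and therefore reported as
    // unbounded -- the conservative direction -- rather than read as raw
    // bytes that happen not to contain "%s".
    const auto *FormatString =
        dyn_cast<StringLiteral>(CE->getArg(ArgIndex)->IgnoreParenImpCasts());
    if (FormatString && FormatString->getCharByteWidth() == 1) {
      const StringRef Fmt = FormatString->getString();
      // Conversions without a field width read an unbounded string: "%s",
      // its wide-string form "%ls", and scansets "%[".  Width-qualified
      // forms such as "%10s" do not match these substrings and are treated
      // as bounded.
      BoundsProvided = !Fmt.contains("%s") && !Fmt.contains("%ls") &&
                       !Fmt.contains("%[");
    }
  }

  SmallString<128> Buf1;
  SmallString<512> Buf2;
  llvm::raw_svector_ostream Out1(Buf1);
  llvm::raw_svector_ostream Out2(Buf2);

  Out1 << "Potential insecure memory buffer bounds restriction in call '"
       << Name << "'";
  Out2 << "Call to function '" << Name
       << "' is insecure as it does not provide ";

  if (!BoundsProvided) {
    Out2 << "bounding of the memory buffer or ";
  }

  Out2 << "security checks introduced "
          "in the C11 standard. Replace with analogous functions that "
          "support length arguments or provides boundary checks such as '"
       << Name << "_s' in case of C11";

  PathDiagnosticLocation CELoc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(),
                     filter.checkName_DeprecatedOrUnsafeBufferHandling,
                     Out1.str(), "Security", Out2.str(), CELoc,
                     CE->getCallee()->getSourceRange());
}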
8170b57cec5SDimitry Andric
8180b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
8190b57cec5SDimitry Andric // Common check for str* functions with no bounds parameters.
8200b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
8210b57cec5SDimitry Andric
bool WalkAST::checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD) {
  // Shared prototype filter for the strcpy/strcat checks: accepts a function
  // with two parameters (or three, for the fortified __*_chk form) whose first
  // two parameters are pointers to (possibly qualified) char.  Only the
  // callee's declared type is examined; the call expression itself is unused.
  (void)CE;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto)
    return false;

  const unsigned NumParams = Proto->getNumParams();
  if (NumParams != 2 && NumParams != 3)
    return false;

  const QualType CharTy = BR.getContext().CharTy;
  for (unsigned Idx = 0; Idx != 2; ++Idx) {
    const auto *Ptr = Proto->getParamType(Idx)->getAs<PointerType>();
    if (!Ptr)
      return false;
    if (Ptr->getPointeeType().getUnqualifiedType() != CharTy)
      return false;
  }

  return true;
}
8460b57cec5SDimitry Andric
8470b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
8485f757f3fSDimitry Andric // Check: Linear congruential (and similarly predictable) random number
8495f757f3fSDimitry Andric // generators should not be used where unpredictability matters, i.e. rand(), random().
8505f757f3fSDimitry Andric //
8515f757f3fSDimitry Andric // E. Bach, "Efficient prediction of Marsaglia-Zaman random number generators,"
8525f757f3fSDimitry Andric // in IEEE Transactions on Information Theory, vol. 44, no. 3, pp. 1253-1257,
8535f757f3fSDimitry Andric // May 1998, https://doi.org/10.1109/18.669305
8545f757f3fSDimitry Andric //
8550b57cec5SDimitry Andric // CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
8560b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
8570b57cec5SDimitry Andric
void WalkAST::checkCall_rand(const CallExpr *CE, const FunctionDecl *FD) {
  // Reports the rand()-style generators as predictable (CWE-338).  Gated on
  // the file-level CheckRand flag as well as the filter; CheckRand is set
  // elsewhere in this file, presumably only when arc4random() exists on the
  // target, since that is the replacement the diagnostic recommends.
  if (!CheckRand || !filter.check_rand)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto)
    return;

  // Accept either f(void) or f(<integer> *) -- the latter is the seeded form
  // that takes a state array (nominally 'unsigned short *', but any integral
  // pointee is allowed).
  switch (Proto->getNumParams()) {
  case 0:
    break;
  case 1: {
    const auto *StatePtr = Proto->getParamType(0)->getAs<PointerType>();
    if (!StatePtr)
      return;
    if (!StatePtr->getPointeeType()->isIntegralOrUnscopedEnumerationType())
      return;
    break;
  }
  default:
    return;
  }

  SmallString<256> ShortBuf;
  llvm::raw_svector_ostream ShortMsg(ShortBuf);
  ShortMsg << '\'' << *FD << "' is a poor random number generator";

  SmallString<256> LongBuf;
  llvm::raw_svector_ostream LongMsg(LongBuf);
  LongMsg << "Function '" << *FD
          << "' is obsolete because it implements a poor random number generator."
          << " Use 'arc4random' instead";

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand, ShortMsg.str(),
                     "Security", LongMsg.str(), Loc,
                     CE->getCallee()->getSourceRange());
}
8950b57cec5SDimitry Andric
8965f757f3fSDimitry Andric // See justification for rand().
void WalkAST::checkCall_random(const CallExpr *CE, const FunctionDecl *FD) {
  // Reports random() as a predictable generator (CWE-338).  Like
  // checkCall_rand this is gated on CheckRand, because the fix it suggests is
  // arc4random().  Only the zero-parameter random(void) prototype is matched.
  if (!filter.check_rand || !CheckRand)
    return;

  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != 0)
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand,
                     "'random' is not a secure random number generator",
                     "Security",
                     "The 'random' function produces a sequence of values that "
                     "an adversary may be able to predict. Use 'arc4random' "
                     "instead",
                     Loc, CE->getCallee()->getSourceRange());
}
9190b57cec5SDimitry Andric
9200b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
9210b57cec5SDimitry Andric // Check: 'vfork' should not be used.
9220b57cec5SDimitry Andric // POS33-C: Do not use vfork().
9230b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
9240b57cec5SDimitry Andric
void WalkAST::checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD) {
  // POS33-C: every call routed here is reported.  Unlike the other call
  // checks there is no prototype validation -- the callee name alone decides
  // -- so FD is unused.  The diagnostic's rationale is the denial-of-service
  // risk to the parent process; posix_spawn() is the suggested replacement.
  (void)FD;

  if (!filter.check_vfork)
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_vfork,
                     "Potential insecure implementation-specific behavior in "
                     "call 'vfork'",
                     "Security",
                     "Call to function 'vfork' is insecure as it can lead to "
                     "denial of service situations in the parent process. "
                     "Replace calls to vfork with calls to the safer "
                     "'posix_spawn' function",
                     Loc, CE->getCallee()->getSourceRange());
}
9420b57cec5SDimitry Andric
9430b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
944480093f4SDimitry Andric // Check: '-decodeValueOfObjCType:at:' should not be used.
945480093f4SDimitry Andric // It is deprecated in favor of '-decodeValueOfObjCType:at:size:' due to
946480093f4SDimitry Andric // likelihood of buffer overflows.
947480093f4SDimitry Andric //===----------------------------------------------------------------------===//
948480093f4SDimitry Andric
// Whether the sized replacement '-decodeValueOfObjCType:at:size:' exists on
// the deployment target: iOS 11+, macOS 10.13+, tvOS 11+, watchOS 4.0+, and
// unconditionally on XROS.  Any other OS is treated as not having it.
static bool hasSizedDecodeValueOfObjCType(const TargetInfo &TI) {
  const VersionTuple &MinVersion = TI.getPlatformMinVersion();
  switch (TI.getTriple().getOS()) {
  case llvm::Triple::IOS:
  case llvm::Triple::TvOS:
    return MinVersion >= VersionTuple(11, 0);
  case llvm::Triple::MacOSX:
    return MinVersion >= VersionTuple(10, 13);
  case llvm::Triple::WatchOS:
    return MinVersion >= VersionTuple(4, 0);
  case llvm::Triple::XROS:
    return true;
  default:
    return false;
  }
}

void WalkAST::checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME) {
  // Reports a '-decodeValueOfObjCType:at:' message, but only when the target
  // offers the sized variant to migrate to; otherwise the advice would be
  // unactionable.
  // FIXME: We probably shouldn't register the check if it's not available.
  if (!filter.check_decodeValueOfObjCType)
    return;

  if (!hasSizedDecodeValueOfObjCType(AC->getASTContext().getTargetInfo()))
    return;

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(ME, BR.getSourceManager(), AC);
  BR.EmitBasicReport(
      AC->getDecl(), filter.checkName_decodeValueOfObjCType,
      "Potential buffer overflow in '-decodeValueOfObjCType:at:'", "Security",
      "Deprecated method '-decodeValueOfObjCType:at:' is insecure "
      "as it can lead to potential buffer overflows. Use the safer "
      "'-decodeValueOfObjCType:at:size:' method.",
      Loc, ME->getSourceRange());
}
992480093f4SDimitry Andric
993480093f4SDimitry Andric //===----------------------------------------------------------------------===//
9945f757f3fSDimitry Andric // Check: The caller should always verify that the privileges
9955f757f3fSDimitry Andric // were dropped successfully.
9965f757f3fSDimitry Andric //
9975f757f3fSDimitry Andric // Some library functions, like setuid() and setgid(), should always be used
9985f757f3fSDimitry Andric // with a check of the return value to verify that the function completed
9995f757f3fSDimitry Andric // successfully. If the drop fails, the software will continue to run
10005f757f3fSDimitry Andric // with the raised privileges, which might provide additional access
10015f757f3fSDimitry Andric // to unprivileged users.
10025f757f3fSDimitry Andric //
10035f757f3fSDimitry Andric // (Note that this check predates __attribute__((warn_unused_result)).
10045f757f3fSDimitry Andric // Do we still need it now that we have a compiler warning for this?
10055f757f3fSDimitry Andric // Are these standard functions already annotated this way?)
10060b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
10070b57cec5SDimitry Andric
void WalkAST::checkUncheckedReturnValue(CallExpr *CE) {
  // Reports a privilege-dropping call (setuid and friends) whose result is
  // discarded.  Which statements reach here is decided by the caller; this
  // function only matches the callee's name and prototype and emits the
  // report.
  if (!filter.check_UncheckedReturn)
    return;

  const FunctionDecl *FD = CE->getDirectCallee();
  if (!FD)
    return;

  // Name and expected parameter count of each recognised function, in the
  // order of the II_setid cache.
  static const struct {
    const char *Name;
    unsigned NumParams;
  } SetIdFns[num_setids] = {{"setuid", 1},  {"setgid", 1},   {"seteuid", 1},
                            {"setegid", 1}, {"setreuid", 2}, {"setregid", 2}};

  // Intern the identifiers on first use.
  if (II_setid[0] == nullptr) {
    for (size_t I = 0; I < num_setids; ++I)
      II_setid[I] = &BR.getContext().Idents.get(SetIdFns[I].Name);
  }

  // A callee without an identifier (null) matches no cached entry.
  const IdentifierInfo *Callee = FD->getIdentifier();
  size_t Idx = 0;
  while (Idx < num_setids && II_setid[Idx] != Callee)
    ++Idx;
  if (Idx == num_setids)
    return;

  // The prototype must be the genuine one: the expected number of parameters,
  // all integral (uid_t/gid_t).
  const auto *Proto = FD->getType()->getAs<FunctionProtoType>();
  if (!Proto || Proto->getNumParams() != SetIdFns[Idx].NumParams)
    return;
  for (unsigned P = 0; P < Proto->getNumParams(); ++P)
    if (!Proto->getParamType(P)->isIntegralOrUnscopedEnumerationType())
      return;

  // NOTE(review): setresuid/setresgid, setgroups and initgroups are not in the
  // table, so an unchecked failure of those goes unreported; adding them means
  // growing num_setids/II_setid where they are declared.

  SmallString<256> ShortBuf;
  llvm::raw_svector_ostream ShortMsg(ShortBuf);
  ShortMsg << "Return value is not checked in call to '" << *FD << '\'';

  SmallString<256> LongBuf;
  llvm::raw_svector_ostream LongMsg(LongBuf);
  LongMsg << "The return value from the call to '" << *FD
          << "' is not checked. If an error occurs in '" << *FD
          << "', the following code may execute with unexpected privileges";

  PathDiagnosticLocation Loc =
      PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), filter.checkName_UncheckedReturn,
                     ShortMsg.str(), "Security", LongMsg.str(), Loc,
                     CE->getCallee()->getSourceRange());
}
10670b57cec5SDimitry Andric
10680b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
10690b57cec5SDimitry Andric // SecuritySyntaxChecker
10700b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
10710b57cec5SDimitry Andric
namespace {
/// Flow-insensitive ("syntax only") security checker: walks each function body
/// with WalkAST and reports whichever insecure API uses are enabled in `filter`.
class SecuritySyntaxChecker : public Checker<check::ASTCodeBody> {
public:
  /// Per-sub-check enable flags and the checker name each sub-check reports
  /// under; both are set by the REGISTER_CHECKER entry points in this file.
  ChecksFilter filter;

  /// Run the enabled syntactic checks over the body of D.
  ///
  /// @param D   Declaration whose body is analyzed.
  /// @param mgr Supplies the AnalysisDeclContext used for diagnostic locations.
  /// @param BR  Sink for the emitted basic reports.
  void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
                        BugReporter &BR) const {
    auto *const AC = mgr.getAnalysisDeclContext(D);
    WalkAST walker(BR, AC, filter);
    walker.Visit(D->getBody());
  }
};
} // namespace
10840b57cec5SDimitry Andric
/// Registers the umbrella SecuritySyntaxChecker instance. Nothing is enabled
/// here: the individual sub-checks are switched on in its `filter` by the
/// REGISTER_CHECKER entry points defined below.
void ento::registerSecuritySyntaxChecker(CheckerManager &mgr) {
  mgr.registerChecker<SecuritySyntaxChecker>();
}
10880b57cec5SDimitry Andric
/// The umbrella checker is unconditionally registrable; the per-sub-check
/// shouldRegister functions generated by REGISTER_CHECKER are unconditional too.
bool ento::shouldRegisterSecuritySyntaxChecker(const CheckerManager &mgr) {
  return true;
}
10920b57cec5SDimitry Andric
// Generates the two registration entry points for one sub-check `name`:
// register##name fetches the already-registered SecuritySyntaxChecker, sets
// the sub-check's check_##name flag and records the current checker name as
// checkName_##name (the name its reports are attributed to);
// shouldRegister##name is unconditionally true. The umbrella checker must be
// registered first for getChecker to return it. (No comments inside the macro
// body: they would interfere with the line continuations.)
#define REGISTER_CHECKER(name) \
  void ento::register##name(CheckerManager &mgr) { \
    SecuritySyntaxChecker *checker = mgr.getChecker<SecuritySyntaxChecker>(); \
    checker->filter.check_##name = true; \
    checker->filter.checkName_##name = mgr.getCurrentCheckerName(); \
  } \
  \
  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
11010b57cec5SDimitry Andric
// One entry-point pair per sub-check. Each name is token-pasted onto the
// check_ / checkName_ members of ChecksFilter, so it must match a member there.
REGISTER_CHECKER(bcmp)
REGISTER_CHECKER(bcopy)
REGISTER_CHECKER(bzero)
REGISTER_CHECKER(gets)
REGISTER_CHECKER(getpw)
REGISTER_CHECKER(mkstemp)
REGISTER_CHECKER(mktemp)
REGISTER_CHECKER(strcpy)
REGISTER_CHECKER(rand)
REGISTER_CHECKER(vfork)
REGISTER_CHECKER(FloatLoopCounter)
REGISTER_CHECKER(UncheckedReturn)
REGISTER_CHECKER(DeprecatedOrUnsafeBufferHandling)
REGISTER_CHECKER(decodeValueOfObjCType)
1116