1*12c85518Srobert //== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=//
2*12c85518Srobert //
3*12c85518Srobert // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4*12c85518Srobert // See https://llvm.org/LICENSE.txt for license information.
5*12c85518Srobert // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6*12c85518Srobert //
7*12c85518Srobert //===----------------------------------------------------------------------===//
8*12c85518Srobert //
9*12c85518Srobert // This file defines InvalidPtrChecker which finds usages of possibly
10*12c85518Srobert // invalidated pointer.
11*12c85518Srobert // CERT SEI Rules ENV31-C and ENV34-C
12*12c85518Srobert // For more information see:
13*12c85518Srobert // https://wiki.sei.cmu.edu/confluence/x/8tYxBQ
14*12c85518Srobert // https://wiki.sei.cmu.edu/confluence/x/5NUxBQ
15*12c85518Srobert //===----------------------------------------------------------------------===//
16*12c85518Srobert
17*12c85518Srobert #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18*12c85518Srobert #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19*12c85518Srobert #include "clang/StaticAnalyzer/Core/Checker.h"
20*12c85518Srobert #include "clang/StaticAnalyzer/Core/CheckerManager.h"
21*12c85518Srobert #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
22*12c85518Srobert #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
23*12c85518Srobert #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24*12c85518Srobert
25*12c85518Srobert using namespace clang;
26*12c85518Srobert using namespace ento;
27*12c85518Srobert
28*12c85518Srobert namespace {
29*12c85518Srobert
/// Path-sensitive checker for CERT SEI rules ENV31-C and ENV34-C.
///
/// Two kinds of pointer are tracked, both of which the C library is allowed to
/// invalidate behind the program's back:
///  * the 'envp' parameter of 'main()' (ENV31-C), which becomes stale once one
///    of the callees in EnvpInvalidatingFunctions modifies the environment;
///  * the result of a callee in PreviousCallInvalidatingFunctions (ENV34-C),
///    which a later call to the *same* function may overwrite.
/// Any load/store through such a region, or a call argument whose pointee is
/// such a region, is reported as "Use of invalidated pointer".
class InvalidPtrChecker
    : public Checker<check::Location, check::BeginFunction, check::PostCall> {
  using HandlerFn = void (InvalidPtrChecker::*)(const CallEvent &Call,
                                                CheckerContext &C) const;

  BugType BT{this, "Use of invalidated pointer", categories::MemoryError};

  // ENV31-C handler: marks the saved 'envp' region (if any) as invalid.
  void EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const;

  // ENV34-C handler: marks the callee's previously returned region as invalid
  // and records the region returned by this call.
  void postPreviousReturnInvalidatingCall(const CallEvent &Call,
                                          CheckerContext &C) const;

  // SEI CERT ENV31-C: environment-modifying functions.
  const CallDescriptionMap<HandlerFn> EnvpInvalidatingFunctions = {
      {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
      {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
      {{{"putenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
      {{{"_putenv_s"}, 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
      {{{"_wputenv_s"}, 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
  };

  // SEI CERT ENV34-C: functions whose result is superseded by their next call.
  const CallDescriptionMap<HandlerFn> PreviousCallInvalidatingFunctions = {
      {{{"getenv"}, 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
      {{{"setlocale"}, 2},
       &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
      {{{"strerror"}, 1},
       &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
      {{{"localeconv"}, 0},
       &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
      {{{"asctime"}, 1},
       &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
  };

public:
  /// Records the region of 'envp' when analysis starts at a three-parameter
  /// 'main()'.
  void checkBeginFunction(CheckerContext &C) const;

  /// Dispatches to the ENV31-C / ENV34-C handlers above and, for calls that
  /// were not inlined, reports arguments derived from an invalidated region.
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;

  /// Reports a load or store through an invalidated region.
  void checkLocation(SVal l, bool isLoad, const Stmt *S,
                     CheckerContext &C) const;
};
80*12c85518Srobert
81*12c85518Srobert } // namespace
82*12c85518Srobert
// Set of memory regions that have been invalidated. checkLocation reports a
// load/store that resolves to one of them; checkPostCall reports a call
// argument that does.
REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)

// Region of the 'envp' parameter of 'main' (if present); recorded by
// checkBeginFunction and added to InvalidMemoryRegions by EnvpInvalidatingCall.
REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)

// Maps a function declaration to the region returned by the most recent call
// of that function, so that the next call can invalidate it (ENV34-C).
REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *,
                               const MemRegion *)
93*12c85518Srobert
/// ENV31-C handler. 'Call' matched one of EnvpInvalidatingFunctions, so the
/// 'envp' region recorded by checkBeginFunction - if there is one - is added
/// to InvalidMemoryRegions. A note tag is attached so that a later report on
/// that region names the call that invalidated it.
void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
                                             CheckerContext &C) const {
  // StringRef into the identifier table; safe to capture by value below.
  const StringRef CalleeName = Call.getCalleeIdentifier()->getName();
  ProgramStateRef State = C.getState();

  // Nothing to invalidate unless 'main' was entered with an 'envp' parameter.
  const MemRegion *EnvpRegion = State->get<EnvPtrRegion>();
  if (EnvpRegion == nullptr)
    return;

  auto DescribeInvalidation = [EnvpRegion, CalleeName](
                                  PathSensitiveBugReport &BR,
                                  llvm::raw_ostream &Out) {
    // Only speak up when the report is actually about 'envp'.
    if (!BR.isInteresting(EnvpRegion))
      return;
    Out << '\'' << CalleeName
        << "' call may invalidate the environment parameter of 'main'";
  };

  C.addTransition(State->add<InvalidMemoryRegions>(EnvpRegion),
                  C.getNoteTag(DescribeInvalidation));
}
115*12c85518Srobert
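/// ENV34-C handler. 'Call' matched one of PreviousCallInvalidatingFunctions,
/// i.e. a function whose result may be overwritten by its next call.
///
/// Steps:
///  1. If PreviousCallResultMap holds a region for this callee, that region is
///     added to InvalidMemoryRegions, with a note tag naming the call.
///  2. A fresh symbolic value is conjured for this call's result, bound to the
///     call expression, and its base region is stored as the callee's current
///     result so that the next call can invalidate it.
///
/// Two transitions are added: the first carries the invalidation note, the
/// second (chained off the first) carries a note marking where the pointer
/// now in use was produced.
void InvalidPtrChecker::postPreviousReturnInvalidatingCall(
    const CallEvent &Call, CheckerContext &C) const {
  ProgramStateRef State = C.getState();

  const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
  // A CallDescription match should always come with a FunctionDecl; bail out
  // rather than key PreviousCallResultMap on nullptr (the note tag below
  // dereferences FD).
  if (!FD)
    return;

  // Invalidate the region returned by the previous call of this function, if
  // there was one.
  const NoteTag *Note = nullptr;
  if (const MemRegion *const *Reg = State->get<PreviousCallResultMap>(FD)) {
    const MemRegion *PrevReg = *Reg;
    State = State->add<InvalidMemoryRegions>(PrevReg);
    Note = C.getNoteTag([PrevReg, FD](PathSensitiveBugReport &BR,
                                      llvm::raw_ostream &Out) {
      if (!BR.isInteresting(PrevReg))
        return;
      Out << '\'';
      FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
      Out << "' call may invalidate the result of the previous " << '\'';
      FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
      Out << '\'';
    });
  }

  const LocationContext *LCtx = C.getLocationContext();
  const auto *CE = cast<CallExpr>(Call.getOriginExpr());

  // Conjure a new symbolic value for the call's result and bind it to the
  // call expression.
  DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal(
      CE, LCtx, CE->getType(), C.blockCount());
  State = State->BindExpr(CE, LCtx, RetVal);

  // The conjured value denotes a region only when the call has pointer type.
  // If the TU declares the callee differently (e.g. with a non-pointer return
  // type) there is nothing to remember: commit the invalidation from step 1
  // and stop, instead of asserting inside cast<SymbolicRegion>.
  const auto *SymRegOfRetVal =
      dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
  if (!SymRegOfRetVal) {
    C.addTransition(State, Note);
    return;
  }

  // Remember this region as the callee's current result. getBaseRegion()
  // already yields a 'const MemRegion *', so no const_cast is needed.
  const MemRegion *MR = SymRegOfRetVal->getBaseRegion();
  State = State->set<PreviousCallResultMap>(FD, MR);

  ExplodedNode *Node = C.addTransition(State, Note);
  const NoteTag *PreviousCallNote =
      C.getNoteTag([MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
        if (!BR.isInteresting(MR))
          return;
        // Plain text: the previous version streamed '\'' around a literal
        // that already began with a quote, printing "''previous ... here'".
        Out << "previous function call was here";
      });

  C.addTransition(State, Node, PreviousCallNote);
}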
163*12c85518Srobert
164*12c85518Srobert // TODO: This seems really ugly. Simplify this.
/// Walks from 'Reg' towards its symbolic origin and returns the first region on
/// that chain that is present in InvalidMemoryRegions, or nullptr if none is.
///
/// The chain is followed through symbolic bases whose symbol is a
/// SymbolRegionValue (the unknown initial value of some region); the region
/// that symbol stands for becomes the next candidate. A region without a
/// symbolic base, or a base with any other kind of symbol, ends the search.
static const MemRegion *findInvalidatedSymbolicBase(ProgramStateRef State,
                                                    const MemRegion *Reg) {
  for (const MemRegion *Cur = Reg; Cur != nullptr;) {
    if (State->contains<InvalidMemoryRegions>(Cur))
      return Cur;

    const SymbolicRegion *SymBase = Cur->getSymbolicBase();
    if (SymBase == nullptr)
      return nullptr;

    const auto *RegionValue =
        dyn_cast<SymbolRegionValue>(SymBase->getSymbol());
    if (RegionValue == nullptr)
      return nullptr;

    // Continue with the region whose initial value this symbol denotes. (The
    // VarRegion special case of the original is a no-op: the dyn_cast yields
    // the same pointer, MemRegion being a single-inheritance hierarchy.)
    Cur = RegionValue->getRegion();
  }
  return nullptr;
}
182*12c85518Srobert
// Handle functions in EnvpInvalidatingFunctions that invalidate the
// environment pointer from 'main()'. Also, check whether an invalidated region
// is passed to a function call as an argument.
/// PostCall hook. Dispatches 'Call' to the ENV31-C / ENV34-C handlers when it
/// matches one of the tracked library functions, then - for calls that were
/// not inlined - reports every argument whose pointee region (or a region it
/// was derived from) has already been invalidated.
void InvalidPtrChecker::checkPostCall(const CallEvent &Call,
                                      CheckerContext &C) const {
  // Environment-modifying callee: invalidate 'envp' of 'main'.
  if (const HandlerFn *EnvpHandler = EnvpInvalidatingFunctions.lookup(Call))
    (this->**EnvpHandler)(Call, C);

  // Callee whose new result supersedes its previous one.
  if (const HandlerFn *PrevHandler =
          PreviousCallInvalidatingFunctions.lookup(Call))
    (this->**PrevHandler)(Call, C);

  // Inlined calls are not examined here; presumably a use of the argument
  // inside the callee is caught by checkLocation instead.
  if (C.wasInlined)
    return;

  ProgramStateRef State = C.getState();
  const unsigned NumArgs = Call.getNumArgs();

  for (unsigned ArgIdx = 0; ArgIdx < NumArgs; ++ArgIdx) {
    const auto *ArgRegion = dyn_cast_or_null<SymbolicRegion>(
        Call.getArgSVal(ArgIdx).getAsRegion());
    if (ArgRegion == nullptr)
      continue;

    const MemRegion *InvalidBase =
        findInvalidatedSymbolicBase(State, ArgRegion);
    if (InvalidBase == nullptr)
      continue;

    ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
    if (ErrorNode == nullptr)
      return;

    SmallString<256> Msg;
    llvm::raw_svector_ostream Out(Msg);
    Out << "use of invalidated pointer '";
    Call.getArgExpr(ArgIdx)->printPretty(Out, /*Helper=*/nullptr,
                                         C.getASTContext().getPrintingPolicy());
    Out << "' in a function call";

    auto Report =
        std::make_unique<PathSensitiveBugReport>(BT, Out.str(), ErrorNode);
    // Marking the base region interesting lets the note tags from the
    // handlers explain which call invalidated it.
    Report->markInteresting(InvalidBase);
    Report->addRange(Call.getArgSourceRange(ArgIdx));
    C.emitReport(std::move(Report));
  }
}
230*12c85518Srobert
231*12c85518Srobert // Obtain the environment pointer from 'main()', if present.
/// BeginFunction hook. When the analysis entry point is a three-parameter
/// 'main', the region of its third parameter ('envp') is stored in
/// EnvPtrRegion so that environment-modifying calls can invalidate it later.
void InvalidPtrChecker::checkBeginFunction(CheckerContext &C) const {
  // Only the top frame is relevant; inlined callees are not 'main'.
  if (!C.inTopFrame())
    return;

  const LocationContext *LCtx = C.getLocationContext();
  const auto *MainDecl = dyn_cast<FunctionDecl>(LCtx->getDecl());
  const bool IsThreeArgMain =
      MainDecl != nullptr && MainDecl->isMain() && MainDecl->param_size() == 3;
  if (!IsThreeArgMain)
    return;

  ProgramStateRef State = C.getState();
  const ParmVarDecl *EnvpParam = MainDecl->parameters()[2];
  const MemRegion *EnvpRegion = State->getRegion(EnvpParam, LCtx);

  // Remember the region of the environment pointer parameter of 'main'.
  C.addTransition(State->set<EnvPtrRegion>(EnvpRegion));
}
248*12c85518Srobert
249*12c85518Srobert // Check if invalidated region is being dereferenced.
/// Location hook, invoked on every load and store. If the accessed location
/// resolves (via findInvalidatedSymbolicBase) to an invalidated region, a
/// non-fatal "dereferencing an invalid pointer" report is emitted with that
/// region marked interesting, so the handlers' note tags can explain which
/// call invalidated it. 'isLoad' and 'S' are not needed here.
void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S,
                                      CheckerContext &C) const {
  const MemRegion *InvalidBase =
      findInvalidatedSymbolicBase(C.getState(), Loc.getAsRegion());
  if (InvalidBase == nullptr)
    return; // location does not derive from an invalidated region

  ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
  if (ErrorNode == nullptr)
    return; // no new node could be generated (e.g. it already exists)

  auto Report = std::make_unique<PathSensitiveBugReport>(
      BT, "dereferencing an invalid pointer", ErrorNode);
  Report->markInteresting(InvalidBase);
  C.emitReport(std::move(Report));
}
269*12c85518Srobert
/// Registration entry point called by the checker registry: instantiates
/// InvalidPtrChecker in 'Mgr'.
void ento::registerInvalidPtrChecker(CheckerManager &Mgr) {
  Mgr.registerChecker<InvalidPtrChecker>();
}
273*12c85518Srobert
/// The checker has no language or option prerequisites, so it is always
/// eligible for registration.
bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) {
  return true;
}
277