xref: /llvm-project/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp (revision 4579bad86c68e664282618339cd2ea1ae17686ad) 
1 // MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This checker tests the 3rd argument of mmap's calls to check if
11 // it is writable and executable in the same time. It's somehow
12 // an optional checker since for example in JIT libraries it is pretty common.
13 //
14 //===----------------------------------------------------------------------===//
15 
16 #include "ClangSACheckers.h"
17 
18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19 #include "clang/StaticAnalyzer/Core/Checker.h"
20 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23 
24 using namespace clang;
25 using namespace ento;
26 using llvm::APSInt;
27 
28 namespace {
29 class MmapWriteExecChecker : public Checker<check::PreCall> {
30   CallDescription MmapFn;
31   static int ProtWrite;
32   static int ProtExec;
33   static int ProtRead;
34   mutable std::unique_ptr<BugType> BT;
35 public:
36   MmapWriteExecChecker() : MmapFn("mmap", 6) {}
37   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
38   int ProtExecOv;
39   int ProtReadOv;
40 };
41 }
42 
43 int MmapWriteExecChecker::ProtWrite = 0x02;
44 int MmapWriteExecChecker::ProtExec  = 0x04;
45 int MmapWriteExecChecker::ProtRead  = 0x01;
46 
47 void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
48                                          CheckerContext &C) const {
49   if (Call.isCalled(MmapFn)) {
50     SVal ProtVal = Call.getArgSVal(2);
51     Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
52     int64_t Prot = ProtLoc->getValue().getSExtValue();
53     if (ProtExecOv != ProtExec)
54       ProtExec = ProtExecOv;
55     if (ProtReadOv != ProtRead)
56       ProtRead = ProtReadOv;
57 
58     // Wrong settings
59     if (ProtRead == ProtExec)
60       return;
61 
62     if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
63       if (!BT)
64         BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
65 
66       ExplodedNode *N = C.generateNonFatalErrorNode();
67       if (!N)
68         return;
69 
70       auto Report = llvm::make_unique<BugReport>(
71           *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
72                "lead to exploitable memory regions, which could be overwritten "
73                "with malicious code", N);
74       Report->addRange(Call.getArgSourceRange(2));
75       C.emitReport(std::move(Report));
76     }
77   }
78 }
79 
80 void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
81   MmapWriteExecChecker *Mwec =
82       mgr.registerChecker<MmapWriteExecChecker>();
83   Mwec->ProtExecOv =
84     mgr.getAnalyzerOptions().getOptionAsInteger("MmapProtExec", 0x04, Mwec);
85   Mwec->ProtReadOv =
86     mgr.getAnalyzerOptions().getOptionAsInteger("MmapProtRead", 0x01, Mwec);
87 }
88