Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/lib/StaticAnalyzer/Checkers/VforkChecker.cpp
Line
Count
Source (jump to first uncovered line)
1
//===- VforkChecker.cpp -------- Vfork usage checks --------------*- C++ -*-==//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
//  This file defines vfork checker which checks for dangerous uses of vfork.
10
//  Vforked process shares memory (including stack) with parent so it's
11
//  range of actions is significantly limited: can't write variables,
12
//  can't call functions not in whitelist, etc. For more details, see
13
//  http://man7.org/linux/man-pages/man2/vfork.2.html
14
//
15
//  This checker checks for prohibited constructs in vforked process.
16
//  The state transition diagram:
17
//  PARENT ---(vfork() == 0)--> CHILD
18
//                                   |
19
//                                   --(*p = ...)--> bug
20
//                                   |
21
//                                   --foo()--> bug
22
//                                   |
23
//                                   --return--> bug
24
//
25
//===----------------------------------------------------------------------===//
26
27
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
28
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
29
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
30
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
31
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
32
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
33
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
34
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
35
#include "clang/StaticAnalyzer/Core/Checker.h"
36
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
37
#include "clang/AST/ParentMap.h"
38
39
using namespace clang;
40
using namespace ento;
41
42
namespace {
43
44
class VforkChecker : public Checker<check::PreCall, check::PostCall,
45
                                    check::Bind, check::PreStmt<ReturnStmt>> {
46
  mutable std::unique_ptr<BuiltinBug> BT;
47
  mutable llvm::SmallSet<const IdentifierInfo *, 10> VforkWhitelist;
48
  mutable const IdentifierInfo *II_vfork;
49
50
  static bool isChildProcess(const ProgramStateRef State);
51
52
  bool isVforkCall(const Decl *D, CheckerContext &C) const;
53
  bool isCallWhitelisted(const IdentifierInfo *II, CheckerContext &C) const;
54
55
  void reportBug(const char *What, CheckerContext &C,
56
                 const char *Details = nullptr) const;
57
58
public:
59
27
  VforkChecker() : II_vfork(nullptr) {}
60
61
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
62
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
63
  void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
64
  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
65
};
66
67
} // end anonymous namespace
68
69
// This trait holds region of variable that is assigned with vfork's
70
// return value (this is the only region child is allowed to write).
71
// VFORK_RESULT_INVALID means that we are in parent process.
72
// VFORK_RESULT_NONE means that vfork's return value hasn't been assigned.
73
// Other values point to valid regions.
74
REGISTER_TRAIT_WITH_PROGRAMSTATE(VforkResultRegion, const void *)
75
603
#define VFORK_RESULT_INVALID 0
76
8
#define VFORK_RESULT_NONE ((void *)(uintptr_t)1)
77
78
603
bool VforkChecker::isChildProcess(const ProgramStateRef State) {
79
603
  return State->get<VforkResultRegion>() != VFORK_RESULT_INVALID;
80
603
}
81
82
117
bool VforkChecker::isVforkCall(const Decl *D, CheckerContext &C) const {
83
117
  auto FD = dyn_cast_or_null<FunctionDecl>(D);
84
117
  if (!FD || !C.isCLibraryFunction(FD))
85
33
    return false;
86
84
87
84
  if (!II_vfork) {
88
15
    ASTContext &AC = C.getASTContext();
89
15
    II_vfork = &AC.Idents.get("vfork");
90
15
  }
91
84
92
84
  return FD->getIdentifier() == II_vfork;
93
84
}
94
95
// Returns true iff ok to call function after successful vfork.
96
bool VforkChecker::isCallWhitelisted(const IdentifierInfo *II,
97
18
                                 CheckerContext &C) const {
98
18
  if (VforkWhitelist.empty()) {
99
2
    // According to manpage.
100
2
    const char *ids[] = {
101
2
      "_exit",
102
2
      "_Exit",
103
2
      "execl",
104
2
      "execlp",
105
2
      "execle",
106
2
      "execv",
107
2
      "execvp",
108
2
      "execvpe",
109
2
      nullptr
110
2
    };
111
2
112
2
    ASTContext &AC = C.getASTContext();
113
18
    for (const char **id = ids; *id; 
++id16
)
114
16
      VforkWhitelist.insert(&AC.Idents.get(*id));
115
2
  }
116
18
117
18
  return VforkWhitelist.count(II);
118
18
}
119
120
void VforkChecker::reportBug(const char *What, CheckerContext &C,
121
18
                             const char *Details) const {
122
18
  if (ExplodedNode *N = C.generateErrorNode(C.getState())) {
123
18
    if (!BT)
124
2
      BT.reset(new BuiltinBug(this,
125
2
                              "Dangerous construct in a vforked process"));
126
18
127
18
    SmallString<256> buf;
128
18
    llvm::raw_svector_ostream os(buf);
129
18
130
18
    os << What << " is prohibited after a successful vfork";
131
18
132
18
    if (Details)
133
4
      os << "; " << Details;
134
18
135
18
    auto Report = llvm::make_unique<BugReport>(*BT, os.str(), N);
136
18
    // TODO: mark vfork call in BugReportVisitor
137
18
    C.emitReport(std::move(Report));
138
18
  }
139
18
}
140
141
// Detect calls to vfork and split execution appropriately.
142
void VforkChecker::checkPostCall(const CallEvent &Call,
143
123
                                 CheckerContext &C) const {
144
123
  // We can't call vfork in child so don't bother
145
123
  // (corresponding warning has already been emitted in checkPreCall).
146
123
  ProgramStateRef State = C.getState();
147
123
  if (isChildProcess(State))
148
6
    return;
149
117
150
117
  if (!isVforkCall(Call.getDecl(), C))
151
103
    return;
152
14
153
14
  // Get return value of vfork.
154
14
  SVal VforkRetVal = Call.getReturnValue();
155
14
  Optional<DefinedOrUnknownSVal> DVal =
156
14
    VforkRetVal.getAs<DefinedOrUnknownSVal>();
157
14
  if (!DVal)
158
0
    return;
159
14
160
14
  // Get assigned variable.
161
14
  const ParentMap &PM = C.getLocationContext()->getParentMap();
162
14
  const Stmt *P = PM.getParentIgnoreParenCasts(Call.getOriginExpr());
163
14
  const VarDecl *LhsDecl;
164
14
  std::tie(LhsDecl, std::ignore) = parseAssignment(P);
165
14
166
14
  // Get assigned memory region.
167
14
  MemRegionManager &M = C.getStoreManager().getRegionManager();
168
14
  const MemRegion *LhsDeclReg =
169
14
    LhsDecl
170
14
      ? 
M.getVarRegion(LhsDecl, C.getLocationContext())6
171
14
      : 
(const MemRegion *)8
VFORK_RESULT_NONE8
;
172
14
173
14
  // Parent branch gets nonzero return value (according to manpage).
174
14
  ProgramStateRef ParentState, ChildState;
175
14
  std::tie(ParentState, ChildState) = C.getState()->assume(*DVal);
176
14
  C.addTransition(ParentState);
177
14
  ChildState = ChildState->set<VforkResultRegion>(LhsDeclReg);
178
14
  C.addTransition(ChildState);
179
14
}
180
181
// Prohibit calls to non-whitelist functions in child process.
182
void VforkChecker::checkPreCall(const CallEvent &Call,
183
157
                                CheckerContext &C) const {
184
157
  ProgramStateRef State = C.getState();
185
157
  if (isChildProcess(State)
186
157
      && 
!isCallWhitelisted(Call.getCalleeIdentifier(), C)18
)
187
6
    reportBug("This function call", C);
188
157
}
189
190
// Prohibit writes in child process (except for vfork's lhs).
191
void VforkChecker::checkBind(SVal L, SVal V, const Stmt *S,
192
253
                             CheckerContext &C) const {
193
253
  ProgramStateRef State = C.getState();
194
253
  if (!isChildProcess(State))
195
235
    return;
196
18
197
18
  const MemRegion *VforkLhs =
198
18
    static_cast<const MemRegion *>(State->get<VforkResultRegion>());
199
18
  const MemRegion *MR = L.getAsRegion();
200
18
201
18
  // Child is allowed to modify only vfork's lhs.
202
18
  if (!MR || MR == VforkLhs)
203
10
    return;
204
8
205
8
  reportBug("This assignment", C);
206
8
}
207
208
// Prohibit return from function in child process.
209
70
void VforkChecker::checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const {
210
70
  ProgramStateRef State = C.getState();
211
70
  if (isChildProcess(State))
212
4
    reportBug("Return", C, "call _exit() instead");
213
70
}
214
215
27
void ento::registerVforkChecker(CheckerManager &mgr) {
216
27
  mgr.registerChecker<VforkChecker>();
217
27
}
218
219
27
bool ento::shouldRegisterVforkChecker(const LangOptions &LO) {
220
27
  return true;
221
27
}