Coverage Report

Created: 2023-09-21 18:56

/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
Line
Count
Source (jump to first uncovered line)
1
// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This checker tests the 3rd argument of mmap's calls to check if
10
// it is writable and executable in the same time. It's somehow
11
// an optional checker since for example in JIT libraries it is pretty common.
12
//
13
//===----------------------------------------------------------------------===//
14
15
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16
17
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18
#include "clang/StaticAnalyzer/Core/Checker.h"
19
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
21
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23
24
using namespace clang;
25
using namespace ento;
26
27
namespace {
28
class MmapWriteExecChecker : public Checker<check::PreCall> {
29
  CallDescription MmapFn;
30
  CallDescription MprotectFn;
31
  static int ProtWrite;
32
  static int ProtExec;
33
  static int ProtRead;
34
  mutable std::unique_ptr<BugType> BT;
35
public:
36
2
  MmapWriteExecChecker() : MmapFn({"mmap"}, 6), MprotectFn({"mprotect"}, 3) {}
37
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
38
  int ProtExecOv;
39
  int ProtReadOv;
40
};
41
}
42
43
int MmapWriteExecChecker::ProtWrite = 0x02;
44
int MmapWriteExecChecker::ProtExec  = 0x04;
45
int MmapWriteExecChecker::ProtRead  = 0x01;
46
47
void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
48
14
                                         CheckerContext &C) const {
49
14
  if (matchesAny(Call, MmapFn, MprotectFn)) {
50
14
    SVal ProtVal = Call.getArgSVal(2);
51
14
    auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
52
14
    if (!ProtLoc)
53
2
      return;
54
12
    int64_t Prot = ProtLoc->getValue().getSExtValue();
55
12
    if (ProtExecOv != ProtExec)
56
1
      ProtExec = ProtExecOv;
57
12
    if (ProtReadOv != ProtRead)
58
1
      ProtRead = ProtReadOv;
59
60
    // Wrong settings
61
12
    if (ProtRead == ProtExec)
62
0
      return;
63
64
12
    if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
65
6
      if (!BT)
66
2
        BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
67
68
6
      ExplodedNode *N = C.generateNonFatalErrorNode();
69
6
      if (!N)
70
0
        return;
71
72
6
      auto Report = std::make_unique<PathSensitiveBugReport>(
73
6
          *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
74
6
               "lead to exploitable memory regions, which could be overwritten "
75
6
               "with malicious code", N);
76
6
      Report->addRange(Call.getArgSourceRange(2));
77
6
      C.emitReport(std::move(Report));
78
6
    }
79
12
  }
80
14
}
81
82
2
void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
83
2
  MmapWriteExecChecker *Mwec =
84
2
      mgr.registerChecker<MmapWriteExecChecker>();
85
2
  Mwec->ProtExecOv =
86
2
    mgr.getAnalyzerOptions()
87
2
      .getCheckerIntegerOption(Mwec, "MmapProtExec");
88
2
  Mwec->ProtReadOv =
89
2
    mgr.getAnalyzerOptions()
90
2
      .getCheckerIntegerOption(Mwec, "MmapProtRead");
91
2
}
92
93
4
bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) {
94
4
  return true;
95
4
}