1 | //==- CheckSecuritySyntaxOnly.cpp - Basic security checks --------*- C++ -*-==// |
2 | // |
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | // See https://llvm.org/LICENSE.txt for license information. |
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | // |
7 | //===----------------------------------------------------------------------===// |
8 | // |
9 | // This file defines a set of flow-insensitive security checks. |
10 | // |
11 | //===----------------------------------------------------------------------===// |
12 | |
13 | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" |
14 | #include "clang/AST/StmtVisitor.h" |
15 | #include "clang/Analysis/AnalysisDeclContext.h" |
16 | #include "clang/Basic/TargetInfo.h" |
17 | #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" |
18 | #include "clang/StaticAnalyzer/Core/Checker.h" |
19 | #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" |
20 | #include "llvm/ADT/SmallString.h" |
21 | #include "llvm/ADT/StringSwitch.h" |
22 | #include "llvm/Support/raw_ostream.h" |
23 | |
24 | using namespace clang; |
25 | using namespace ento; |
26 | |
27 | static bool isArc4RandomAvailable(const ASTContext &Ctx) { |
28 | const llvm::Triple &T = Ctx.getTargetInfo().getTriple(); |
29 | return T.getVendor() == llvm::Triple::Apple || |
30 | T.isOSFreeBSD() || |
31 | T.isOSNetBSD() || |
32 | T.isOSOpenBSD() || |
33 | T.isOSDragonFly(); |
34 | } |
35 | |
36 | namespace { |
37 | struct ChecksFilter { |
38 | bool check_bcmp = false; |
39 | bool check_bcopy = false; |
40 | bool check_bzero = false; |
41 | bool check_gets = false; |
42 | bool check_getpw = false; |
43 | bool check_mktemp = false; |
44 | bool check_mkstemp = false; |
45 | bool check_strcpy = false; |
46 | bool check_DeprecatedOrUnsafeBufferHandling = false; |
47 | bool check_rand = false; |
48 | bool check_vfork = false; |
49 | bool check_FloatLoopCounter = false; |
50 | bool check_UncheckedReturn = false; |
51 | bool check_decodeValueOfObjCType = false; |
52 | |
53 | CheckerNameRef checkName_bcmp; |
54 | CheckerNameRef checkName_bcopy; |
55 | CheckerNameRef checkName_bzero; |
56 | CheckerNameRef checkName_gets; |
57 | CheckerNameRef checkName_getpw; |
58 | CheckerNameRef checkName_mktemp; |
59 | CheckerNameRef checkName_mkstemp; |
60 | CheckerNameRef checkName_strcpy; |
61 | CheckerNameRef checkName_DeprecatedOrUnsafeBufferHandling; |
62 | CheckerNameRef checkName_rand; |
63 | CheckerNameRef checkName_vfork; |
64 | CheckerNameRef checkName_FloatLoopCounter; |
65 | CheckerNameRef checkName_UncheckedReturn; |
66 | CheckerNameRef checkName_decodeValueOfObjCType; |
67 | }; |
68 | |
69 | class WalkAST : public StmtVisitor<WalkAST> { |
70 | BugReporter &BR; |
71 | AnalysisDeclContext* AC; |
72 | enum { num_setids = 6 }; |
73 | IdentifierInfo *II_setid[num_setids]; |
74 | |
75 | const bool CheckRand; |
76 | const ChecksFilter &filter; |
77 | |
78 | public: |
79 | WalkAST(BugReporter &br, AnalysisDeclContext* ac, |
80 | const ChecksFilter &f) |
81 | : BR(br), AC(ac), II_setid(), |
82 | CheckRand(isArc4RandomAvailable(Ctx: BR.getContext())), |
83 | filter(f) {} |
84 | |
85 | // Statement visitor methods. |
86 | void VisitCallExpr(CallExpr *CE); |
87 | void VisitObjCMessageExpr(ObjCMessageExpr *CE); |
88 | void VisitForStmt(ForStmt *S); |
89 | void VisitCompoundStmt (CompoundStmt *S); |
90 | void VisitStmt(Stmt *S) { VisitChildren(S); } |
91 | |
92 | void VisitChildren(Stmt *S); |
93 | |
94 | // Helpers. |
95 | bool checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD); |
96 | |
97 | typedef void (WalkAST::*FnCheck)(const CallExpr *, const FunctionDecl *); |
98 | typedef void (WalkAST::*MsgCheck)(const ObjCMessageExpr *); |
99 | |
100 | // Checker-specific methods. |
101 | void checkLoopConditionForFloat(const ForStmt *FS); |
102 | void checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD); |
103 | void checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD); |
104 | void checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD); |
105 | void checkCall_gets(const CallExpr *CE, const FunctionDecl *FD); |
106 | void checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD); |
107 | void checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD); |
108 | void checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD); |
109 | void checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD); |
110 | void checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD); |
111 | void checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE, |
112 | const FunctionDecl *FD); |
113 | void checkCall_rand(const CallExpr *CE, const FunctionDecl *FD); |
114 | void checkCall_random(const CallExpr *CE, const FunctionDecl *FD); |
115 | void checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD); |
116 | void checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME); |
117 | void checkUncheckedReturnValue(CallExpr *CE); |
118 | }; |
119 | } // end anonymous namespace |
120 | |
121 | //===----------------------------------------------------------------------===// |
122 | // AST walking. |
123 | //===----------------------------------------------------------------------===// |
124 | |
125 | void WalkAST::VisitChildren(Stmt *S) { |
126 | for (Stmt *Child : S->children()) |
127 | if (Child) |
128 | Visit(Child); |
129 | } |
130 | |
131 | void WalkAST::VisitCallExpr(CallExpr *CE) { |
132 | // Get the callee. |
133 | const FunctionDecl *FD = CE->getDirectCallee(); |
134 | |
135 | if (!FD) |
136 | return; |
137 | |
138 | // Get the name of the callee. If it's a builtin, strip off the prefix. |
139 | IdentifierInfo *II = FD->getIdentifier(); |
140 | if (!II) // if no identifier, not a simple C function |
141 | return; |
142 | StringRef Name = II->getName(); |
143 | Name.consume_front(Prefix: "__builtin_" ); |
144 | |
145 | // Set the evaluation function by switching on the callee name. |
146 | FnCheck evalFunction = |
147 | llvm::StringSwitch<FnCheck>(Name) |
148 | .Case(S: "bcmp" , Value: &WalkAST::checkCall_bcmp) |
149 | .Case(S: "bcopy" , Value: &WalkAST::checkCall_bcopy) |
150 | .Case(S: "bzero" , Value: &WalkAST::checkCall_bzero) |
151 | .Case(S: "gets" , Value: &WalkAST::checkCall_gets) |
152 | .Case(S: "getpw" , Value: &WalkAST::checkCall_getpw) |
153 | .Case(S: "mktemp" , Value: &WalkAST::checkCall_mktemp) |
154 | .Case(S: "mkstemp" , Value: &WalkAST::checkCall_mkstemp) |
155 | .Case(S: "mkdtemp" , Value: &WalkAST::checkCall_mkstemp) |
156 | .Case(S: "mkstemps" , Value: &WalkAST::checkCall_mkstemp) |
157 | .Cases(S0: "strcpy" , S1: "__strcpy_chk" , Value: &WalkAST::checkCall_strcpy) |
158 | .Cases(S0: "strcat" , S1: "__strcat_chk" , Value: &WalkAST::checkCall_strcat) |
159 | .Cases(S0: "sprintf" , S1: "vsprintf" , S2: "scanf" , S3: "wscanf" , S4: "fscanf" , S5: "fwscanf" , |
160 | S6: "vscanf" , S7: "vwscanf" , S8: "vfscanf" , S9: "vfwscanf" , |
161 | Value: &WalkAST::checkDeprecatedOrUnsafeBufferHandling) |
162 | .Cases(S0: "sscanf" , S1: "swscanf" , S2: "vsscanf" , S3: "vswscanf" , S4: "swprintf" , |
163 | S5: "snprintf" , S6: "vswprintf" , S7: "vsnprintf" , S8: "memcpy" , S9: "memmove" , |
164 | Value: &WalkAST::checkDeprecatedOrUnsafeBufferHandling) |
165 | .Cases(S0: "strncpy" , S1: "strncat" , S2: "memset" , S3: "fprintf" , |
166 | Value: &WalkAST::checkDeprecatedOrUnsafeBufferHandling) |
167 | .Case(S: "drand48" , Value: &WalkAST::checkCall_rand) |
168 | .Case(S: "erand48" , Value: &WalkAST::checkCall_rand) |
169 | .Case(S: "jrand48" , Value: &WalkAST::checkCall_rand) |
170 | .Case(S: "lrand48" , Value: &WalkAST::checkCall_rand) |
171 | .Case(S: "mrand48" , Value: &WalkAST::checkCall_rand) |
172 | .Case(S: "nrand48" , Value: &WalkAST::checkCall_rand) |
173 | .Case(S: "lcong48" , Value: &WalkAST::checkCall_rand) |
174 | .Case(S: "rand" , Value: &WalkAST::checkCall_rand) |
175 | .Case(S: "rand_r" , Value: &WalkAST::checkCall_rand) |
176 | .Case(S: "random" , Value: &WalkAST::checkCall_random) |
177 | .Case(S: "vfork" , Value: &WalkAST::checkCall_vfork) |
178 | .Default(Value: nullptr); |
179 | |
180 | // If the callee isn't defined, it is not of security concern. |
181 | // Check and evaluate the call. |
182 | if (evalFunction) |
183 | (this->*evalFunction)(CE, FD); |
184 | |
185 | // Recurse and check children. |
186 | VisitChildren(CE); |
187 | } |
188 | |
189 | void WalkAST::VisitObjCMessageExpr(ObjCMessageExpr *ME) { |
190 | MsgCheck evalFunction = |
191 | llvm::StringSwitch<MsgCheck>(ME->getSelector().getAsString()) |
192 | .Case(S: "decodeValueOfObjCType:at:" , |
193 | Value: &WalkAST::checkMsg_decodeValueOfObjCType) |
194 | .Default(Value: nullptr); |
195 | |
196 | if (evalFunction) |
197 | (this->*evalFunction)(ME); |
198 | |
199 | // Recurse and check children. |
200 | VisitChildren(ME); |
201 | } |
202 | |
203 | void WalkAST::VisitCompoundStmt(CompoundStmt *S) { |
204 | for (Stmt *Child : S->children()) |
205 | if (Child) { |
206 | if (CallExpr *CE = dyn_cast<CallExpr>(Val: Child)) |
207 | checkUncheckedReturnValue(CE); |
208 | Visit(Child); |
209 | } |
210 | } |
211 | |
212 | void WalkAST::VisitForStmt(ForStmt *FS) { |
213 | checkLoopConditionForFloat(FS); |
214 | |
215 | // Recurse and check children. |
216 | VisitChildren(S: FS); |
217 | } |
218 | |
219 | //===----------------------------------------------------------------------===// |
220 | // Check: floating point variable used as loop counter. |
221 | // Implements: CERT security coding advisory FLP-30. |
222 | //===----------------------------------------------------------------------===// |
223 | |
224 | // Returns either 'x' or 'y', depending on which one of them is incremented |
225 | // in 'expr', or nullptr if none of them is incremented. |
226 | static const DeclRefExpr* |
227 | getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) { |
228 | expr = expr->IgnoreParenCasts(); |
229 | |
230 | if (const BinaryOperator *B = dyn_cast<BinaryOperator>(Val: expr)) { |
231 | if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() || |
232 | B->getOpcode() == BO_Comma)) |
233 | return nullptr; |
234 | |
235 | if (const DeclRefExpr *lhs = getIncrementedVar(expr: B->getLHS(), x, y)) |
236 | return lhs; |
237 | |
238 | if (const DeclRefExpr *rhs = getIncrementedVar(expr: B->getRHS(), x, y)) |
239 | return rhs; |
240 | |
241 | return nullptr; |
242 | } |
243 | |
244 | if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Val: expr)) { |
245 | const NamedDecl *ND = DR->getDecl(); |
246 | return ND == x || ND == y ? DR : nullptr; |
247 | } |
248 | |
249 | if (const UnaryOperator *U = dyn_cast<UnaryOperator>(Val: expr)) |
250 | return U->isIncrementDecrementOp() |
251 | ? getIncrementedVar(expr: U->getSubExpr(), x, y) : nullptr; |
252 | |
253 | return nullptr; |
254 | } |
255 | |
256 | /// CheckLoopConditionForFloat - This check looks for 'for' statements that |
257 | /// use a floating point variable as a loop counter. |
258 | /// CERT: FLP30-C, FLP30-CPP. |
259 | /// |
260 | void WalkAST::checkLoopConditionForFloat(const ForStmt *FS) { |
261 | if (!filter.check_FloatLoopCounter) |
262 | return; |
263 | |
264 | // Does the loop have a condition? |
265 | const Expr *condition = FS->getCond(); |
266 | |
267 | if (!condition) |
268 | return; |
269 | |
270 | // Does the loop have an increment? |
271 | const Expr *increment = FS->getInc(); |
272 | |
273 | if (!increment) |
274 | return; |
275 | |
276 | // Strip away '()' and casts. |
277 | condition = condition->IgnoreParenCasts(); |
278 | increment = increment->IgnoreParenCasts(); |
279 | |
280 | // Is the loop condition a comparison? |
281 | const BinaryOperator *B = dyn_cast<BinaryOperator>(Val: condition); |
282 | |
283 | if (!B) |
284 | return; |
285 | |
286 | // Is this a comparison? |
287 | if (!(B->isRelationalOp() || B->isEqualityOp())) |
288 | return; |
289 | |
290 | // Are we comparing variables? |
291 | const DeclRefExpr *drLHS = |
292 | dyn_cast<DeclRefExpr>(Val: B->getLHS()->IgnoreParenLValueCasts()); |
293 | const DeclRefExpr *drRHS = |
294 | dyn_cast<DeclRefExpr>(Val: B->getRHS()->IgnoreParenLValueCasts()); |
295 | |
296 | // Does at least one of the variables have a floating point type? |
297 | drLHS = drLHS && drLHS->getType()->isRealFloatingType() ? drLHS : nullptr; |
298 | drRHS = drRHS && drRHS->getType()->isRealFloatingType() ? drRHS : nullptr; |
299 | |
300 | if (!drLHS && !drRHS) |
301 | return; |
302 | |
303 | const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(Val: drLHS->getDecl()) : nullptr; |
304 | const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(Val: drRHS->getDecl()) : nullptr; |
305 | |
306 | if (!vdLHS && !vdRHS) |
307 | return; |
308 | |
309 | // Does either variable appear in increment? |
310 | const DeclRefExpr *drInc = getIncrementedVar(expr: increment, x: vdLHS, y: vdRHS); |
311 | if (!drInc) |
312 | return; |
313 | |
314 | const VarDecl *vdInc = cast<VarDecl>(Val: drInc->getDecl()); |
315 | assert(vdInc && (vdInc == vdLHS || vdInc == vdRHS)); |
316 | |
317 | // Emit the error. First figure out which DeclRefExpr in the condition |
318 | // referenced the compared variable. |
319 | const DeclRefExpr *drCond = vdLHS == vdInc ? drLHS : drRHS; |
320 | |
321 | SmallVector<SourceRange, 2> ranges; |
322 | SmallString<256> sbuf; |
323 | llvm::raw_svector_ostream os(sbuf); |
324 | |
325 | os << "Variable '" << drCond->getDecl()->getName() |
326 | << "' with floating point type '" << drCond->getType() |
327 | << "' should not be used as a loop counter" ; |
328 | |
329 | ranges.push_back(Elt: drCond->getSourceRange()); |
330 | ranges.push_back(Elt: drInc->getSourceRange()); |
331 | |
332 | const char *bugType = "Floating point variable used as loop counter" ; |
333 | |
334 | PathDiagnosticLocation FSLoc = |
335 | PathDiagnosticLocation::createBegin(S: FS, SM: BR.getSourceManager(), LAC: AC); |
336 | BR.EmitBasicReport(DeclWithIssue: AC->getDecl(), CheckerName: filter.checkName_FloatLoopCounter, |
337 | BugName: bugType, BugCategory: "Security" , BugStr: os.str(), |
338 | Loc: FSLoc, Ranges: ranges); |
339 | } |
340 | |
341 | //===----------------------------------------------------------------------===// |
342 | // Check: Any use of bcmp. |
343 | // CWE-477: Use of Obsolete Functions |
344 | // bcmp was deprecated in POSIX.1-2008 |
345 | //===----------------------------------------------------------------------===// |
346 | |
347 | void WalkAST::checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD) { |
348 | if (!filter.check_bcmp) |
349 | return; |
350 | |
351 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
352 | if (!FPT) |
353 | return; |
354 | |
355 | // Verify that the function takes three arguments. |
356 | if (FPT->getNumParams() != 3) |
357 | return; |
358 | |
359 | for (int i = 0; i < 2; i++) { |
360 | // Verify the first and second argument type is void*. |
361 | const PointerType *PT = FPT->getParamType(i)->getAs<PointerType>(); |
362 | if (!PT) |
363 | return; |
364 | |
365 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy) |
366 | return; |
367 | } |
368 | |
369 | // Verify the third argument type is integer. |
370 | if (!FPT->getParamType(i: 2)->isIntegralOrUnscopedEnumerationType()) |
371 | return; |
372 | |
373 | // Issue a warning. |
374 | PathDiagnosticLocation CELoc = |
375 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
376 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_bcmp, |
377 | "Use of deprecated function in call to 'bcmp()'" , |
378 | "Security" , |
379 | "The bcmp() function is obsoleted by memcmp()." , |
380 | CELoc, CE->getCallee()->getSourceRange()); |
381 | } |
382 | |
383 | //===----------------------------------------------------------------------===// |
384 | // Check: Any use of bcopy. |
385 | // CWE-477: Use of Obsolete Functions |
386 | // bcopy was deprecated in POSIX.1-2008 |
387 | //===----------------------------------------------------------------------===// |
388 | |
389 | void WalkAST::checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD) { |
390 | if (!filter.check_bcopy) |
391 | return; |
392 | |
393 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
394 | if (!FPT) |
395 | return; |
396 | |
397 | // Verify that the function takes three arguments. |
398 | if (FPT->getNumParams() != 3) |
399 | return; |
400 | |
401 | for (int i = 0; i < 2; i++) { |
402 | // Verify the first and second argument type is void*. |
403 | const PointerType *PT = FPT->getParamType(i)->getAs<PointerType>(); |
404 | if (!PT) |
405 | return; |
406 | |
407 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy) |
408 | return; |
409 | } |
410 | |
411 | // Verify the third argument type is integer. |
412 | if (!FPT->getParamType(i: 2)->isIntegralOrUnscopedEnumerationType()) |
413 | return; |
414 | |
415 | // Issue a warning. |
416 | PathDiagnosticLocation CELoc = |
417 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
418 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_bcopy, |
419 | "Use of deprecated function in call to 'bcopy()'" , |
420 | "Security" , |
421 | "The bcopy() function is obsoleted by memcpy() " |
422 | "or memmove()." , |
423 | CELoc, CE->getCallee()->getSourceRange()); |
424 | } |
425 | |
426 | //===----------------------------------------------------------------------===// |
427 | // Check: Any use of bzero. |
428 | // CWE-477: Use of Obsolete Functions |
429 | // bzero was deprecated in POSIX.1-2008 |
430 | //===----------------------------------------------------------------------===// |
431 | |
432 | void WalkAST::checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD) { |
433 | if (!filter.check_bzero) |
434 | return; |
435 | |
436 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
437 | if (!FPT) |
438 | return; |
439 | |
440 | // Verify that the function takes two arguments. |
441 | if (FPT->getNumParams() != 2) |
442 | return; |
443 | |
444 | // Verify the first argument type is void*. |
445 | const PointerType *PT = FPT->getParamType(i: 0)->getAs<PointerType>(); |
446 | if (!PT) |
447 | return; |
448 | |
449 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy) |
450 | return; |
451 | |
452 | // Verify the second argument type is integer. |
453 | if (!FPT->getParamType(i: 1)->isIntegralOrUnscopedEnumerationType()) |
454 | return; |
455 | |
456 | // Issue a warning. |
457 | PathDiagnosticLocation CELoc = |
458 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
459 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_bzero, |
460 | "Use of deprecated function in call to 'bzero()'" , |
461 | "Security" , |
462 | "The bzero() function is obsoleted by memset()." , |
463 | CELoc, CE->getCallee()->getSourceRange()); |
464 | } |
465 | |
466 | |
467 | //===----------------------------------------------------------------------===// |
468 | // Check: Any use of 'gets' is insecure. Most man pages literally says this. |
469 | // |
470 | // Implements (part of): 300-BSI (buildsecurityin.us-cert.gov) |
471 | // CWE-242: Use of Inherently Dangerous Function |
472 | //===----------------------------------------------------------------------===// |
473 | |
474 | void WalkAST::checkCall_gets(const CallExpr *CE, const FunctionDecl *FD) { |
475 | if (!filter.check_gets) |
476 | return; |
477 | |
478 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
479 | if (!FPT) |
480 | return; |
481 | |
482 | // Verify that the function takes a single argument. |
483 | if (FPT->getNumParams() != 1) |
484 | return; |
485 | |
486 | // Is the argument a 'char*'? |
487 | const PointerType *PT = FPT->getParamType(i: 0)->getAs<PointerType>(); |
488 | if (!PT) |
489 | return; |
490 | |
491 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) |
492 | return; |
493 | |
494 | // Issue a warning. |
495 | PathDiagnosticLocation CELoc = |
496 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
497 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_gets, |
498 | "Potential buffer overflow in call to 'gets'" , |
499 | "Security" , |
500 | "Call to function 'gets' is extremely insecure as it can " |
501 | "always result in a buffer overflow" , |
502 | CELoc, CE->getCallee()->getSourceRange()); |
503 | } |
504 | |
505 | //===----------------------------------------------------------------------===// |
506 | // Check: Any use of 'getpwd' is insecure. |
507 | // CWE-477: Use of Obsolete Functions |
508 | //===----------------------------------------------------------------------===// |
509 | |
510 | void WalkAST::checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD) { |
511 | if (!filter.check_getpw) |
512 | return; |
513 | |
514 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
515 | if (!FPT) |
516 | return; |
517 | |
518 | // Verify that the function takes two arguments. |
519 | if (FPT->getNumParams() != 2) |
520 | return; |
521 | |
522 | // Verify the first argument type is integer. |
523 | if (!FPT->getParamType(i: 0)->isIntegralOrUnscopedEnumerationType()) |
524 | return; |
525 | |
526 | // Verify the second argument type is char*. |
527 | const PointerType *PT = FPT->getParamType(i: 1)->getAs<PointerType>(); |
528 | if (!PT) |
529 | return; |
530 | |
531 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) |
532 | return; |
533 | |
534 | // Issue a warning. |
535 | PathDiagnosticLocation CELoc = |
536 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
537 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_getpw, |
538 | "Potential buffer overflow in call to 'getpw'" , |
539 | "Security" , |
540 | "The getpw() function is dangerous as it may overflow the " |
541 | "provided buffer. It is obsoleted by getpwuid()." , |
542 | CELoc, CE->getCallee()->getSourceRange()); |
543 | } |
544 | |
545 | //===----------------------------------------------------------------------===// |
546 | // Check: Any use of 'mktemp' is insecure. It is obsoleted by mkstemp(). |
547 | // CWE-377: Insecure Temporary File |
548 | //===----------------------------------------------------------------------===// |
549 | |
550 | void WalkAST::checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) { |
551 | if (!filter.check_mktemp) { |
552 | // Fall back to the security check of looking for enough 'X's in the |
553 | // format string, since that is a less severe warning. |
554 | checkCall_mkstemp(CE, FD); |
555 | return; |
556 | } |
557 | |
558 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
559 | if(!FPT) |
560 | return; |
561 | |
562 | // Verify that the function takes a single argument. |
563 | if (FPT->getNumParams() != 1) |
564 | return; |
565 | |
566 | // Verify that the argument is Pointer Type. |
567 | const PointerType *PT = FPT->getParamType(i: 0)->getAs<PointerType>(); |
568 | if (!PT) |
569 | return; |
570 | |
571 | // Verify that the argument is a 'char*'. |
572 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) |
573 | return; |
574 | |
575 | // Issue a warning. |
576 | PathDiagnosticLocation CELoc = |
577 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
578 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_mktemp, |
579 | "Potential insecure temporary file in call 'mktemp'" , |
580 | "Security" , |
581 | "Call to function 'mktemp' is insecure as it always " |
582 | "creates or uses insecure temporary file. Use 'mkstemp' " |
583 | "instead" , |
584 | CELoc, CE->getCallee()->getSourceRange()); |
585 | } |
586 | |
587 | //===----------------------------------------------------------------------===// |
588 | // Check: Use of 'mkstemp', 'mktemp', 'mkdtemp' should contain at least 6 X's. |
589 | //===----------------------------------------------------------------------===// |
590 | |
591 | void WalkAST::checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD) { |
592 | if (!filter.check_mkstemp) |
593 | return; |
594 | |
595 | StringRef Name = FD->getIdentifier()->getName(); |
596 | std::pair<signed, signed> ArgSuffix = |
597 | llvm::StringSwitch<std::pair<signed, signed> >(Name) |
598 | .Case(S: "mktemp" , Value: std::make_pair(x: 0,y: -1)) |
599 | .Case(S: "mkstemp" , Value: std::make_pair(x: 0,y: -1)) |
600 | .Case(S: "mkdtemp" , Value: std::make_pair(x: 0,y: -1)) |
601 | .Case(S: "mkstemps" , Value: std::make_pair(x: 0,y: 1)) |
602 | .Default(Value: std::make_pair(x: -1, y: -1)); |
603 | |
604 | assert(ArgSuffix.first >= 0 && "Unsupported function" ); |
605 | |
606 | // Check if the number of arguments is consistent with out expectations. |
607 | unsigned numArgs = CE->getNumArgs(); |
608 | if ((signed) numArgs <= ArgSuffix.first) |
609 | return; |
610 | |
611 | const StringLiteral *strArg = |
612 | dyn_cast<StringLiteral>(Val: CE->getArg(Arg: (unsigned)ArgSuffix.first) |
613 | ->IgnoreParenImpCasts()); |
614 | |
615 | // Currently we only handle string literals. It is possible to do better, |
616 | // either by looking at references to const variables, or by doing real |
617 | // flow analysis. |
618 | if (!strArg || strArg->getCharByteWidth() != 1) |
619 | return; |
620 | |
621 | // Count the number of X's, taking into account a possible cutoff suffix. |
622 | StringRef str = strArg->getString(); |
623 | unsigned numX = 0; |
624 | unsigned n = str.size(); |
625 | |
626 | // Take into account the suffix. |
627 | unsigned suffix = 0; |
628 | if (ArgSuffix.second >= 0) { |
629 | const Expr *suffixEx = CE->getArg(Arg: (unsigned)ArgSuffix.second); |
630 | Expr::EvalResult EVResult; |
631 | if (!suffixEx->EvaluateAsInt(Result&: EVResult, Ctx: BR.getContext())) |
632 | return; |
633 | llvm::APSInt Result = EVResult.Val.getInt(); |
634 | // FIXME: Issue a warning. |
635 | if (Result.isNegative()) |
636 | return; |
637 | suffix = (unsigned) Result.getZExtValue(); |
638 | n = (n > suffix) ? n - suffix : 0; |
639 | } |
640 | |
641 | for (unsigned i = 0; i < n; ++i) |
642 | if (str[i] == 'X') ++numX; |
643 | |
644 | if (numX >= 6) |
645 | return; |
646 | |
647 | // Issue a warning. |
648 | PathDiagnosticLocation CELoc = |
649 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
650 | SmallString<512> buf; |
651 | llvm::raw_svector_ostream out(buf); |
652 | out << "Call to '" << Name << "' should have at least 6 'X's in the" |
653 | " format string to be secure (" << numX << " 'X'" ; |
654 | if (numX != 1) |
655 | out << 's'; |
656 | out << " seen" ; |
657 | if (suffix) { |
658 | out << ", " << suffix << " character" ; |
659 | if (suffix > 1) |
660 | out << 's'; |
661 | out << " used as a suffix" ; |
662 | } |
663 | out << ')'; |
664 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_mkstemp, |
665 | "Insecure temporary file creation" , "Security" , |
666 | out.str(), CELoc, strArg->getSourceRange()); |
667 | } |
668 | |
669 | //===----------------------------------------------------------------------===// |
670 | // Check: Any use of 'strcpy' is insecure. |
671 | // |
672 | // CWE-119: Improper Restriction of Operations within |
673 | // the Bounds of a Memory Buffer |
674 | //===----------------------------------------------------------------------===// |
675 | |
676 | void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) { |
677 | if (!filter.check_strcpy) |
678 | return; |
679 | |
680 | if (!checkCall_strCommon(CE, FD)) |
681 | return; |
682 | |
683 | const auto *Target = CE->getArg(Arg: 0)->IgnoreImpCasts(), |
684 | *Source = CE->getArg(Arg: 1)->IgnoreImpCasts(); |
685 | |
686 | if (const auto *Array = dyn_cast<ConstantArrayType>(Val: Target->getType())) { |
687 | uint64_t ArraySize = BR.getContext().getTypeSize(Array) / 8; |
688 | if (const auto *String = dyn_cast<StringLiteral>(Val: Source)) { |
689 | if (ArraySize >= String->getLength() + 1) |
690 | return; |
691 | } |
692 | } |
693 | |
694 | // Issue a warning. |
695 | PathDiagnosticLocation CELoc = |
696 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
697 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy, |
698 | "Potential insecure memory buffer bounds restriction in " |
699 | "call 'strcpy'" , |
700 | "Security" , |
701 | "Call to function 'strcpy' is insecure as it does not " |
702 | "provide bounding of the memory buffer. Replace " |
703 | "unbounded copy functions with analogous functions that " |
704 | "support length arguments such as 'strlcpy'. CWE-119." , |
705 | CELoc, CE->getCallee()->getSourceRange()); |
706 | } |
707 | |
708 | //===----------------------------------------------------------------------===// |
709 | // Check: Any use of 'strcat' is insecure. |
710 | // |
711 | // CWE-119: Improper Restriction of Operations within |
712 | // the Bounds of a Memory Buffer |
713 | //===----------------------------------------------------------------------===// |
714 | |
715 | void WalkAST::checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD) { |
716 | if (!filter.check_strcpy) |
717 | return; |
718 | |
719 | if (!checkCall_strCommon(CE, FD)) |
720 | return; |
721 | |
722 | // Issue a warning. |
723 | PathDiagnosticLocation CELoc = |
724 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
725 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy, |
726 | "Potential insecure memory buffer bounds restriction in " |
727 | "call 'strcat'" , |
728 | "Security" , |
729 | "Call to function 'strcat' is insecure as it does not " |
730 | "provide bounding of the memory buffer. Replace " |
731 | "unbounded copy functions with analogous functions that " |
732 | "support length arguments such as 'strlcat'. CWE-119." , |
733 | CELoc, CE->getCallee()->getSourceRange()); |
734 | } |
735 | |
736 | //===----------------------------------------------------------------------===// |
737 | // Check: Any use of 'sprintf', 'vsprintf', 'scanf', 'wscanf', 'fscanf', |
738 | // 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf', |
739 | // 'swscanf', 'vsscanf', 'vswscanf', 'swprintf', 'snprintf', 'vswprintf', |
740 | // 'vsnprintf', 'memcpy', 'memmove', 'strncpy', 'strncat', 'memset', |
741 | // 'fprintf' is deprecated since C11. |
742 | // |
743 | // Use of 'sprintf', 'fprintf', 'vsprintf', 'scanf', 'wscanf', 'fscanf', |
744 | // 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf', |
745 | // 'swscanf', 'vsscanf', 'vswscanf' without buffer limitations |
746 | // is insecure. |
747 | // |
748 | // CWE-119: Improper Restriction of Operations within |
749 | // the Bounds of a Memory Buffer |
750 | //===----------------------------------------------------------------------===// |
751 | |
752 | void WalkAST::checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE, |
753 | const FunctionDecl *FD) { |
754 | if (!filter.check_DeprecatedOrUnsafeBufferHandling) |
755 | return; |
756 | |
757 | if (!BR.getContext().getLangOpts().C11) |
758 | return; |
759 | |
760 | // Issue a warning. ArgIndex == -1: Deprecated but not unsafe (has size |
761 | // restrictions). |
762 | enum { DEPR_ONLY = -1, UNKNOWN_CALL = -2 }; |
763 | |
764 | StringRef Name = FD->getIdentifier()->getName(); |
765 | Name.consume_front(Prefix: "__builtin_" ); |
766 | |
767 | int ArgIndex = |
768 | llvm::StringSwitch<int>(Name) |
769 | .Cases(S0: "scanf" , S1: "wscanf" , S2: "vscanf" , S3: "vwscanf" , Value: 0) |
770 | .Cases(S0: "fscanf" , S1: "fwscanf" , S2: "vfscanf" , S3: "vfwscanf" , S4: "sscanf" , |
771 | S5: "swscanf" , S6: "vsscanf" , S7: "vswscanf" , Value: 1) |
772 | .Cases(S0: "sprintf" , S1: "vsprintf" , S2: "fprintf" , Value: 1) |
773 | .Cases(S0: "swprintf" , S1: "snprintf" , S2: "vswprintf" , S3: "vsnprintf" , S4: "memcpy" , |
774 | S5: "memmove" , S6: "memset" , S7: "strncpy" , S8: "strncat" , Value: DEPR_ONLY) |
775 | .Default(Value: UNKNOWN_CALL); |
776 | |
777 | assert(ArgIndex != UNKNOWN_CALL && "Unsupported function" ); |
778 | bool BoundsProvided = ArgIndex == DEPR_ONLY; |
779 | |
780 | if (!BoundsProvided) { |
781 | // Currently we only handle (not wide) string literals. It is possible to do |
782 | // better, either by looking at references to const variables, or by doing |
783 | // real flow analysis. |
784 | auto FormatString = |
785 | dyn_cast<StringLiteral>(Val: CE->getArg(Arg: ArgIndex)->IgnoreParenImpCasts()); |
786 | if (FormatString && !FormatString->getString().contains("%s" ) && |
787 | !FormatString->getString().contains("%[" )) |
788 | BoundsProvided = true; |
789 | } |
790 | |
791 | SmallString<128> Buf1; |
792 | SmallString<512> Buf2; |
793 | llvm::raw_svector_ostream Out1(Buf1); |
794 | llvm::raw_svector_ostream Out2(Buf2); |
795 | |
796 | Out1 << "Potential insecure memory buffer bounds restriction in call '" |
797 | << Name << "'" ; |
798 | Out2 << "Call to function '" << Name |
799 | << "' is insecure as it does not provide " ; |
800 | |
801 | if (!BoundsProvided) { |
802 | Out2 << "bounding of the memory buffer or " ; |
803 | } |
804 | |
805 | Out2 << "security checks introduced " |
806 | "in the C11 standard. Replace with analogous functions that " |
807 | "support length arguments or provides boundary checks such as '" |
808 | << Name << "_s' in case of C11" ; |
809 | |
810 | PathDiagnosticLocation CELoc = |
811 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
812 | BR.EmitBasicReport(AC->getDecl(), |
813 | filter.checkName_DeprecatedOrUnsafeBufferHandling, |
814 | Out1.str(), "Security" , Out2.str(), CELoc, |
815 | CE->getCallee()->getSourceRange()); |
816 | } |
817 | |
818 | //===----------------------------------------------------------------------===// |
819 | // Common check for str* functions with no bounds parameters. |
820 | //===----------------------------------------------------------------------===// |
821 | |
822 | bool WalkAST::checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD) { |
823 | const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>(); |
824 | if (!FPT) |
825 | return false; |
826 | |
827 | // Verify the function takes two arguments, three in the _chk version. |
828 | int numArgs = FPT->getNumParams(); |
829 | if (numArgs != 2 && numArgs != 3) |
830 | return false; |
831 | |
832 | // Verify the type for both arguments. |
833 | for (int i = 0; i < 2; i++) { |
834 | // Verify that the arguments are pointers. |
835 | const PointerType *PT = FPT->getParamType(i)->getAs<PointerType>(); |
836 | if (!PT) |
837 | return false; |
838 | |
839 | // Verify that the argument is a 'char*'. |
840 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) |
841 | return false; |
842 | } |
843 | |
844 | return true; |
845 | } |
846 | |
847 | //===----------------------------------------------------------------------===// |
848 | // Check: Linear congruent random number generators should not be used, |
849 | // i.e. rand(), random(). |
850 | // |
851 | // E. Bach, "Efficient prediction of Marsaglia-Zaman random number generators," |
852 | // in IEEE Transactions on Information Theory, vol. 44, no. 3, pp. 1253-1257, |
853 | // May 1998, https://doi.org/10.1109/18.669305 |
854 | // |
855 | // CWE-338: Use of cryptographically weak prng |
856 | //===----------------------------------------------------------------------===// |
857 | |
858 | void WalkAST::checkCall_rand(const CallExpr *CE, const FunctionDecl *FD) { |
859 | if (!filter.check_rand || !CheckRand) |
860 | return; |
861 | |
862 | const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>(); |
863 | if (!FTP) |
864 | return; |
865 | |
866 | if (FTP->getNumParams() == 1) { |
867 | // Is the argument an 'unsigned short *'? |
868 | // (Actually any integer type is allowed.) |
869 | const PointerType *PT = FTP->getParamType(i: 0)->getAs<PointerType>(); |
870 | if (!PT) |
871 | return; |
872 | |
873 | if (! PT->getPointeeType()->isIntegralOrUnscopedEnumerationType()) |
874 | return; |
875 | } else if (FTP->getNumParams() != 0) |
876 | return; |
877 | |
878 | // Issue a warning. |
879 | SmallString<256> buf1; |
880 | llvm::raw_svector_ostream os1(buf1); |
881 | os1 << '\'' << *FD << "' is a poor random number generator" ; |
882 | |
883 | SmallString<256> buf2; |
884 | llvm::raw_svector_ostream os2(buf2); |
885 | os2 << "Function '" << *FD |
886 | << "' is obsolete because it implements a poor random number generator." |
887 | << " Use 'arc4random' instead" ; |
888 | |
889 | PathDiagnosticLocation CELoc = |
890 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
891 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand, os1.str(), |
892 | "Security" , os2.str(), CELoc, |
893 | CE->getCallee()->getSourceRange()); |
894 | } |
895 | |
896 | // See justification for rand(). |
897 | void WalkAST::checkCall_random(const CallExpr *CE, const FunctionDecl *FD) { |
898 | if (!CheckRand || !filter.check_rand) |
899 | return; |
900 | |
901 | const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>(); |
902 | if (!FTP) |
903 | return; |
904 | |
905 | // Verify that the function takes no argument. |
906 | if (FTP->getNumParams() != 0) |
907 | return; |
908 | |
909 | // Issue a warning. |
910 | PathDiagnosticLocation CELoc = |
911 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
912 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand, |
913 | "'random' is not a secure random number generator" , |
914 | "Security" , |
915 | "The 'random' function produces a sequence of values that " |
916 | "an adversary may be able to predict. Use 'arc4random' " |
917 | "instead" , CELoc, CE->getCallee()->getSourceRange()); |
918 | } |
919 | |
920 | //===----------------------------------------------------------------------===// |
921 | // Check: 'vfork' should not be used. |
922 | // POS33-C: Do not use vfork(). |
923 | //===----------------------------------------------------------------------===// |
924 | |
925 | void WalkAST::checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD) { |
926 | if (!filter.check_vfork) |
927 | return; |
928 | |
929 | // All calls to vfork() are insecure, issue a warning. |
930 | PathDiagnosticLocation CELoc = |
931 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
932 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_vfork, |
933 | "Potential insecure implementation-specific behavior in " |
934 | "call 'vfork'" , |
935 | "Security" , |
936 | "Call to function 'vfork' is insecure as it can lead to " |
937 | "denial of service situations in the parent process. " |
938 | "Replace calls to vfork with calls to the safer " |
939 | "'posix_spawn' function" , |
940 | CELoc, CE->getCallee()->getSourceRange()); |
941 | } |
942 | |
943 | //===----------------------------------------------------------------------===// |
944 | // Check: '-decodeValueOfObjCType:at:' should not be used. |
945 | // It is deprecated in favor of '-decodeValueOfObjCType:at:size:' due to |
946 | // likelihood of buffer overflows. |
947 | //===----------------------------------------------------------------------===// |
948 | |
949 | void WalkAST::checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME) { |
950 | if (!filter.check_decodeValueOfObjCType) |
951 | return; |
952 | |
953 | // Check availability of the secure alternative: |
954 | // iOS 11+, macOS 10.13+, tvOS 11+, and watchOS 4.0+ |
955 | // FIXME: We probably shouldn't register the check if it's not available. |
956 | const TargetInfo &TI = AC->getASTContext().getTargetInfo(); |
957 | const llvm::Triple &T = TI.getTriple(); |
958 | const VersionTuple &VT = TI.getPlatformMinVersion(); |
959 | switch (T.getOS()) { |
960 | case llvm::Triple::IOS: |
961 | if (VT < VersionTuple(11, 0)) |
962 | return; |
963 | break; |
964 | case llvm::Triple::MacOSX: |
965 | if (VT < VersionTuple(10, 13)) |
966 | return; |
967 | break; |
968 | case llvm::Triple::WatchOS: |
969 | if (VT < VersionTuple(4, 0)) |
970 | return; |
971 | break; |
972 | case llvm::Triple::TvOS: |
973 | if (VT < VersionTuple(11, 0)) |
974 | return; |
975 | break; |
976 | case llvm::Triple::XROS: |
977 | break; |
978 | default: |
979 | return; |
980 | } |
981 | |
982 | PathDiagnosticLocation MELoc = |
983 | PathDiagnosticLocation::createBegin(ME, BR.getSourceManager(), AC); |
984 | BR.EmitBasicReport( |
985 | AC->getDecl(), filter.checkName_decodeValueOfObjCType, |
986 | "Potential buffer overflow in '-decodeValueOfObjCType:at:'" , "Security" , |
987 | "Deprecated method '-decodeValueOfObjCType:at:' is insecure " |
988 | "as it can lead to potential buffer overflows. Use the safer " |
989 | "'-decodeValueOfObjCType:at:size:' method." , |
990 | MELoc, ME->getSourceRange()); |
991 | } |
992 | |
993 | //===----------------------------------------------------------------------===// |
994 | // Check: The caller should always verify that the privileges |
995 | // were dropped successfully. |
996 | // |
997 | // Some library functions, like setuid() and setgid(), should always be used |
998 | // with a check of the return value to verify that the function completed |
999 | // successfully. If the drop fails, the software will continue to run |
1000 | // with the raised privileges, which might provide additional access |
1001 | // to unprivileged users. |
1002 | // |
1003 | // (Note that this check predates __attribute__((warn_unused_result)). |
1004 | // Do we still need it now that we have a compiler warning for this? |
1005 | // Are these standard functions already annotated this way?) |
1006 | //===----------------------------------------------------------------------===// |
1007 | |
1008 | void WalkAST::checkUncheckedReturnValue(CallExpr *CE) { |
1009 | if (!filter.check_UncheckedReturn) |
1010 | return; |
1011 | |
1012 | const FunctionDecl *FD = CE->getDirectCallee(); |
1013 | if (!FD) |
1014 | return; |
1015 | |
1016 | if (II_setid[0] == nullptr) { |
1017 | static const char * const identifiers[num_setids] = { |
1018 | "setuid" , "setgid" , "seteuid" , "setegid" , |
1019 | "setreuid" , "setregid" |
1020 | }; |
1021 | |
1022 | for (size_t i = 0; i < num_setids; i++) |
1023 | II_setid[i] = &BR.getContext().Idents.get(Name: identifiers[i]); |
1024 | } |
1025 | |
1026 | const IdentifierInfo *id = FD->getIdentifier(); |
1027 | size_t identifierid; |
1028 | |
1029 | for (identifierid = 0; identifierid < num_setids; identifierid++) |
1030 | if (id == II_setid[identifierid]) |
1031 | break; |
1032 | |
1033 | if (identifierid >= num_setids) |
1034 | return; |
1035 | |
1036 | const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>(); |
1037 | if (!FTP) |
1038 | return; |
1039 | |
1040 | // Verify that the function takes one or two arguments (depending on |
1041 | // the function). |
1042 | if (FTP->getNumParams() != (identifierid < 4 ? 1 : 2)) |
1043 | return; |
1044 | |
1045 | // The arguments must be integers. |
1046 | for (unsigned i = 0; i < FTP->getNumParams(); i++) |
1047 | if (!FTP->getParamType(i)->isIntegralOrUnscopedEnumerationType()) |
1048 | return; |
1049 | |
1050 | // Issue a warning. |
1051 | SmallString<256> buf1; |
1052 | llvm::raw_svector_ostream os1(buf1); |
1053 | os1 << "Return value is not checked in call to '" << *FD << '\''; |
1054 | |
1055 | SmallString<256> buf2; |
1056 | llvm::raw_svector_ostream os2(buf2); |
1057 | os2 << "The return value from the call to '" << *FD |
1058 | << "' is not checked. If an error occurs in '" << *FD |
1059 | << "', the following code may execute with unexpected privileges" ; |
1060 | |
1061 | PathDiagnosticLocation CELoc = |
1062 | PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); |
1063 | BR.EmitBasicReport(AC->getDecl(), filter.checkName_UncheckedReturn, os1.str(), |
1064 | "Security" , os2.str(), CELoc, |
1065 | CE->getCallee()->getSourceRange()); |
1066 | } |
1067 | |
1068 | //===----------------------------------------------------------------------===// |
1069 | // SecuritySyntaxChecker |
1070 | //===----------------------------------------------------------------------===// |
1071 | |
1072 | namespace { |
1073 | class SecuritySyntaxChecker : public Checker<check::ASTCodeBody> { |
1074 | public: |
1075 | ChecksFilter filter; |
1076 | |
1077 | void checkASTCodeBody(const Decl *D, AnalysisManager& mgr, |
1078 | BugReporter &BR) const { |
1079 | WalkAST walker(BR, mgr.getAnalysisDeclContext(D), filter); |
1080 | walker.Visit(D->getBody()); |
1081 | } |
1082 | }; |
1083 | } |
1084 | |
1085 | void ento::registerSecuritySyntaxChecker(CheckerManager &mgr) { |
1086 | mgr.registerChecker<SecuritySyntaxChecker>(); |
1087 | } |
1088 | |
1089 | bool ento::shouldRegisterSecuritySyntaxChecker(const CheckerManager &mgr) { |
1090 | return true; |
1091 | } |
1092 | |
1093 | #define REGISTER_CHECKER(name) \ |
1094 | void ento::register##name(CheckerManager &mgr) { \ |
1095 | SecuritySyntaxChecker *checker = mgr.getChecker<SecuritySyntaxChecker>(); \ |
1096 | checker->filter.check_##name = true; \ |
1097 | checker->filter.checkName_##name = mgr.getCurrentCheckerName(); \ |
1098 | } \ |
1099 | \ |
1100 | bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } |
1101 | |
1102 | REGISTER_CHECKER(bcmp) |
1103 | REGISTER_CHECKER(bcopy) |
1104 | REGISTER_CHECKER(bzero) |
1105 | REGISTER_CHECKER(gets) |
1106 | REGISTER_CHECKER(getpw) |
1107 | REGISTER_CHECKER(mkstemp) |
1108 | REGISTER_CHECKER(mktemp) |
1109 | REGISTER_CHECKER(strcpy) |
1110 | REGISTER_CHECKER(rand) |
1111 | REGISTER_CHECKER(vfork) |
1112 | REGISTER_CHECKER(FloatLoopCounter) |
1113 | REGISTER_CHECKER(UncheckedReturn) |
1114 | REGISTER_CHECKER(DeprecatedOrUnsafeBufferHandling) |
1115 | REGISTER_CHECKER(decodeValueOfObjCType) |
1116 | |