1 | // MallocOverflowSecurityChecker.cpp - Check for malloc overflows -*- C++ -*-=// |
2 | // |
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | // See https://llvm.org/LICENSE.txt for license information. |
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | // |
7 | //===----------------------------------------------------------------------===// |
8 | // |
9 | // This checker detects a common memory allocation security flaw. |
10 | // Suppose 'unsigned int n' comes from an untrusted source. If the |
11 | // code looks like 'malloc (n * 4)', and an attacker can make 'n' be |
12 | // say MAX_UINT/4+2, then instead of allocating the correct 'n' 4-byte |
13 | // elements, this will actually allocate only two because of overflow. |
14 | // Then when the rest of the program attempts to store values past the |
15 | // second element, these values will actually overwrite other items in |
16 | // the heap, probably allowing the attacker to execute arbitrary code. |
17 | // |
18 | //===----------------------------------------------------------------------===// |
19 | |
20 | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" |
21 | #include "clang/AST/EvaluatedExprVisitor.h" |
22 | #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" |
23 | #include "clang/StaticAnalyzer/Core/Checker.h" |
24 | #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" |
25 | #include "llvm/ADT/APSInt.h" |
26 | #include "llvm/ADT/SmallVector.h" |
27 | #include <optional> |
28 | #include <utility> |
29 | |
30 | using namespace clang; |
31 | using namespace ento; |
32 | using llvm::APSInt; |
33 | |
34 | namespace { |
35 | struct MallocOverflowCheck { |
36 | const CallExpr *call; |
37 | const BinaryOperator *mulop; |
38 | const Expr *variable; |
39 | APSInt maxVal; |
40 | |
41 | MallocOverflowCheck(const CallExpr *call, const BinaryOperator *m, |
42 | const Expr *v, APSInt val) |
43 | : call(call), mulop(m), variable(v), maxVal(std::move(val)) {} |
44 | }; |
45 | |
46 | class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> { |
47 | public: |
48 | void checkASTCodeBody(const Decl *D, AnalysisManager &mgr, |
49 | BugReporter &BR) const; |
50 | |
51 | void CheckMallocArgument( |
52 | SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, |
53 | const CallExpr *TheCall, ASTContext &Context) const; |
54 | |
55 | void OutputPossibleOverflows( |
56 | SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, |
57 | const Decl *D, BugReporter &BR, AnalysisManager &mgr) const; |
58 | |
59 | }; |
60 | } // end anonymous namespace |
61 | |
62 | // Return true for computations which evaluate to zero: e.g., mult by 0. |
63 | static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) { |
64 | return (op == BO_Mul) && (Val == 0); |
65 | } |
66 | |
67 | void MallocOverflowSecurityChecker::CheckMallocArgument( |
68 | SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, |
69 | const CallExpr *TheCall, ASTContext &Context) const { |
70 | |
71 | /* Look for a linear combination with a single variable, and at least |
72 | one multiplication. |
73 | Reject anything that applies to the variable: an explicit cast, |
74 | conditional expression, an operation that could reduce the range |
75 | of the result, or anything too complicated :-). */ |
76 | const Expr *e = TheCall->getArg(Arg: 0); |
77 | const BinaryOperator * mulop = nullptr; |
78 | APSInt maxVal; |
79 | |
80 | for (;;) { |
81 | maxVal = 0; |
82 | e = e->IgnoreParenImpCasts(); |
83 | if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(Val: e)) { |
84 | BinaryOperatorKind opc = binop->getOpcode(); |
85 | // TODO: ignore multiplications by 1, reject if multiplied by 0. |
86 | if (mulop == nullptr && opc == BO_Mul) |
87 | mulop = binop; |
88 | if (opc != BO_Mul && opc != BO_Add && opc != BO_Sub && opc != BO_Shl) |
89 | return; |
90 | |
91 | const Expr *lhs = binop->getLHS(); |
92 | const Expr *rhs = binop->getRHS(); |
93 | if (rhs->isEvaluatable(Ctx: Context)) { |
94 | e = lhs; |
95 | maxVal = rhs->EvaluateKnownConstInt(Ctx: Context); |
96 | if (EvaluatesToZero(Val&: maxVal, op: opc)) |
97 | return; |
98 | } else if ((opc == BO_Add || opc == BO_Mul) && |
99 | lhs->isEvaluatable(Ctx: Context)) { |
100 | maxVal = lhs->EvaluateKnownConstInt(Ctx: Context); |
101 | if (EvaluatesToZero(Val&: maxVal, op: opc)) |
102 | return; |
103 | e = rhs; |
104 | } else |
105 | return; |
106 | } else if (isa<DeclRefExpr, MemberExpr>(Val: e)) |
107 | break; |
108 | else |
109 | return; |
110 | } |
111 | |
112 | if (mulop == nullptr) |
113 | return; |
114 | |
115 | // We've found the right structure of malloc argument, now save |
116 | // the data so when the body of the function is completely available |
117 | // we can check for comparisons. |
118 | |
119 | PossibleMallocOverflows.push_back( |
120 | Elt: MallocOverflowCheck(TheCall, mulop, e, maxVal)); |
121 | } |
122 | |
123 | namespace { |
124 | // A worker class for OutputPossibleOverflows. |
125 | class CheckOverflowOps : |
126 | public EvaluatedExprVisitor<CheckOverflowOps> { |
127 | public: |
128 | typedef SmallVectorImpl<MallocOverflowCheck> theVecType; |
129 | |
130 | private: |
131 | theVecType &toScanFor; |
132 | ASTContext &Context; |
133 | |
134 | bool isIntZeroExpr(const Expr *E) const { |
135 | if (!E->getType()->isIntegralOrEnumerationType()) |
136 | return false; |
137 | Expr::EvalResult Result; |
138 | if (E->EvaluateAsInt(Result, Ctx: Context)) |
139 | return Result.Val.getInt() == 0; |
140 | return false; |
141 | } |
142 | |
143 | static const Decl *getDecl(const DeclRefExpr *DR) { return DR->getDecl(); } |
144 | static const Decl *getDecl(const MemberExpr *ME) { |
145 | return ME->getMemberDecl(); |
146 | } |
147 | |
148 | template <typename T1> |
149 | void Erase(const T1 *DR, |
150 | llvm::function_ref<bool(const MallocOverflowCheck &)> Pred) { |
151 | auto P = [DR, Pred](const MallocOverflowCheck &Check) { |
152 | if (const auto *CheckDR = dyn_cast<T1>(Check.variable)) |
153 | return getDecl(CheckDR) == getDecl(DR) && Pred(Check); |
154 | return false; |
155 | }; |
156 | llvm::erase_if(toScanFor, P); |
157 | } |
158 | |
159 | void CheckExpr(const Expr *E_p) { |
160 | const Expr *E = E_p->IgnoreParenImpCasts(); |
161 | const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) { |
162 | return Context.getSourceManager().isBeforeInTranslationUnit( |
163 | E->getExprLoc(), c.call->getExprLoc()); |
164 | }; |
165 | if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Val: E)) |
166 | Erase<DeclRefExpr>(DR, PrecedesMalloc); |
167 | else if (const auto *ME = dyn_cast<MemberExpr>(Val: E)) { |
168 | Erase<MemberExpr>(ME, PrecedesMalloc); |
169 | } |
170 | } |
171 | |
172 | // Check if the argument to malloc is assigned a value |
173 | // which cannot cause an overflow. |
174 | // e.g., malloc (mul * x) and, |
175 | // case 1: mul = <constant value> |
176 | // case 2: mul = a/b, where b > x |
177 | void CheckAssignmentExpr(BinaryOperator *AssignEx) { |
178 | bool assignKnown = false; |
179 | bool numeratorKnown = false, denomKnown = false; |
180 | APSInt denomVal; |
181 | denomVal = 0; |
182 | |
183 | // Erase if the multiplicand was assigned a constant value. |
184 | const Expr *rhs = AssignEx->getRHS(); |
185 | if (rhs->isEvaluatable(Ctx: Context)) |
186 | assignKnown = true; |
187 | |
188 | // Discard the report if the multiplicand was assigned a value, |
189 | // that can never overflow after multiplication. e.g., the assignment |
190 | // is a division operator and the denominator is > other multiplicand. |
191 | const Expr *rhse = rhs->IgnoreParenImpCasts(); |
192 | if (const BinaryOperator *BOp = dyn_cast<BinaryOperator>(Val: rhse)) { |
193 | if (BOp->getOpcode() == BO_Div) { |
194 | const Expr *denom = BOp->getRHS()->IgnoreParenImpCasts(); |
195 | Expr::EvalResult Result; |
196 | if (denom->EvaluateAsInt(Result, Ctx: Context)) { |
197 | denomVal = Result.Val.getInt(); |
198 | denomKnown = true; |
199 | } |
200 | const Expr *numerator = BOp->getLHS()->IgnoreParenImpCasts(); |
201 | if (numerator->isEvaluatable(Ctx: Context)) |
202 | numeratorKnown = true; |
203 | } |
204 | } |
205 | if (!assignKnown && !denomKnown) |
206 | return; |
207 | auto denomExtVal = denomVal.getExtValue(); |
208 | |
209 | // Ignore negative denominator. |
210 | if (denomExtVal < 0) |
211 | return; |
212 | |
213 | const Expr *lhs = AssignEx->getLHS(); |
214 | const Expr *E = lhs->IgnoreParenImpCasts(); |
215 | |
216 | auto pred = [assignKnown, numeratorKnown, |
217 | denomExtVal](const MallocOverflowCheck &Check) { |
218 | return assignKnown || |
219 | (numeratorKnown && (denomExtVal >= Check.maxVal.getExtValue())); |
220 | }; |
221 | |
222 | if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Val: E)) |
223 | Erase<DeclRefExpr>(DR, Pred: pred); |
224 | else if (const auto *ME = dyn_cast<MemberExpr>(Val: E)) |
225 | Erase<MemberExpr>(DR: ME, Pred: pred); |
226 | } |
227 | |
228 | public: |
229 | void VisitBinaryOperator(BinaryOperator *E) { |
230 | if (E->isComparisonOp()) { |
231 | const Expr * lhs = E->getLHS(); |
232 | const Expr * rhs = E->getRHS(); |
233 | // Ignore comparisons against zero, since they generally don't |
234 | // protect against an overflow. |
235 | if (!isIntZeroExpr(E: lhs) && !isIntZeroExpr(E: rhs)) { |
236 | CheckExpr(E_p: lhs); |
237 | CheckExpr(E_p: rhs); |
238 | } |
239 | } |
240 | if (E->isAssignmentOp()) |
241 | CheckAssignmentExpr(AssignEx: E); |
242 | EvaluatedExprVisitor<CheckOverflowOps>::VisitBinaryOperator(E); |
243 | } |
244 | |
245 | /* We specifically ignore loop conditions, because they're typically |
246 | not error checks. */ |
247 | void VisitWhileStmt(WhileStmt *S) { |
248 | return this->Visit(S: S->getBody()); |
249 | } |
250 | void VisitForStmt(ForStmt *S) { |
251 | return this->Visit(S: S->getBody()); |
252 | } |
253 | void VisitDoStmt(DoStmt *S) { |
254 | return this->Visit(S: S->getBody()); |
255 | } |
256 | |
257 | CheckOverflowOps(theVecType &v, ASTContext &ctx) |
258 | : EvaluatedExprVisitor<CheckOverflowOps>(ctx), |
259 | toScanFor(v), Context(ctx) |
260 | { } |
261 | }; |
262 | } |
263 | |
264 | // OutputPossibleOverflows - We've found a possible overflow earlier, |
265 | // now check whether Body might contain a comparison which might be |
266 | // preventing the overflow. |
267 | // This doesn't do flow analysis, range analysis, or points-to analysis; it's |
268 | // just a dumb "is there a comparison" scan. The aim here is to |
269 | // detect the most blatent cases of overflow and educate the |
270 | // programmer. |
271 | void MallocOverflowSecurityChecker::OutputPossibleOverflows( |
272 | SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, |
273 | const Decl *D, BugReporter &BR, AnalysisManager &mgr) const { |
274 | // By far the most common case: nothing to check. |
275 | if (PossibleMallocOverflows.empty()) |
276 | return; |
277 | |
278 | // Delete any possible overflows which have a comparison. |
279 | CheckOverflowOps c(PossibleMallocOverflows, BR.getContext()); |
280 | c.Visit(S: mgr.getAnalysisDeclContext(D)->getBody()); |
281 | |
282 | // Output warnings for all overflows that are left. |
283 | for (const MallocOverflowCheck &Check : PossibleMallocOverflows) { |
284 | BR.EmitBasicReport( |
285 | D, this, "malloc() size overflow" , categories::UnixAPI, |
286 | "the computation of the size of the memory allocation may overflow" , |
287 | PathDiagnosticLocation::createOperatorLoc(BO: Check.mulop, |
288 | SM: BR.getSourceManager()), |
289 | Check.mulop->getSourceRange()); |
290 | } |
291 | } |
292 | |
293 | void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D, |
294 | AnalysisManager &mgr, |
295 | BugReporter &BR) const { |
296 | |
297 | CFG *cfg = mgr.getCFG(D); |
298 | if (!cfg) |
299 | return; |
300 | |
301 | // A list of variables referenced in possibly overflowing malloc operands. |
302 | SmallVector<MallocOverflowCheck, 2> PossibleMallocOverflows; |
303 | |
304 | for (CFG::iterator it = cfg->begin(), ei = cfg->end(); it != ei; ++it) { |
305 | CFGBlock *block = *it; |
306 | for (CFGBlock::iterator bi = block->begin(), be = block->end(); |
307 | bi != be; ++bi) { |
308 | if (std::optional<CFGStmt> CS = bi->getAs<CFGStmt>()) { |
309 | if (const CallExpr *TheCall = dyn_cast<CallExpr>(Val: CS->getStmt())) { |
310 | // Get the callee. |
311 | const FunctionDecl *FD = TheCall->getDirectCallee(); |
312 | |
313 | if (!FD) |
314 | continue; |
315 | |
316 | // Get the name of the callee. If it's a builtin, strip off the |
317 | // prefix. |
318 | IdentifierInfo *FnInfo = FD->getIdentifier(); |
319 | if (!FnInfo) |
320 | continue; |
321 | |
322 | if (FnInfo->isStr(Str: "malloc" ) || FnInfo->isStr(Str: "_MALLOC" )) { |
323 | if (TheCall->getNumArgs() == 1) |
324 | CheckMallocArgument(PossibleMallocOverflows, TheCall, |
325 | Context&: mgr.getASTContext()); |
326 | } |
327 | } |
328 | } |
329 | } |
330 | } |
331 | |
332 | OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr); |
333 | } |
334 | |
335 | void ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) { |
336 | mgr.registerChecker<MallocOverflowSecurityChecker>(); |
337 | } |
338 | |
339 | bool ento::shouldRegisterMallocOverflowSecurityChecker(const CheckerManager &mgr) { |
340 | return true; |
341 | } |
342 | |