MmapWriteExecChecker.cpp source code [clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp]

1	// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This checker tests the 3rd argument of mmap's calls to check if
10	// it is writable and executable in the same time. It's somehow
11	// an optional checker since for example in JIT libraries it is pretty common.
12	//
13	//===----------------------------------------------------------------------===//
14
15	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16
17	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18	#include "clang/StaticAnalyzer/Core/Checker.h"
19	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20	#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
21	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
24
25	using namespace clang;
26	using namespace ento;
27
28	namespace {
29	class MmapWriteExecChecker
30	: public Checker<check::ASTDecl<TranslationUnitDecl>, check::PreCall> {
31	CallDescription MmapFn{CDM::CLibrary, {"mmap"}, `6`};
32	CallDescription MprotectFn{CDM::CLibrary, {"mprotect"}, `3`};
33	const BugType BT{this, "W^X check fails, Write Exec prot flags set",
34	"Security"};
35
36	// Default values are used if definition of the flags is not found.
37	mutable int ProtRead = `0x01`;
38	mutable int ProtWrite = `0x02`;
39	mutable int ProtExec = `0x04`;
40
41	public:
42	void checkASTDecl(const TranslationUnitDecl *TU, AnalysisManager &Mgr,
43	BugReporter &BR) const;
44	void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
45	};
46	}
47
48	void MmapWriteExecChecker::checkASTDecl(const TranslationUnitDecl *TU,
49	AnalysisManager &Mgr,
50	BugReporter &BR) const {
51	Preprocessor &PP = Mgr.getPreprocessor();
52	const std::optional<int> FoundProtRead = tryExpandAsInteger(Macro: "PROT_READ", PP);
53	const std::optional<int> FoundProtWrite =
54	tryExpandAsInteger(Macro: "PROT_WRITE", PP);
55	const std::optional<int> FoundProtExec = tryExpandAsInteger(Macro: "PROT_EXEC", PP);
56	if (FoundProtRead && FoundProtWrite && FoundProtExec) {
57	ProtRead = *FoundProtRead;
58	ProtWrite = *FoundProtWrite;
59	ProtExec = *FoundProtExec;
60	}
61	}
62
63	void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
64	CheckerContext &C) const {
65	if (matchesAny(Call, CD1: MmapFn, CDs: MprotectFn)) {
66	SVal ProtVal = Call.getArgSVal(Index: `2`);
67	auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
68	if (!ProtLoc)
69	return;
70	int64_t Prot = ProtLoc ->getValue()->getSExtValue();
71
72	if ((Prot & ProtWrite) && (Prot & ProtExec)) {
73	ExplodedNode *N = C.generateNonFatalErrorNode();
74	if (!N)
75	return;
76
77	auto Report = std::make_unique<PathSensitiveBugReport>(
78	args: BT,
79	args: "Both PROT_WRITE and PROT_EXEC flags are set. This can "
80	"lead to exploitable memory regions, which could be overwritten "
81	"with malicious code",
82	args&: N);
83	Report ->addRange(R: Call.getArgSourceRange(Index: `2`));
84	C.emitReport(R: std::move(Report));
85	}
86	}
87	}
88
89	void ento::registerMmapWriteExecChecker(CheckerManager &Mgr) {
90	Mgr.registerChecker<MmapWriteExecChecker>();
91	}
92
93	bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &) {
94	return true;
95	}
96

source code of clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp