StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp

4579bad8SArtem Dergachev// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
4579bad8SArtem Dergachev//
2946cd70SChandler Carruth// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
2946cd70SChandler Carruth// See https://llvm.org/LICENSE.txt for license information.
2946cd70SChandler Carruth// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
4579bad8SArtem Dergachev//
4579bad8SArtem Dergachev//===----------------------------------------------------------------------===//
4579bad8SArtem Dergachev//
4579bad8SArtem Dergachev// This checker tests the 3rd argument of mmap's calls to check if
4579bad8SArtem Dergachev// it is writable and executable in the same time. It's somehow
4579bad8SArtem Dergachev// an optional checker since for example in JIT libraries it is pretty common.
4579bad8SArtem Dergachev//
4579bad8SArtem Dergachev//===----------------------------------------------------------------------===//
4579bad8SArtem Dergachev
76a21502SKristof Umann#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
4579bad8SArtem Dergachev
4579bad8SArtem Dergachev#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
4579bad8SArtem Dergachev#include "clang/StaticAnalyzer/Core/Checker.h"
4579bad8SArtem Dergachev#include "clang/StaticAnalyzer/Core/CheckerManager.h"
0b9d3a6eSBalazs Benics#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
4579bad8SArtem Dergachev#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
4579bad8SArtem Dergachev#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
4579bad8SArtem Dergachev
4579bad8SArtem Dergachevusing namespace clang;
4579bad8SArtem Dergachevusing namespace ento;
4579bad8SArtem Dergachev
4579bad8SArtem Dergachevnamespace {
4579bad8SArtem Dergachevclass MmapWriteExecChecker : public Checker<check::PreCall> {
4579bad8SArtem Dergachev  CallDescription MmapFn;
ce5f2d3dSArtem Dergachev  CallDescription MprotectFn;
4579bad8SArtem Dergachev  static int ProtWrite;
4579bad8SArtem Dergachev  static int ProtExec;
4579bad8SArtem Dergachev  static int ProtRead;
4579bad8SArtem Dergachev  mutable std::unique_ptr<BugType> BT;
4579bad8SArtem Dergachevpublic:
ce5f2d3dSArtem Dergachev  MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {}
4579bad8SArtem Dergachev  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
4579bad8SArtem Dergachev  int ProtExecOv;
4579bad8SArtem Dergachev  int ProtReadOv;
4579bad8SArtem Dergachev};
4579bad8SArtem Dergachev}
4579bad8SArtem Dergachev
4579bad8SArtem Dergachevint MmapWriteExecChecker::ProtWrite = 0x02;
4579bad8SArtem Dergachevint MmapWriteExecChecker::ProtExec  = 0x04;
4579bad8SArtem Dergachevint MmapWriteExecChecker::ProtRead  = 0x01;
4579bad8SArtem Dergachev
4579bad8SArtem Dergachevvoid MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
4579bad8SArtem Dergachev                                         CheckerContext &C) const {
f18da190SBalazs Benics  if (matchesAny(Call, MmapFn, MprotectFn)) {
4579bad8SArtem Dergachev    SVal ProtVal = Call.getArgSVal(2);
*96ccb690SBalazs Benics    auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
*96ccb690SBalazs Benics    int64_t Prot = ProtLoc.getValue().getSExtValue();
4579bad8SArtem Dergachev    if (ProtExecOv != ProtExec)
4579bad8SArtem Dergachev      ProtExec = ProtExecOv;
4579bad8SArtem Dergachev    if (ProtReadOv != ProtRead)
4579bad8SArtem Dergachev      ProtRead = ProtReadOv;
4579bad8SArtem Dergachev
4579bad8SArtem Dergachev    // Wrong settings
4579bad8SArtem Dergachev    if (ProtRead == ProtExec)
4579bad8SArtem Dergachev      return;
4579bad8SArtem Dergachev
4579bad8SArtem Dergachev    if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
4579bad8SArtem Dergachev      if (!BT)
4579bad8SArtem Dergachev        BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
4579bad8SArtem Dergachev
4579bad8SArtem Dergachev      ExplodedNode *N = C.generateNonFatalErrorNode();
4579bad8SArtem Dergachev      if (!N)
4579bad8SArtem Dergachev        return;
4579bad8SArtem Dergachev
2f169e7cSArtem Dergachev      auto Report = std::make_unique<PathSensitiveBugReport>(
4579bad8SArtem Dergachev          *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
4579bad8SArtem Dergachev               "lead to exploitable memory regions, which could be overwritten "
4579bad8SArtem Dergachev               "with malicious code", N);
4579bad8SArtem Dergachev      Report->addRange(Call.getArgSourceRange(2));
4579bad8SArtem Dergachev      C.emitReport(std::move(Report));
4579bad8SArtem Dergachev    }
4579bad8SArtem Dergachev  }
4579bad8SArtem Dergachev}
4579bad8SArtem Dergachev
4579bad8SArtem Dergachevvoid ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
4579bad8SArtem Dergachev  MmapWriteExecChecker *Mwec =
4579bad8SArtem Dergachev      mgr.registerChecker<MmapWriteExecChecker>();
4579bad8SArtem Dergachev  Mwec->ProtExecOv =
0a1f91c8SKristof Umann    mgr.getAnalyzerOptions()
83cc1b35SKristof Umann      .getCheckerIntegerOption(Mwec, "MmapProtExec");
4579bad8SArtem Dergachev  Mwec->ProtReadOv =
0a1f91c8SKristof Umann    mgr.getAnalyzerOptions()
83cc1b35SKristof Umann      .getCheckerIntegerOption(Mwec, "MmapProtRead");
4579bad8SArtem Dergachev}
058a7a45SKristof Umann
bda3dd0dSKirstóf Umannbool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) {
058a7a45SKristof Umann  return true;
058a7a45SKristof Umann}