1 // MallocOverflowSecurityChecker.cpp - Check for malloc overflows -*- C++ -*-=//
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // This checker detects a common memory allocation security flaw.
12 // say MAX_UINT/4+2, then instead of allocating the correct 'n' 4-byte
18 //===----------------------------------------------------------------------===//
75    of the result, or anything too complicated :-).  */  in CheckMallocArgument()
76   const Expr *e = TheCall->getArg(0);  in CheckMallocArgument()
82     e = e->IgnoreParenImpCasts();  in CheckMallocArgument()
84       BinaryOperatorKind opc = binop->getOpcode();  in CheckMallocArgument()
91       const Expr *lhs = binop->getLHS();  in CheckMallocArgument()
92       const Expr *rhs = binop->getRHS();  in CheckMallocArgument()
93       if (rhs->isEvaluatable(Context)) {  in CheckMallocArgument()
95         maxVal = rhs->EvaluateKnownConstInt(Context);  in CheckMallocArgument()
99                  lhs->isEvaluatable(Context)) {  in CheckMallocArgument()
100         maxVal = lhs->EvaluateKnownConstInt(Context);  in CheckMallocArgument()
135       if (!E->getType()->isIntegralOrEnumerationType())  in isIntZeroExpr()
138       if (E->EvaluateAsInt(Result, Context))  in isIntZeroExpr()
143     static const Decl *getDecl(const DeclRefExpr *DR) { return DR->getDecl(); }  in getDecl()
145       return ME->getMemberDecl();  in getDecl()
151       auto P = [DR, Pred](const MallocOverflowCheck &Check) {  in Erase()
152         if (const auto *CheckDR = dyn_cast<T1>(Check.variable))  in Erase()
160       const Expr *E = E_p->IgnoreParenImpCasts();  in CheckExpr()
161       const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) {  in CheckExpr()
163             E->getExprLoc(), c.call->getExprLoc());  in CheckExpr()
167       else if (const auto *ME = dyn_cast<MemberExpr>(E)) {  in CheckExpr()
184       const Expr *rhs = AssignEx->getRHS();  in CheckAssignmentExpr()
185       if (rhs->isEvaluatable(Context))  in CheckAssignmentExpr()
191       const Expr *rhse = rhs->IgnoreParenImpCasts();  in CheckAssignmentExpr()
193         if (BOp->getOpcode() == BO_Div) {  in CheckAssignmentExpr()
194           const Expr *denom = BOp->getRHS()->IgnoreParenImpCasts();  in CheckAssignmentExpr()
196           if (denom->EvaluateAsInt(Result, Context)) {  in CheckAssignmentExpr()
200           const Expr *numerator = BOp->getLHS()->IgnoreParenImpCasts();  in CheckAssignmentExpr()
201           if (numerator->isEvaluatable(Context))  in CheckAssignmentExpr()
207       auto denomExtVal = denomVal.getExtValue();  in CheckAssignmentExpr()
213       const Expr *lhs = AssignEx->getLHS();  in CheckAssignmentExpr()
214       const Expr *E = lhs->IgnoreParenImpCasts();  in CheckAssignmentExpr()
216       auto pred = [assignKnown, numeratorKnown,  in CheckAssignmentExpr()
224       else if (const auto *ME = dyn_cast<MemberExpr>(E))  in CheckAssignmentExpr()
230       if (E->isComparisonOp()) {  in VisitBinaryOperator()
231         const Expr * lhs = E->getLHS();  in VisitBinaryOperator()
232         const Expr * rhs = E->getRHS();  in VisitBinaryOperator()
240       if (E->isAssignmentOp())  in VisitBinaryOperator()
248       return this->Visit(S->getBody());  in VisitWhileStmt()
251       return this->Visit(S->getBody());  in VisitForStmt()
254       return this->Visit(S->getBody());  in VisitDoStmt()
264 // OutputPossibleOverflows - We've found a possible overflow earlier,
267 // This doesn't do flow analysis, range analysis, or points-to analysis; it's
280   c.Visit(mgr.getAnalysisDeclContext(D)->getBody());  in OutputPossibleOverflows()
289         Check.mulop->getSourceRange());  in OutputPossibleOverflows()
304   for (CFG::iterator it = cfg->begin(), ei = cfg->end(); it != ei; ++it) {  in checkASTCodeBody()
306     for (CFGBlock::iterator bi = block->begin(), be = block->end();  in checkASTCodeBody()
308         if (std::optional<CFGStmt> CS = bi->getAs<CFGStmt>()) {  in checkASTCodeBody()
309           if (const CallExpr *TheCall = dyn_cast<CallExpr>(CS->getStmt())) {  in checkASTCodeBody()
311             const FunctionDecl *FD = TheCall->getDirectCallee();  in checkASTCodeBody()
318             IdentifierInfo *FnInfo = FD->getIdentifier();  in checkASTCodeBody()
322             if (FnInfo->isStr("malloc") || FnInfo->isStr("_MALLOC")) {  in checkASTCodeBody()
323               if (TheCall->getNumArgs() == 1)  in checkASTCodeBody()