1 //== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines InvalidPtrChecker which finds usages of possibly
10 // invalidated pointer.
11 // CERT SEI Rules ENV31-C and ENV34-C
12 // For more information see:
13 // https://wiki.sei.cmu.edu/confluence/x/8tYxBQ
14 // https://wiki.sei.cmu.edu/confluence/x/5NUxBQ
15 //===----------------------------------------------------------------------===//
16
17 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19 #include "clang/StaticAnalyzer/Core/Checker.h"
20 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24
25 using namespace clang;
26 using namespace ento;
27
28 namespace {
29
30 class InvalidPtrChecker
31 : public Checker<check::Location, check::BeginFunction, check::PostCall> {
32 private:
33 // For accurate emission of NoteTags, the BugType of this checker should have
34 // a unique address.
35 BugType InvalidPtrBugType{this, "Use of invalidated pointer",
36 categories::MemoryError};
37
38 void EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const;
39
40 using HandlerFn = void (InvalidPtrChecker::*)(const CallEvent &Call,
41 CheckerContext &C) const;
42
43 // SEI CERT ENV31-C
44
45 // If set to true, consider getenv calls as invalidating operations on the
46 // environment variable buffer. This is implied in the standard, but in
47 // practice does not cause problems (in the commonly used environments).
48 bool InvalidatingGetEnv = false;
49
50 // GetEnv can be treated invalidating and non-invalidating as well.
51 const CallDescription GetEnvCall{CDM::CLibrary, {"getenv"}, 1};
52
53 const CallDescriptionMap<HandlerFn> EnvpInvalidatingFunctions = {
54 {{CDM::CLibrary, {"setenv"}, 3},
55 &InvalidPtrChecker::EnvpInvalidatingCall},
56 {{CDM::CLibrary, {"unsetenv"}, 1},
57 &InvalidPtrChecker::EnvpInvalidatingCall},
58 {{CDM::CLibrary, {"putenv"}, 1},
59 &InvalidPtrChecker::EnvpInvalidatingCall},
60 {{CDM::CLibrary, {"_putenv_s"}, 2},
61 &InvalidPtrChecker::EnvpInvalidatingCall},
62 {{CDM::CLibrary, {"_wputenv_s"}, 2},
63 &InvalidPtrChecker::EnvpInvalidatingCall},
64 };
65
66 void postPreviousReturnInvalidatingCall(const CallEvent &Call,
67 CheckerContext &C) const;
68
69 // SEI CERT ENV34-C
70 const CallDescriptionMap<HandlerFn> PreviousCallInvalidatingFunctions = {
71 {{CDM::CLibrary, {"setlocale"}, 2},
72 &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
73 {{CDM::CLibrary, {"strerror"}, 1},
74 &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
75 {{CDM::CLibrary, {"localeconv"}, 0},
76 &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
77 {{CDM::CLibrary, {"asctime"}, 1},
78 &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
79 };
80
81 // The private members of this checker corresponding to commandline options
82 // are set in this function.
83 friend void ento::registerInvalidPtrChecker(CheckerManager &);
84
85 public:
86 // Obtain the environment pointer from 'main()' (if present).
87 void checkBeginFunction(CheckerContext &C) const;
88
89 // Handle functions in EnvpInvalidatingFunctions, that invalidate environment
90 // pointer from 'main()'
91 // Handle functions in PreviousCallInvalidatingFunctions.
92 // Also, check if invalidated region is passed to a
93 // conservatively evaluated function call as an argument.
94 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
95
96 // Check if invalidated region is being dereferenced.
97 void checkLocation(SVal l, bool isLoad, const Stmt *S,
98 CheckerContext &C) const;
99
100 private:
101 const NoteTag *createEnvInvalidationNote(CheckerContext &C,
102 ProgramStateRef State,
103 StringRef FunctionName) const;
104 };
105
106 } // namespace
107
108 // Set of memory regions that were invalidated
REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions,const MemRegion *)109 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
110
111 // Stores the region of the environment pointer of 'main' (if present).
112 REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
113
114 // Stores the regions of environments returned by getenv calls.
115 REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
116
117 // Stores key-value pairs, where key is function declaration and value is
118 // pointer to memory region returned by previous call of this function
119 REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *,
120 const MemRegion *)
121
122 const NoteTag *InvalidPtrChecker::createEnvInvalidationNote(
123 CheckerContext &C, ProgramStateRef State, StringRef FunctionName) const {
124
125 const MemRegion *MainRegion = State->get<MainEnvPtrRegion>();
126 const auto GetenvRegions = State->get<GetenvEnvPtrRegions>();
127
128 return C.getNoteTag([this, MainRegion, GetenvRegions,
129 FunctionName = std::string{FunctionName}](
130 PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
131 // Only handle the BugType of this checker.
132 if (&BR.getBugType() != &InvalidPtrBugType)
133 return;
134
135 // Mark all regions that were interesting before as NOT interesting now
136 // to avoid extra notes coming from invalidation points higher up the
137 // bugpath. This ensures that only the last invalidation point is marked
138 // with a note tag.
139 llvm::SmallVector<std::string, 2> InvalidLocationNames;
140 if (BR.isInteresting(MainRegion)) {
141 BR.markNotInteresting(MainRegion);
142 InvalidLocationNames.push_back("the environment parameter of 'main'");
143 }
144 bool InterestingGetenvFound = false;
145 for (const MemRegion *MR : GetenvRegions) {
146 if (BR.isInteresting(MR)) {
147 BR.markNotInteresting(MR);
148 if (!InterestingGetenvFound) {
149 InterestingGetenvFound = true;
150 InvalidLocationNames.push_back(
151 "the environment returned by 'getenv'");
152 }
153 }
154 }
155
156 // Emit note tag message.
157 if (InvalidLocationNames.size() >= 1)
158 Out << '\'' << FunctionName << "' call may invalidate "
159 << InvalidLocationNames[0];
160 if (InvalidLocationNames.size() == 2)
161 Out << ", and " << InvalidLocationNames[1];
162 });
163 }
164
EnvpInvalidatingCall(const CallEvent & Call,CheckerContext & C) const165 void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
166 CheckerContext &C) const {
167 // This callevent invalidates all previously generated pointers to the
168 // environment.
169 ProgramStateRef State = C.getState();
170 if (const MemRegion *MainEnvPtr = State->get<MainEnvPtrRegion>())
171 State = State->add<InvalidMemoryRegions>(MainEnvPtr);
172 for (const MemRegion *EnvPtr : State->get<GetenvEnvPtrRegions>())
173 State = State->add<InvalidMemoryRegions>(EnvPtr);
174
175 StringRef FunctionName = Call.getCalleeIdentifier()->getName();
176 const NoteTag *InvalidationNote =
177 createEnvInvalidationNote(C, State, FunctionName);
178
179 C.addTransition(State, InvalidationNote);
180 }
181
postPreviousReturnInvalidatingCall(const CallEvent & Call,CheckerContext & C) const182 void InvalidPtrChecker::postPreviousReturnInvalidatingCall(
183 const CallEvent &Call, CheckerContext &C) const {
184 ProgramStateRef State = C.getState();
185
186 const NoteTag *Note = nullptr;
187 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
188 // Invalidate the region of the previously returned pointer - if there was
189 // one.
190 if (const MemRegion *const *Reg = State->get<PreviousCallResultMap>(FD)) {
191 const MemRegion *PrevReg = *Reg;
192 State = State->add<InvalidMemoryRegions>(PrevReg);
193 Note = C.getNoteTag([this, PrevReg, FD](PathSensitiveBugReport &BR,
194 llvm::raw_ostream &Out) {
195 if (!BR.isInteresting(PrevReg) || &BR.getBugType() != &InvalidPtrBugType)
196 return;
197 Out << '\'';
198 FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
199 Out << "' call may invalidate the result of the previous " << '\'';
200 FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
201 Out << '\'';
202 });
203 }
204
205 const LocationContext *LCtx = C.getLocationContext();
206 const auto *CE = cast<CallExpr>(Call.getOriginExpr());
207
208 // Function call will return a pointer to the new symbolic region.
209 DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal(
210 CE, LCtx, CE->getType(), C.blockCount());
211 State = State->BindExpr(CE, LCtx, RetVal);
212
213 const auto *SymRegOfRetVal =
214 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
215 if (!SymRegOfRetVal)
216 return;
217
218 // Remember to this region.
219 const MemRegion *MR = SymRegOfRetVal->getBaseRegion();
220 State = State->set<PreviousCallResultMap>(FD, MR);
221
222 ExplodedNode *Node = C.addTransition(State, Note);
223 const NoteTag *PreviousCallNote = C.getNoteTag(
224 [this, MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
225 if (!BR.isInteresting(MR) || &BR.getBugType() != &InvalidPtrBugType)
226 return;
227 Out << "previous function call was here";
228 });
229
230 C.addTransition(State, Node, PreviousCallNote);
231 }
232
233 // TODO: This seems really ugly. Simplify this.
findInvalidatedSymbolicBase(ProgramStateRef State,const MemRegion * Reg)234 static const MemRegion *findInvalidatedSymbolicBase(ProgramStateRef State,
235 const MemRegion *Reg) {
236 while (Reg) {
237 if (State->contains<InvalidMemoryRegions>(Reg))
238 return Reg;
239 const auto *SymBase = Reg->getSymbolicBase();
240 if (!SymBase)
241 break;
242 const auto *SRV = dyn_cast<SymbolRegionValue>(SymBase->getSymbol());
243 if (!SRV)
244 break;
245 Reg = SRV->getRegion();
246 if (const auto *VarReg = dyn_cast<VarRegion>(SRV->getRegion()))
247 Reg = VarReg;
248 }
249 return nullptr;
250 }
251
252 // Handle functions in EnvpInvalidatingFunctions, that invalidate environment
253 // pointer from 'main()' Also, check if invalidated region is passed to a
254 // function call as an argument.
checkPostCall(const CallEvent & Call,CheckerContext & C) const255 void InvalidPtrChecker::checkPostCall(const CallEvent &Call,
256 CheckerContext &C) const {
257
258 ProgramStateRef State = C.getState();
259
260 // Model 'getenv' calls
261 if (GetEnvCall.matches(Call)) {
262 const MemRegion *Region = Call.getReturnValue().getAsRegion();
263 if (Region) {
264 State = State->add<GetenvEnvPtrRegions>(Region);
265 C.addTransition(State);
266 }
267 }
268
269 // Check if function invalidates 'envp' argument of 'main'
270 if (const auto *Handler = EnvpInvalidatingFunctions.lookup(Call))
271 (this->**Handler)(Call, C);
272
273 // Check if function invalidates the result of previous call
274 if (const auto *Handler = PreviousCallInvalidatingFunctions.lookup(Call))
275 (this->**Handler)(Call, C);
276
277 // If pedantic mode is on, regard 'getenv' calls invalidating as well
278 if (InvalidatingGetEnv && GetEnvCall.matches(Call))
279 postPreviousReturnInvalidatingCall(Call, C);
280
281 // Check if one of the arguments of the function call is invalidated
282
283 // If call was inlined, don't report invalidated argument
284 if (C.wasInlined)
285 return;
286
287 for (unsigned I = 0, NumArgs = Call.getNumArgs(); I < NumArgs; ++I) {
288
289 if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(
290 Call.getArgSVal(I).getAsRegion())) {
291 if (const MemRegion *InvalidatedSymbolicBase =
292 findInvalidatedSymbolicBase(State, SR)) {
293 ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
294 if (!ErrorNode)
295 return;
296
297 SmallString<256> Msg;
298 llvm::raw_svector_ostream Out(Msg);
299 Out << "use of invalidated pointer '";
300 Call.getArgExpr(I)->printPretty(Out, /*Helper=*/nullptr,
301 C.getASTContext().getPrintingPolicy());
302 Out << "' in a function call";
303
304 auto Report = std::make_unique<PathSensitiveBugReport>(
305 InvalidPtrBugType, Out.str(), ErrorNode);
306 Report->markInteresting(InvalidatedSymbolicBase);
307 Report->addRange(Call.getArgSourceRange(I));
308 C.emitReport(std::move(Report));
309 }
310 }
311 }
312 }
313
314 // Obtain the environment pointer from 'main()', if present.
checkBeginFunction(CheckerContext & C) const315 void InvalidPtrChecker::checkBeginFunction(CheckerContext &C) const {
316 if (!C.inTopFrame())
317 return;
318
319 const auto *FD = dyn_cast<FunctionDecl>(C.getLocationContext()->getDecl());
320 if (!FD || FD->param_size() != 3 || !FD->isMain())
321 return;
322
323 ProgramStateRef State = C.getState();
324 const MemRegion *EnvpReg =
325 State->getRegion(FD->parameters()[2], C.getLocationContext());
326
327 // Save the memory region pointed by the environment pointer parameter of
328 // 'main'.
329 C.addTransition(State->set<MainEnvPtrRegion>(EnvpReg));
330 }
331
332 // Check if invalidated region is being dereferenced.
checkLocation(SVal Loc,bool isLoad,const Stmt * S,CheckerContext & C) const333 void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S,
334 CheckerContext &C) const {
335 ProgramStateRef State = C.getState();
336
337 // Ignore memory operations involving 'non-invalidated' locations.
338 const MemRegion *InvalidatedSymbolicBase =
339 findInvalidatedSymbolicBase(State, Loc.getAsRegion());
340 if (!InvalidatedSymbolicBase)
341 return;
342
343 ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
344 if (!ErrorNode)
345 return;
346
347 auto Report = std::make_unique<PathSensitiveBugReport>(
348 InvalidPtrBugType, "dereferencing an invalid pointer", ErrorNode);
349 Report->markInteresting(InvalidatedSymbolicBase);
350 C.emitReport(std::move(Report));
351 }
352
registerInvalidPtrChecker(CheckerManager & Mgr)353 void ento::registerInvalidPtrChecker(CheckerManager &Mgr) {
354 auto *Checker = Mgr.registerChecker<InvalidPtrChecker>();
355 Checker->InvalidatingGetEnv =
356 Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker,
357 "InvalidatingGetEnv");
358 }
359
shouldRegisterInvalidPtrChecker(const CheckerManager &)360 bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) {
361 return true;
362 }
363