//=== CastToStructChecker.cpp ----------------------------------*- C++ -*--===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines CastToStructChecker, a builtin checker that checks for
// casts from a non-struct pointer to a struct pointer and for widening struct
// data casts. This check corresponds to CWE-588.
//
//===----------------------------------------------------------------------===//
140b57cec5SDimitry Andric 
150b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
160b57cec5SDimitry Andric #include "clang/AST/RecursiveASTVisitor.h"
170b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h"
200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
210b57cec5SDimitry Andric 
220b57cec5SDimitry Andric using namespace clang;
230b57cec5SDimitry Andric using namespace ento;
240b57cec5SDimitry Andric 
namespace {
/// AST walker that inspects every cast expression inside one function body
/// and reports casts to a struct pointer whose source is either a non-struct
/// pointee or the address of a smaller struct object (see VisitCastExpr).
class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
  BugReporter &BR;            // sink for the emitted reports
  const CheckerBase *Checker; // checker the reports are attributed to
  AnalysisDeclContext *AC;    // context of the body being traversed

public:
  /// \param Reporter receives the reports emitted while visiting.
  /// \param Owner    the checker that owns this visitor (report attribution).
  /// \param DeclCtx  analysis context of the function body being traversed.
  explicit CastToStructVisitor(BugReporter &Reporter, const CheckerBase *Owner,
                               AnalysisDeclContext *DeclCtx)
      : BR(Reporter), Checker(Owner), AC(DeclCtx) {}

  /// Invoked by RecursiveASTVisitor for each CastExpr. Always returns true so
  /// that traversal of the enclosing body continues.
  bool VisitCastExpr(const CastExpr *CE);
};
} // end anonymous namespace
380b57cec5SDimitry Andric 
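/// Examines one cast and emits a report for the two CWE-588 patterns:
///   1. a pointer to a non-record type is cast to a struct/class pointer;
///   2. the address of a concrete struct object is cast to a pointer to a
///      larger struct (a widening cast).
/// Casts from void* are deliberately accepted. Returns true unconditionally
/// so the traversal keeps going.
bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
  const Expr *E = CE->getSubExpr();
  ASTContext &Ctx = AC->getASTContext();
  const QualType OrigTy = Ctx.getCanonicalType(E->getType());
  const QualType ToTy = Ctx.getCanonicalType(CE->getType());

  // Both sides must be pointers; anything else is not a pointer reinterpret.
  const auto *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
  const auto *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
  if (!ToPTy || !OrigPTy)
    return true;

  const QualType OrigPointeeTy = OrigPTy->getPointeeType();
  const QualType ToPointeeTy = ToPTy->getPointeeType();

  // Only casts whose destination is a struct/class pointer are of interest.
  if (!ToPointeeTy->isStructureOrClassType())
    return true;

  // We allow cast from void*: giving untyped storage a struct type is the
  // normal idiom and cannot be judged from the cast alone.
  if (OrigPointeeTy->isVoidType())
    return true;

  // Now the cast-to-type is struct pointer, the original type is not void*.
  if (!OrigPointeeTy->isRecordType()) {
    // Pattern 1: non-record pointee reinterpreted as a struct. The source
    // range is passed directly, matching the widening report below.
    const PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
    BR.EmitBasicReport(
        AC->getDecl(), Checker, "Cast from non-struct type to struct type",
        categories::LogicError,
        "Casting a non-structure type to a structure "
        "type and accessing a field can lead to memory "
        "access errors or data corruption.",
        Loc, CE->getSourceRange());
    return true;
  }

  // Pattern 2: record-to-record cast. Don't warn when size of data is
  // unknown: only the address of a named object (&x or &s.m) tells us how
  // large the underlying storage really is.
  const auto *U = dyn_cast<UnaryOperator>(E);
  if (!U || U->getOpcode() != UO_AddrOf)
    return true;

  // Don't warn for references: the declared type is a reference, not the
  // storage of the object it is bound to.
  const ValueDecl *VD = nullptr;
  if (const auto *DRE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
    VD = DRE->getDecl();
  else if (const auto *ME = dyn_cast<MemberExpr>(U->getSubExpr()))
    VD = ME->getMemberDecl();
  if (!VD || VD->getType()->isReferenceType())
    return true;

  // Size queries below need complete types on both sides.
  if (ToPointeeTy->isIncompleteType() || OrigPointeeTy->isIncompleteType())
    return true;

  // Warn when there is widening cast. Widths are in bits; keep the full
  // uint64_t returned by ASTContext rather than narrowing to `unsigned`, so
  // very large types cannot be misordered by truncation.
  const auto ToWidth = Ctx.getTypeSize(ToPointeeTy);
  const auto OrigWidth = Ctx.getTypeSize(OrigPointeeTy);
  if (ToWidth <= OrigWidth)
    return true;

  const PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
                     categories::LogicError,
                     "Casting data to a larger structure type and accessing "
                     "a field can lead to memory access errors or data "
                     "corruption.",
                     Loc, CE->getSourceRange());
  return true;
}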
1070b57cec5SDimitry Andric 
namespace {
/// Checker entry point: implements the check::ASTCodeBody callback by running
/// CastToStructVisitor over each function body the analyzer hands it.
class CastToStructChecker : public Checker<check::ASTCodeBody> {
public:
  /// Walks the body of \p D and reports suspicious casts through \p BR.
  void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
                        BugReporter &BR) const {
    AnalysisDeclContext *const DeclCtx = Mgr.getAnalysisDeclContext(D);
    CastToStructVisitor Walker(BR, this, DeclCtx);
    // TraverseDecl wants a mutable Decl; the visitor only reads the AST
    // (VisitCastExpr takes a const CastExpr).
    Walker.TraverseDecl(const_cast<Decl *>(D));
  }
};
} // end anonymous namespace
1180b57cec5SDimitry Andric 
/// Registers CastToStructChecker with the analyzer's checker manager.
/// \param mgr the manager that instantiates and owns the checker.
void ento::registerCastToStructChecker(CheckerManager &mgr) {
  mgr.registerChecker<CastToStructChecker>();
}
1220b57cec5SDimitry Andric 
/// The checker has no language or option preconditions, so it is always
/// eligible for registration; \p mgr is unused.
bool ento::shouldRegisterCastToStructChecker(const CheckerManager &mgr) {
  return true;
}