10b57cec5SDimitry Andric // MallocOverflowSecurityChecker.cpp - Check for malloc overflows -*- C++ -*-=// 20b57cec5SDimitry Andric // 30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information. 50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 60b57cec5SDimitry Andric // 70b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 80b57cec5SDimitry Andric // 90b57cec5SDimitry Andric // This checker detects a common memory allocation security flaw. 100b57cec5SDimitry Andric // Suppose 'unsigned int n' comes from an untrusted source. If the 110b57cec5SDimitry Andric // code looks like 'malloc (n * 4)', and an attacker can make 'n' be 120b57cec5SDimitry Andric // say MAX_UINT/4+2, then instead of allocating the correct 'n' 4-byte 130b57cec5SDimitry Andric // elements, this will actually allocate only two because of overflow. 140b57cec5SDimitry Andric // Then when the rest of the program attempts to store values past the 150b57cec5SDimitry Andric // second element, these values will actually overwrite other items in 160b57cec5SDimitry Andric // the heap, probably allowing the attacker to execute arbitrary code. 170b57cec5SDimitry Andric // 180b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 190b57cec5SDimitry Andric 200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 210b57cec5SDimitry Andric #include "clang/AST/EvaluatedExprVisitor.h" 220b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 230b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h" 240b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 250b57cec5SDimitry Andric #include "llvm/ADT/APSInt.h" 260b57cec5SDimitry Andric #include "llvm/ADT/SmallVector.h" 270b57cec5SDimitry Andric #include <utility> 280b57cec5SDimitry Andric 290b57cec5SDimitry Andric using namespace clang; 300b57cec5SDimitry Andric using namespace ento; 310b57cec5SDimitry Andric using llvm::APSInt; 320b57cec5SDimitry Andric 330b57cec5SDimitry Andric namespace { 340b57cec5SDimitry Andric struct MallocOverflowCheck { 35*349cc55cSDimitry Andric const CallExpr *call; 360b57cec5SDimitry Andric const BinaryOperator *mulop; 370b57cec5SDimitry Andric const Expr *variable; 380b57cec5SDimitry Andric APSInt maxVal; 390b57cec5SDimitry Andric 40*349cc55cSDimitry Andric MallocOverflowCheck(const CallExpr *call, const BinaryOperator *m, 41*349cc55cSDimitry Andric const Expr *v, APSInt val) 42*349cc55cSDimitry Andric : call(call), mulop(m), variable(v), maxVal(std::move(val)) {} 430b57cec5SDimitry Andric }; 440b57cec5SDimitry Andric 450b57cec5SDimitry Andric class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> { 460b57cec5SDimitry Andric public: 470b57cec5SDimitry Andric void checkASTCodeBody(const Decl *D, AnalysisManager &mgr, 480b57cec5SDimitry Andric BugReporter &BR) const; 490b57cec5SDimitry Andric 500b57cec5SDimitry Andric void CheckMallocArgument( 510b57cec5SDimitry Andric SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 52*349cc55cSDimitry Andric const CallExpr *TheCall, ASTContext &Context) const; 530b57cec5SDimitry Andric 540b57cec5SDimitry Andric void OutputPossibleOverflows( 550b57cec5SDimitry Andric SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 560b57cec5SDimitry Andric const Decl *D, BugReporter &BR, AnalysisManager &mgr) const; 570b57cec5SDimitry Andric 580b57cec5SDimitry Andric }; 590b57cec5SDimitry Andric } // end anonymous namespace 600b57cec5SDimitry Andric 610b57cec5SDimitry Andric // Return true for computations which evaluate to zero: e.g., mult by 0. 620b57cec5SDimitry Andric static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) { 630b57cec5SDimitry Andric return (op == BO_Mul) && (Val == 0); 640b57cec5SDimitry Andric } 650b57cec5SDimitry Andric 660b57cec5SDimitry Andric void MallocOverflowSecurityChecker::CheckMallocArgument( 670b57cec5SDimitry Andric SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 68*349cc55cSDimitry Andric const CallExpr *TheCall, ASTContext &Context) const { 690b57cec5SDimitry Andric 700b57cec5SDimitry Andric /* Look for a linear combination with a single variable, and at least 710b57cec5SDimitry Andric one multiplication. 720b57cec5SDimitry Andric Reject anything that applies to the variable: an explicit cast, 730b57cec5SDimitry Andric conditional expression, an operation that could reduce the range 740b57cec5SDimitry Andric of the result, or anything too complicated :-). */ 75*349cc55cSDimitry Andric const Expr *e = TheCall->getArg(0); 760b57cec5SDimitry Andric const BinaryOperator * mulop = nullptr; 770b57cec5SDimitry Andric APSInt maxVal; 780b57cec5SDimitry Andric 790b57cec5SDimitry Andric for (;;) { 800b57cec5SDimitry Andric maxVal = 0; 810b57cec5SDimitry Andric e = e->IgnoreParenImpCasts(); 820b57cec5SDimitry Andric if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) { 830b57cec5SDimitry Andric BinaryOperatorKind opc = binop->getOpcode(); 840b57cec5SDimitry Andric // TODO: ignore multiplications by 1, reject if multiplied by 0. 850b57cec5SDimitry Andric if (mulop == nullptr && opc == BO_Mul) 860b57cec5SDimitry Andric mulop = binop; 870b57cec5SDimitry Andric if (opc != BO_Mul && opc != BO_Add && opc != BO_Sub && opc != BO_Shl) 880b57cec5SDimitry Andric return; 890b57cec5SDimitry Andric 900b57cec5SDimitry Andric const Expr *lhs = binop->getLHS(); 910b57cec5SDimitry Andric const Expr *rhs = binop->getRHS(); 920b57cec5SDimitry Andric if (rhs->isEvaluatable(Context)) { 930b57cec5SDimitry Andric e = lhs; 940b57cec5SDimitry Andric maxVal = rhs->EvaluateKnownConstInt(Context); 950b57cec5SDimitry Andric if (EvaluatesToZero(maxVal, opc)) 960b57cec5SDimitry Andric return; 970b57cec5SDimitry Andric } else if ((opc == BO_Add || opc == BO_Mul) && 980b57cec5SDimitry Andric lhs->isEvaluatable(Context)) { 990b57cec5SDimitry Andric maxVal = lhs->EvaluateKnownConstInt(Context); 1000b57cec5SDimitry Andric if (EvaluatesToZero(maxVal, opc)) 1010b57cec5SDimitry Andric return; 1020b57cec5SDimitry Andric e = rhs; 1030b57cec5SDimitry Andric } else 1040b57cec5SDimitry Andric return; 105*349cc55cSDimitry Andric } else if (isa<DeclRefExpr, MemberExpr>(e)) 1060b57cec5SDimitry Andric break; 1070b57cec5SDimitry Andric else 1080b57cec5SDimitry Andric return; 1090b57cec5SDimitry Andric } 1100b57cec5SDimitry Andric 1110b57cec5SDimitry Andric if (mulop == nullptr) 1120b57cec5SDimitry Andric return; 1130b57cec5SDimitry Andric 1140b57cec5SDimitry Andric // We've found the right structure of malloc argument, now save 1150b57cec5SDimitry Andric // the data so when the body of the function is completely available 1160b57cec5SDimitry Andric // we can check for comparisons. 1170b57cec5SDimitry Andric 118*349cc55cSDimitry Andric PossibleMallocOverflows.push_back( 119*349cc55cSDimitry Andric MallocOverflowCheck(TheCall, mulop, e, maxVal)); 1200b57cec5SDimitry Andric } 1210b57cec5SDimitry Andric 1220b57cec5SDimitry Andric namespace { 1230b57cec5SDimitry Andric // A worker class for OutputPossibleOverflows. 1240b57cec5SDimitry Andric class CheckOverflowOps : 1250b57cec5SDimitry Andric public EvaluatedExprVisitor<CheckOverflowOps> { 1260b57cec5SDimitry Andric public: 1270b57cec5SDimitry Andric typedef SmallVectorImpl<MallocOverflowCheck> theVecType; 1280b57cec5SDimitry Andric 1290b57cec5SDimitry Andric private: 1300b57cec5SDimitry Andric theVecType &toScanFor; 1310b57cec5SDimitry Andric ASTContext &Context; 1320b57cec5SDimitry Andric 1330b57cec5SDimitry Andric bool isIntZeroExpr(const Expr *E) const { 1340b57cec5SDimitry Andric if (!E->getType()->isIntegralOrEnumerationType()) 1350b57cec5SDimitry Andric return false; 1360b57cec5SDimitry Andric Expr::EvalResult Result; 1370b57cec5SDimitry Andric if (E->EvaluateAsInt(Result, Context)) 1380b57cec5SDimitry Andric return Result.Val.getInt() == 0; 1390b57cec5SDimitry Andric return false; 1400b57cec5SDimitry Andric } 1410b57cec5SDimitry Andric 1420b57cec5SDimitry Andric static const Decl *getDecl(const DeclRefExpr *DR) { return DR->getDecl(); } 1430b57cec5SDimitry Andric static const Decl *getDecl(const MemberExpr *ME) { 1440b57cec5SDimitry Andric return ME->getMemberDecl(); 1450b57cec5SDimitry Andric } 1460b57cec5SDimitry Andric 1470b57cec5SDimitry Andric template <typename T1> 1480b57cec5SDimitry Andric void Erase(const T1 *DR, 1490b57cec5SDimitry Andric llvm::function_ref<bool(const MallocOverflowCheck &)> Pred) { 1500b57cec5SDimitry Andric auto P = [DR, Pred](const MallocOverflowCheck &Check) { 1510b57cec5SDimitry Andric if (const auto *CheckDR = dyn_cast<T1>(Check.variable)) 1520b57cec5SDimitry Andric return getDecl(CheckDR) == getDecl(DR) && Pred(Check); 1530b57cec5SDimitry Andric return false; 1540b57cec5SDimitry Andric }; 155*349cc55cSDimitry Andric llvm::erase_if(toScanFor, P); 1560b57cec5SDimitry Andric } 1570b57cec5SDimitry Andric 1580b57cec5SDimitry Andric void CheckExpr(const Expr *E_p) { 1590b57cec5SDimitry Andric const Expr *E = E_p->IgnoreParenImpCasts(); 160*349cc55cSDimitry Andric const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) { 161*349cc55cSDimitry Andric return Context.getSourceManager().isBeforeInTranslationUnit( 162*349cc55cSDimitry Andric E->getExprLoc(), c.call->getExprLoc()); 163*349cc55cSDimitry Andric }; 1640b57cec5SDimitry Andric if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) 165*349cc55cSDimitry Andric Erase<DeclRefExpr>(DR, PrecedesMalloc); 1660b57cec5SDimitry Andric else if (const auto *ME = dyn_cast<MemberExpr>(E)) { 167*349cc55cSDimitry Andric Erase<MemberExpr>(ME, PrecedesMalloc); 1680b57cec5SDimitry Andric } 1690b57cec5SDimitry Andric } 1700b57cec5SDimitry Andric 1710b57cec5SDimitry Andric // Check if the argument to malloc is assigned a value 1720b57cec5SDimitry Andric // which cannot cause an overflow. 1730b57cec5SDimitry Andric // e.g., malloc (mul * x) and, 1740b57cec5SDimitry Andric // case 1: mul = <constant value> 1750b57cec5SDimitry Andric // case 2: mul = a/b, where b > x 1760b57cec5SDimitry Andric void CheckAssignmentExpr(BinaryOperator *AssignEx) { 1770b57cec5SDimitry Andric bool assignKnown = false; 1780b57cec5SDimitry Andric bool numeratorKnown = false, denomKnown = false; 1790b57cec5SDimitry Andric APSInt denomVal; 1800b57cec5SDimitry Andric denomVal = 0; 1810b57cec5SDimitry Andric 1820b57cec5SDimitry Andric // Erase if the multiplicand was assigned a constant value. 1830b57cec5SDimitry Andric const Expr *rhs = AssignEx->getRHS(); 1840b57cec5SDimitry Andric if (rhs->isEvaluatable(Context)) 1850b57cec5SDimitry Andric assignKnown = true; 1860b57cec5SDimitry Andric 1870b57cec5SDimitry Andric // Discard the report if the multiplicand was assigned a value, 1880b57cec5SDimitry Andric // that can never overflow after multiplication. e.g., the assignment 1890b57cec5SDimitry Andric // is a division operator and the denominator is > other multiplicand. 1900b57cec5SDimitry Andric const Expr *rhse = rhs->IgnoreParenImpCasts(); 1910b57cec5SDimitry Andric if (const BinaryOperator *BOp = dyn_cast<BinaryOperator>(rhse)) { 1920b57cec5SDimitry Andric if (BOp->getOpcode() == BO_Div) { 1930b57cec5SDimitry Andric const Expr *denom = BOp->getRHS()->IgnoreParenImpCasts(); 1940b57cec5SDimitry Andric Expr::EvalResult Result; 1950b57cec5SDimitry Andric if (denom->EvaluateAsInt(Result, Context)) { 1960b57cec5SDimitry Andric denomVal = Result.Val.getInt(); 1970b57cec5SDimitry Andric denomKnown = true; 1980b57cec5SDimitry Andric } 1990b57cec5SDimitry Andric const Expr *numerator = BOp->getLHS()->IgnoreParenImpCasts(); 2000b57cec5SDimitry Andric if (numerator->isEvaluatable(Context)) 2010b57cec5SDimitry Andric numeratorKnown = true; 2020b57cec5SDimitry Andric } 2030b57cec5SDimitry Andric } 2040b57cec5SDimitry Andric if (!assignKnown && !denomKnown) 2050b57cec5SDimitry Andric return; 2060b57cec5SDimitry Andric auto denomExtVal = denomVal.getExtValue(); 2070b57cec5SDimitry Andric 2080b57cec5SDimitry Andric // Ignore negative denominator. 2090b57cec5SDimitry Andric if (denomExtVal < 0) 2100b57cec5SDimitry Andric return; 2110b57cec5SDimitry Andric 2120b57cec5SDimitry Andric const Expr *lhs = AssignEx->getLHS(); 2130b57cec5SDimitry Andric const Expr *E = lhs->IgnoreParenImpCasts(); 2140b57cec5SDimitry Andric 2150b57cec5SDimitry Andric auto pred = [assignKnown, numeratorKnown, 2160b57cec5SDimitry Andric denomExtVal](const MallocOverflowCheck &Check) { 2170b57cec5SDimitry Andric return assignKnown || 2180b57cec5SDimitry Andric (numeratorKnown && (denomExtVal >= Check.maxVal.getExtValue())); 2190b57cec5SDimitry Andric }; 2200b57cec5SDimitry Andric 2210b57cec5SDimitry Andric if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) 2220b57cec5SDimitry Andric Erase<DeclRefExpr>(DR, pred); 2230b57cec5SDimitry Andric else if (const auto *ME = dyn_cast<MemberExpr>(E)) 2240b57cec5SDimitry Andric Erase<MemberExpr>(ME, pred); 2250b57cec5SDimitry Andric } 2260b57cec5SDimitry Andric 2270b57cec5SDimitry Andric public: 2280b57cec5SDimitry Andric void VisitBinaryOperator(BinaryOperator *E) { 2290b57cec5SDimitry Andric if (E->isComparisonOp()) { 2300b57cec5SDimitry Andric const Expr * lhs = E->getLHS(); 2310b57cec5SDimitry Andric const Expr * rhs = E->getRHS(); 2320b57cec5SDimitry Andric // Ignore comparisons against zero, since they generally don't 2330b57cec5SDimitry Andric // protect against an overflow. 2340b57cec5SDimitry Andric if (!isIntZeroExpr(lhs) && !isIntZeroExpr(rhs)) { 2350b57cec5SDimitry Andric CheckExpr(lhs); 2360b57cec5SDimitry Andric CheckExpr(rhs); 2370b57cec5SDimitry Andric } 2380b57cec5SDimitry Andric } 2390b57cec5SDimitry Andric if (E->isAssignmentOp()) 2400b57cec5SDimitry Andric CheckAssignmentExpr(E); 2410b57cec5SDimitry Andric EvaluatedExprVisitor<CheckOverflowOps>::VisitBinaryOperator(E); 2420b57cec5SDimitry Andric } 2430b57cec5SDimitry Andric 2440b57cec5SDimitry Andric /* We specifically ignore loop conditions, because they're typically 2450b57cec5SDimitry Andric not error checks. */ 2460b57cec5SDimitry Andric void VisitWhileStmt(WhileStmt *S) { 2470b57cec5SDimitry Andric return this->Visit(S->getBody()); 2480b57cec5SDimitry Andric } 2490b57cec5SDimitry Andric void VisitForStmt(ForStmt *S) { 2500b57cec5SDimitry Andric return this->Visit(S->getBody()); 2510b57cec5SDimitry Andric } 2520b57cec5SDimitry Andric void VisitDoStmt(DoStmt *S) { 2530b57cec5SDimitry Andric return this->Visit(S->getBody()); 2540b57cec5SDimitry Andric } 2550b57cec5SDimitry Andric 2560b57cec5SDimitry Andric CheckOverflowOps(theVecType &v, ASTContext &ctx) 2570b57cec5SDimitry Andric : EvaluatedExprVisitor<CheckOverflowOps>(ctx), 2580b57cec5SDimitry Andric toScanFor(v), Context(ctx) 2590b57cec5SDimitry Andric { } 2600b57cec5SDimitry Andric }; 2610b57cec5SDimitry Andric } 2620b57cec5SDimitry Andric 2630b57cec5SDimitry Andric // OutputPossibleOverflows - We've found a possible overflow earlier, 2640b57cec5SDimitry Andric // now check whether Body might contain a comparison which might be 2650b57cec5SDimitry Andric // preventing the overflow. 2660b57cec5SDimitry Andric // This doesn't do flow analysis, range analysis, or points-to analysis; it's 2670b57cec5SDimitry Andric // just a dumb "is there a comparison" scan. The aim here is to 2680b57cec5SDimitry Andric // detect the most blatent cases of overflow and educate the 2690b57cec5SDimitry Andric // programmer. 2700b57cec5SDimitry Andric void MallocOverflowSecurityChecker::OutputPossibleOverflows( 2710b57cec5SDimitry Andric SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 2720b57cec5SDimitry Andric const Decl *D, BugReporter &BR, AnalysisManager &mgr) const { 2730b57cec5SDimitry Andric // By far the most common case: nothing to check. 2740b57cec5SDimitry Andric if (PossibleMallocOverflows.empty()) 2750b57cec5SDimitry Andric return; 2760b57cec5SDimitry Andric 2770b57cec5SDimitry Andric // Delete any possible overflows which have a comparison. 2780b57cec5SDimitry Andric CheckOverflowOps c(PossibleMallocOverflows, BR.getContext()); 2790b57cec5SDimitry Andric c.Visit(mgr.getAnalysisDeclContext(D)->getBody()); 2800b57cec5SDimitry Andric 2810b57cec5SDimitry Andric // Output warnings for all overflows that are left. 2820b57cec5SDimitry Andric for (CheckOverflowOps::theVecType::iterator 2830b57cec5SDimitry Andric i = PossibleMallocOverflows.begin(), 2840b57cec5SDimitry Andric e = PossibleMallocOverflows.end(); 2850b57cec5SDimitry Andric i != e; 2860b57cec5SDimitry Andric ++i) { 2870b57cec5SDimitry Andric BR.EmitBasicReport( 2880b57cec5SDimitry Andric D, this, "malloc() size overflow", categories::UnixAPI, 2890b57cec5SDimitry Andric "the computation of the size of the memory allocation may overflow", 2900b57cec5SDimitry Andric PathDiagnosticLocation::createOperatorLoc(i->mulop, 2910b57cec5SDimitry Andric BR.getSourceManager()), 2920b57cec5SDimitry Andric i->mulop->getSourceRange()); 2930b57cec5SDimitry Andric } 2940b57cec5SDimitry Andric } 2950b57cec5SDimitry Andric 2960b57cec5SDimitry Andric void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D, 2970b57cec5SDimitry Andric AnalysisManager &mgr, 2980b57cec5SDimitry Andric BugReporter &BR) const { 2990b57cec5SDimitry Andric 3000b57cec5SDimitry Andric CFG *cfg = mgr.getCFG(D); 3010b57cec5SDimitry Andric if (!cfg) 3020b57cec5SDimitry Andric return; 3030b57cec5SDimitry Andric 3040b57cec5SDimitry Andric // A list of variables referenced in possibly overflowing malloc operands. 3050b57cec5SDimitry Andric SmallVector<MallocOverflowCheck, 2> PossibleMallocOverflows; 3060b57cec5SDimitry Andric 3070b57cec5SDimitry Andric for (CFG::iterator it = cfg->begin(), ei = cfg->end(); it != ei; ++it) { 3080b57cec5SDimitry Andric CFGBlock *block = *it; 3090b57cec5SDimitry Andric for (CFGBlock::iterator bi = block->begin(), be = block->end(); 3100b57cec5SDimitry Andric bi != be; ++bi) { 3110b57cec5SDimitry Andric if (Optional<CFGStmt> CS = bi->getAs<CFGStmt>()) { 3120b57cec5SDimitry Andric if (const CallExpr *TheCall = dyn_cast<CallExpr>(CS->getStmt())) { 3130b57cec5SDimitry Andric // Get the callee. 3140b57cec5SDimitry Andric const FunctionDecl *FD = TheCall->getDirectCallee(); 3150b57cec5SDimitry Andric 3160b57cec5SDimitry Andric if (!FD) 3170b57cec5SDimitry Andric continue; 3180b57cec5SDimitry Andric 3190b57cec5SDimitry Andric // Get the name of the callee. If it's a builtin, strip off the prefix. 3200b57cec5SDimitry Andric IdentifierInfo *FnInfo = FD->getIdentifier(); 3210b57cec5SDimitry Andric if (!FnInfo) 3220b57cec5SDimitry Andric continue; 3230b57cec5SDimitry Andric 3240b57cec5SDimitry Andric if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) { 3250b57cec5SDimitry Andric if (TheCall->getNumArgs() == 1) 326*349cc55cSDimitry Andric CheckMallocArgument(PossibleMallocOverflows, TheCall, 3270b57cec5SDimitry Andric mgr.getASTContext()); 3280b57cec5SDimitry Andric } 3290b57cec5SDimitry Andric } 3300b57cec5SDimitry Andric } 3310b57cec5SDimitry Andric } 3320b57cec5SDimitry Andric } 3330b57cec5SDimitry Andric 3340b57cec5SDimitry Andric OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr); 3350b57cec5SDimitry Andric } 3360b57cec5SDimitry Andric 3370b57cec5SDimitry Andric void ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) { 3380b57cec5SDimitry Andric mgr.registerChecker<MallocOverflowSecurityChecker>(); 3390b57cec5SDimitry Andric } 3400b57cec5SDimitry Andric 3415ffd83dbSDimitry Andric bool ento::shouldRegisterMallocOverflowSecurityChecker(const CheckerManager &mgr) { 3420b57cec5SDimitry Andric return true; 3430b57cec5SDimitry Andric } 344