1 // MallocOverflowSecurityChecker.cpp - Check for malloc overflows -*- C++ -*-=// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker detects a common memory allocation security flaw. 10 // Suppose 'unsigned int n' comes from an untrusted source. If the 11 // code looks like 'malloc (n * 4)', and an attacker can make 'n' be 12 // say MAX_UINT/4+2, then instead of allocating the correct 'n' 4-byte 13 // elements, this will actually allocate only two because of overflow. 14 // Then when the rest of the program attempts to store values past the 15 // second element, these values will actually overwrite other items in 16 // the heap, probably allowing the attacker to execute arbitrary code. 17 // 18 //===----------------------------------------------------------------------===// 19 20 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 21 #include "clang/AST/EvaluatedExprVisitor.h" 22 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 23 #include "clang/StaticAnalyzer/Core/Checker.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 25 #include "llvm/ADT/APSInt.h" 26 #include "llvm/ADT/SmallVector.h" 27 #include <utility> 28 29 using namespace clang; 30 using namespace ento; 31 using llvm::APSInt; 32 33 namespace { 34 struct MallocOverflowCheck { 35 const CallExpr *call; 36 const BinaryOperator *mulop; 37 const Expr *variable; 38 APSInt maxVal; 39 40 MallocOverflowCheck(const CallExpr *call, const BinaryOperator *m, 41 const Expr *v, APSInt val) 42 : call(call), mulop(m), variable(v), maxVal(std::move(val)) {} 43 }; 44 45 class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> { 46 public: 47 void checkASTCodeBody(const Decl *D, AnalysisManager &mgr, 48 BugReporter &BR) const; 49 50 void CheckMallocArgument( 51 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 52 const CallExpr *TheCall, ASTContext &Context) const; 53 54 void OutputPossibleOverflows( 55 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 56 const Decl *D, BugReporter &BR, AnalysisManager &mgr) const; 57 58 }; 59 } // end anonymous namespace 60 61 // Return true for computations which evaluate to zero: e.g., mult by 0. 62 static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) { 63 return (op == BO_Mul) && (Val == 0); 64 } 65 66 void MallocOverflowSecurityChecker::CheckMallocArgument( 67 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 68 const CallExpr *TheCall, ASTContext &Context) const { 69 70 /* Look for a linear combination with a single variable, and at least 71 one multiplication. 72 Reject anything that applies to the variable: an explicit cast, 73 conditional expression, an operation that could reduce the range 74 of the result, or anything too complicated :-). */ 75 const Expr *e = TheCall->getArg(0); 76 const BinaryOperator * mulop = nullptr; 77 APSInt maxVal; 78 79 for (;;) { 80 maxVal = 0; 81 e = e->IgnoreParenImpCasts(); 82 if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) { 83 BinaryOperatorKind opc = binop->getOpcode(); 84 // TODO: ignore multiplications by 1, reject if multiplied by 0. 85 if (mulop == nullptr && opc == BO_Mul) 86 mulop = binop; 87 if (opc != BO_Mul && opc != BO_Add && opc != BO_Sub && opc != BO_Shl) 88 return; 89 90 const Expr *lhs = binop->getLHS(); 91 const Expr *rhs = binop->getRHS(); 92 if (rhs->isEvaluatable(Context)) { 93 e = lhs; 94 maxVal = rhs->EvaluateKnownConstInt(Context); 95 if (EvaluatesToZero(maxVal, opc)) 96 return; 97 } else if ((opc == BO_Add || opc == BO_Mul) && 98 lhs->isEvaluatable(Context)) { 99 maxVal = lhs->EvaluateKnownConstInt(Context); 100 if (EvaluatesToZero(maxVal, opc)) 101 return; 102 e = rhs; 103 } else 104 return; 105 } else if (isa<DeclRefExpr, MemberExpr>(e)) 106 break; 107 else 108 return; 109 } 110 111 if (mulop == nullptr) 112 return; 113 114 // We've found the right structure of malloc argument, now save 115 // the data so when the body of the function is completely available 116 // we can check for comparisons. 117 118 PossibleMallocOverflows.push_back( 119 MallocOverflowCheck(TheCall, mulop, e, maxVal)); 120 } 121 122 namespace { 123 // A worker class for OutputPossibleOverflows. 124 class CheckOverflowOps : 125 public EvaluatedExprVisitor<CheckOverflowOps> { 126 public: 127 typedef SmallVectorImpl<MallocOverflowCheck> theVecType; 128 129 private: 130 theVecType &toScanFor; 131 ASTContext &Context; 132 133 bool isIntZeroExpr(const Expr *E) const { 134 if (!E->getType()->isIntegralOrEnumerationType()) 135 return false; 136 Expr::EvalResult Result; 137 if (E->EvaluateAsInt(Result, Context)) 138 return Result.Val.getInt() == 0; 139 return false; 140 } 141 142 static const Decl *getDecl(const DeclRefExpr *DR) { return DR->getDecl(); } 143 static const Decl *getDecl(const MemberExpr *ME) { 144 return ME->getMemberDecl(); 145 } 146 147 template <typename T1> 148 void Erase(const T1 *DR, 149 llvm::function_ref<bool(const MallocOverflowCheck &)> Pred) { 150 auto P = [DR, Pred](const MallocOverflowCheck &Check) { 151 if (const auto *CheckDR = dyn_cast<T1>(Check.variable)) 152 return getDecl(CheckDR) == getDecl(DR) && Pred(Check); 153 return false; 154 }; 155 llvm::erase_if(toScanFor, P); 156 } 157 158 void CheckExpr(const Expr *E_p) { 159 const Expr *E = E_p->IgnoreParenImpCasts(); 160 const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) { 161 return Context.getSourceManager().isBeforeInTranslationUnit( 162 E->getExprLoc(), c.call->getExprLoc()); 163 }; 164 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) 165 Erase<DeclRefExpr>(DR, PrecedesMalloc); 166 else if (const auto *ME = dyn_cast<MemberExpr>(E)) { 167 Erase<MemberExpr>(ME, PrecedesMalloc); 168 } 169 } 170 171 // Check if the argument to malloc is assigned a value 172 // which cannot cause an overflow. 173 // e.g., malloc (mul * x) and, 174 // case 1: mul = <constant value> 175 // case 2: mul = a/b, where b > x 176 void CheckAssignmentExpr(BinaryOperator *AssignEx) { 177 bool assignKnown = false; 178 bool numeratorKnown = false, denomKnown = false; 179 APSInt denomVal; 180 denomVal = 0; 181 182 // Erase if the multiplicand was assigned a constant value. 183 const Expr *rhs = AssignEx->getRHS(); 184 if (rhs->isEvaluatable(Context)) 185 assignKnown = true; 186 187 // Discard the report if the multiplicand was assigned a value, 188 // that can never overflow after multiplication. e.g., the assignment 189 // is a division operator and the denominator is > other multiplicand. 190 const Expr *rhse = rhs->IgnoreParenImpCasts(); 191 if (const BinaryOperator *BOp = dyn_cast<BinaryOperator>(rhse)) { 192 if (BOp->getOpcode() == BO_Div) { 193 const Expr *denom = BOp->getRHS()->IgnoreParenImpCasts(); 194 Expr::EvalResult Result; 195 if (denom->EvaluateAsInt(Result, Context)) { 196 denomVal = Result.Val.getInt(); 197 denomKnown = true; 198 } 199 const Expr *numerator = BOp->getLHS()->IgnoreParenImpCasts(); 200 if (numerator->isEvaluatable(Context)) 201 numeratorKnown = true; 202 } 203 } 204 if (!assignKnown && !denomKnown) 205 return; 206 auto denomExtVal = denomVal.getExtValue(); 207 208 // Ignore negative denominator. 209 if (denomExtVal < 0) 210 return; 211 212 const Expr *lhs = AssignEx->getLHS(); 213 const Expr *E = lhs->IgnoreParenImpCasts(); 214 215 auto pred = [assignKnown, numeratorKnown, 216 denomExtVal](const MallocOverflowCheck &Check) { 217 return assignKnown || 218 (numeratorKnown && (denomExtVal >= Check.maxVal.getExtValue())); 219 }; 220 221 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E)) 222 Erase<DeclRefExpr>(DR, pred); 223 else if (const auto *ME = dyn_cast<MemberExpr>(E)) 224 Erase<MemberExpr>(ME, pred); 225 } 226 227 public: 228 void VisitBinaryOperator(BinaryOperator *E) { 229 if (E->isComparisonOp()) { 230 const Expr * lhs = E->getLHS(); 231 const Expr * rhs = E->getRHS(); 232 // Ignore comparisons against zero, since they generally don't 233 // protect against an overflow. 234 if (!isIntZeroExpr(lhs) && !isIntZeroExpr(rhs)) { 235 CheckExpr(lhs); 236 CheckExpr(rhs); 237 } 238 } 239 if (E->isAssignmentOp()) 240 CheckAssignmentExpr(E); 241 EvaluatedExprVisitor<CheckOverflowOps>::VisitBinaryOperator(E); 242 } 243 244 /* We specifically ignore loop conditions, because they're typically 245 not error checks. */ 246 void VisitWhileStmt(WhileStmt *S) { 247 return this->Visit(S->getBody()); 248 } 249 void VisitForStmt(ForStmt *S) { 250 return this->Visit(S->getBody()); 251 } 252 void VisitDoStmt(DoStmt *S) { 253 return this->Visit(S->getBody()); 254 } 255 256 CheckOverflowOps(theVecType &v, ASTContext &ctx) 257 : EvaluatedExprVisitor<CheckOverflowOps>(ctx), 258 toScanFor(v), Context(ctx) 259 { } 260 }; 261 } 262 263 // OutputPossibleOverflows - We've found a possible overflow earlier, 264 // now check whether Body might contain a comparison which might be 265 // preventing the overflow. 266 // This doesn't do flow analysis, range analysis, or points-to analysis; it's 267 // just a dumb "is there a comparison" scan. The aim here is to 268 // detect the most blatent cases of overflow and educate the 269 // programmer. 270 void MallocOverflowSecurityChecker::OutputPossibleOverflows( 271 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows, 272 const Decl *D, BugReporter &BR, AnalysisManager &mgr) const { 273 // By far the most common case: nothing to check. 274 if (PossibleMallocOverflows.empty()) 275 return; 276 277 // Delete any possible overflows which have a comparison. 278 CheckOverflowOps c(PossibleMallocOverflows, BR.getContext()); 279 c.Visit(mgr.getAnalysisDeclContext(D)->getBody()); 280 281 // Output warnings for all overflows that are left. 282 for (CheckOverflowOps::theVecType::iterator 283 i = PossibleMallocOverflows.begin(), 284 e = PossibleMallocOverflows.end(); 285 i != e; 286 ++i) { 287 BR.EmitBasicReport( 288 D, this, "malloc() size overflow", categories::UnixAPI, 289 "the computation of the size of the memory allocation may overflow", 290 PathDiagnosticLocation::createOperatorLoc(i->mulop, 291 BR.getSourceManager()), 292 i->mulop->getSourceRange()); 293 } 294 } 295 296 void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D, 297 AnalysisManager &mgr, 298 BugReporter &BR) const { 299 300 CFG *cfg = mgr.getCFG(D); 301 if (!cfg) 302 return; 303 304 // A list of variables referenced in possibly overflowing malloc operands. 305 SmallVector<MallocOverflowCheck, 2> PossibleMallocOverflows; 306 307 for (CFG::iterator it = cfg->begin(), ei = cfg->end(); it != ei; ++it) { 308 CFGBlock *block = *it; 309 for (CFGBlock::iterator bi = block->begin(), be = block->end(); 310 bi != be; ++bi) { 311 if (Optional<CFGStmt> CS = bi->getAs<CFGStmt>()) { 312 if (const CallExpr *TheCall = dyn_cast<CallExpr>(CS->getStmt())) { 313 // Get the callee. 314 const FunctionDecl *FD = TheCall->getDirectCallee(); 315 316 if (!FD) 317 continue; 318 319 // Get the name of the callee. If it's a builtin, strip off the prefix. 320 IdentifierInfo *FnInfo = FD->getIdentifier(); 321 if (!FnInfo) 322 continue; 323 324 if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) { 325 if (TheCall->getNumArgs() == 1) 326 CheckMallocArgument(PossibleMallocOverflows, TheCall, 327 mgr.getASTContext()); 328 } 329 } 330 } 331 } 332 } 333 334 OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr); 335 } 336 337 void ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) { 338 mgr.registerChecker<MallocOverflowSecurityChecker>(); 339 } 340 341 bool ento::shouldRegisterMallocOverflowSecurityChecker(const CheckerManager &mgr) { 342 return true; 343 } 344