1 // MmapWriteExecChecker.cpp - Check for the prot argument -----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker tests the 3rd argument of mmap's calls to check if 10 // it is writable and executable in the same time. It's somehow 11 // an optional checker since for example in JIT libraries it is pretty common. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 16 17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 18 #include "clang/StaticAnalyzer/Core/Checker.h" 19 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 23 24 using namespace clang; 25 using namespace ento; 26 27 namespace { 28 class MmapWriteExecChecker : public Checker<check::PreCall> { 29 CallDescription MmapFn; 30 CallDescription MprotectFn; 31 static int ProtWrite; 32 static int ProtExec; 33 static int ProtRead; 34 mutable std::unique_ptr<BugType> BT; 35 public: 36 MmapWriteExecChecker() : MmapFn({"mmap"}, 6), MprotectFn({"mprotect"}, 3) {} 37 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 38 int ProtExecOv; 39 int ProtReadOv; 40 }; 41 } 42 43 int MmapWriteExecChecker::ProtWrite = 0x02; 44 int MmapWriteExecChecker::ProtExec = 0x04; 45 int MmapWriteExecChecker::ProtRead = 0x01; 46 47 void MmapWriteExecChecker::checkPreCall(const CallEvent &Call, 48 CheckerContext &C) const { 49 if (matchesAny(Call, MmapFn, MprotectFn)) { 50 SVal ProtVal = Call.getArgSVal(2); 51 auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>(); 52 int64_t Prot = ProtLoc.getValue().getSExtValue(); 53 if (ProtExecOv != ProtExec) 54 ProtExec = ProtExecOv; 55 if (ProtReadOv != ProtRead) 56 ProtRead = ProtReadOv; 57 58 // Wrong settings 59 if (ProtRead == ProtExec) 60 return; 61 62 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) { 63 if (!BT) 64 BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security")); 65 66 ExplodedNode *N = C.generateNonFatalErrorNode(); 67 if (!N) 68 return; 69 70 auto Report = std::make_unique<PathSensitiveBugReport>( 71 *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can " 72 "lead to exploitable memory regions, which could be overwritten " 73 "with malicious code", N); 74 Report->addRange(Call.getArgSourceRange(2)); 75 C.emitReport(std::move(Report)); 76 } 77 } 78 } 79 80 void ento::registerMmapWriteExecChecker(CheckerManager &mgr) { 81 MmapWriteExecChecker *Mwec = 82 mgr.registerChecker<MmapWriteExecChecker>(); 83 Mwec->ProtExecOv = 84 mgr.getAnalyzerOptions() 85 .getCheckerIntegerOption(Mwec, "MmapProtExec"); 86 Mwec->ProtReadOv = 87 mgr.getAnalyzerOptions() 88 .getCheckerIntegerOption(Mwec, "MmapProtRead"); 89 } 90 91 bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &mgr) { 92 return true; 93 } 94