xref: /freebsd/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp (revision 770cf0a5f02dc8983a89c6568d741fbc25baa999) 
1 // MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker tests the 3rd argument of mmap's calls to check if
10 // it is writable and executable in the same time. It's somehow
11 // an optional checker since for example in JIT libraries it is pretty common.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16 
17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18 #include "clang/StaticAnalyzer/Core/Checker.h"
19 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
24 
25 using namespace clang;
26 using namespace ento;
27 
28 namespace {
29 class MmapWriteExecChecker
30     : public Checker<check::ASTDecl<TranslationUnitDecl>, check::PreCall> {
31   CallDescription MmapFn{CDM::CLibrary, {"mmap"}, 6};
32   CallDescription MprotectFn{CDM::CLibrary, {"mprotect"}, 3};
33   const BugType BT{this, "W^X check fails, Write Exec prot flags set",
34                    "Security"};
35 
36   // Default values are used if definition of the flags is not found.
37   mutable int ProtRead = 0x01;
38   mutable int ProtWrite = 0x02;
39   mutable int ProtExec = 0x04;
40 
41 public:
42   void checkASTDecl(const TranslationUnitDecl *TU, AnalysisManager &Mgr,
43                     BugReporter &BR) const;
44   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
45 };
46 }
47 
48 void MmapWriteExecChecker::checkASTDecl(const TranslationUnitDecl *TU,
49                                         AnalysisManager &Mgr,
50                                         BugReporter &BR) const {
51   Preprocessor &PP = Mgr.getPreprocessor();
52   const std::optional<int> FoundProtRead = tryExpandAsInteger("PROT_READ", PP);
53   const std::optional<int> FoundProtWrite =
54       tryExpandAsInteger("PROT_WRITE", PP);
55   const std::optional<int> FoundProtExec = tryExpandAsInteger("PROT_EXEC", PP);
56   if (FoundProtRead && FoundProtWrite && FoundProtExec) {
57     ProtRead = *FoundProtRead;
58     ProtWrite = *FoundProtWrite;
59     ProtExec = *FoundProtExec;
60   }
61 }
62 
63 void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
64                                         CheckerContext &C) const {
65   if (matchesAny(Call, MmapFn, MprotectFn)) {
66     SVal ProtVal = Call.getArgSVal(2);
67     auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
68     if (!ProtLoc)
69       return;
70     int64_t Prot = ProtLoc->getValue()->getSExtValue();
71 
72     if ((Prot & ProtWrite) && (Prot & ProtExec)) {
73       ExplodedNode *N = C.generateNonFatalErrorNode();
74       if (!N)
75         return;
76 
77       auto Report = std::make_unique<PathSensitiveBugReport>(
78           BT,
79           "Both PROT_WRITE and PROT_EXEC flags are set. This can "
80           "lead to exploitable memory regions, which could be overwritten "
81           "with malicious code",
82           N);
83       Report->addRange(Call.getArgSourceRange(2));
84       C.emitReport(std::move(Report));
85     }
86   }
87 }
88 
89 void ento::registerMmapWriteExecChecker(CheckerManager &Mgr) {
90   Mgr.registerChecker<MmapWriteExecChecker>();
91 }
92 
93 bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &) {
94   return true;
95 }
96