1// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker tests the 3rd argument of mmap's calls to check if
10// it is writable and executable in the same time. It's somehow
11// an optional checker since for example in JIT libraries it is pretty common.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22
23using namespace clang;
24using namespace ento;
25using llvm::APSInt;
26
27namespace {
28class MmapWriteExecChecker : public Checker<check::PreCall> {
29  CallDescription MmapFn;
30  CallDescription MprotectFn;
31  static int ProtWrite;
32  static int ProtExec;
33  static int ProtRead;
34  mutable std::unique_ptr<BugType> BT;
35public:
36  MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {}
37  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
38  int ProtExecOv;
39  int ProtReadOv;
40};
41}
42
43int MmapWriteExecChecker::ProtWrite = 0x02;
44int MmapWriteExecChecker::ProtExec  = 0x04;
45int MmapWriteExecChecker::ProtRead  = 0x01;
46
47void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
48                                         CheckerContext &C) const {
49  if (Call.isCalled(MmapFn) || Call.isCalled(MprotectFn)) {
50    SVal ProtVal = Call.getArgSVal(2);
51    Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
52    int64_t Prot = ProtLoc->getValue().getSExtValue();
53    if (ProtExecOv != ProtExec)
54      ProtExec = ProtExecOv;
55    if (ProtReadOv != ProtRead)
56      ProtRead = ProtReadOv;
57
58    // Wrong settings
59    if (ProtRead == ProtExec)
60      return;
61
62    if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
63      if (!BT)
64        BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
65
66      ExplodedNode *N = C.generateNonFatalErrorNode();
67      if (!N)
68        return;
69
70      auto Report = std::make_unique<PathSensitiveBugReport>(
71          *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can "
72               "lead to exploitable memory regions, which could be overwritten "
73               "with malicious code", N);
74      Report->addRange(Call.getArgSourceRange(2));
75      C.emitReport(std::move(Report));
76    }
77  }
78}
79
80void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
81  MmapWriteExecChecker *Mwec =
82      mgr.registerChecker<MmapWriteExecChecker>();
83  Mwec->ProtExecOv =
84    mgr.getAnalyzerOptions()
85      .getCheckerIntegerOption(Mwec, "MmapProtExec");
86  Mwec->ProtReadOv =
87    mgr.getAnalyzerOptions()
88      .getCheckerIntegerOption(Mwec, "MmapProtRead");
89}
90
91bool ento::shouldRegisterMmapWriteExecChecker(const LangOptions &LO) {
92  return true;
93}
94