1// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// This checker tests the 3rd argument of mmap's calls to check if 10// it is writable and executable in the same time. It's somehow 11// an optional checker since for example in JIT libraries it is pretty common. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 16 17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 18#include "clang/StaticAnalyzer/Core/Checker.h" 19#include "clang/StaticAnalyzer/Core/CheckerManager.h" 20#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22 23using namespace clang; 24using namespace ento; 25using llvm::APSInt; 26 27namespace { 28class MmapWriteExecChecker : public Checker<check::PreCall> { 29 CallDescription MmapFn; 30 CallDescription MprotectFn; 31 static int ProtWrite; 32 static int ProtExec; 33 static int ProtRead; 34 mutable std::unique_ptr<BugType> BT; 35public: 36 MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {} 37 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 38 int ProtExecOv; 39 int ProtReadOv; 40}; 41} 42 43int MmapWriteExecChecker::ProtWrite = 0x02; 44int MmapWriteExecChecker::ProtExec = 0x04; 45int MmapWriteExecChecker::ProtRead = 0x01; 46 47void MmapWriteExecChecker::checkPreCall(const CallEvent &Call, 48 CheckerContext &C) const { 49 if (Call.isCalled(MmapFn) || Call.isCalled(MprotectFn)) { 50 SVal ProtVal = Call.getArgSVal(2); 51 Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>(); 52 int64_t Prot = ProtLoc->getValue().getSExtValue(); 53 if (ProtExecOv != ProtExec) 54 ProtExec = ProtExecOv; 55 if (ProtReadOv != ProtRead) 56 ProtRead = ProtReadOv; 57 58 // Wrong settings 59 if (ProtRead == ProtExec) 60 return; 61 62 if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) { 63 if (!BT) 64 BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security")); 65 66 ExplodedNode *N = C.generateNonFatalErrorNode(); 67 if (!N) 68 return; 69 70 auto Report = std::make_unique<PathSensitiveBugReport>( 71 *BT, "Both PROT_WRITE and PROT_EXEC flags are set. This can " 72 "lead to exploitable memory regions, which could be overwritten " 73 "with malicious code", N); 74 Report->addRange(Call.getArgSourceRange(2)); 75 C.emitReport(std::move(Report)); 76 } 77 } 78} 79 80void ento::registerMmapWriteExecChecker(CheckerManager &mgr) { 81 MmapWriteExecChecker *Mwec = 82 mgr.registerChecker<MmapWriteExecChecker>(); 83 Mwec->ProtExecOv = 84 mgr.getAnalyzerOptions() 85 .getCheckerIntegerOption(Mwec, "MmapProtExec"); 86 Mwec->ProtReadOv = 87 mgr.getAnalyzerOptions() 88 .getCheckerIntegerOption(Mwec, "MmapProtRead"); 89} 90 91bool ento::shouldRegisterMmapWriteExecChecker(const LangOptions &LO) { 92 return true; 93} 94