projects / platform / upstream / llvm.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 250524f)
[analyzer] MmapWriteExecChecker: Add support for mprotect().
authorArtem Dergachev <artem.dergachev@gmail.com>
Fri, 9 Mar 2018 01:47:24 +0000 (01:47 +0000)
committerArtem Dergachev <artem.dergachev@gmail.com>
Fri, 9 Mar 2018 01:47:24 +0000 (01:47 +0000)
mprotect() allows setting memory access flags similarly to mmap(),
causing similar security issues if these flags are needlessly broad.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D44250

llvm-svn: 327098

clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp patch | blob | history
clang/test/Analysis/mmap-writeexec.c patch | blob | history

diff --git a/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
index e62fa0f..5060b0e 100644 (file)
--- a/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
@@ -28,12 +28,13 @@ using llvm::APSInt;
 namespace {
 class MmapWriteExecChecker : public Checker<check::PreCall> {
   CallDescription MmapFn;
+  CallDescription MprotectFn;
   static int ProtWrite;
   static int ProtExec;
   static int ProtRead;
   mutable std::unique_ptr<BugType> BT;
 public:
-  MmapWriteExecChecker() : MmapFn("mmap", 6) {}
+  MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {}
   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
   int ProtExecOv;
   int ProtReadOv;
@@ -46,8 +47,8 @@ int MmapWriteExecChecker::ProtRead  = 0x01;
 
 void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
                                          CheckerContext &C) const {
-  if (Call.isCalled(MmapFn)) {
-    SVal ProtVal = Call.getArgSVal(2); 
+  if (Call.isCalled(MmapFn) || Call.isCalled(MprotectFn)) {
+    SVal ProtVal = Call.getArgSVal(2);
     Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
     int64_t Prot = ProtLoc->getValue().getSExtValue();
     if (ProtExecOv != ProtExec)
diff --git a/clang/test/Analysis/mmap-writeexec.c b/clang/test/Analysis/mmap-writeexec.c
index 2d8ea9b..2ebc961 100644 (file)
--- a/clang/test/Analysis/mmap-writeexec.c
+++ b/clang/test/Analysis/mmap-writeexec.c
@@ -16,6 +16,7 @@
 
 typedef __typeof(sizeof(int)) size_t;
 void *mmap(void *, size_t, int, int, int, long);
+int mprotect(void *, size_t, int);
 
 void f1()
 {
@@ -34,3 +35,10 @@ void f2()
   int prot = PROT_WRITE | PROT_EXEC;
   (void)callm(NULL, 1024, prot, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
 }
+
+void f3()
+{
+  void *p = mmap(NULL, 1024, PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0); // no-warning
+  int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
+  (void)m;
+}
Domain: System / Toolchain;