1// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This checker tests the 3rd argument of mmap's calls to check if
10// it is writable and executable in the same time. It's somehow
11// an optional checker since for example in JIT libraries it is pretty common.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
24
25using namespace clang;
26using namespace ento;
27
28namespace {
29class MmapWriteExecChecker
30 : public Checker<check::ASTDecl<TranslationUnitDecl>, check::PreCall> {
31 CallDescription MmapFn{CDM::CLibrary, {"mmap"}, 6};
32 CallDescription MprotectFn{CDM::CLibrary, {"mprotect"}, 3};
33 const BugType BT{this, "W^X check fails, Write Exec prot flags set",
34 "Security"};
35
36 // Default values are used if definition of the flags is not found.
37 mutable int ProtRead = 0x01;
38 mutable int ProtWrite = 0x02;
39 mutable int ProtExec = 0x04;
40
41public:
42 void checkASTDecl(const TranslationUnitDecl *TU, AnalysisManager &Mgr,
43 BugReporter &BR) const;
44 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
45};
46}
47
48void MmapWriteExecChecker::checkASTDecl(const TranslationUnitDecl *TU,
49 AnalysisManager &Mgr,
50 BugReporter &BR) const {
51 Preprocessor &PP = Mgr.getPreprocessor();
52 const std::optional<int> FoundProtRead = tryExpandAsInteger(Macro: "PROT_READ", PP);
53 const std::optional<int> FoundProtWrite =
54 tryExpandAsInteger(Macro: "PROT_WRITE", PP);
55 const std::optional<int> FoundProtExec = tryExpandAsInteger(Macro: "PROT_EXEC", PP);
56 if (FoundProtRead && FoundProtWrite && FoundProtExec) {
57 ProtRead = *FoundProtRead;
58 ProtWrite = *FoundProtWrite;
59 ProtExec = *FoundProtExec;
60 }
61}
62
63void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
64 CheckerContext &C) const {
65 if (matchesAny(Call, CD1: MmapFn, CDs: MprotectFn)) {
66 SVal ProtVal = Call.getArgSVal(Index: 2);
67 auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
68 if (!ProtLoc)
69 return;
70 int64_t Prot = ProtLoc->getValue()->getSExtValue();
71
72 if ((Prot & ProtWrite) && (Prot & ProtExec)) {
73 ExplodedNode *N = C.generateNonFatalErrorNode();
74 if (!N)
75 return;
76
77 auto Report = std::make_unique<PathSensitiveBugReport>(
78 args: BT,
79 args: "Both PROT_WRITE and PROT_EXEC flags are set. This can "
80 "lead to exploitable memory regions, which could be overwritten "
81 "with malicious code",
82 args&: N);
83 Report->addRange(R: Call.getArgSourceRange(Index: 2));
84 C.emitReport(R: std::move(Report));
85 }
86 }
87}
88
89void ento::registerMmapWriteExecChecker(CheckerManager &Mgr) {
90 Mgr.registerChecker<MmapWriteExecChecker>();
91}
92
93bool ento::shouldRegisterMmapWriteExecChecker(const CheckerManager &) {
94 return true;
95}
96