diff options
| author | Artem Dergachev <artem.dergachev@gmail.com> | 2018-03-09 01:47:24 +0000 |
|---|---|---|
| committer | Artem Dergachev <artem.dergachev@gmail.com> | 2018-03-09 01:47:24 +0000 |
| commit | ce5f2d3d420a6a399e756b565e5a8890de9c167d (patch) | |
| tree | d6e91d5a73f7892d9f3f14c394b81f02c5df042b | |
| parent | 250524f7ed760e6c1c844ad1f1f80d6e1aaee444 (diff) | |
| download | bcm5719-llvm-ce5f2d3d420a6a399e756b565e5a8890de9c167d.tar.gz bcm5719-llvm-ce5f2d3d420a6a399e756b565e5a8890de9c167d.zip | |
[analyzer] MmapWriteExecChecker: Add support for mprotect().
mprotect() allows setting memory access flags similarly to mmap(),
causing similar security issues if these flags are needlessly broad.
Patch by David Carlier!
Differential Revision: https://reviews.llvm.org/D44250
llvm-svn: 327098
| -rw-r--r-- | clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp | 7 | ||||
| -rw-r--r-- | clang/test/Analysis/mmap-writeexec.c | 8 |
2 files changed, 12 insertions, 3 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp index e62fa0f905d..5060b0e0a6e 100644 --- a/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp @@ -28,12 +28,13 @@ using llvm::APSInt; namespace { class MmapWriteExecChecker : public Checker<check::PreCall> { CallDescription MmapFn; + CallDescription MprotectFn; static int ProtWrite; static int ProtExec; static int ProtRead; mutable std::unique_ptr<BugType> BT; public: - MmapWriteExecChecker() : MmapFn("mmap", 6) {} + MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {} void checkPreCall(const CallEvent &Call, CheckerContext &C) const; int ProtExecOv; int ProtReadOv; @@ -46,8 +47,8 @@ int MmapWriteExecChecker::ProtRead = 0x01; void MmapWriteExecChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { - if (Call.isCalled(MmapFn)) { - SVal ProtVal = Call.getArgSVal(2); + if (Call.isCalled(MmapFn) || Call.isCalled(MprotectFn)) { + SVal ProtVal = Call.getArgSVal(2); Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>(); int64_t Prot = ProtLoc->getValue().getSExtValue(); if (ProtExecOv != ProtExec) diff --git a/clang/test/Analysis/mmap-writeexec.c b/clang/test/Analysis/mmap-writeexec.c index 2d8ea9b6777..2ebc9611034 100644 --- a/clang/test/Analysis/mmap-writeexec.c +++ b/clang/test/Analysis/mmap-writeexec.c @@ -16,6 +16,7 @@ typedef __typeof(sizeof(int)) size_t; void *mmap(void *, size_t, int, int, int, long); +int mprotect(void *, size_t, int); void f1() { @@ -34,3 +35,10 @@ void f2() int prot = PROT_WRITE | PROT_EXEC; (void)callm(NULL, 1024, prot, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}} } + +void f3() +{ + void *p = mmap(NULL, 1024, PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0); // no-warning + int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}} + (void)m; +} |
