r324167 - Revert r324166 "[analyzer] Add a checker for mmap()...".

Artem Dergachev via cfe-commits cfe-commits at lists.llvm.org
Fri Feb 2 19:57:33 PST 2018


Author: dergachev
Date: Fri Feb  2 19:57:32 2018
New Revision: 324167

URL: http://llvm.org/viewvc/llvm-project?rev=324167&view=rev
Log:
Revert r324166 "[analyzer] Add a checker for mmap()...".

Reverted due to Buildbot failures, most likely because the tests did not
specify target triples even though the checker behaves differently with
different target triples.

Removed:
    cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
    cfe/trunk/test/Analysis/mmap-writeexec.c
Modified:
    cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td
    cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Modified: cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td?rev=324167&r1=324166&r2=324167&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td Fri Feb  2 19:57:32 2018
@@ -394,10 +394,6 @@ let ParentPackage = Security in {
   def FloatLoopCounter : Checker<"FloatLoopCounter">,
     HelpText<"Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP)">,
     DescFile<"CheckSecuritySyntaxOnly.cpp">;
-
-  def MmapWriteExecChecker : Checker<"MmapWriteExec">,
-    HelpText<"Check if mmap() call is not both writable and executable">,
-    DescFile<"MmapWriteExecChecker.cpp">;
 }
 
 let ParentPackage = SecurityAlpha in {

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt?rev=324167&r1=324166&r2=324167&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt Fri Feb  2 19:57:32 2018
@@ -50,7 +50,6 @@ add_clang_library(clangStaticAnalyzerChe
   MallocOverflowSecurityChecker.cpp
   MallocSizeofChecker.cpp
   MisusedMovedObjectChecker.cpp
-  MmapWriteExecChecker.cpp
   MPI-Checker/MPIBugReporter.cpp
   MPI-Checker/MPIChecker.cpp
   MPI-Checker/MPIFunctionClassifier.cpp

Removed: cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp?rev=324166&view=auto
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp (removed)
@@ -1,75 +0,0 @@
-// MmapWriteExecChecker.cpp - Check for the prot argument -----------------===//
-//
-//                     The LLVM Compiler Infrastructure
-//
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-//
-//===----------------------------------------------------------------------===//
-//
-// This checker tests the 3rd argument of mmap's calls to check if
-// it is writable and executable in the same time. It's somehow
-// an optional checker since for example in JIT libraries it is pretty common.
-//
-//===----------------------------------------------------------------------===//
-
-#include "ClangSACheckers.h"
-
-#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
-#include "clang/StaticAnalyzer/Core/Checker.h"
-#include "clang/StaticAnalyzer/Core/CheckerManager.h"
-#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
-#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
-
-using namespace clang;
-using namespace ento;
-using llvm::APSInt;
-
-namespace {
-class MmapWriteExecChecker : public Checker<check::PreCall> {
-  CallDescription MmapFn;
-  static int ProtWrite;
-  static int ProtExec;
-  mutable std::unique_ptr<BugType> BT;
-public:
-  MmapWriteExecChecker() : MmapFn("mmap", 6) {}
-  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
-};
-}
-
-int MmapWriteExecChecker::ProtWrite = 0x02;
-int MmapWriteExecChecker::ProtExec  = 0x04;
-
-void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
-                                         CheckerContext &C) const {
-  if (Call.isCalled(MmapFn)) {
-    llvm::Triple Triple = C.getASTContext().getTargetInfo().getTriple();
-
-    if (Triple.isOSGlibc())
-      ProtExec = 0x01;
-
-    SVal ProtVal = Call.getArgSVal(2); 
-    Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
-    int64_t Prot = ProtLoc->getValue().getSExtValue();
-
-    if ((Prot & (ProtWrite | ProtExec)) == (ProtWrite | ProtExec)) {
-      if (!BT)
-        BT.reset(new BugType(this, "W^X check fails, Write Exec prot flags set", "Security"));
-
-      ExplodedNode *N = C.generateNonFatalErrorNode();
-      if (!N)
-        return;
-
-      auto Report = llvm::make_unique<BugReport>(
-          *BT, "Both PROT_WRITE and PROT_EXEC flags had been set. It can "
-               "lead to exploitable memory regions, overwritten with malicious code"
-         , N);
-      Report->addRange(Call.getArgSourceRange(2));
-      C.emitReport(std::move(Report));
-    }
-  }
-}
-
-void ento::registerMmapWriteExecChecker(CheckerManager &mgr) {
-  mgr.registerChecker<MmapWriteExecChecker>();
-}

Removed: cfe/trunk/test/Analysis/mmap-writeexec.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mmap-writeexec.c?rev=324166&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/mmap-writeexec.c (original)
+++ cfe/trunk/test/Analysis/mmap-writeexec.c (removed)
@@ -1,27 +0,0 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=security.MmapWriteExec -verify %s
-
-#define PROT_READ   0x01
-#define PROT_WRITE  0x02
-#define PROT_EXEC   0x04
-#define MAP_PRIVATE 0x0002
-#define MAP_ANON    0x1000
-#define MAP_FIXED   0x0010
-#define NULL        ((void *)0)
-
-typedef __typeof(sizeof(int)) size_t;
-void *mmap(void *, size_t, int, int, int, long);
-
-void f1()
-{
-  void *a = mmap(NULL, 16, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_ANON, -1, 0); // no-warning
-  void *b = mmap(a, 16, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_ANON, -1, 0); // no-warning
-  void *c = mmap(NULL, 32, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags had been set. It can lead to exploitable memory regions, overwritten with malicious code}}
-}
-
-void f2()
-{
-  void *(*callm)(void *, size_t, int, int, int, long);
-  callm = mmap;
-  int prot = PROT_WRITE | PROT_EXEC;
-  (void)callm(NULL, 1024, prot, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags had been set. It can lead to exploitable memory regions, overwritten with malicious code}}
-}



