r327098 - [analyzer] MmapWriteExecChecker: Add support for mprotect().
Artem Dergachev via cfe-commits
cfe-commits at lists.llvm.org
Thu Mar 8 17:47:24 PST 2018
Author: dergachev
Date: Thu Mar 8 17:47:24 2018
New Revision: 327098
URL: http://llvm.org/viewvc/llvm-project?rev=327098&view=rev
Log:
[analyzer] MmapWriteExecChecker: Add support for mprotect().
mprotect() allows setting memory access flags similarly to mmap(),
causing similar security issues if these flags are needlessly broad.
Patch by David Carlier!
Differential Revision: https://reviews.llvm.org/D44250
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
cfe/trunk/test/Analysis/mmap-writeexec.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp?rev=327098&r1=327097&r2=327098&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp Thu Mar 8 17:47:24 2018
@@ -28,12 +28,13 @@ using llvm::APSInt;
namespace {
class MmapWriteExecChecker : public Checker<check::PreCall> {
CallDescription MmapFn;
+ CallDescription MprotectFn;
static int ProtWrite;
static int ProtExec;
static int ProtRead;
mutable std::unique_ptr<BugType> BT;
public:
- MmapWriteExecChecker() : MmapFn("mmap", 6) {}
+ MmapWriteExecChecker() : MmapFn("mmap", 6), MprotectFn("mprotect", 3) {}
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
int ProtExecOv;
int ProtReadOv;
@@ -46,8 +47,8 @@ int MmapWriteExecChecker::ProtRead = 0x
void MmapWriteExecChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
- if (Call.isCalled(MmapFn)) {
- SVal ProtVal = Call.getArgSVal(2);
+ if (Call.isCalled(MmapFn) || Call.isCalled(MprotectFn)) {
+ SVal ProtVal = Call.getArgSVal(2);
Optional<nonloc::ConcreteInt> ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
int64_t Prot = ProtLoc->getValue().getSExtValue();
if (ProtExecOv != ProtExec)
Modified: cfe/trunk/test/Analysis/mmap-writeexec.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mmap-writeexec.c?rev=327098&r1=327097&r2=327098&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/mmap-writeexec.c (original)
+++ cfe/trunk/test/Analysis/mmap-writeexec.c Thu Mar 8 17:47:24 2018
@@ -16,6 +16,7 @@
typedef __typeof(sizeof(int)) size_t;
void *mmap(void *, size_t, int, int, int, long);
+int mprotect(void *, size_t, int);
void f1()
{
@@ -34,3 +35,10 @@ void f2()
int prot = PROT_WRITE | PROT_EXEC;
(void)callm(NULL, 1024, prot, MAP_PRIVATE | MAP_ANON, -1, 0); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
}
+
+void f3()
+{
+ void *p = mmap(NULL, 1024, PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0); // no-warning
+ int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
+ (void)m;
+}
More information about the cfe-commits
mailing list