[PATCH] D73629: [analyzer] vfork checker: allow execve after vfork
Jan Včelák via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Wed Jan 29 07:31:06 PST 2020
janvcelak created this revision.
janvcelak added a reviewer: dcoughlin.
Herald added subscribers: cfe-commits, Charusso, dkrupp, donat.nagy, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.
Herald added a project: clang.
`execve` is missing in the list of functions that are allowed after `vfork()`. As a result, clang analyzer reports the following false positive:

  #include <unistd.h>

  int main(int argc, char *argv[])
  {
    char *a[] = {"true", NULL};
    char *e[] = {NULL};
    if (vfork() == 0) {
      execve("/bin/true", a, e);
      _exit(1);
    }
    return 0;
  }

  $ scan-build clang -Wall -c repro.c
  scan-build: Using '/usr/bin/clang-9' for static analysis
  repro.c:7:6: warning: Call to function 'vfork' is insecure as it can lead to denial of service situations in the parent process. Replace calls to vfork with calls to the safer 'posix_spawn' function
    if (vfork() == 0) {
        ^~~~~
  repro.c:8:3: warning: This function call is prohibited after a successful vfork
      execve("/bin/true", a, e);
      ^~~~~~~~~~~~~~~~~~~~~~~~~
  2 warnings generated.
  scan-build: 2 bugs found.
  scan-build: Run 'scan-view /tmp/scan-build-2020-01-29-162705-3770808-1' to examine bug reports.

The list of exec functions in the code is taken from the `exec(3)` man page, which are just front-ends for `execve(2)`. Quoting the manual page:
> The exec() family of functions replaces the current process image with a new process image. The functions described in this manual page are front-ends for execve(2). (See the manual page for execve(2) for further details about the replacement of the current process image.)
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D73629
Files:
clang/lib/StaticAnalyzer/Checkers/VforkChecker.cpp
Index: clang/lib/StaticAnalyzer/Checkers/VforkChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/VforkChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/VforkChecker.cpp
@@ -106,6 +106,7 @@
"execv",
"execvp",
"execvpe",
+ "execve",
nullptr
};
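Review bot: No regression test accompanies the new "execve" entry added just before the nullptr terminator; the Files list shows only VforkChecker.cpp. Please add a case to the checker's tests, for example the reproducer from the summary, that expects no "This function call is prohibited after a successful vfork" warning for execve in the child branch, so the allow-list entry cannot regress unnoticed. It would also help to note near the list that execve(2) is the underlying call the exec(3) front-ends resolve to, since that is the reason it was missing from a list taken from the exec(3) man page.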