1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
|
// MallocOverflowSecurityChecker.cpp - Check for malloc overflows -*- C++ -*-=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This checker detects a common memory allocation security flaw.
// Suppose 'unsigned int n' comes from an untrusted source. If the
// code looks like 'malloc (n * 4)', and an attacker can make 'n' be
// say MAX_UINT/4+2, then instead of allocating the correct 'n' 4-byte
// elements, this will actually allocate only two because of overflow.
// Then when the rest of the program attempts to store values past the
// second element, these values will actually overwrite other items in
// the heap, probably allowing the attacker to execute arbitrary code.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/EvaluatedExprVisitor.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "llvm/ADT/APSInt.h"
#include "llvm/ADT/SmallVector.h"
#include <utility>
using namespace clang;
using namespace ento;
using llvm::APSInt;
namespace {
struct MallocOverflowCheck {
const CallExpr *call;
const BinaryOperator *mulop;
const Expr *variable;
APSInt maxVal;
MallocOverflowCheck(const CallExpr *call, const BinaryOperator *m,
const Expr *v, APSInt val)
: call(call), mulop(m), variable(v), maxVal(std::move(val)) {}
};
class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> {
public:
void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
BugReporter &BR) const;
void CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const CallExpr *TheCall, ASTContext &Context) const;
void OutputPossibleOverflows(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Decl *D, BugReporter &BR, AnalysisManager &mgr) const;
};
} // end anonymous namespace
// Return true for computations which evaluate to zero: e.g., mult by 0.
static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) {
return (op == BO_Mul) && (Val == 0);
}
void MallocOverflowSecurityChecker::CheckMallocArgument(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const CallExpr *TheCall, ASTContext &Context) const {
/* Look for a linear combination with a single variable, and at least
one multiplication.
Reject anything that applies to the variable: an explicit cast,
conditional expression, an operation that could reduce the range
of the result, or anything too complicated :-). */
const Expr *e = TheCall->getArg(0);
const BinaryOperator * mulop = nullptr;
APSInt maxVal;
for (;;) {
maxVal = 0;
e = e->IgnoreParenImpCasts();
if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) {
BinaryOperatorKind opc = binop->getOpcode();
// TODO: ignore multiplications by 1, reject if multiplied by 0.
if (mulop == nullptr && opc == BO_Mul)
mulop = binop;
if (opc != BO_Mul && opc != BO_Add && opc != BO_Sub && opc != BO_Shl)
return;
const Expr *lhs = binop->getLHS();
const Expr *rhs = binop->getRHS();
if (rhs->isEvaluatable(Context)) {
e = lhs;
maxVal = rhs->EvaluateKnownConstInt(Context);
if (EvaluatesToZero(maxVal, opc))
return;
} else if ((opc == BO_Add || opc == BO_Mul) &&
lhs->isEvaluatable(Context)) {
maxVal = lhs->EvaluateKnownConstInt(Context);
if (EvaluatesToZero(maxVal, opc))
return;
e = rhs;
} else
return;
} else if (isa<DeclRefExpr, MemberExpr>(e))
break;
else
return;
}
if (mulop == nullptr)
return;
// We've found the right structure of malloc argument, now save
// the data so when the body of the function is completely available
// we can check for comparisons.
PossibleMallocOverflows.push_back(
MallocOverflowCheck(TheCall, mulop, e, maxVal));
}
namespace {
// A worker class for OutputPossibleOverflows.
class CheckOverflowOps :
public EvaluatedExprVisitor<CheckOverflowOps> {
public:
typedef SmallVectorImpl<MallocOverflowCheck> theVecType;
private:
theVecType &toScanFor;
ASTContext &Context;
bool isIntZeroExpr(const Expr *E) const {
if (!E->getType()->isIntegralOrEnumerationType())
return false;
Expr::EvalResult Result;
if (E->EvaluateAsInt(Result, Context))
return Result.Val.getInt() == 0;
return false;
}
static const Decl *getDecl(const DeclRefExpr *DR) { return DR->getDecl(); }
static const Decl *getDecl(const MemberExpr *ME) {
return ME->getMemberDecl();
}
template <typename T1>
void Erase(const T1 *DR,
llvm::function_ref<bool(const MallocOverflowCheck &)> Pred) {
auto P = [DR, Pred](const MallocOverflowCheck &Check) {
if (const auto *CheckDR = dyn_cast<T1>(Check.variable))
return getDecl(CheckDR) == getDecl(DR) && Pred(Check);
return false;
};
llvm::erase_if(toScanFor, P);
}
void CheckExpr(const Expr *E_p) {
const Expr *E = E_p->IgnoreParenImpCasts();
const auto PrecedesMalloc = [E, this](const MallocOverflowCheck &c) {
return Context.getSourceManager().isBeforeInTranslationUnit(
E->getExprLoc(), c.call->getExprLoc());
};
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
Erase<DeclRefExpr>(DR, PrecedesMalloc);
else if (const auto *ME = dyn_cast<MemberExpr>(E)) {
Erase<MemberExpr>(ME, PrecedesMalloc);
}
}
// Check if the argument to malloc is assigned a value
// which cannot cause an overflow.
// e.g., malloc (mul * x) and,
// case 1: mul = <constant value>
// case 2: mul = a/b, where b > x
void CheckAssignmentExpr(BinaryOperator *AssignEx) {
bool assignKnown = false;
bool numeratorKnown = false, denomKnown = false;
APSInt denomVal;
denomVal = 0;
// Erase if the multiplicand was assigned a constant value.
const Expr *rhs = AssignEx->getRHS();
if (rhs->isEvaluatable(Context))
assignKnown = true;
// Discard the report if the multiplicand was assigned a value,
// that can never overflow after multiplication. e.g., the assignment
// is a division operator and the denominator is > other multiplicand.
const Expr *rhse = rhs->IgnoreParenImpCasts();
if (const BinaryOperator *BOp = dyn_cast<BinaryOperator>(rhse)) {
if (BOp->getOpcode() == BO_Div) {
const Expr *denom = BOp->getRHS()->IgnoreParenImpCasts();
Expr::EvalResult Result;
if (denom->EvaluateAsInt(Result, Context)) {
denomVal = Result.Val.getInt();
denomKnown = true;
}
const Expr *numerator = BOp->getLHS()->IgnoreParenImpCasts();
if (numerator->isEvaluatable(Context))
numeratorKnown = true;
}
}
if (!assignKnown && !denomKnown)
return;
auto denomExtVal = denomVal.getExtValue();
// Ignore negative denominator.
if (denomExtVal < 0)
return;
const Expr *lhs = AssignEx->getLHS();
const Expr *E = lhs->IgnoreParenImpCasts();
auto pred = [assignKnown, numeratorKnown,
denomExtVal](const MallocOverflowCheck &Check) {
return assignKnown ||
(numeratorKnown && (denomExtVal >= Check.maxVal.getExtValue()));
};
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
Erase<DeclRefExpr>(DR, pred);
else if (const auto *ME = dyn_cast<MemberExpr>(E))
Erase<MemberExpr>(ME, pred);
}
public:
void VisitBinaryOperator(BinaryOperator *E) {
if (E->isComparisonOp()) {
const Expr * lhs = E->getLHS();
const Expr * rhs = E->getRHS();
// Ignore comparisons against zero, since they generally don't
// protect against an overflow.
if (!isIntZeroExpr(lhs) && !isIntZeroExpr(rhs)) {
CheckExpr(lhs);
CheckExpr(rhs);
}
}
if (E->isAssignmentOp())
CheckAssignmentExpr(E);
EvaluatedExprVisitor<CheckOverflowOps>::VisitBinaryOperator(E);
}
/* We specifically ignore loop conditions, because they're typically
not error checks. */
void VisitWhileStmt(WhileStmt *S) {
return this->Visit(S->getBody());
}
void VisitForStmt(ForStmt *S) {
return this->Visit(S->getBody());
}
void VisitDoStmt(DoStmt *S) {
return this->Visit(S->getBody());
}
CheckOverflowOps(theVecType &v, ASTContext &ctx)
: EvaluatedExprVisitor<CheckOverflowOps>(ctx),
toScanFor(v), Context(ctx)
{ }
};
}
// OutputPossibleOverflows - We've found a possible overflow earlier,
// now check whether Body might contain a comparison which might be
// preventing the overflow.
// This doesn't do flow analysis, range analysis, or points-to analysis; it's
// just a dumb "is there a comparison" scan. The aim here is to
// detect the most blatent cases of overflow and educate the
// programmer.
void MallocOverflowSecurityChecker::OutputPossibleOverflows(
SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
const Decl *D, BugReporter &BR, AnalysisManager &mgr) const {
// By far the most common case: nothing to check.
if (PossibleMallocOverflows.empty())
return;
// Delete any possible overflows which have a comparison.
CheckOverflowOps c(PossibleMallocOverflows, BR.getContext());
c.Visit(mgr.getAnalysisDeclContext(D)->getBody());
// Output warnings for all overflows that are left.
for (CheckOverflowOps::theVecType::iterator
i = PossibleMallocOverflows.begin(),
e = PossibleMallocOverflows.end();
i != e;
++i) {
BR.EmitBasicReport(
D, this, "malloc() size overflow", categories::UnixAPI,
"the computation of the size of the memory allocation may overflow",
PathDiagnosticLocation::createOperatorLoc(i->mulop,
BR.getSourceManager()),
i->mulop->getSourceRange());
}
}
void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D,
AnalysisManager &mgr,
BugReporter &BR) const {
CFG *cfg = mgr.getCFG(D);
if (!cfg)
return;
// A list of variables referenced in possibly overflowing malloc operands.
SmallVector<MallocOverflowCheck, 2> PossibleMallocOverflows;
for (CFG::iterator it = cfg->begin(), ei = cfg->end(); it != ei; ++it) {
CFGBlock *block = *it;
for (CFGBlock::iterator bi = block->begin(), be = block->end();
bi != be; ++bi) {
if (Optional<CFGStmt> CS = bi->getAs<CFGStmt>()) {
if (const CallExpr *TheCall = dyn_cast<CallExpr>(CS->getStmt())) {
// Get the callee.
const FunctionDecl *FD = TheCall->getDirectCallee();
if (!FD)
continue;
// Get the name of the callee. If it's a builtin, strip off the prefix.
IdentifierInfo *FnInfo = FD->getIdentifier();
if (!FnInfo)
continue;
if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) {
if (TheCall->getNumArgs() == 1)
CheckMallocArgument(PossibleMallocOverflows, TheCall,
mgr.getASTContext());
}
}
}
}
}
OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr);
}
void ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) {
mgr.registerChecker<MallocOverflowSecurityChecker>();
}
bool ento::shouldRegisterMallocOverflowSecurityChecker(const CheckerManager &mgr) {
return true;
}
|