1 // MallocOverflowSecurityChecker.cpp - Check for malloc overflows -*- C++ -*-=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker detects a common memory allocation security flaw.
10 // Suppose 'unsigned int n' comes from an untrusted source. If the
11 // code looks like 'malloc (n * 4)', and an attacker can make 'n' be
12 // say MAX_UINT/4+2, then instead of allocating the correct 'n' 4-byte
13 // elements, this will actually allocate only two because of overflow.
14 // Then when the rest of the program attempts to store values past the
15 // second element, these values will actually overwrite other items in
16 // the heap, probably allowing the attacker to execute arbitrary code.
17 //
18 //===----------------------------------------------------------------------===//
19
20 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
21 #include "clang/AST/EvaluatedExprVisitor.h"
22 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
23 #include "clang/StaticAnalyzer/Core/Checker.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
25 #include "llvm/ADT/APSInt.h"
26 #include "llvm/ADT/SmallVector.h"
27 #include <utility>
28
29 using namespace clang;
30 using namespace ento;
31 using llvm::APSInt;
32
33 namespace {
34 struct MallocOverflowCheck {
35 const BinaryOperator *mulop;
36 const Expr *variable;
37 APSInt maxVal;
38
MallocOverflowCheck__anonf243fbfe0111::MallocOverflowCheck39 MallocOverflowCheck(const BinaryOperator *m, const Expr *v, APSInt val)
40 : mulop(m), variable(v), maxVal(std::move(val)) {}
41 };
42
43 class MallocOverflowSecurityChecker : public Checker<check::ASTCodeBody> {
44 public:
45 void checkASTCodeBody(const Decl *D, AnalysisManager &mgr,
46 BugReporter &BR) const;
47
48 void CheckMallocArgument(
49 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
50 const Expr *TheArgument, ASTContext &Context) const;
51
52 void OutputPossibleOverflows(
53 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
54 const Decl *D, BugReporter &BR, AnalysisManager &mgr) const;
55
56 };
57 } // end anonymous namespace
58
59 // Return true for computations which evaluate to zero: e.g., mult by 0.
EvaluatesToZero(APSInt & Val,BinaryOperatorKind op)60 static inline bool EvaluatesToZero(APSInt &Val, BinaryOperatorKind op) {
61 return (op == BO_Mul) && (Val == 0);
62 }
63
CheckMallocArgument(SmallVectorImpl<MallocOverflowCheck> & PossibleMallocOverflows,const Expr * TheArgument,ASTContext & Context) const64 void MallocOverflowSecurityChecker::CheckMallocArgument(
65 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
66 const Expr *TheArgument,
67 ASTContext &Context) const {
68
69 /* Look for a linear combination with a single variable, and at least
70 one multiplication.
71 Reject anything that applies to the variable: an explicit cast,
72 conditional expression, an operation that could reduce the range
73 of the result, or anything too complicated :-). */
74 const Expr *e = TheArgument;
75 const BinaryOperator * mulop = nullptr;
76 APSInt maxVal;
77
78 for (;;) {
79 maxVal = 0;
80 e = e->IgnoreParenImpCasts();
81 if (const BinaryOperator *binop = dyn_cast<BinaryOperator>(e)) {
82 BinaryOperatorKind opc = binop->getOpcode();
83 // TODO: ignore multiplications by 1, reject if multiplied by 0.
84 if (mulop == nullptr && opc == BO_Mul)
85 mulop = binop;
86 if (opc != BO_Mul && opc != BO_Add && opc != BO_Sub && opc != BO_Shl)
87 return;
88
89 const Expr *lhs = binop->getLHS();
90 const Expr *rhs = binop->getRHS();
91 if (rhs->isEvaluatable(Context)) {
92 e = lhs;
93 maxVal = rhs->EvaluateKnownConstInt(Context);
94 if (EvaluatesToZero(maxVal, opc))
95 return;
96 } else if ((opc == BO_Add || opc == BO_Mul) &&
97 lhs->isEvaluatable(Context)) {
98 maxVal = lhs->EvaluateKnownConstInt(Context);
99 if (EvaluatesToZero(maxVal, opc))
100 return;
101 e = rhs;
102 } else
103 return;
104 }
105 else if (isa<DeclRefExpr>(e) || isa<MemberExpr>(e))
106 break;
107 else
108 return;
109 }
110
111 if (mulop == nullptr)
112 return;
113
114 // We've found the right structure of malloc argument, now save
115 // the data so when the body of the function is completely available
116 // we can check for comparisons.
117
118 // TODO: Could push this into the innermost scope where 'e' is
119 // defined, rather than the whole function.
120 PossibleMallocOverflows.push_back(MallocOverflowCheck(mulop, e, maxVal));
121 }
122
123 namespace {
124 // A worker class for OutputPossibleOverflows.
125 class CheckOverflowOps :
126 public EvaluatedExprVisitor<CheckOverflowOps> {
127 public:
128 typedef SmallVectorImpl<MallocOverflowCheck> theVecType;
129
130 private:
131 theVecType &toScanFor;
132 ASTContext &Context;
133
isIntZeroExpr(const Expr * E) const134 bool isIntZeroExpr(const Expr *E) const {
135 if (!E->getType()->isIntegralOrEnumerationType())
136 return false;
137 Expr::EvalResult Result;
138 if (E->EvaluateAsInt(Result, Context))
139 return Result.Val.getInt() == 0;
140 return false;
141 }
142
getDecl(const DeclRefExpr * DR)143 static const Decl *getDecl(const DeclRefExpr *DR) { return DR->getDecl(); }
getDecl(const MemberExpr * ME)144 static const Decl *getDecl(const MemberExpr *ME) {
145 return ME->getMemberDecl();
146 }
147
148 template <typename T1>
Erase(const T1 * DR,llvm::function_ref<bool (const MallocOverflowCheck &)> Pred)149 void Erase(const T1 *DR,
150 llvm::function_ref<bool(const MallocOverflowCheck &)> Pred) {
151 auto P = [DR, Pred](const MallocOverflowCheck &Check) {
152 if (const auto *CheckDR = dyn_cast<T1>(Check.variable))
153 return getDecl(CheckDR) == getDecl(DR) && Pred(Check);
154 return false;
155 };
156 toScanFor.erase(std::remove_if(toScanFor.begin(), toScanFor.end(), P),
157 toScanFor.end());
158 }
159
CheckExpr(const Expr * E_p)160 void CheckExpr(const Expr *E_p) {
161 auto PredTrue = [](const MallocOverflowCheck &) { return true; };
162 const Expr *E = E_p->IgnoreParenImpCasts();
163 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
164 Erase<DeclRefExpr>(DR, PredTrue);
165 else if (const auto *ME = dyn_cast<MemberExpr>(E)) {
166 Erase<MemberExpr>(ME, PredTrue);
167 }
168 }
169
170 // Check if the argument to malloc is assigned a value
171 // which cannot cause an overflow.
172 // e.g., malloc (mul * x) and,
173 // case 1: mul = <constant value>
174 // case 2: mul = a/b, where b > x
CheckAssignmentExpr(BinaryOperator * AssignEx)175 void CheckAssignmentExpr(BinaryOperator *AssignEx) {
176 bool assignKnown = false;
177 bool numeratorKnown = false, denomKnown = false;
178 APSInt denomVal;
179 denomVal = 0;
180
181 // Erase if the multiplicand was assigned a constant value.
182 const Expr *rhs = AssignEx->getRHS();
183 if (rhs->isEvaluatable(Context))
184 assignKnown = true;
185
186 // Discard the report if the multiplicand was assigned a value,
187 // that can never overflow after multiplication. e.g., the assignment
188 // is a division operator and the denominator is > other multiplicand.
189 const Expr *rhse = rhs->IgnoreParenImpCasts();
190 if (const BinaryOperator *BOp = dyn_cast<BinaryOperator>(rhse)) {
191 if (BOp->getOpcode() == BO_Div) {
192 const Expr *denom = BOp->getRHS()->IgnoreParenImpCasts();
193 Expr::EvalResult Result;
194 if (denom->EvaluateAsInt(Result, Context)) {
195 denomVal = Result.Val.getInt();
196 denomKnown = true;
197 }
198 const Expr *numerator = BOp->getLHS()->IgnoreParenImpCasts();
199 if (numerator->isEvaluatable(Context))
200 numeratorKnown = true;
201 }
202 }
203 if (!assignKnown && !denomKnown)
204 return;
205 auto denomExtVal = denomVal.getExtValue();
206
207 // Ignore negative denominator.
208 if (denomExtVal < 0)
209 return;
210
211 const Expr *lhs = AssignEx->getLHS();
212 const Expr *E = lhs->IgnoreParenImpCasts();
213
214 auto pred = [assignKnown, numeratorKnown,
215 denomExtVal](const MallocOverflowCheck &Check) {
216 return assignKnown ||
217 (numeratorKnown && (denomExtVal >= Check.maxVal.getExtValue()));
218 };
219
220 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(E))
221 Erase<DeclRefExpr>(DR, pred);
222 else if (const auto *ME = dyn_cast<MemberExpr>(E))
223 Erase<MemberExpr>(ME, pred);
224 }
225
226 public:
VisitBinaryOperator(BinaryOperator * E)227 void VisitBinaryOperator(BinaryOperator *E) {
228 if (E->isComparisonOp()) {
229 const Expr * lhs = E->getLHS();
230 const Expr * rhs = E->getRHS();
231 // Ignore comparisons against zero, since they generally don't
232 // protect against an overflow.
233 if (!isIntZeroExpr(lhs) && !isIntZeroExpr(rhs)) {
234 CheckExpr(lhs);
235 CheckExpr(rhs);
236 }
237 }
238 if (E->isAssignmentOp())
239 CheckAssignmentExpr(E);
240 EvaluatedExprVisitor<CheckOverflowOps>::VisitBinaryOperator(E);
241 }
242
243 /* We specifically ignore loop conditions, because they're typically
244 not error checks. */
VisitWhileStmt(WhileStmt * S)245 void VisitWhileStmt(WhileStmt *S) {
246 return this->Visit(S->getBody());
247 }
VisitForStmt(ForStmt * S)248 void VisitForStmt(ForStmt *S) {
249 return this->Visit(S->getBody());
250 }
VisitDoStmt(DoStmt * S)251 void VisitDoStmt(DoStmt *S) {
252 return this->Visit(S->getBody());
253 }
254
CheckOverflowOps(theVecType & v,ASTContext & ctx)255 CheckOverflowOps(theVecType &v, ASTContext &ctx)
256 : EvaluatedExprVisitor<CheckOverflowOps>(ctx),
257 toScanFor(v), Context(ctx)
258 { }
259 };
260 }
261
262 // OutputPossibleOverflows - We've found a possible overflow earlier,
263 // now check whether Body might contain a comparison which might be
264 // preventing the overflow.
265 // This doesn't do flow analysis, range analysis, or points-to analysis; it's
266 // just a dumb "is there a comparison" scan. The aim here is to
267 // detect the most blatent cases of overflow and educate the
268 // programmer.
OutputPossibleOverflows(SmallVectorImpl<MallocOverflowCheck> & PossibleMallocOverflows,const Decl * D,BugReporter & BR,AnalysisManager & mgr) const269 void MallocOverflowSecurityChecker::OutputPossibleOverflows(
270 SmallVectorImpl<MallocOverflowCheck> &PossibleMallocOverflows,
271 const Decl *D, BugReporter &BR, AnalysisManager &mgr) const {
272 // By far the most common case: nothing to check.
273 if (PossibleMallocOverflows.empty())
274 return;
275
276 // Delete any possible overflows which have a comparison.
277 CheckOverflowOps c(PossibleMallocOverflows, BR.getContext());
278 c.Visit(mgr.getAnalysisDeclContext(D)->getBody());
279
280 // Output warnings for all overflows that are left.
281 for (CheckOverflowOps::theVecType::iterator
282 i = PossibleMallocOverflows.begin(),
283 e = PossibleMallocOverflows.end();
284 i != e;
285 ++i) {
286 BR.EmitBasicReport(
287 D, this, "malloc() size overflow", categories::UnixAPI,
288 "the computation of the size of the memory allocation may overflow",
289 PathDiagnosticLocation::createOperatorLoc(i->mulop,
290 BR.getSourceManager()),
291 i->mulop->getSourceRange());
292 }
293 }
294
checkASTCodeBody(const Decl * D,AnalysisManager & mgr,BugReporter & BR) const295 void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D,
296 AnalysisManager &mgr,
297 BugReporter &BR) const {
298
299 CFG *cfg = mgr.getCFG(D);
300 if (!cfg)
301 return;
302
303 // A list of variables referenced in possibly overflowing malloc operands.
304 SmallVector<MallocOverflowCheck, 2> PossibleMallocOverflows;
305
306 for (CFG::iterator it = cfg->begin(), ei = cfg->end(); it != ei; ++it) {
307 CFGBlock *block = *it;
308 for (CFGBlock::iterator bi = block->begin(), be = block->end();
309 bi != be; ++bi) {
310 if (Optional<CFGStmt> CS = bi->getAs<CFGStmt>()) {
311 if (const CallExpr *TheCall = dyn_cast<CallExpr>(CS->getStmt())) {
312 // Get the callee.
313 const FunctionDecl *FD = TheCall->getDirectCallee();
314
315 if (!FD)
316 continue;
317
318 // Get the name of the callee. If it's a builtin, strip off the prefix.
319 IdentifierInfo *FnInfo = FD->getIdentifier();
320 if (!FnInfo)
321 continue;
322
323 if (FnInfo->isStr ("malloc") || FnInfo->isStr ("_MALLOC")) {
324 if (TheCall->getNumArgs() == 1)
325 CheckMallocArgument(PossibleMallocOverflows, TheCall->getArg(0),
326 mgr.getASTContext());
327 }
328 }
329 }
330 }
331 }
332
333 OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr);
334 }
335
registerMallocOverflowSecurityChecker(CheckerManager & mgr)336 void ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) {
337 mgr.registerChecker<MallocOverflowSecurityChecker>();
338 }
339
shouldRegisterMallocOverflowSecurityChecker(const CheckerManager & mgr)340 bool ento::shouldRegisterMallocOverflowSecurityChecker(const CheckerManager &mgr) {
341 return true;
342 }
343