1 //= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This defines UnixAPIChecker, which is an assortment of checks on calls 10 // to various, widely used UNIX/Posix functions. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 15 #include "clang/Basic/TargetInfo.h" 16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 17 #include "clang/StaticAnalyzer/Core/Checker.h" 18 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20 #include "llvm/ADT/Optional.h" 21 #include "llvm/ADT/STLExtras.h" 22 #include "llvm/ADT/SmallString.h" 23 #include "llvm/ADT/StringExtras.h" 24 #include "llvm/Support/raw_ostream.h" 25 26 using namespace clang; 27 using namespace ento; 28 29 enum class OpenVariant { 30 /// The standard open() call: 31 /// int open(const char *path, int oflag, ...); 32 Open, 33 34 /// The variant taking a directory file descriptor and a relative path: 35 /// int openat(int fd, const char *path, int oflag, ...); 36 OpenAt 37 }; 38 39 namespace { 40 41 class UnixAPIMisuseChecker : public Checker< check::PreStmt<CallExpr> > { 42 mutable std::unique_ptr<BugType> BT_open, BT_pthreadOnce; 43 mutable Optional<uint64_t> Val_O_CREAT; 44 45 public: 46 DefaultBool CheckMisuse, CheckPortability; 47 48 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; 49 50 void CheckOpen(CheckerContext &C, const CallExpr *CE) const; 51 void CheckOpenAt(CheckerContext &C, const CallExpr *CE) const; 52 void CheckPthreadOnce(CheckerContext &C, const CallExpr *CE) const; 53 54 void CheckOpenVariant(CheckerContext &C, 55 const CallExpr *CE, OpenVariant Variant) const; 56 57 void ReportOpenBug(CheckerContext &C, 58 ProgramStateRef State, 59 const char *Msg, 60 SourceRange SR) const; 61 62 }; 63 64 class UnixAPIPortabilityChecker : public Checker< check::PreStmt<CallExpr> > { 65 public: 66 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; 67 68 private: 69 mutable std::unique_ptr<BugType> BT_mallocZero; 70 71 void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const; 72 void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const; 73 void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const; 74 void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const; 75 void CheckAllocaZero(CheckerContext &C, const CallExpr *CE) const; 76 void CheckAllocaWithAlignZero(CheckerContext &C, const CallExpr *CE) const; 77 void CheckVallocZero(CheckerContext &C, const CallExpr *CE) const; 78 79 bool ReportZeroByteAllocation(CheckerContext &C, 80 ProgramStateRef falseState, 81 const Expr *arg, 82 const char *fn_name) const; 83 void BasicAllocationCheck(CheckerContext &C, 84 const CallExpr *CE, 85 const unsigned numArgs, 86 const unsigned sizeArg, 87 const char *fn) const; 88 }; 89 90 } //end anonymous namespace 91 92 static void LazyInitialize(const CheckerBase *Checker, 93 std::unique_ptr<BugType> &BT, 94 const char *name) { 95 if (BT) 96 return; 97 BT.reset(new BugType(Checker, name, categories::UnixAPI)); 98 } 99 100 //===----------------------------------------------------------------------===// 101 // "open" (man 2 open) 102 //===----------------------------------------------------------------------===/ 103 104 void UnixAPIMisuseChecker::checkPreStmt(const CallExpr *CE, 105 CheckerContext &C) const { 106 const FunctionDecl *FD = C.getCalleeDecl(CE); 107 if (!FD || FD->getKind() != Decl::Function) 108 return; 109 110 // Don't treat functions in namespaces with the same name a Unix function 111 // as a call to the Unix function. 112 const DeclContext *NamespaceCtx = FD->getEnclosingNamespaceContext(); 113 if (isa_and_nonnull<NamespaceDecl>(NamespaceCtx)) 114 return; 115 116 StringRef FName = C.getCalleeName(FD); 117 if (FName.empty()) 118 return; 119 120 if (FName == "open") 121 CheckOpen(C, CE); 122 123 else if (FName == "openat") 124 CheckOpenAt(C, CE); 125 126 else if (FName == "pthread_once") 127 CheckPthreadOnce(C, CE); 128 } 129 void UnixAPIMisuseChecker::ReportOpenBug(CheckerContext &C, 130 ProgramStateRef State, 131 const char *Msg, 132 SourceRange SR) const { 133 ExplodedNode *N = C.generateErrorNode(State); 134 if (!N) 135 return; 136 137 LazyInitialize(this, BT_open, "Improper use of 'open'"); 138 139 auto Report = std::make_unique<PathSensitiveBugReport>(*BT_open, Msg, N); 140 Report->addRange(SR); 141 C.emitReport(std::move(Report)); 142 } 143 144 void UnixAPIMisuseChecker::CheckOpen(CheckerContext &C, 145 const CallExpr *CE) const { 146 CheckOpenVariant(C, CE, OpenVariant::Open); 147 } 148 149 void UnixAPIMisuseChecker::CheckOpenAt(CheckerContext &C, 150 const CallExpr *CE) const { 151 CheckOpenVariant(C, CE, OpenVariant::OpenAt); 152 } 153 154 void UnixAPIMisuseChecker::CheckOpenVariant(CheckerContext &C, 155 const CallExpr *CE, 156 OpenVariant Variant) const { 157 // The index of the argument taking the flags open flags (O_RDONLY, 158 // O_WRONLY, O_CREAT, etc.), 159 unsigned int FlagsArgIndex; 160 const char *VariantName; 161 switch (Variant) { 162 case OpenVariant::Open: 163 FlagsArgIndex = 1; 164 VariantName = "open"; 165 break; 166 case OpenVariant::OpenAt: 167 FlagsArgIndex = 2; 168 VariantName = "openat"; 169 break; 170 }; 171 172 // All calls should at least provide arguments up to the 'flags' parameter. 173 unsigned int MinArgCount = FlagsArgIndex + 1; 174 175 // If the flags has O_CREAT set then open/openat() require an additional 176 // argument specifying the file mode (permission bits) for the created file. 177 unsigned int CreateModeArgIndex = FlagsArgIndex + 1; 178 179 // The create mode argument should be the last argument. 180 unsigned int MaxArgCount = CreateModeArgIndex + 1; 181 182 ProgramStateRef state = C.getState(); 183 184 if (CE->getNumArgs() < MinArgCount) { 185 // The frontend should issue a warning for this case. Just return. 186 return; 187 } else if (CE->getNumArgs() == MaxArgCount) { 188 const Expr *Arg = CE->getArg(CreateModeArgIndex); 189 QualType QT = Arg->getType(); 190 if (!QT->isIntegerType()) { 191 SmallString<256> SBuf; 192 llvm::raw_svector_ostream OS(SBuf); 193 OS << "The " << CreateModeArgIndex + 1 194 << llvm::getOrdinalSuffix(CreateModeArgIndex + 1) 195 << " argument to '" << VariantName << "' is not an integer"; 196 197 ReportOpenBug(C, state, 198 SBuf.c_str(), 199 Arg->getSourceRange()); 200 return; 201 } 202 } else if (CE->getNumArgs() > MaxArgCount) { 203 SmallString<256> SBuf; 204 llvm::raw_svector_ostream OS(SBuf); 205 OS << "Call to '" << VariantName << "' with more than " << MaxArgCount 206 << " arguments"; 207 208 ReportOpenBug(C, state, 209 SBuf.c_str(), 210 CE->getArg(MaxArgCount)->getSourceRange()); 211 return; 212 } 213 214 // The definition of O_CREAT is platform specific. We need a better way 215 // of querying this information from the checking environment. 216 if (!Val_O_CREAT.hasValue()) { 217 if (C.getASTContext().getTargetInfo().getTriple().getVendor() 218 == llvm::Triple::Apple) 219 Val_O_CREAT = 0x0200; 220 else { 221 // FIXME: We need a more general way of getting the O_CREAT value. 222 // We could possibly grovel through the preprocessor state, but 223 // that would require passing the Preprocessor object to the ExprEngine. 224 // See also: MallocChecker.cpp / M_ZERO. 225 return; 226 } 227 } 228 229 // Now check if oflags has O_CREAT set. 230 const Expr *oflagsEx = CE->getArg(FlagsArgIndex); 231 const SVal V = C.getSVal(oflagsEx); 232 if (!V.getAs<NonLoc>()) { 233 // The case where 'V' can be a location can only be due to a bad header, 234 // so in this case bail out. 235 return; 236 } 237 NonLoc oflags = V.castAs<NonLoc>(); 238 NonLoc ocreateFlag = C.getSValBuilder() 239 .makeIntVal(Val_O_CREAT.getValue(), oflagsEx->getType()).castAs<NonLoc>(); 240 SVal maskedFlagsUC = C.getSValBuilder().evalBinOpNN(state, BO_And, 241 oflags, ocreateFlag, 242 oflagsEx->getType()); 243 if (maskedFlagsUC.isUnknownOrUndef()) 244 return; 245 DefinedSVal maskedFlags = maskedFlagsUC.castAs<DefinedSVal>(); 246 247 // Check if maskedFlags is non-zero. 248 ProgramStateRef trueState, falseState; 249 std::tie(trueState, falseState) = state->assume(maskedFlags); 250 251 // Only emit an error if the value of 'maskedFlags' is properly 252 // constrained; 253 if (!(trueState && !falseState)) 254 return; 255 256 if (CE->getNumArgs() < MaxArgCount) { 257 SmallString<256> SBuf; 258 llvm::raw_svector_ostream OS(SBuf); 259 OS << "Call to '" << VariantName << "' requires a " 260 << CreateModeArgIndex + 1 261 << llvm::getOrdinalSuffix(CreateModeArgIndex + 1) 262 << " argument when the 'O_CREAT' flag is set"; 263 ReportOpenBug(C, trueState, 264 SBuf.c_str(), 265 oflagsEx->getSourceRange()); 266 } 267 } 268 269 //===----------------------------------------------------------------------===// 270 // pthread_once 271 //===----------------------------------------------------------------------===// 272 273 void UnixAPIMisuseChecker::CheckPthreadOnce(CheckerContext &C, 274 const CallExpr *CE) const { 275 276 // This is similar to 'CheckDispatchOnce' in the MacOSXAPIChecker. 277 // They can possibly be refactored. 278 279 if (CE->getNumArgs() < 1) 280 return; 281 282 // Check if the first argument is stack allocated. If so, issue a warning 283 // because that's likely to be bad news. 284 ProgramStateRef state = C.getState(); 285 const MemRegion *R = C.getSVal(CE->getArg(0)).getAsRegion(); 286 if (!R || !isa<StackSpaceRegion>(R->getMemorySpace())) 287 return; 288 289 ExplodedNode *N = C.generateErrorNode(state); 290 if (!N) 291 return; 292 293 SmallString<256> S; 294 llvm::raw_svector_ostream os(S); 295 os << "Call to 'pthread_once' uses"; 296 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) 297 os << " the local variable '" << VR->getDecl()->getName() << '\''; 298 else 299 os << " stack allocated memory"; 300 os << " for the \"control\" value. Using such transient memory for " 301 "the control value is potentially dangerous."; 302 if (isa<VarRegion>(R) && isa<StackLocalsSpaceRegion>(R->getMemorySpace())) 303 os << " Perhaps you intended to declare the variable as 'static'?"; 304 305 LazyInitialize(this, BT_pthreadOnce, "Improper use of 'pthread_once'"); 306 307 auto report = 308 std::make_unique<PathSensitiveBugReport>(*BT_pthreadOnce, os.str(), N); 309 report->addRange(CE->getArg(0)->getSourceRange()); 310 C.emitReport(std::move(report)); 311 } 312 313 //===----------------------------------------------------------------------===// 314 // "calloc", "malloc", "realloc", "reallocf", "alloca" and "valloc" 315 // with allocation size 0 316 //===----------------------------------------------------------------------===// 317 318 // FIXME: Eventually these should be rolled into the MallocChecker, but right now 319 // they're more basic and valuable for widespread use. 320 321 // Returns true if we try to do a zero byte allocation, false otherwise. 322 // Fills in trueState and falseState. 323 static bool IsZeroByteAllocation(ProgramStateRef state, 324 const SVal argVal, 325 ProgramStateRef *trueState, 326 ProgramStateRef *falseState) { 327 std::tie(*trueState, *falseState) = 328 state->assume(argVal.castAs<DefinedSVal>()); 329 330 return (*falseState && !*trueState); 331 } 332 333 // Generates an error report, indicating that the function whose name is given 334 // will perform a zero byte allocation. 335 // Returns false if an error occurred, true otherwise. 336 bool UnixAPIPortabilityChecker::ReportZeroByteAllocation( 337 CheckerContext &C, 338 ProgramStateRef falseState, 339 const Expr *arg, 340 const char *fn_name) const { 341 ExplodedNode *N = C.generateErrorNode(falseState); 342 if (!N) 343 return false; 344 345 LazyInitialize(this, BT_mallocZero, 346 "Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)"); 347 348 SmallString<256> S; 349 llvm::raw_svector_ostream os(S); 350 os << "Call to '" << fn_name << "' has an allocation size of 0 bytes"; 351 auto report = 352 std::make_unique<PathSensitiveBugReport>(*BT_mallocZero, os.str(), N); 353 354 report->addRange(arg->getSourceRange()); 355 bugreporter::trackExpressionValue(N, arg, *report); 356 C.emitReport(std::move(report)); 357 358 return true; 359 } 360 361 // Does a basic check for 0-sized allocations suitable for most of the below 362 // functions (modulo "calloc") 363 void UnixAPIPortabilityChecker::BasicAllocationCheck(CheckerContext &C, 364 const CallExpr *CE, 365 const unsigned numArgs, 366 const unsigned sizeArg, 367 const char *fn) const { 368 // Check for the correct number of arguments. 369 if (CE->getNumArgs() != numArgs) 370 return; 371 372 // Check if the allocation size is 0. 373 ProgramStateRef state = C.getState(); 374 ProgramStateRef trueState = nullptr, falseState = nullptr; 375 const Expr *arg = CE->getArg(sizeArg); 376 SVal argVal = C.getSVal(arg); 377 378 if (argVal.isUnknownOrUndef()) 379 return; 380 381 // Is the value perfectly constrained to zero? 382 if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) { 383 (void) ReportZeroByteAllocation(C, falseState, arg, fn); 384 return; 385 } 386 // Assume the value is non-zero going forward. 387 assert(trueState); 388 if (trueState != state) 389 C.addTransition(trueState); 390 } 391 392 void UnixAPIPortabilityChecker::CheckCallocZero(CheckerContext &C, 393 const CallExpr *CE) const { 394 unsigned int nArgs = CE->getNumArgs(); 395 if (nArgs != 2) 396 return; 397 398 ProgramStateRef state = C.getState(); 399 ProgramStateRef trueState = nullptr, falseState = nullptr; 400 401 unsigned int i; 402 for (i = 0; i < nArgs; i++) { 403 const Expr *arg = CE->getArg(i); 404 SVal argVal = C.getSVal(arg); 405 if (argVal.isUnknownOrUndef()) { 406 if (i == 0) 407 continue; 408 else 409 return; 410 } 411 412 if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) { 413 if (ReportZeroByteAllocation(C, falseState, arg, "calloc")) 414 return; 415 else if (i == 0) 416 continue; 417 else 418 return; 419 } 420 } 421 422 // Assume the value is non-zero going forward. 423 assert(trueState); 424 if (trueState != state) 425 C.addTransition(trueState); 426 } 427 428 void UnixAPIPortabilityChecker::CheckMallocZero(CheckerContext &C, 429 const CallExpr *CE) const { 430 BasicAllocationCheck(C, CE, 1, 0, "malloc"); 431 } 432 433 void UnixAPIPortabilityChecker::CheckReallocZero(CheckerContext &C, 434 const CallExpr *CE) const { 435 BasicAllocationCheck(C, CE, 2, 1, "realloc"); 436 } 437 438 void UnixAPIPortabilityChecker::CheckReallocfZero(CheckerContext &C, 439 const CallExpr *CE) const { 440 BasicAllocationCheck(C, CE, 2, 1, "reallocf"); 441 } 442 443 void UnixAPIPortabilityChecker::CheckAllocaZero(CheckerContext &C, 444 const CallExpr *CE) const { 445 BasicAllocationCheck(C, CE, 1, 0, "alloca"); 446 } 447 448 void UnixAPIPortabilityChecker::CheckAllocaWithAlignZero( 449 CheckerContext &C, 450 const CallExpr *CE) const { 451 BasicAllocationCheck(C, CE, 2, 0, "__builtin_alloca_with_align"); 452 } 453 454 void UnixAPIPortabilityChecker::CheckVallocZero(CheckerContext &C, 455 const CallExpr *CE) const { 456 BasicAllocationCheck(C, CE, 1, 0, "valloc"); 457 } 458 459 void UnixAPIPortabilityChecker::checkPreStmt(const CallExpr *CE, 460 CheckerContext &C) const { 461 const FunctionDecl *FD = C.getCalleeDecl(CE); 462 if (!FD || FD->getKind() != Decl::Function) 463 return; 464 465 // Don't treat functions in namespaces with the same name a Unix function 466 // as a call to the Unix function. 467 const DeclContext *NamespaceCtx = FD->getEnclosingNamespaceContext(); 468 if (isa_and_nonnull<NamespaceDecl>(NamespaceCtx)) 469 return; 470 471 StringRef FName = C.getCalleeName(FD); 472 if (FName.empty()) 473 return; 474 475 if (FName == "calloc") 476 CheckCallocZero(C, CE); 477 478 else if (FName == "malloc") 479 CheckMallocZero(C, CE); 480 481 else if (FName == "realloc") 482 CheckReallocZero(C, CE); 483 484 else if (FName == "reallocf") 485 CheckReallocfZero(C, CE); 486 487 else if (FName == "alloca" || FName == "__builtin_alloca") 488 CheckAllocaZero(C, CE); 489 490 else if (FName == "__builtin_alloca_with_align") 491 CheckAllocaWithAlignZero(C, CE); 492 493 else if (FName == "valloc") 494 CheckVallocZero(C, CE); 495 } 496 497 //===----------------------------------------------------------------------===// 498 // Registration. 499 //===----------------------------------------------------------------------===// 500 501 #define REGISTER_CHECKER(CHECKERNAME) \ 502 void ento::register##CHECKERNAME(CheckerManager &mgr) { \ 503 mgr.registerChecker<CHECKERNAME>(); \ 504 } \ 505 \ 506 bool ento::shouldRegister##CHECKERNAME(const CheckerManager &mgr) { \ 507 return true; \ 508 } 509 510 REGISTER_CHECKER(UnixAPIMisuseChecker) 511 REGISTER_CHECKER(UnixAPIPortabilityChecker) 512