2009-07-23 09:07:19 +08:00
|
|
|
//==- CheckSecuritySyntaxOnly.cpp - Basic security checks --------*- C++ -*-==//
|
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2009-07-23 09:07:19 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
//
|
|
|
|
|
// This file defines a set of flow-insensitive security checks.
|
|
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
[analyzer][NFC] Move CheckerRegistry from the Core directory to Frontend
ClangCheckerRegistry is a very non-obvious, poorly documented, weird concept.
It derives from CheckerRegistry, and is placed in lib/StaticAnalyzer/Frontend,
whereas it's base is located in lib/StaticAnalyzer/Core. It was, from what I can
imagine, used to circumvent the problem that the registry functions of the
checkers are located in the clangStaticAnalyzerCheckers library, but that
library depends on clangStaticAnalyzerCore. However, clangStaticAnalyzerFrontend
depends on both of those libraries.
One can make the observation however, that CheckerRegistry has no place in Core,
it isn't used there at all! The only place where it is used is Frontend, which
is where it ultimately belongs.
This move implies that since
include/clang/StaticAnalyzer/Checkers/ClangCheckers.h only contained a single function:
class CheckerRegistry;
void registerBuiltinCheckers(CheckerRegistry ®istry);
it had to re purposed, as CheckerRegistry is no longer available to
clangStaticAnalyzerCheckers. It was renamed to BuiltinCheckerRegistration.h,
which actually describes it a lot better -- it does not contain the registration
functions for checkers, but only those generated by the tblgen files.
Differential Revision: https://reviews.llvm.org/D54436
llvm-svn: 349275
2018-12-16 00:23:51 +08:00
|
|
|
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
|
2011-09-21 05:38:35 +08:00
|
|
|
#include "clang/AST/StmtVisitor.h"
|
2017-09-07 05:45:03 +08:00
|
|
|
#include "clang/Analysis/AnalysisDeclContext.h"
|
2011-09-21 05:38:35 +08:00
|
|
|
#include "clang/Basic/TargetInfo.h"
|
2011-02-10 09:03:03 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
|
2012-12-04 17:13:33 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/Checker.h"
|
2011-09-21 05:38:35 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
|
2012-02-04 21:45:25 +08:00
|
|
|
#include "llvm/ADT/SmallString.h"
|
2011-04-03 13:07:11 +08:00
|
|
|
#include "llvm/ADT/StringSwitch.h"
|
2011-09-21 05:38:35 +08:00
|
|
|
#include "llvm/Support/raw_ostream.h"
|
2009-07-23 09:07:19 +08:00
|
|
|
|
|
|
|
|
using namespace clang;
|
2010-12-23 15:20:52 +08:00
|
|
|
using namespace ento;
|
2009-07-23 09:07:19 +08:00
|
|
|
|
2010-01-15 16:20:31 +08:00
|
|
|
static bool isArc4RandomAvailable(const ASTContext &Ctx) {
|
2011-09-02 08:18:52 +08:00
|
|
|
const llvm::Triple &T = Ctx.getTargetInfo().getTriple();
|
2010-01-15 16:20:31 +08:00
|
|
|
return T.getVendor() == llvm::Triple::Apple ||
|
2015-03-11 16:48:55 +08:00
|
|
|
T.getOS() == llvm::Triple::CloudABI ||
|
2018-12-20 21:09:30 +08:00
|
|
|
T.isOSFreeBSD() ||
|
|
|
|
|
T.isOSNetBSD() ||
|
|
|
|
|
T.isOSOpenBSD() ||
|
|
|
|
|
T.isOSDragonFly();
|
2010-01-15 16:20:31 +08:00
|
|
|
}
|
|
|
|
|
|
2009-07-23 09:07:19 +08:00
|
|
|
namespace {
|
2012-01-20 09:44:29 +08:00
|
|
|
struct ChecksFilter {
|
2018-05-26 08:04:26 +08:00
|
|
|
DefaultBool check_bcmp;
|
|
|
|
|
DefaultBool check_bcopy;
|
|
|
|
|
DefaultBool check_bzero;
|
2012-01-20 09:44:29 +08:00
|
|
|
DefaultBool check_gets;
|
|
|
|
|
DefaultBool check_getpw;
|
|
|
|
|
DefaultBool check_mktemp;
|
2012-01-20 13:35:06 +08:00
|
|
|
DefaultBool check_mkstemp;
|
2012-01-20 09:44:29 +08:00
|
|
|
DefaultBool check_strcpy;
|
2019-02-11 21:46:43 +08:00
|
|
|
DefaultBool check_DeprecatedOrUnsafeBufferHandling;
|
2012-01-20 09:44:29 +08:00
|
|
|
DefaultBool check_rand;
|
|
|
|
|
DefaultBool check_vfork;
|
|
|
|
|
DefaultBool check_FloatLoopCounter;
|
2012-01-20 13:35:06 +08:00
|
|
|
DefaultBool check_UncheckedReturn;
|
2019-12-20 06:21:02 +08:00
|
|
|
DefaultBool check_decodeValueOfObjCType;
|
2014-02-12 05:49:21 +08:00
|
|
|
|
2019-09-13 03:09:24 +08:00
|
|
|
CheckerNameRef checkName_bcmp;
|
|
|
|
|
CheckerNameRef checkName_bcopy;
|
|
|
|
|
CheckerNameRef checkName_bzero;
|
|
|
|
|
CheckerNameRef checkName_gets;
|
|
|
|
|
CheckerNameRef checkName_getpw;
|
|
|
|
|
CheckerNameRef checkName_mktemp;
|
|
|
|
|
CheckerNameRef checkName_mkstemp;
|
|
|
|
|
CheckerNameRef checkName_strcpy;
|
|
|
|
|
CheckerNameRef checkName_DeprecatedOrUnsafeBufferHandling;
|
|
|
|
|
CheckerNameRef checkName_rand;
|
|
|
|
|
CheckerNameRef checkName_vfork;
|
|
|
|
|
CheckerNameRef checkName_FloatLoopCounter;
|
|
|
|
|
CheckerNameRef checkName_UncheckedReturn;
|
2019-12-20 06:21:02 +08:00
|
|
|
CheckerNameRef checkName_decodeValueOfObjCType;
|
2012-01-20 09:44:29 +08:00
|
|
|
};
|
2014-02-12 05:49:21 +08:00
|
|
|
|
2009-11-28 14:07:30 +08:00
|
|
|
class WalkAST : public StmtVisitor<WalkAST> {
|
2009-09-09 23:08:12 +08:00
|
|
|
BugReporter &BR;
|
2011-10-24 09:32:45 +08:00
|
|
|
AnalysisDeclContext* AC;
|
2009-09-02 10:47:41 +08:00
|
|
|
enum { num_setids = 6 };
|
|
|
|
|
IdentifierInfo *II_setid[num_setids];
|
2010-03-25 06:39:47 +08:00
|
|
|
|
2010-01-15 16:20:31 +08:00
|
|
|
const bool CheckRand;
|
2012-01-20 09:44:29 +08:00
|
|
|
const ChecksFilter &filter;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-23 09:07:19 +08:00
|
|
|
public:
|
2012-01-20 09:44:29 +08:00
|
|
|
WalkAST(BugReporter &br, AnalysisDeclContext* ac,
|
|
|
|
|
const ChecksFilter &f)
|
2011-09-21 05:38:35 +08:00
|
|
|
: BR(br), AC(ac), II_setid(),
|
2012-01-20 09:44:29 +08:00
|
|
|
CheckRand(isArc4RandomAvailable(BR.getContext())),
|
|
|
|
|
filter(f) {}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-23 09:07:19 +08:00
|
|
|
// Statement visitor methods.
|
2009-07-24 06:29:41 +08:00
|
|
|
void VisitCallExpr(CallExpr *CE);
|
2019-12-20 06:21:02 +08:00
|
|
|
void VisitObjCMessageExpr(ObjCMessageExpr *CE);
|
2009-07-23 09:07:19 +08:00
|
|
|
void VisitForStmt(ForStmt *S);
|
2009-08-28 08:08:09 +08:00
|
|
|
void VisitCompoundStmt (CompoundStmt *S);
|
2009-07-24 05:34:35 +08:00
|
|
|
void VisitStmt(Stmt *S) { VisitChildren(S); }
|
2009-07-23 09:07:19 +08:00
|
|
|
|
|
|
|
|
void VisitChildren(Stmt *S);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
// Helpers.
|
2011-04-06 04:18:46 +08:00
|
|
|
bool checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2015-11-27 06:08:58 +08:00
|
|
|
typedef void (WalkAST::*FnCheck)(const CallExpr *, const FunctionDecl *);
|
2019-12-20 06:21:02 +08:00
|
|
|
typedef void (WalkAST::*MsgCheck)(const ObjCMessageExpr *);
|
2011-04-03 13:07:11 +08:00
|
|
|
|
2009-07-23 09:07:19 +08:00
|
|
|
// Checker-specific methods.
|
2011-04-06 04:18:46 +08:00
|
|
|
void checkLoopConditionForFloat(const ForStmt *FS);
|
2018-05-26 08:04:26 +08:00
|
|
|
void checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD);
|
|
|
|
|
void checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD);
|
|
|
|
|
void checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD);
|
2011-04-06 04:18:46 +08:00
|
|
|
void checkCall_gets(const CallExpr *CE, const FunctionDecl *FD);
|
|
|
|
|
void checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD);
|
|
|
|
|
void checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD);
|
2012-01-20 13:35:06 +08:00
|
|
|
void checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD);
|
2011-04-06 04:18:46 +08:00
|
|
|
void checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD);
|
|
|
|
|
void checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD);
|
2019-02-11 21:46:43 +08:00
|
|
|
void checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE,
|
|
|
|
|
const FunctionDecl *FD);
|
2011-04-06 04:18:46 +08:00
|
|
|
void checkCall_rand(const CallExpr *CE, const FunctionDecl *FD);
|
|
|
|
|
void checkCall_random(const CallExpr *CE, const FunctionDecl *FD);
|
2011-10-11 12:34:54 +08:00
|
|
|
void checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD);
|
2019-12-20 06:21:02 +08:00
|
|
|
void checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME);
|
2011-04-06 04:18:46 +08:00
|
|
|
void checkUncheckedReturnValue(CallExpr *CE);
|
2009-07-23 09:07:19 +08:00
|
|
|
};
|
|
|
|
|
} // end anonymous namespace
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// AST walking.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::VisitChildren(Stmt *S) {
|
2015-07-03 23:12:24 +08:00
|
|
|
for (Stmt *Child : S->children())
|
|
|
|
|
if (Child)
|
|
|
|
|
Visit(Child);
|
2009-07-23 09:07:19 +08:00
|
|
|
}
|
|
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
void WalkAST::VisitCallExpr(CallExpr *CE) {
|
2015-09-08 11:50:52 +08:00
|
|
|
// Get the callee.
|
2011-04-03 13:07:11 +08:00
|
|
|
const FunctionDecl *FD = CE->getDirectCallee();
|
|
|
|
|
|
|
|
|
|
if (!FD)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Get the name of the callee. If it's a builtin, strip off the prefix.
|
|
|
|
|
IdentifierInfo *II = FD->getIdentifier();
|
|
|
|
|
if (!II) // if no identifier, not a simple C function
|
|
|
|
|
return;
|
2011-07-23 18:55:15 +08:00
|
|
|
StringRef Name = II->getName();
|
2011-04-03 13:07:11 +08:00
|
|
|
if (Name.startswith("__builtin_"))
|
|
|
|
|
Name = Name.substr(10);
|
|
|
|
|
|
|
|
|
|
// Set the evaluation function by switching on the callee name.
|
|
|
|
|
FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
|
2018-05-26 08:04:26 +08:00
|
|
|
.Case("bcmp", &WalkAST::checkCall_bcmp)
|
|
|
|
|
.Case("bcopy", &WalkAST::checkCall_bcopy)
|
|
|
|
|
.Case("bzero", &WalkAST::checkCall_bzero)
|
2011-04-06 04:18:46 +08:00
|
|
|
.Case("gets", &WalkAST::checkCall_gets)
|
|
|
|
|
.Case("getpw", &WalkAST::checkCall_getpw)
|
|
|
|
|
.Case("mktemp", &WalkAST::checkCall_mktemp)
|
2012-01-20 13:35:06 +08:00
|
|
|
.Case("mkstemp", &WalkAST::checkCall_mkstemp)
|
|
|
|
|
.Case("mkdtemp", &WalkAST::checkCall_mkstemp)
|
|
|
|
|
.Case("mkstemps", &WalkAST::checkCall_mkstemp)
|
2011-04-06 04:18:46 +08:00
|
|
|
.Cases("strcpy", "__strcpy_chk", &WalkAST::checkCall_strcpy)
|
|
|
|
|
.Cases("strcat", "__strcat_chk", &WalkAST::checkCall_strcat)
|
2019-02-11 21:46:43 +08:00
|
|
|
.Cases("sprintf", "vsprintf", "scanf", "wscanf", "fscanf", "fwscanf",
|
|
|
|
|
"vscanf", "vwscanf", "vfscanf", "vfwscanf",
|
|
|
|
|
&WalkAST::checkDeprecatedOrUnsafeBufferHandling)
|
|
|
|
|
.Cases("sscanf", "swscanf", "vsscanf", "vswscanf", "swprintf",
|
|
|
|
|
"snprintf", "vswprintf", "vsnprintf", "memcpy", "memmove",
|
|
|
|
|
&WalkAST::checkDeprecatedOrUnsafeBufferHandling)
|
|
|
|
|
.Cases("strncpy", "strncat", "memset",
|
|
|
|
|
&WalkAST::checkDeprecatedOrUnsafeBufferHandling)
|
2011-04-06 04:18:46 +08:00
|
|
|
.Case("drand48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("erand48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("jrand48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("lrand48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("mrand48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("nrand48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("lcong48", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("rand", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("rand_r", &WalkAST::checkCall_rand)
|
|
|
|
|
.Case("random", &WalkAST::checkCall_random)
|
2011-10-11 12:34:54 +08:00
|
|
|
.Case("vfork", &WalkAST::checkCall_vfork)
|
2014-05-27 10:45:47 +08:00
|
|
|
.Default(nullptr);
|
2011-04-03 13:07:11 +08:00
|
|
|
|
|
|
|
|
// If the callee isn't defined, it is not of security concern.
|
|
|
|
|
// Check and evaluate the call.
|
|
|
|
|
if (evalFunction)
|
|
|
|
|
(this->*evalFunction)(CE, FD);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
// Recurse and check children.
|
|
|
|
|
VisitChildren(CE);
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-20 06:21:02 +08:00
|
|
|
void WalkAST::VisitObjCMessageExpr(ObjCMessageExpr *ME) {
|
|
|
|
|
MsgCheck evalFunction =
|
|
|
|
|
llvm::StringSwitch<MsgCheck>(ME->getSelector().getAsString())
|
|
|
|
|
.Case("decodeValueOfObjCType:at:",
|
|
|
|
|
&WalkAST::checkMsg_decodeValueOfObjCType)
|
|
|
|
|
.Default(nullptr);
|
|
|
|
|
|
|
|
|
|
if (evalFunction)
|
|
|
|
|
(this->*evalFunction)(ME);
|
|
|
|
|
|
|
|
|
|
// Recurse and check children.
|
|
|
|
|
VisitChildren(ME);
|
|
|
|
|
}
|
|
|
|
|
|
2009-08-28 08:08:09 +08:00
|
|
|
void WalkAST::VisitCompoundStmt(CompoundStmt *S) {
|
2015-07-03 23:12:24 +08:00
|
|
|
for (Stmt *Child : S->children())
|
|
|
|
|
if (Child) {
|
|
|
|
|
if (CallExpr *CE = dyn_cast<CallExpr>(Child))
|
2011-04-06 04:18:46 +08:00
|
|
|
checkUncheckedReturnValue(CE);
|
2015-07-03 23:12:24 +08:00
|
|
|
Visit(Child);
|
2009-09-09 23:08:12 +08:00
|
|
|
}
|
2009-08-28 08:08:09 +08:00
|
|
|
}
|
|
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
void WalkAST::VisitForStmt(ForStmt *FS) {
|
2011-04-06 04:18:46 +08:00
|
|
|
checkLoopConditionForFloat(FS);
|
2009-07-23 09:07:19 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Recurse and check children.
|
|
|
|
|
VisitChildren(FS);
|
2009-07-23 09:07:19 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
Misc typos fixes in ./lib folder
Summary: Found via `codespell -q 3 -I ../clang-whitelist.txt -L uint,importd,crasher,gonna,cant,ue,ons,orign,ned`
Reviewers: teemperor
Reviewed By: teemperor
Subscribers: teemperor, jholewinski, jvesely, nhaehnle, whisperity, jfb, cfe-commits
Differential Revision: https://reviews.llvm.org/D55475
llvm-svn: 348755
2018-12-10 20:37:46 +08:00
|
|
|
// Check: floating point variable used as loop counter.
|
2009-07-24 05:44:18 +08:00
|
|
|
// Originally: <rdar://problem/6336718>
|
|
|
|
|
// Implements: CERT security coding advisory FLP-30.
|
2009-07-23 09:07:19 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2019-08-29 02:44:38 +08:00
|
|
|
// Returns either 'x' or 'y', depending on which one of them is incremented
|
|
|
|
|
// in 'expr', or nullptr if none of them is incremented.
|
2009-07-24 05:34:35 +08:00
|
|
|
static const DeclRefExpr*
|
2011-04-06 04:18:46 +08:00
|
|
|
getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) {
|
2009-07-24 05:34:35 +08:00
|
|
|
expr = expr->IgnoreParenCasts();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
|
|
|
|
if (const BinaryOperator *B = dyn_cast<BinaryOperator>(expr)) {
|
2009-07-24 05:34:35 +08:00
|
|
|
if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() ||
|
2010-08-25 19:45:40 +08:00
|
|
|
B->getOpcode() == BO_Comma))
|
2014-05-27 10:45:47 +08:00
|
|
|
return nullptr;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
if (const DeclRefExpr *lhs = getIncrementedVar(B->getLHS(), x, y))
|
2009-07-24 05:34:35 +08:00
|
|
|
return lhs;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
if (const DeclRefExpr *rhs = getIncrementedVar(B->getRHS(), x, y))
|
2009-07-24 05:34:35 +08:00
|
|
|
return rhs;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2014-05-27 10:45:47 +08:00
|
|
|
return nullptr;
|
2009-07-23 09:07:19 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(expr)) {
|
|
|
|
|
const NamedDecl *ND = DR->getDecl();
|
2014-05-27 10:45:47 +08:00
|
|
|
return ND == x || ND == y ? DR : nullptr;
|
2009-07-24 05:34:35 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
if (const UnaryOperator *U = dyn_cast<UnaryOperator>(expr))
|
|
|
|
|
return U->isIncrementDecrementOp()
|
2014-05-27 10:45:47 +08:00
|
|
|
? getIncrementedVar(U->getSubExpr(), x, y) : nullptr;
|
2009-07-24 05:34:35 +08:00
|
|
|
|
2014-05-27 10:45:47 +08:00
|
|
|
return nullptr;
|
2009-07-23 09:07:19 +08:00
|
|
|
}
|
|
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
/// CheckLoopConditionForFloat - This check looks for 'for' statements that
|
|
|
|
|
/// use a floating point variable as a loop counter.
|
|
|
|
|
/// CERT: FLP30-C, FLP30-CPP.
|
|
|
|
|
///
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkLoopConditionForFloat(const ForStmt *FS) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_FloatLoopCounter)
|
|
|
|
|
return;
|
|
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Does the loop have a condition?
|
|
|
|
|
const Expr *condition = FS->getCond();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
if (!condition)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Does the loop have an increment?
|
|
|
|
|
const Expr *increment = FS->getInc();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
if (!increment)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Strip away '()' and casts.
|
|
|
|
|
condition = condition->IgnoreParenCasts();
|
|
|
|
|
increment = increment->IgnoreParenCasts();
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Is the loop condition a comparison?
|
|
|
|
|
const BinaryOperator *B = dyn_cast<BinaryOperator>(condition);
|
|
|
|
|
|
|
|
|
|
if (!B)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-25 04:26:31 +08:00
|
|
|
// Is this a comparison?
|
|
|
|
|
if (!(B->isRelationalOp() || B->isEqualityOp()))
|
2009-07-24 05:34:35 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Are we comparing variables?
|
2010-12-04 11:47:34 +08:00
|
|
|
const DeclRefExpr *drLHS =
|
|
|
|
|
dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenLValueCasts());
|
|
|
|
|
const DeclRefExpr *drRHS =
|
|
|
|
|
dyn_cast<DeclRefExpr>(B->getRHS()->IgnoreParenLValueCasts());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-25 04:26:31 +08:00
|
|
|
// Does at least one of the variables have a floating point type?
|
2014-05-27 10:45:47 +08:00
|
|
|
drLHS = drLHS && drLHS->getType()->isRealFloatingType() ? drLHS : nullptr;
|
|
|
|
|
drRHS = drRHS && drRHS->getType()->isRealFloatingType() ? drRHS : nullptr;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
if (!drLHS && !drRHS)
|
|
|
|
|
return;
|
|
|
|
|
|
2014-05-27 10:45:47 +08:00
|
|
|
const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : nullptr;
|
|
|
|
|
const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : nullptr;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
if (!vdLHS && !vdRHS)
|
2009-09-09 23:08:12 +08:00
|
|
|
return;
|
|
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Does either variable appear in increment?
|
2011-04-06 04:18:46 +08:00
|
|
|
const DeclRefExpr *drInc = getIncrementedVar(increment, vdLHS, vdRHS);
|
2009-07-24 05:34:35 +08:00
|
|
|
if (!drInc)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2019-08-29 02:44:38 +08:00
|
|
|
const VarDecl *vdInc = cast<VarDecl>(drInc->getDecl());
|
|
|
|
|
assert(vdInc && (vdInc == vdLHS || vdInc == vdRHS));
|
|
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
// Emit the error. First figure out which DeclRefExpr in the condition
|
|
|
|
|
// referenced the compared variable.
|
2019-08-29 02:44:38 +08:00
|
|
|
const DeclRefExpr *drCond = vdLHS == vdInc ? drLHS : drRHS;
|
2009-07-24 05:34:35 +08:00
|
|
|
|
2011-07-23 18:55:15 +08:00
|
|
|
SmallVector<SourceRange, 2> ranges;
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<256> sbuf;
|
2010-03-25 06:39:47 +08:00
|
|
|
llvm::raw_svector_ostream os(sbuf);
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2010-08-18 06:39:59 +08:00
|
|
|
os << "Variable '" << drCond->getDecl()->getName()
|
2009-07-24 05:34:35 +08:00
|
|
|
<< "' with floating point type '" << drCond->getType().getAsString()
|
|
|
|
|
<< "' should not be used as a loop counter";
|
|
|
|
|
|
|
|
|
|
ranges.push_back(drCond->getSourceRange());
|
|
|
|
|
ranges.push_back(drInc->getSourceRange());
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 05:34:35 +08:00
|
|
|
const char *bugType = "Floating point variable used as loop counter";
|
2011-09-21 05:38:35 +08:00
|
|
|
|
|
|
|
|
PathDiagnosticLocation FSLoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(FS, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_FloatLoopCounter,
|
2012-04-05 02:11:35 +08:00
|
|
|
bugType, "Security", os.str(),
|
2013-10-08 01:16:59 +08:00
|
|
|
FSLoc, ranges);
|
2009-07-23 09:07:19 +08:00
|
|
|
}
|
|
|
|
|
|
2018-05-26 08:04:26 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of bcmp.
|
|
|
|
|
// CWE-477: Use of Obsolete Functions
|
|
|
|
|
// bcmp was deprecated in POSIX.1-2008
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD) {
|
|
|
|
|
if (!filter.check_bcmp)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
|
|
|
|
if (!FPT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify that the function takes three arguments.
|
|
|
|
|
if (FPT->getNumParams() != 3)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < 2; i++) {
|
|
|
|
|
// Verify the first and second argument type is void*.
|
|
|
|
|
const PointerType *PT = FPT->getParamType(i)->getAs<PointerType>();
|
|
|
|
|
if (!PT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy)
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify the third argument type is integer.
|
|
|
|
|
if (!FPT->getParamType(2)->isIntegralOrUnscopedEnumerationType())
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning.
|
|
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
|
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_bcmp,
|
|
|
|
|
"Use of deprecated function in call to 'bcmp()'",
|
|
|
|
|
"Security",
|
|
|
|
|
"The bcmp() function is obsoleted by memcmp().",
|
|
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of bcopy.
|
|
|
|
|
// CWE-477: Use of Obsolete Functions
|
|
|
|
|
// bcopy was deprecated in POSIX.1-2008
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD) {
|
|
|
|
|
if (!filter.check_bcopy)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
|
|
|
|
if (!FPT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify that the function takes three arguments.
|
|
|
|
|
if (FPT->getNumParams() != 3)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < 2; i++) {
|
|
|
|
|
// Verify the first and second argument type is void*.
|
|
|
|
|
const PointerType *PT = FPT->getParamType(i)->getAs<PointerType>();
|
|
|
|
|
if (!PT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy)
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify the third argument type is integer.
|
|
|
|
|
if (!FPT->getParamType(2)->isIntegralOrUnscopedEnumerationType())
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning.
|
|
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
|
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_bcopy,
|
|
|
|
|
"Use of deprecated function in call to 'bcopy()'",
|
|
|
|
|
"Security",
|
|
|
|
|
"The bcopy() function is obsoleted by memcpy() "
|
2018-07-20 16:19:20 +08:00
|
|
|
"or memmove().",
|
2018-05-26 08:04:26 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of bzero.
|
|
|
|
|
// CWE-477: Use of Obsolete Functions
|
|
|
|
|
// bzero was deprecated in POSIX.1-2008
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD) {
|
|
|
|
|
if (!filter.check_bzero)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
|
|
|
|
if (!FPT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify that the function takes two arguments.
|
|
|
|
|
if (FPT->getNumParams() != 2)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify the first argument type is void*.
|
|
|
|
|
const PointerType *PT = FPT->getParamType(0)->getAs<PointerType>();
|
|
|
|
|
if (!PT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().VoidTy)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify the second argument type is integer.
|
|
|
|
|
if (!FPT->getParamType(1)->isIntegralOrUnscopedEnumerationType())
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning.
|
|
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
|
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_bzero,
|
|
|
|
|
"Use of deprecated function in call to 'bzero()'",
|
|
|
|
|
"Security",
|
|
|
|
|
"The bzero() function is obsoleted by memset().",
|
|
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of 'gets' is insecure.
|
|
|
|
|
// Originally: <rdar://problem/6335715>
|
|
|
|
|
// Implements (part of): 300-BSI (buildsecurityin.us-cert.gov)
|
2009-11-09 16:13:04 +08:00
|
|
|
// CWE-242: Use of Inherently Dangerous Function
|
2009-07-24 06:29:41 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_gets(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_gets)
|
|
|
|
|
return;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
2009-11-09 20:19:26 +08:00
|
|
|
if (!FPT)
|
2009-07-24 06:29:41 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
// Verify that the function takes a single argument.
|
2014-01-21 04:26:09 +08:00
|
|
|
if (FPT->getNumParams() != 1)
|
2009-07-24 06:29:41 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Is the argument a 'char*'?
|
2014-01-21 04:26:09 +08:00
|
|
|
const PointerType *PT = FPT->getParamType(0)->getAs<PointerType>();
|
2009-07-24 06:29:41 +08:00
|
|
|
if (!PT)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-07-24 06:29:41 +08:00
|
|
|
// Issue a warning.
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_gets,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Potential buffer overflow in call to 'gets'",
|
2009-07-24 06:29:41 +08:00
|
|
|
"Security",
|
|
|
|
|
"Call to function 'gets' is extremely insecure as it can "
|
|
|
|
|
"always result in a buffer overflow",
|
2013-10-08 01:16:59 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
2009-07-24 06:29:41 +08:00
|
|
|
}
|
|
|
|
|
|
2009-11-09 20:19:26 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of 'getpwd' is insecure.
|
|
|
|
|
// CWE-477: Use of Obsolete Functions
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_getpw)
|
|
|
|
|
return;
|
|
|
|
|
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
2009-11-09 20:19:26 +08:00
|
|
|
if (!FPT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify that the function takes two arguments.
|
2014-01-21 04:26:09 +08:00
|
|
|
if (FPT->getNumParams() != 2)
|
2009-11-09 20:19:26 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify the first argument type is integer.
|
2014-01-21 04:26:09 +08:00
|
|
|
if (!FPT->getParamType(0)->isIntegralOrUnscopedEnumerationType())
|
2009-11-09 20:19:26 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify the second argument type is char*.
|
2014-01-21 04:26:09 +08:00
|
|
|
const PointerType *PT = FPT->getParamType(1)->getAs<PointerType>();
|
2009-11-09 20:19:26 +08:00
|
|
|
if (!PT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning.
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_getpw,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Potential buffer overflow in call to 'getpw'",
|
2009-11-09 20:19:26 +08:00
|
|
|
"Security",
|
|
|
|
|
"The getpw() function is dangerous as it may overflow the "
|
|
|
|
|
"provided buffer. It is obsoleted by getpwuid().",
|
2013-10-08 01:16:59 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
2009-11-09 20:19:26 +08:00
|
|
|
}
|
|
|
|
|
|
2009-12-03 17:15:23 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2012-01-20 13:35:06 +08:00
|
|
|
// Check: Any use of 'mktemp' is insecure. It is obsoleted by mkstemp().
|
2009-12-03 17:15:23 +08:00
|
|
|
// CWE-377: Insecure Temporary File
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-06-30 05:01:35 +08:00
|
|
|
if (!filter.check_mktemp) {
|
|
|
|
|
// Fall back to the security check of looking for enough 'X's in the
|
|
|
|
|
// format string, since that is a less severe warning.
|
|
|
|
|
checkCall_mkstemp(CE, FD);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
2009-12-03 17:15:23 +08:00
|
|
|
if(!FPT)
|
|
|
|
|
return;
|
2010-03-25 06:39:47 +08:00
|
|
|
|
2011-04-01 05:26:55 +08:00
|
|
|
// Verify that the function takes a single argument.
|
2014-01-21 04:26:09 +08:00
|
|
|
if (FPT->getNumParams() != 1)
|
2009-12-03 17:15:23 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify that the argument is Pointer Type.
|
2014-01-21 04:26:09 +08:00
|
|
|
const PointerType *PT = FPT->getParamType(0)->getAs<PointerType>();
|
2009-12-03 17:15:23 +08:00
|
|
|
if (!PT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Verify that the argument is a 'char*'.
|
|
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
|
|
|
|
|
return;
|
2010-03-25 06:39:45 +08:00
|
|
|
|
2014-05-15 09:35:53 +08:00
|
|
|
// Issue a warning.
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_mktemp,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Potential insecure temporary file in call 'mktemp'",
|
2010-08-22 09:00:03 +08:00
|
|
|
"Security",
|
|
|
|
|
"Call to function 'mktemp' is insecure as it always "
|
2012-04-05 02:11:35 +08:00
|
|
|
"creates or uses insecure temporary file. Use 'mkstemp' "
|
|
|
|
|
"instead",
|
2013-10-08 01:16:59 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
2009-12-03 17:15:23 +08:00
|
|
|
}
|
|
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Use of 'mkstemp', 'mktemp', 'mkdtemp' should contain at least 6 X's.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD) {
|
|
|
|
|
if (!filter.check_mkstemp)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
StringRef Name = FD->getIdentifier()->getName();
|
|
|
|
|
std::pair<signed, signed> ArgSuffix =
|
|
|
|
|
llvm::StringSwitch<std::pair<signed, signed> >(Name)
|
|
|
|
|
.Case("mktemp", std::make_pair(0,-1))
|
|
|
|
|
.Case("mkstemp", std::make_pair(0,-1))
|
|
|
|
|
.Case("mkdtemp", std::make_pair(0,-1))
|
|
|
|
|
.Case("mkstemps", std::make_pair(0,1))
|
|
|
|
|
.Default(std::make_pair(-1, -1));
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
assert(ArgSuffix.first >= 0 && "Unsupported function");
|
|
|
|
|
|
|
|
|
|
// Check if the number of arguments is consistent with out expectations.
|
|
|
|
|
unsigned numArgs = CE->getNumArgs();
|
|
|
|
|
if ((signed) numArgs <= ArgSuffix.first)
|
|
|
|
|
return;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
const StringLiteral *strArg =
|
|
|
|
|
dyn_cast<StringLiteral>(CE->getArg((unsigned)ArgSuffix.first)
|
|
|
|
|
->IgnoreParenImpCasts());
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
// Currently we only handle string literals. It is possible to do better,
|
|
|
|
|
// either by looking at references to const variables, or by doing real
|
|
|
|
|
// flow analysis.
|
|
|
|
|
if (!strArg || strArg->getCharByteWidth() != 1)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Count the number of X's, taking into account a possible cutoff suffix.
|
|
|
|
|
StringRef str = strArg->getString();
|
|
|
|
|
unsigned numX = 0;
|
|
|
|
|
unsigned n = str.size();
|
|
|
|
|
|
|
|
|
|
// Take into account the suffix.
|
|
|
|
|
unsigned suffix = 0;
|
|
|
|
|
if (ArgSuffix.second >= 0) {
|
|
|
|
|
const Expr *suffixEx = CE->getArg((unsigned)ArgSuffix.second);
|
2018-12-01 07:41:18 +08:00
|
|
|
Expr::EvalResult EVResult;
|
|
|
|
|
if (!suffixEx->EvaluateAsInt(EVResult, BR.getContext()))
|
2012-01-20 13:35:06 +08:00
|
|
|
return;
|
2018-12-01 07:41:18 +08:00
|
|
|
llvm::APSInt Result = EVResult.Val.getInt();
|
2012-01-20 13:35:06 +08:00
|
|
|
// FIXME: Issue a warning.
|
|
|
|
|
if (Result.isNegative())
|
|
|
|
|
return;
|
|
|
|
|
suffix = (unsigned) Result.getZExtValue();
|
|
|
|
|
n = (n > suffix) ? n - suffix : 0;
|
|
|
|
|
}
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
for (unsigned i = 0; i < n; ++i)
|
|
|
|
|
if (str[i] == 'X') ++numX;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
if (numX >= 6)
|
|
|
|
|
return;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2012-01-20 13:35:06 +08:00
|
|
|
// Issue a warning.
|
|
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<512> buf;
|
2012-01-20 13:35:06 +08:00
|
|
|
llvm::raw_svector_ostream out(buf);
|
|
|
|
|
out << "Call to '" << Name << "' should have at least 6 'X's in the"
|
|
|
|
|
" format string to be secure (" << numX << " 'X'";
|
|
|
|
|
if (numX != 1)
|
|
|
|
|
out << 's';
|
|
|
|
|
out << " seen";
|
|
|
|
|
if (suffix) {
|
|
|
|
|
out << ", " << suffix << " character";
|
|
|
|
|
if (suffix > 1)
|
|
|
|
|
out << 's';
|
|
|
|
|
out << " used as a suffix";
|
|
|
|
|
}
|
|
|
|
|
out << ')';
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_mkstemp,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Insecure temporary file creation", "Security",
|
2013-10-08 01:16:59 +08:00
|
|
|
out.str(), CELoc, strArg->getSourceRange());
|
2012-01-20 13:35:06 +08:00
|
|
|
}
|
|
|
|
|
|
2011-04-01 06:09:14 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of 'strcpy' is insecure.
|
|
|
|
|
//
|
2015-09-08 11:50:52 +08:00
|
|
|
// CWE-119: Improper Restriction of Operations within
|
|
|
|
|
// the Bounds of a Memory Buffer
|
2011-04-01 06:09:14 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2019-02-11 21:46:43 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_strcpy)
|
|
|
|
|
return;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
if (!checkCall_strCommon(CE, FD))
|
|
|
|
|
return;
|
|
|
|
|
|
2018-01-13 06:12:11 +08:00
|
|
|
const auto *Target = CE->getArg(0)->IgnoreImpCasts(),
|
|
|
|
|
*Source = CE->getArg(1)->IgnoreImpCasts();
|
2019-01-15 02:54:48 +08:00
|
|
|
|
|
|
|
|
if (const auto *Array = dyn_cast<ConstantArrayType>(Target->getType())) {
|
|
|
|
|
uint64_t ArraySize = BR.getContext().getTypeSize(Array) / 8;
|
|
|
|
|
if (const auto *String = dyn_cast<StringLiteral>(Source)) {
|
|
|
|
|
if (ArraySize >= String->getLength() + 1)
|
|
|
|
|
return;
|
2018-01-13 06:12:11 +08:00
|
|
|
}
|
2019-01-15 02:54:48 +08:00
|
|
|
}
|
2018-01-13 06:12:11 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
// Issue a warning.
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Potential insecure memory buffer bounds restriction in "
|
2011-04-06 04:18:46 +08:00
|
|
|
"call 'strcpy'",
|
|
|
|
|
"Security",
|
|
|
|
|
"Call to function 'strcpy' is insecure as it does not "
|
2012-04-05 02:11:35 +08:00
|
|
|
"provide bounding of the memory buffer. Replace "
|
|
|
|
|
"unbounded copy functions with analogous functions that "
|
|
|
|
|
"support length arguments such as 'strlcpy'. CWE-119.",
|
2013-10-08 01:16:59 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
2011-04-06 04:18:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of 'strcat' is insecure.
|
|
|
|
|
//
|
2015-09-08 11:50:52 +08:00
|
|
|
// CWE-119: Improper Restriction of Operations within
|
|
|
|
|
// the Bounds of a Memory Buffer
|
2011-04-06 04:18:46 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2019-02-11 21:46:43 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_strcpy)
|
|
|
|
|
return;
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
if (!checkCall_strCommon(CE, FD))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning.
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Potential insecure memory buffer bounds restriction in "
|
|
|
|
|
"call 'strcat'",
|
|
|
|
|
"Security",
|
|
|
|
|
"Call to function 'strcat' is insecure as it does not "
|
|
|
|
|
"provide bounding of the memory buffer. Replace "
|
|
|
|
|
"unbounded copy functions with analogous functions that "
|
|
|
|
|
"support length arguments such as 'strlcat'. CWE-119.",
|
2013-10-08 01:16:59 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
2011-04-06 04:18:46 +08:00
|
|
|
}
|
|
|
|
|
|
2019-02-11 21:46:43 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Any use of 'sprintf', 'vsprintf', 'scanf', 'wscanf', 'fscanf',
|
|
|
|
|
// 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf',
|
|
|
|
|
// 'swscanf', 'vsscanf', 'vswscanf', 'swprintf', 'snprintf', 'vswprintf',
|
|
|
|
|
// 'vsnprintf', 'memcpy', 'memmove', 'strncpy', 'strncat', 'memset'
|
|
|
|
|
// is deprecated since C11.
|
|
|
|
|
//
|
|
|
|
|
// Use of 'sprintf', 'vsprintf', 'scanf', 'wscanf','fscanf',
|
|
|
|
|
// 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf',
|
|
|
|
|
// 'swscanf', 'vsscanf', 'vswscanf' without buffer limitations
|
|
|
|
|
// is insecure.
|
|
|
|
|
//
|
|
|
|
|
// CWE-119: Improper Restriction of Operations within
|
|
|
|
|
// the Bounds of a Memory Buffer
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE,
|
|
|
|
|
const FunctionDecl *FD) {
|
|
|
|
|
if (!filter.check_DeprecatedOrUnsafeBufferHandling)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (!BR.getContext().getLangOpts().C11)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning. ArgIndex == -1: Deprecated but not unsafe (has size
|
|
|
|
|
// restrictions).
|
|
|
|
|
enum { DEPR_ONLY = -1, UNKNOWN_CALL = -2 };
|
2019-04-18 03:56:40 +08:00
|
|
|
|
2019-02-11 21:46:43 +08:00
|
|
|
StringRef Name = FD->getIdentifier()->getName();
|
2019-04-18 03:56:40 +08:00
|
|
|
if (Name.startswith("__builtin_"))
|
|
|
|
|
Name = Name.substr(10);
|
|
|
|
|
|
2019-02-11 21:46:43 +08:00
|
|
|
int ArgIndex =
|
|
|
|
|
llvm::StringSwitch<int>(Name)
|
|
|
|
|
.Cases("scanf", "wscanf", "vscanf", "vwscanf", 0)
|
|
|
|
|
.Cases("sprintf", "vsprintf", "fscanf", "fwscanf", "vfscanf",
|
|
|
|
|
"vfwscanf", "sscanf", "swscanf", "vsscanf", "vswscanf", 1)
|
|
|
|
|
.Cases("swprintf", "snprintf", "vswprintf", "vsnprintf", "memcpy",
|
|
|
|
|
"memmove", "memset", "strncpy", "strncat", DEPR_ONLY)
|
|
|
|
|
.Default(UNKNOWN_CALL);
|
|
|
|
|
|
|
|
|
|
assert(ArgIndex != UNKNOWN_CALL && "Unsupported function");
|
|
|
|
|
bool BoundsProvided = ArgIndex == DEPR_ONLY;
|
|
|
|
|
|
|
|
|
|
if (!BoundsProvided) {
|
|
|
|
|
// Currently we only handle (not wide) string literals. It is possible to do
|
|
|
|
|
// better, either by looking at references to const variables, or by doing
|
|
|
|
|
// real flow analysis.
|
|
|
|
|
auto FormatString =
|
|
|
|
|
dyn_cast<StringLiteral>(CE->getArg(ArgIndex)->IgnoreParenImpCasts());
|
|
|
|
|
if (FormatString &&
|
|
|
|
|
FormatString->getString().find("%s") == StringRef::npos &&
|
|
|
|
|
FormatString->getString().find("%[") == StringRef::npos)
|
|
|
|
|
BoundsProvided = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SmallString<128> Buf1;
|
|
|
|
|
SmallString<512> Buf2;
|
|
|
|
|
llvm::raw_svector_ostream Out1(Buf1);
|
|
|
|
|
llvm::raw_svector_ostream Out2(Buf2);
|
|
|
|
|
|
|
|
|
|
Out1 << "Potential insecure memory buffer bounds restriction in call '"
|
|
|
|
|
<< Name << "'";
|
|
|
|
|
Out2 << "Call to function '" << Name
|
|
|
|
|
<< "' is insecure as it does not provide ";
|
|
|
|
|
|
|
|
|
|
if (!BoundsProvided) {
|
|
|
|
|
Out2 << "bounding of the memory buffer or ";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Out2 << "security checks introduced "
|
|
|
|
|
"in the C11 standard. Replace with analogous functions that "
|
|
|
|
|
"support length arguments or provides boundary checks such as '"
|
|
|
|
|
<< Name << "_s' in case of C11";
|
|
|
|
|
|
|
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
|
|
|
|
BR.EmitBasicReport(AC->getDecl(),
|
|
|
|
|
filter.checkName_DeprecatedOrUnsafeBufferHandling,
|
|
|
|
|
Out1.str(), "Security", Out2.str(), CELoc,
|
|
|
|
|
CE->getCallee()->getSourceRange());
|
|
|
|
|
}
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Common check for str* functions with no bounds parameters.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
2019-02-11 21:46:43 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
bool WalkAST::checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD) {
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
|
2011-04-01 06:09:14 +08:00
|
|
|
if (!FPT)
|
2011-04-06 04:18:46 +08:00
|
|
|
return false;
|
2011-04-01 06:09:14 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
// Verify the function takes two arguments, three in the _chk version.
|
2014-01-21 04:26:09 +08:00
|
|
|
int numArgs = FPT->getNumParams();
|
2011-04-01 06:09:14 +08:00
|
|
|
if (numArgs != 2 && numArgs != 3)
|
2011-04-06 04:18:46 +08:00
|
|
|
return false;
|
2011-04-01 06:09:14 +08:00
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
// Verify the type for both arguments.
|
2011-04-01 06:09:14 +08:00
|
|
|
for (int i = 0; i < 2; i++) {
|
2011-04-06 04:18:46 +08:00
|
|
|
// Verify that the arguments are pointers.
|
2014-01-21 04:26:09 +08:00
|
|
|
const PointerType *PT = FPT->getParamType(i)->getAs<PointerType>();
|
2011-04-01 06:09:14 +08:00
|
|
|
if (!PT)
|
2011-04-06 04:18:46 +08:00
|
|
|
return false;
|
2011-04-01 06:09:14 +08:00
|
|
|
|
|
|
|
|
// Verify that the argument is a 'char*'.
|
|
|
|
|
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
|
2011-04-06 04:18:46 +08:00
|
|
|
return false;
|
2011-04-01 06:09:14 +08:00
|
|
|
}
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
return true;
|
2011-04-01 06:09:14 +08:00
|
|
|
}
|
|
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Linear congruent random number generators should not be used
|
|
|
|
|
// Originally: <rdar://problem/63371000>
|
|
|
|
|
// CWE-338: Use of cryptographically weak prng
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_rand(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_rand || !CheckRand)
|
2009-09-02 10:47:41 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>();
|
2009-09-02 10:47:41 +08:00
|
|
|
if (!FTP)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2014-01-21 04:26:09 +08:00
|
|
|
if (FTP->getNumParams() == 1) {
|
2009-09-02 10:47:41 +08:00
|
|
|
// Is the argument an 'unsigned short *'?
|
|
|
|
|
// (Actually any integer type is allowed.)
|
2014-01-21 04:26:09 +08:00
|
|
|
const PointerType *PT = FTP->getParamType(0)->getAs<PointerType>();
|
2009-09-02 10:47:41 +08:00
|
|
|
if (!PT)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2013-04-09 10:30:33 +08:00
|
|
|
if (! PT->getPointeeType()->isIntegralOrUnscopedEnumerationType())
|
2009-09-02 10:47:41 +08:00
|
|
|
return;
|
2014-01-21 04:26:09 +08:00
|
|
|
} else if (FTP->getNumParams() != 0)
|
2009-09-02 10:47:41 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
// Issue a warning.
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<256> buf1;
|
2010-03-25 06:39:47 +08:00
|
|
|
llvm::raw_svector_ostream os1(buf1);
|
2011-10-15 02:45:37 +08:00
|
|
|
os1 << '\'' << *FD << "' is a poor random number generator";
|
2009-09-02 10:47:41 +08:00
|
|
|
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<256> buf2;
|
2010-03-25 06:39:47 +08:00
|
|
|
llvm::raw_svector_ostream os2(buf2);
|
2011-10-15 02:45:37 +08:00
|
|
|
os2 << "Function '" << *FD
|
2009-09-02 10:47:41 +08:00
|
|
|
<< "' is obsolete because it implements a poor random number generator."
|
|
|
|
|
<< " Use 'arc4random' instead";
|
|
|
|
|
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand, os1.str(),
|
|
|
|
|
"Security", os2.str(), CELoc,
|
|
|
|
|
CE->getCallee()->getSourceRange());
|
2009-09-02 10:47:41 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: 'random' should not be used
|
|
|
|
|
// Originally: <rdar://problem/63371000>
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkCall_random(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 13:35:06 +08:00
|
|
|
if (!CheckRand || !filter.check_rand)
|
2009-09-02 10:47:41 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>();
|
2009-09-02 10:47:41 +08:00
|
|
|
if (!FTP)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
// Verify that the function takes no argument.
|
2014-01-21 04:26:09 +08:00
|
|
|
if (FTP->getNumParams() != 0)
|
2009-09-02 10:47:41 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
// Issue a warning.
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand,
|
2012-04-05 02:11:35 +08:00
|
|
|
"'random' is not a secure random number generator",
|
2009-09-02 10:47:41 +08:00
|
|
|
"Security",
|
|
|
|
|
"The 'random' function produces a sequence of values that "
|
|
|
|
|
"an adversary may be able to predict. Use 'arc4random' "
|
2013-10-08 01:16:59 +08:00
|
|
|
"instead", CELoc, CE->getCallee()->getSourceRange());
|
2009-09-02 10:47:41 +08:00
|
|
|
}
|
|
|
|
|
|
2011-10-11 12:34:54 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: 'vfork' should not be used.
|
|
|
|
|
// POS33-C: Do not use vfork().
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD) {
|
2012-01-20 09:44:29 +08:00
|
|
|
if (!filter.check_vfork)
|
|
|
|
|
return;
|
|
|
|
|
|
2011-10-11 12:34:54 +08:00
|
|
|
// All calls to vfork() are insecure, issue a warning.
|
|
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_vfork,
|
2012-04-05 02:11:35 +08:00
|
|
|
"Potential insecure implementation-specific behavior in "
|
2011-10-11 12:34:54 +08:00
|
|
|
"call 'vfork'",
|
|
|
|
|
"Security",
|
|
|
|
|
"Call to function 'vfork' is insecure as it can lead to "
|
|
|
|
|
"denial of service situations in the parent process. "
|
|
|
|
|
"Replace calls to vfork with calls to the safer "
|
|
|
|
|
"'posix_spawn' function",
|
2013-10-08 01:16:59 +08:00
|
|
|
CELoc, CE->getCallee()->getSourceRange());
|
2011-10-11 12:34:54 +08:00
|
|
|
}
|
|
|
|
|
|
2019-12-20 06:21:02 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: '-decodeValueOfObjCType:at:' should not be used.
|
|
|
|
|
// It is deprecated in favor of '-decodeValueOfObjCType:at:size:' due to
|
|
|
|
|
// likelihood of buffer overflows.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
void WalkAST::checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME) {
|
|
|
|
|
if (!filter.check_decodeValueOfObjCType)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Check availability of the secure alternative:
|
|
|
|
|
// iOS 11+, macOS 10.13+, tvOS 11+, and watchOS 4.0+
|
|
|
|
|
// FIXME: We probably shouldn't register the check if it's not available.
|
|
|
|
|
const TargetInfo &TI = AC->getASTContext().getTargetInfo();
|
|
|
|
|
const llvm::Triple &T = TI.getTriple();
|
|
|
|
|
const VersionTuple &VT = TI.getPlatformMinVersion();
|
|
|
|
|
switch (T.getOS()) {
|
|
|
|
|
case llvm::Triple::IOS:
|
|
|
|
|
if (VT < VersionTuple(11, 0))
|
|
|
|
|
return;
|
|
|
|
|
break;
|
|
|
|
|
case llvm::Triple::MacOSX:
|
|
|
|
|
if (VT < VersionTuple(10, 13))
|
|
|
|
|
return;
|
|
|
|
|
break;
|
|
|
|
|
case llvm::Triple::WatchOS:
|
|
|
|
|
if (VT < VersionTuple(4, 0))
|
|
|
|
|
return;
|
|
|
|
|
break;
|
|
|
|
|
case llvm::Triple::TvOS:
|
|
|
|
|
if (VT < VersionTuple(11, 0))
|
|
|
|
|
return;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PathDiagnosticLocation MELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(ME, BR.getSourceManager(), AC);
|
|
|
|
|
BR.EmitBasicReport(
|
|
|
|
|
AC->getDecl(), filter.checkName_decodeValueOfObjCType,
|
|
|
|
|
"Potential buffer overflow in '-decodeValueOfObjCType:at:'", "Security",
|
|
|
|
|
"Deprecated method '-decodeValueOfObjCType:at:' is insecure "
|
|
|
|
|
"as it can lead to potential buffer overflows. Use the safer "
|
|
|
|
|
"'-decodeValueOfObjCType:at:size:' method.",
|
|
|
|
|
MELoc, ME->getSourceRange());
|
|
|
|
|
}
|
|
|
|
|
|
2009-08-28 08:08:09 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Check: Should check whether privileges are dropped successfully.
|
|
|
|
|
// Originally: <rdar://problem/6337132>
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-04-06 04:18:46 +08:00
|
|
|
void WalkAST::checkUncheckedReturnValue(CallExpr *CE) {
|
2012-01-20 13:35:06 +08:00
|
|
|
if (!filter.check_UncheckedReturn)
|
|
|
|
|
return;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2009-08-28 08:08:09 +08:00
|
|
|
const FunctionDecl *FD = CE->getDirectCallee();
|
|
|
|
|
if (!FD)
|
|
|
|
|
return;
|
|
|
|
|
|
2014-05-27 10:45:47 +08:00
|
|
|
if (II_setid[0] == nullptr) {
|
2009-09-02 10:47:41 +08:00
|
|
|
static const char * const identifiers[num_setids] = {
|
2009-08-28 08:08:09 +08:00
|
|
|
"setuid", "setgid", "seteuid", "setegid",
|
|
|
|
|
"setreuid", "setregid"
|
|
|
|
|
};
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
for (size_t i = 0; i < num_setids; i++)
|
2009-09-09 23:08:12 +08:00
|
|
|
II_setid[i] = &BR.getContext().Idents.get(identifiers[i]);
|
2009-08-28 08:08:09 +08:00
|
|
|
}
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-28 08:08:09 +08:00
|
|
|
const IdentifierInfo *id = FD->getIdentifier();
|
|
|
|
|
size_t identifierid;
|
|
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
for (identifierid = 0; identifierid < num_setids; identifierid++)
|
2009-08-28 08:08:09 +08:00
|
|
|
if (id == II_setid[identifierid])
|
|
|
|
|
break;
|
|
|
|
|
|
2009-09-02 10:47:41 +08:00
|
|
|
if (identifierid >= num_setids)
|
2009-08-28 08:08:09 +08:00
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2013-06-25 02:47:11 +08:00
|
|
|
const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>();
|
2009-08-28 08:08:09 +08:00
|
|
|
if (!FTP)
|
|
|
|
|
return;
|
2009-09-09 23:08:12 +08:00
|
|
|
|
2009-08-28 08:24:55 +08:00
|
|
|
// Verify that the function takes one or two arguments (depending on
|
|
|
|
|
// the function).
|
2014-01-21 04:26:09 +08:00
|
|
|
if (FTP->getNumParams() != (identifierid < 4 ? 1 : 2))
|
2009-08-28 08:08:09 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// The arguments must be integers.
|
2014-01-21 04:26:09 +08:00
|
|
|
for (unsigned i = 0; i < FTP->getNumParams(); i++)
|
|
|
|
|
if (!FTP->getParamType(i)->isIntegralOrUnscopedEnumerationType())
|
2009-08-28 08:08:09 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
// Issue a warning.
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<256> buf1;
|
2010-03-25 06:39:47 +08:00
|
|
|
llvm::raw_svector_ostream os1(buf1);
|
2011-10-15 02:45:37 +08:00
|
|
|
os1 << "Return value is not checked in call to '" << *FD << '\'';
|
2009-08-28 08:08:09 +08:00
|
|
|
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<256> buf2;
|
2010-03-25 06:39:47 +08:00
|
|
|
llvm::raw_svector_ostream os2(buf2);
|
2011-10-15 02:45:37 +08:00
|
|
|
os2 << "The return value from the call to '" << *FD
|
|
|
|
|
<< "' is not checked. If an error occurs in '" << *FD
|
2009-08-28 08:08:09 +08:00
|
|
|
<< "', the following code may execute with unexpected privileges";
|
|
|
|
|
|
2011-09-21 05:38:35 +08:00
|
|
|
PathDiagnosticLocation CELoc =
|
|
|
|
|
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
|
2014-02-12 05:49:21 +08:00
|
|
|
BR.EmitBasicReport(AC->getDecl(), filter.checkName_UncheckedReturn, os1.str(),
|
|
|
|
|
"Security", os2.str(), CELoc,
|
|
|
|
|
CE->getCallee()->getSourceRange());
|
2009-08-28 08:08:09 +08:00
|
|
|
}
|
|
|
|
|
|
2009-07-23 09:07:19 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
2011-02-18 05:39:33 +08:00
|
|
|
// SecuritySyntaxChecker
|
2009-07-23 09:07:19 +08:00
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2011-02-18 05:39:33 +08:00
|
|
|
namespace {
|
2011-03-01 09:16:21 +08:00
|
|
|
class SecuritySyntaxChecker : public Checker<check::ASTCodeBody> {
|
2011-02-18 05:39:33 +08:00
|
|
|
public:
|
2012-01-20 09:44:29 +08:00
|
|
|
ChecksFilter filter;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2011-02-18 05:39:33 +08:00
|
|
|
void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
|
|
|
|
|
BugReporter &BR) const {
|
2012-01-20 09:44:29 +08:00
|
|
|
WalkAST walker(BR, mgr.getAnalysisDeclContext(D), filter);
|
2011-02-18 05:39:33 +08:00
|
|
|
walker.Visit(D->getBody());
|
|
|
|
|
}
|
|
|
|
|
};
|
2015-06-23 07:07:51 +08:00
|
|
|
}
|
2011-02-18 05:39:33 +08:00
|
|
|
|
[analyzer] Reimplement dependencies between checkers
Unfortunately, up until now, the fact that certain checkers depended on one
another was known, but how these actually unfolded was hidden deep within the
implementation. For example, many checkers (like RetainCount, Malloc or CString)
modelled a certain functionality, and exposed certain reportable bug types to
the user. For example, while MallocChecker models many many different types of
memory handling, the actual "unix.MallocChecker" checker the user was exposed to
was merely and option to this modeling part.
Other than this being an ugly mess, this issue made resolving the checker naming
issue almost impossible. (The checker naming issue being that if a checker
registered more than one checker within its registry function, both checker
object recieved the same name) Also, if the user explicitly disabled a checker
that was a dependency of another that _was_ explicitly enabled, it implicitly,
without "telling" the user, reenabled it.
Clearly, changing this to a well structured, declarative form, where the
handling of dependencies are done on a higher level is very much preferred.
This patch, among the detailed things later, makes checkers declare their
dependencies within the TableGen file Checkers.td, and exposes the same
functionality to plugins and statically linked non-generated checkers through
CheckerRegistry::addDependency. CheckerRegistry now resolves these dependencies,
makes sure that checkers are added to CheckerManager in the correct order,
and makes sure that if a dependency is disabled, so will be every checker that
depends on it.
In detail:
* Add a new field to the Checker class in CheckerBase.td called Dependencies,
which is a list of Checkers.
* Move unix checkers before cplusplus, as there is no forward declaration in
tblgen :/
* Add the following new checkers:
- StackAddrEscapeBase
- StackAddrEscapeBase
- CStringModeling
- DynamicMemoryModeling (base of the MallocChecker family)
- IteratorModeling (base of the IteratorChecker family)
- ValistBase
- SecuritySyntaxChecker (base of bcmp, bcopy, etc...)
- NSOrCFErrorDerefChecker (base of NSErrorChecker and CFErrorChecker)
- IvarInvalidationModeling (base of IvarInvalidation checker family)
- RetainCountBase (base of RetainCount and OSObjectRetainCount)
* Clear up and registry functions in MallocChecker, happily remove old FIXMEs.
* Add a new addDependency function to CheckerRegistry.
* Neatly format RUN lines in files I looked at while debugging.
Big thanks to Artem Degrachev for all the guidance through this project!
Differential Revision: https://reviews.llvm.org/D54438
llvm-svn: 352287
2019-01-27 04:06:54 +08:00
|
|
|
void ento::registerSecuritySyntaxChecker(CheckerManager &mgr) {
|
|
|
|
|
mgr.registerChecker<SecuritySyntaxChecker>();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool ento::shouldRegisterSecuritySyntaxChecker(const LangOptions &LO) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-12 05:49:21 +08:00
|
|
|
#define REGISTER_CHECKER(name) \
|
|
|
|
|
void ento::register##name(CheckerManager &mgr) { \
|
2019-09-13 03:09:24 +08:00
|
|
|
SecuritySyntaxChecker *checker = mgr.getChecker<SecuritySyntaxChecker>(); \
|
2014-02-12 05:49:21 +08:00
|
|
|
checker->filter.check_##name = true; \
|
2019-09-13 03:09:24 +08:00
|
|
|
checker->filter.checkName_##name = mgr.getCurrentCheckerName(); \
|
2019-01-26 22:23:08 +08:00
|
|
|
} \
|
|
|
|
|
\
|
2019-09-13 03:09:24 +08:00
|
|
|
bool ento::shouldRegister##name(const LangOptions &LO) { return true; }
|
2012-01-20 09:44:29 +08:00
|
|
|
|
2018-05-26 08:04:26 +08:00
|
|
|
REGISTER_CHECKER(bcmp)
|
|
|
|
|
REGISTER_CHECKER(bcopy)
|
|
|
|
|
REGISTER_CHECKER(bzero)
|
2012-01-20 09:44:29 +08:00
|
|
|
REGISTER_CHECKER(gets)
|
|
|
|
|
REGISTER_CHECKER(getpw)
|
2012-01-20 13:35:06 +08:00
|
|
|
REGISTER_CHECKER(mkstemp)
|
2012-01-20 09:44:29 +08:00
|
|
|
REGISTER_CHECKER(mktemp)
|
|
|
|
|
REGISTER_CHECKER(strcpy)
|
|
|
|
|
REGISTER_CHECKER(rand)
|
|
|
|
|
REGISTER_CHECKER(vfork)
|
|
|
|
|
REGISTER_CHECKER(FloatLoopCounter)
|
2012-01-20 13:35:06 +08:00
|
|
|
REGISTER_CHECKER(UncheckedReturn)
|
2019-02-11 21:46:43 +08:00
|
|
|
REGISTER_CHECKER(DeprecatedOrUnsafeBufferHandling)
|
2019-12-20 06:21:02 +08:00
|
|
|
REGISTER_CHECKER(decodeValueOfObjCType)
|