caio/clang-p2996
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e8bbc121528b08157bf7457dada4bc87315a2c18
clang-p2996/clang/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
Douglas Gregor e8bbc12152 Extend the ASTContext constructor to delay the initialization of 
builtin types (When requested). This is another step toward making
ASTUnit build the ASTContext as needed when loading an AST file,
rather than doing so after the fact. No actual functionality change (yet).

llvm-svn: 138985
2011-09-02 00:18:52 +00:00

578 lines
19 KiB
C++
Raw Blame History

//==- CheckSecuritySyntaxOnly.cpp - Basic security checks --------*- C++ -*-==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines a set of flow-insensitive security checks.
//
//===----------------------------------------------------------------------===//
#include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/Basic/TargetInfo.h"
#include "clang/AST/StmtVisitor.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/ADT/StringSwitch.h"
using namespace clang;
using namespace ento;
static bool isArc4RandomAvailable(const ASTContext &Ctx) {
const llvm::Triple &T = Ctx.getTargetInfo().getTriple();
return T.getVendor() == llvm::Triple::Apple ||
T.getOS() == llvm::Triple::FreeBSD ||
T.getOS() == llvm::Triple::NetBSD ||
T.getOS() == llvm::Triple::OpenBSD ||
T.getOS() == llvm::Triple::DragonFly;
}
namespace {
class WalkAST : public StmtVisitor<WalkAST> {
BugReporter &BR;
enum { num_setids = 6 };
IdentifierInfo *II_setid[num_setids];
const bool CheckRand;
public:
WalkAST(BugReporter &br) : BR(br), II_setid(),
CheckRand(isArc4RandomAvailable(BR.getContext())) {}
// Statement visitor methods.
void VisitCallExpr(CallExpr *CE);
void VisitForStmt(ForStmt *S);
void VisitCompoundStmt (CompoundStmt *S);
void VisitStmt(Stmt *S) { VisitChildren(S); }
void VisitChildren(Stmt *S);
// Helpers.
bool checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD);
typedef void (WalkAST::*FnCheck)(const CallExpr *,
const FunctionDecl *);
// Checker-specific methods.
void checkLoopConditionForFloat(const ForStmt *FS);
void checkCall_gets(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_rand(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_random(const CallExpr *CE, const FunctionDecl *FD);
void checkUncheckedReturnValue(CallExpr *CE);
};
} // end anonymous namespace
//===----------------------------------------------------------------------===//
// AST walking.
//===----------------------------------------------------------------------===//
void WalkAST::VisitChildren(Stmt *S) {
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I)
if (Stmt *child = *I)
Visit(child);
}
void WalkAST::VisitCallExpr(CallExpr *CE) {
// Get the callee.
const FunctionDecl *FD = CE->getDirectCallee();
if (!FD)
return;
// Get the name of the callee. If it's a builtin, strip off the prefix.
IdentifierInfo *II = FD->getIdentifier();
if (!II) // if no identifier, not a simple C function
return;
StringRef Name = II->getName();
if (Name.startswith("__builtin_"))
Name = Name.substr(10);
// Set the evaluation function by switching on the callee name.
FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
.Case("gets", &WalkAST::checkCall_gets)
.Case("getpw", &WalkAST::checkCall_getpw)
.Case("mktemp", &WalkAST::checkCall_mktemp)
.Cases("strcpy", "__strcpy_chk", &WalkAST::checkCall_strcpy)
.Cases("strcat", "__strcat_chk", &WalkAST::checkCall_strcat)
.Case("drand48", &WalkAST::checkCall_rand)
.Case("erand48", &WalkAST::checkCall_rand)
.Case("jrand48", &WalkAST::checkCall_rand)
.Case("lrand48", &WalkAST::checkCall_rand)
.Case("mrand48", &WalkAST::checkCall_rand)
.Case("nrand48", &WalkAST::checkCall_rand)
.Case("lcong48", &WalkAST::checkCall_rand)
.Case("rand", &WalkAST::checkCall_rand)
.Case("rand_r", &WalkAST::checkCall_rand)
.Case("random", &WalkAST::checkCall_random)
.Default(NULL);
// If the callee isn't defined, it is not of security concern.
// Check and evaluate the call.
if (evalFunction)
(this->*evalFunction)(CE, FD);
// Recurse and check children.
VisitChildren(CE);
}
void WalkAST::VisitCompoundStmt(CompoundStmt *S) {
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I)
if (Stmt *child = *I) {
if (CallExpr *CE = dyn_cast<CallExpr>(child))
checkUncheckedReturnValue(CE);
Visit(child);
}
}
void WalkAST::VisitForStmt(ForStmt *FS) {
checkLoopConditionForFloat(FS);
// Recurse and check children.
VisitChildren(FS);
}
//===----------------------------------------------------------------------===//
// Check: floating poing variable used as loop counter.
// Originally: <rdar://problem/6336718>
// Implements: CERT security coding advisory FLP-30.
//===----------------------------------------------------------------------===//
static const DeclRefExpr*
getIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) {
expr = expr->IgnoreParenCasts();
if (const BinaryOperator *B = dyn_cast<BinaryOperator>(expr)) {
if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() ||
B->getOpcode() == BO_Comma))
return NULL;
if (const DeclRefExpr *lhs = getIncrementedVar(B->getLHS(), x, y))
return lhs;
if (const DeclRefExpr *rhs = getIncrementedVar(B->getRHS(), x, y))
return rhs;
return NULL;
}
if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(expr)) {
const NamedDecl *ND = DR->getDecl();
return ND == x || ND == y ? DR : NULL;
}
if (const UnaryOperator *U = dyn_cast<UnaryOperator>(expr))
return U->isIncrementDecrementOp()
? getIncrementedVar(U->getSubExpr(), x, y) : NULL;
return NULL;
}
/// CheckLoopConditionForFloat - This check looks for 'for' statements that
/// use a floating point variable as a loop counter.
/// CERT: FLP30-C, FLP30-CPP.
///
void WalkAST::checkLoopConditionForFloat(const ForStmt *FS) {
// Does the loop have a condition?
const Expr *condition = FS->getCond();
if (!condition)
return;
// Does the loop have an increment?
const Expr *increment = FS->getInc();
if (!increment)
return;
// Strip away '()' and casts.
condition = condition->IgnoreParenCasts();
increment = increment->IgnoreParenCasts();
// Is the loop condition a comparison?
const BinaryOperator *B = dyn_cast<BinaryOperator>(condition);
if (!B)
return;
// Is this a comparison?
if (!(B->isRelationalOp() || B->isEqualityOp()))
return;
// Are we comparing variables?
const DeclRefExpr *drLHS =
dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenLValueCasts());
const DeclRefExpr *drRHS =
dyn_cast<DeclRefExpr>(B->getRHS()->IgnoreParenLValueCasts());
// Does at least one of the variables have a floating point type?
drLHS = drLHS && drLHS->getType()->isRealFloatingType() ? drLHS : NULL;
drRHS = drRHS && drRHS->getType()->isRealFloatingType() ? drRHS : NULL;
if (!drLHS && !drRHS)
return;
const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : NULL;
const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : NULL;
if (!vdLHS && !vdRHS)
return;
// Does either variable appear in increment?
const DeclRefExpr *drInc = getIncrementedVar(increment, vdLHS, vdRHS);
if (!drInc)
return;
// Emit the error. First figure out which DeclRefExpr in the condition
// referenced the compared variable.
const DeclRefExpr *drCond = vdLHS == drInc->getDecl() ? drLHS : drRHS;
SmallVector<SourceRange, 2> ranges;
llvm::SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf);
os << "Variable '" << drCond->getDecl()->getName()
<< "' with floating point type '" << drCond->getType().getAsString()
<< "' should not be used as a loop counter";
ranges.push_back(drCond->getSourceRange());
ranges.push_back(drInc->getSourceRange());
const char *bugType = "Floating point variable used as loop counter";
BR.EmitBasicReport(bugType, "Security", os.str(),
FS->getLocStart(), ranges.data(), ranges.size());
}
//===----------------------------------------------------------------------===//
// Check: Any use of 'gets' is insecure.
// Originally: <rdar://problem/6335715>
// Implements (part of): 300-BSI (buildsecurityin.us-cert.gov)
// CWE-242: Use of Inherently Dangerous Function
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_gets(const CallExpr *CE, const FunctionDecl *FD) {
const FunctionProtoType *FPT
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if (!FPT)
return;
// Verify that the function takes a single argument.
if (FPT->getNumArgs() != 1)
return;
// Is the argument a 'char*'?
const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(0));
if (!PT)
return;
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return;
// Issue a warning.
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport("Potential buffer overflow in call to 'gets'",
"Security",
"Call to function 'gets' is extremely insecure as it can "
"always result in a buffer overflow",
CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Check: Any use of 'getpwd' is insecure.
// CWE-477: Use of Obsolete Functions
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD) {
const FunctionProtoType *FPT
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if (!FPT)
return;
// Verify that the function takes two arguments.
if (FPT->getNumArgs() != 2)
return;
// Verify the first argument type is integer.
if (!FPT->getArgType(0)->isIntegerType())
return;
// Verify the second argument type is char*.
const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(1));
if (!PT)
return;
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return;
// Issue a warning.
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport("Potential buffer overflow in call to 'getpw'",
"Security",
"The getpw() function is dangerous as it may overflow the "
"provided buffer. It is obsoleted by getpwuid().",
CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Check: Any use of 'mktemp' is insecure.It is obsoleted by mkstemp().
// CWE-377: Insecure Temporary File
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) {
const FunctionProtoType *FPT
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if(!FPT)
return;
// Verify that the function takes a single argument.
if (FPT->getNumArgs() != 1)
return;
// Verify that the argument is Pointer Type.
const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(0));
if (!PT)
return;
// Verify that the argument is a 'char*'.
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return;
// Issue a waring.
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport("Potential insecure temporary file in call 'mktemp'",
"Security",
"Call to function 'mktemp' is insecure as it always "
"creates or uses insecure temporary file. Use 'mkstemp' instead",
CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Check: Any use of 'strcpy' is insecure.
//
// CWE-119: Improper Restriction of Operations within
// the Bounds of a Memory Buffer
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
if (!checkCall_strCommon(CE, FD))
return;
// Issue a warning.
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport("Potential insecure memory buffer bounds restriction in "
"call 'strcpy'",
"Security",
"Call to function 'strcpy' is insecure as it does not "
"provide bounding of the memory buffer. Replace "
"unbounded copy functions with analogous functions that "
"support length arguments such as 'strncpy'. CWE-119.",
CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Check: Any use of 'strcat' is insecure.
//
// CWE-119: Improper Restriction of Operations within
// the Bounds of a Memory Buffer
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD) {
if (!checkCall_strCommon(CE, FD))
return;
// Issue a warning.
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport("Potential insecure memory buffer bounds restriction in "
"call 'strcat'",
"Security",
"Call to function 'strcat' is insecure as it does not "
"provide bounding of the memory buffer. Replace "
"unbounded copy functions with analogous functions that "
"support length arguments such as 'strncat'. CWE-119.",
CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Common check for str* functions with no bounds parameters.
//===----------------------------------------------------------------------===//
bool WalkAST::checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD) {
const FunctionProtoType *FPT
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if (!FPT)
return false;
// Verify the function takes two arguments, three in the _chk version.
int numArgs = FPT->getNumArgs();
if (numArgs != 2 && numArgs != 3)
return false;
// Verify the type for both arguments.
for (int i = 0; i < 2; i++) {
// Verify that the arguments are pointers.
const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(i));
if (!PT)
return false;
// Verify that the argument is a 'char*'.
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return false;
}
return true;
}
//===----------------------------------------------------------------------===//
// Check: Linear congruent random number generators should not be used
// Originally: <rdar://problem/63371000>
// CWE-338: Use of cryptographically weak prng
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_rand(const CallExpr *CE, const FunctionDecl *FD) {
if (!CheckRand)
return;
const FunctionProtoType *FTP
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if (!FTP)
return;
if (FTP->getNumArgs() == 1) {
// Is the argument an 'unsigned short *'?
// (Actually any integer type is allowed.)
const PointerType *PT = dyn_cast<PointerType>(FTP->getArgType(0));
if (!PT)
return;
if (! PT->getPointeeType()->isIntegerType())
return;
}
else if (FTP->getNumArgs() != 0)
return;
// Issue a warning.
llvm::SmallString<256> buf1;
llvm::raw_svector_ostream os1(buf1);
os1 << '\'' << FD << "' is a poor random number generator";
llvm::SmallString<256> buf2;
llvm::raw_svector_ostream os2(buf2);
os2 << "Function '" << FD
<< "' is obsolete because it implements a poor random number generator."
<< " Use 'arc4random' instead";
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport(os1.str(), "Security", os2.str(),CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Check: 'random' should not be used
// Originally: <rdar://problem/63371000>
//===----------------------------------------------------------------------===//
void WalkAST::checkCall_random(const CallExpr *CE, const FunctionDecl *FD) {
if (!CheckRand)
return;
const FunctionProtoType *FTP
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if (!FTP)
return;
// Verify that the function takes no argument.
if (FTP->getNumArgs() != 0)
return;
// Issue a warning.
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport("'random' is not a secure random number generator",
"Security",
"The 'random' function produces a sequence of values that "
"an adversary may be able to predict. Use 'arc4random' "
"instead", CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// Check: Should check whether privileges are dropped successfully.
// Originally: <rdar://problem/6337132>
//===----------------------------------------------------------------------===//
void WalkAST::checkUncheckedReturnValue(CallExpr *CE) {
const FunctionDecl *FD = CE->getDirectCallee();
if (!FD)
return;
if (II_setid[0] == NULL) {
static const char * const identifiers[num_setids] = {
"setuid", "setgid", "seteuid", "setegid",
"setreuid", "setregid"
};
for (size_t i = 0; i < num_setids; i++)
II_setid[i] = &BR.getContext().Idents.get(identifiers[i]);
}
const IdentifierInfo *id = FD->getIdentifier();
size_t identifierid;
for (identifierid = 0; identifierid < num_setids; identifierid++)
if (id == II_setid[identifierid])
break;
if (identifierid >= num_setids)
return;
const FunctionProtoType *FTP
= dyn_cast<FunctionProtoType>(FD->getType().IgnoreParens());
if (!FTP)
return;
// Verify that the function takes one or two arguments (depending on
// the function).
if (FTP->getNumArgs() != (identifierid < 4 ? 1 : 2))
return;
// The arguments must be integers.
for (unsigned i = 0; i < FTP->getNumArgs(); i++)
if (! FTP->getArgType(i)->isIntegerType())
return;
// Issue a warning.
llvm::SmallString<256> buf1;
llvm::raw_svector_ostream os1(buf1);
os1 << "Return value is not checked in call to '" << FD << '\'';
llvm::SmallString<256> buf2;
llvm::raw_svector_ostream os2(buf2);
os2 << "The return value from the call to '" << FD
<< "' is not checked. If an error occurs in '" << FD
<< "', the following code may execute with unexpected privileges";
SourceRange R = CE->getCallee()->getSourceRange();
BR.EmitBasicReport(os1.str(), "Security", os2.str(),CE->getLocStart(), &R, 1);
}
//===----------------------------------------------------------------------===//
// SecuritySyntaxChecker
//===----------------------------------------------------------------------===//
namespace {
class SecuritySyntaxChecker : public Checker<check::ASTCodeBody> {
public:
void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
BugReporter &BR) const {
WalkAST walker(BR);
walker.Visit(D->getBody());
}
};
}
void ento::registerSecuritySyntaxChecker(CheckerManager &mgr) {
mgr.registerChecker<SecuritySyntaxChecker>();
}
Reference in New Issue View Git Blame Copy Permalink