Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 1 | //==- CheckSecuritySyntaxOnly.cpp - Basic security checks --------*- C++ -*-==// |
| 2 | // |
| 3 | // The LLVM Compiler Infrastructure |
| 4 | // |
| 5 | // This file is distributed under the University of Illinois Open Source |
| 6 | // License. See LICENSE.TXT for details. |
| 7 | // |
| 8 | //===----------------------------------------------------------------------===// |
| 9 | // |
| 10 | // This file defines a set of flow-insensitive security checks. |
| 11 | // |
| 12 | //===----------------------------------------------------------------------===// |
| 13 | |
| 14 | #include "clang/Analysis/PathSensitive/BugReporter.h" |
| 15 | #include "clang/Analysis/LocalCheckers.h" |
| 16 | #include "clang/AST/StmtVisitor.h" |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 17 | #include "llvm/Support/raw_ostream.h" |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 18 | |
| 19 | using namespace clang; |
| 20 | |
| 21 | namespace { |
Kovarththanan Rajaratnam | ba5fb5a | 2009-11-28 06:07:30 +0000 | [diff] [blame^] | 22 | class WalkAST : public StmtVisitor<WalkAST> { |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 23 | BugReporter &BR; |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 24 | IdentifierInfo *II_gets; |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 25 | IdentifierInfo *II_getpw; |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 26 | enum { num_rands = 9 }; |
| 27 | IdentifierInfo *II_rand[num_rands]; |
| 28 | IdentifierInfo *II_random; |
| 29 | enum { num_setids = 6 }; |
| 30 | IdentifierInfo *II_setid[num_setids]; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 31 | |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 32 | public: |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 33 | WalkAST(BugReporter &br) : BR(br), |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 34 | II_gets(0), II_getpw(0), II_rand(), II_random(0), II_setid() {} |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 35 | |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 36 | // Statement visitor methods. |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 37 | void VisitCallExpr(CallExpr *CE); |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 38 | void VisitForStmt(ForStmt *S); |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 39 | void VisitCompoundStmt (CompoundStmt *S); |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 40 | void VisitStmt(Stmt *S) { VisitChildren(S); } |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 41 | |
| 42 | void VisitChildren(Stmt *S); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 43 | |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 44 | // Helpers. |
| 45 | IdentifierInfo *GetIdentifier(IdentifierInfo *& II, const char *str); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 46 | |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 47 | // Checker-specific methods. |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 48 | void CheckLoopConditionForFloat(const ForStmt *FS); |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 49 | void CheckCall_gets(const CallExpr *CE, const FunctionDecl *FD); |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 50 | void CheckCall_getpw(const CallExpr *CE, const FunctionDecl *FD); |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 51 | void CheckCall_rand(const CallExpr *CE, const FunctionDecl *FD); |
| 52 | void CheckCall_random(const CallExpr *CE, const FunctionDecl *FD); |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 53 | void CheckUncheckedReturnValue(CallExpr *CE); |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 54 | }; |
| 55 | } // end anonymous namespace |
| 56 | |
| 57 | //===----------------------------------------------------------------------===// |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 58 | // Helper methods. |
| 59 | //===----------------------------------------------------------------------===// |
| 60 | |
| 61 | IdentifierInfo *WalkAST::GetIdentifier(IdentifierInfo *& II, const char *str) { |
| 62 | if (!II) |
| 63 | II = &BR.getContext().Idents.get(str); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 64 | |
| 65 | return II; |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 66 | } |
| 67 | |
| 68 | //===----------------------------------------------------------------------===// |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 69 | // AST walking. |
| 70 | //===----------------------------------------------------------------------===// |
| 71 | |
| 72 | void WalkAST::VisitChildren(Stmt *S) { |
| 73 | for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I) |
| 74 | if (Stmt *child = *I) |
| 75 | Visit(child); |
| 76 | } |
| 77 | |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 78 | void WalkAST::VisitCallExpr(CallExpr *CE) { |
| 79 | if (const FunctionDecl *FD = CE->getDirectCallee()) { |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 80 | CheckCall_gets(CE, FD); |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 81 | CheckCall_getpw(CE, FD); |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 82 | CheckCall_rand(CE, FD); |
| 83 | CheckCall_random(CE, FD); |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 84 | } |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 85 | |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 86 | // Recurse and check children. |
| 87 | VisitChildren(CE); |
| 88 | } |
| 89 | |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 90 | void WalkAST::VisitCompoundStmt(CompoundStmt *S) { |
| 91 | for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I) |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 92 | if (Stmt *child = *I) { |
| 93 | if (CallExpr *CE = dyn_cast<CallExpr>(child)) |
| 94 | CheckUncheckedReturnValue(CE); |
| 95 | Visit(child); |
| 96 | } |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 97 | } |
| 98 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 99 | void WalkAST::VisitForStmt(ForStmt *FS) { |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 100 | CheckLoopConditionForFloat(FS); |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 101 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 102 | // Recurse and check children. |
| 103 | VisitChildren(FS); |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 104 | } |
| 105 | |
| 106 | //===----------------------------------------------------------------------===// |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 107 | // Check: floating poing variable used as loop counter. |
Ted Kremenek | 5abeb52 | 2009-07-23 21:44:18 +0000 | [diff] [blame] | 108 | // Originally: <rdar://problem/6336718> |
| 109 | // Implements: CERT security coding advisory FLP-30. |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 110 | //===----------------------------------------------------------------------===// |
| 111 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 112 | static const DeclRefExpr* |
| 113 | GetIncrementedVar(const Expr *expr, const VarDecl *x, const VarDecl *y) { |
| 114 | expr = expr->IgnoreParenCasts(); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 115 | |
| 116 | if (const BinaryOperator *B = dyn_cast<BinaryOperator>(expr)) { |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 117 | if (!(B->isAssignmentOp() || B->isCompoundAssignmentOp() || |
| 118 | B->getOpcode() == BinaryOperator::Comma)) |
| 119 | return NULL; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 120 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 121 | if (const DeclRefExpr *lhs = GetIncrementedVar(B->getLHS(), x, y)) |
| 122 | return lhs; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 123 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 124 | if (const DeclRefExpr *rhs = GetIncrementedVar(B->getRHS(), x, y)) |
| 125 | return rhs; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 126 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 127 | return NULL; |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 128 | } |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 129 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 130 | if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(expr)) { |
| 131 | const NamedDecl *ND = DR->getDecl(); |
| 132 | return ND == x || ND == y ? DR : NULL; |
| 133 | } |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 134 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 135 | if (const UnaryOperator *U = dyn_cast<UnaryOperator>(expr)) |
| 136 | return U->isIncrementDecrementOp() |
| 137 | ? GetIncrementedVar(U->getSubExpr(), x, y) : NULL; |
| 138 | |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 139 | return NULL; |
| 140 | } |
| 141 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 142 | /// CheckLoopConditionForFloat - This check looks for 'for' statements that |
| 143 | /// use a floating point variable as a loop counter. |
| 144 | /// CERT: FLP30-C, FLP30-CPP. |
| 145 | /// |
| 146 | void WalkAST::CheckLoopConditionForFloat(const ForStmt *FS) { |
| 147 | // Does the loop have a condition? |
| 148 | const Expr *condition = FS->getCond(); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 149 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 150 | if (!condition) |
| 151 | return; |
| 152 | |
| 153 | // Does the loop have an increment? |
| 154 | const Expr *increment = FS->getInc(); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 155 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 156 | if (!increment) |
| 157 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 158 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 159 | // Strip away '()' and casts. |
| 160 | condition = condition->IgnoreParenCasts(); |
| 161 | increment = increment->IgnoreParenCasts(); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 162 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 163 | // Is the loop condition a comparison? |
| 164 | const BinaryOperator *B = dyn_cast<BinaryOperator>(condition); |
| 165 | |
| 166 | if (!B) |
| 167 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 168 | |
Ted Kremenek | cad9f41 | 2009-07-24 20:26:31 +0000 | [diff] [blame] | 169 | // Is this a comparison? |
| 170 | if (!(B->isRelationalOp() || B->isEqualityOp())) |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 171 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 172 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 173 | // Are we comparing variables? |
| 174 | const DeclRefExpr *drLHS = dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParens()); |
| 175 | const DeclRefExpr *drRHS = dyn_cast<DeclRefExpr>(B->getRHS()->IgnoreParens()); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 176 | |
Ted Kremenek | cad9f41 | 2009-07-24 20:26:31 +0000 | [diff] [blame] | 177 | // Does at least one of the variables have a floating point type? |
| 178 | drLHS = drLHS && drLHS->getType()->isFloatingType() ? drLHS : NULL; |
| 179 | drRHS = drRHS && drRHS->getType()->isFloatingType() ? drRHS : NULL; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 180 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 181 | if (!drLHS && !drRHS) |
| 182 | return; |
| 183 | |
| 184 | const VarDecl *vdLHS = drLHS ? dyn_cast<VarDecl>(drLHS->getDecl()) : NULL; |
| 185 | const VarDecl *vdRHS = drRHS ? dyn_cast<VarDecl>(drRHS->getDecl()) : NULL; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 186 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 187 | if (!vdLHS && !vdRHS) |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 188 | return; |
| 189 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 190 | // Does either variable appear in increment? |
| 191 | const DeclRefExpr *drInc = GetIncrementedVar(increment, vdLHS, vdRHS); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 192 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 193 | if (!drInc) |
| 194 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 195 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 196 | // Emit the error. First figure out which DeclRefExpr in the condition |
| 197 | // referenced the compared variable. |
| 198 | const DeclRefExpr *drCond = vdLHS == drInc->getDecl() ? drLHS : drRHS; |
| 199 | |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 200 | llvm::SmallVector<SourceRange, 2> ranges; |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 201 | std::string sbuf; |
| 202 | llvm::raw_string_ostream os(sbuf); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 203 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 204 | os << "Variable '" << drCond->getDecl()->getNameAsCString() |
| 205 | << "' with floating point type '" << drCond->getType().getAsString() |
| 206 | << "' should not be used as a loop counter"; |
| 207 | |
| 208 | ranges.push_back(drCond->getSourceRange()); |
| 209 | ranges.push_back(drInc->getSourceRange()); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 210 | |
Ted Kremenek | 8baf86d | 2009-07-23 21:34:35 +0000 | [diff] [blame] | 211 | const char *bugType = "Floating point variable used as loop counter"; |
| 212 | BR.EmitBasicReport(bugType, "Security", os.str().c_str(), |
| 213 | FS->getLocStart(), ranges.data(), ranges.size()); |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 214 | } |
| 215 | |
| 216 | //===----------------------------------------------------------------------===// |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 217 | // Check: Any use of 'gets' is insecure. |
| 218 | // Originally: <rdar://problem/6335715> |
| 219 | // Implements (part of): 300-BSI (buildsecurityin.us-cert.gov) |
Zhongxing Xu | aa30b3b | 2009-11-09 08:13:04 +0000 | [diff] [blame] | 220 | // CWE-242: Use of Inherently Dangerous Function |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 221 | //===----------------------------------------------------------------------===// |
| 222 | |
| 223 | void WalkAST::CheckCall_gets(const CallExpr *CE, const FunctionDecl *FD) { |
| 224 | if (FD->getIdentifier() != GetIdentifier(II_gets, "gets")) |
| 225 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 226 | |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 227 | const FunctionProtoType *FPT = dyn_cast<FunctionProtoType>(FD->getType()); |
| 228 | if (!FPT) |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 229 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 230 | |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 231 | // Verify that the function takes a single argument. |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 232 | if (FPT->getNumArgs() != 1) |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 233 | return; |
| 234 | |
| 235 | // Is the argument a 'char*'? |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 236 | const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(0)); |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 237 | if (!PT) |
| 238 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 239 | |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 240 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) |
| 241 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 242 | |
Ted Kremenek | efcbb15 | 2009-07-23 22:29:41 +0000 | [diff] [blame] | 243 | // Issue a warning. |
| 244 | SourceRange R = CE->getCallee()->getSourceRange(); |
| 245 | BR.EmitBasicReport("Potential buffer overflow in call to 'gets'", |
| 246 | "Security", |
| 247 | "Call to function 'gets' is extremely insecure as it can " |
| 248 | "always result in a buffer overflow", |
| 249 | CE->getLocStart(), &R, 1); |
| 250 | } |
| 251 | |
| 252 | //===----------------------------------------------------------------------===// |
Zhongxing Xu | bd842e3 | 2009-11-09 12:19:26 +0000 | [diff] [blame] | 253 | // Check: Any use of 'getpwd' is insecure. |
| 254 | // CWE-477: Use of Obsolete Functions |
| 255 | //===----------------------------------------------------------------------===// |
| 256 | |
| 257 | void WalkAST::CheckCall_getpw(const CallExpr *CE, const FunctionDecl *FD) { |
| 258 | if (FD->getIdentifier() != GetIdentifier(II_getpw, "getpw")) |
| 259 | return; |
| 260 | |
| 261 | const FunctionProtoType *FPT = dyn_cast<FunctionProtoType>(FD->getType()); |
| 262 | if (!FPT) |
| 263 | return; |
| 264 | |
| 265 | // Verify that the function takes two arguments. |
| 266 | if (FPT->getNumArgs() != 2) |
| 267 | return; |
| 268 | |
| 269 | // Verify the first argument type is integer. |
| 270 | if (!FPT->getArgType(0)->isIntegerType()) |
| 271 | return; |
| 272 | |
| 273 | // Verify the second argument type is char*. |
| 274 | const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(1)); |
| 275 | if (!PT) |
| 276 | return; |
| 277 | |
| 278 | if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) |
| 279 | return; |
| 280 | |
| 281 | // Issue a warning. |
| 282 | SourceRange R = CE->getCallee()->getSourceRange(); |
| 283 | BR.EmitBasicReport("Potential buffer overflow in call to 'getpw'", |
| 284 | "Security", |
| 285 | "The getpw() function is dangerous as it may overflow the " |
| 286 | "provided buffer. It is obsoleted by getpwuid().", |
| 287 | CE->getLocStart(), &R, 1); |
| 288 | } |
| 289 | |
| 290 | //===----------------------------------------------------------------------===// |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 291 | // Check: Linear congruent random number generators should not be used |
| 292 | // Originally: <rdar://problem/63371000> |
| 293 | // CWE-338: Use of cryptographically weak prng |
| 294 | //===----------------------------------------------------------------------===// |
| 295 | |
| 296 | void WalkAST::CheckCall_rand(const CallExpr *CE, const FunctionDecl *FD) { |
| 297 | if (II_rand[0] == NULL) { |
| 298 | // This check applies to these functions |
| 299 | static const char * const identifiers[num_rands] = { |
| 300 | "drand48", "erand48", "jrand48", "lrand48", "mrand48", "nrand48", |
| 301 | "lcong48", |
| 302 | "rand", "rand_r" |
| 303 | }; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 304 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 305 | for (size_t i = 0; i < num_rands; i++) |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 306 | II_rand[i] = &BR.getContext().Idents.get(identifiers[i]); |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 307 | } |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 308 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 309 | const IdentifierInfo *id = FD->getIdentifier(); |
| 310 | size_t identifierid; |
| 311 | |
| 312 | for (identifierid = 0; identifierid < num_rands; identifierid++) |
| 313 | if (id == II_rand[identifierid]) |
| 314 | break; |
| 315 | |
| 316 | if (identifierid >= num_rands) |
| 317 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 318 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 319 | const FunctionProtoType *FTP = dyn_cast<FunctionProtoType>(FD->getType()); |
| 320 | if (!FTP) |
| 321 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 322 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 323 | if (FTP->getNumArgs() == 1) { |
| 324 | // Is the argument an 'unsigned short *'? |
| 325 | // (Actually any integer type is allowed.) |
| 326 | const PointerType *PT = dyn_cast<PointerType>(FTP->getArgType(0)); |
| 327 | if (!PT) |
| 328 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 329 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 330 | if (! PT->getPointeeType()->isIntegerType()) |
| 331 | return; |
| 332 | } |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 333 | else if (FTP->getNumArgs() != 0) |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 334 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 335 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 336 | // Issue a warning. |
| 337 | std::string buf1; |
| 338 | llvm::raw_string_ostream os1(buf1); |
| 339 | os1 << "'" << FD->getNameAsString() << "' is a poor random number generator"; |
| 340 | |
| 341 | std::string buf2; |
| 342 | llvm::raw_string_ostream os2(buf2); |
| 343 | os2 << "Function '" << FD->getNameAsString() |
| 344 | << "' is obsolete because it implements a poor random number generator." |
| 345 | << " Use 'arc4random' instead"; |
| 346 | |
| 347 | SourceRange R = CE->getCallee()->getSourceRange(); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 348 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 349 | BR.EmitBasicReport(os1.str().c_str(), "Security", os2.str().c_str(), |
| 350 | CE->getLocStart(), &R, 1); |
| 351 | } |
| 352 | |
| 353 | //===----------------------------------------------------------------------===// |
| 354 | // Check: 'random' should not be used |
| 355 | // Originally: <rdar://problem/63371000> |
| 356 | //===----------------------------------------------------------------------===// |
| 357 | |
| 358 | void WalkAST::CheckCall_random(const CallExpr *CE, const FunctionDecl *FD) { |
| 359 | if (FD->getIdentifier() != GetIdentifier(II_random, "random")) |
| 360 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 361 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 362 | const FunctionProtoType *FTP = dyn_cast<FunctionProtoType>(FD->getType()); |
| 363 | if (!FTP) |
| 364 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 365 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 366 | // Verify that the function takes no argument. |
| 367 | if (FTP->getNumArgs() != 0) |
| 368 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 369 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 370 | // Issue a warning. |
| 371 | SourceRange R = CE->getCallee()->getSourceRange(); |
| 372 | BR.EmitBasicReport("'random' is not a secure random number generator", |
| 373 | "Security", |
| 374 | "The 'random' function produces a sequence of values that " |
| 375 | "an adversary may be able to predict. Use 'arc4random' " |
| 376 | "instead", |
| 377 | CE->getLocStart(), &R, 1); |
| 378 | } |
| 379 | |
| 380 | //===----------------------------------------------------------------------===// |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 381 | // Check: Should check whether privileges are dropped successfully. |
| 382 | // Originally: <rdar://problem/6337132> |
| 383 | //===----------------------------------------------------------------------===// |
| 384 | |
| 385 | void WalkAST::CheckUncheckedReturnValue(CallExpr *CE) { |
| 386 | const FunctionDecl *FD = CE->getDirectCallee(); |
| 387 | if (!FD) |
| 388 | return; |
| 389 | |
| 390 | if (II_setid[0] == NULL) { |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 391 | static const char * const identifiers[num_setids] = { |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 392 | "setuid", "setgid", "seteuid", "setegid", |
| 393 | "setreuid", "setregid" |
| 394 | }; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 395 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 396 | for (size_t i = 0; i < num_setids; i++) |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 397 | II_setid[i] = &BR.getContext().Idents.get(identifiers[i]); |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 398 | } |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 399 | |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 400 | const IdentifierInfo *id = FD->getIdentifier(); |
| 401 | size_t identifierid; |
| 402 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 403 | for (identifierid = 0; identifierid < num_setids; identifierid++) |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 404 | if (id == II_setid[identifierid]) |
| 405 | break; |
| 406 | |
Ted Kremenek | 2465047 | 2009-09-02 02:47:41 +0000 | [diff] [blame] | 407 | if (identifierid >= num_setids) |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 408 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 409 | |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 410 | const FunctionProtoType *FTP = dyn_cast<FunctionProtoType>(FD->getType()); |
| 411 | if (!FTP) |
| 412 | return; |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 413 | |
Ted Kremenek | a818783 | 2009-08-28 00:24:55 +0000 | [diff] [blame] | 414 | // Verify that the function takes one or two arguments (depending on |
| 415 | // the function). |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 416 | if (FTP->getNumArgs() != (identifierid < 4 ? 1 : 2)) |
| 417 | return; |
| 418 | |
| 419 | // The arguments must be integers. |
| 420 | for (unsigned i = 0; i < FTP->getNumArgs(); i++) |
| 421 | if (! FTP->getArgType(i)->isIntegerType()) |
| 422 | return; |
| 423 | |
| 424 | // Issue a warning. |
| 425 | std::string buf1; |
| 426 | llvm::raw_string_ostream os1(buf1); |
| 427 | os1 << "Return value is not checked in call to '" << FD->getNameAsString() |
| 428 | << "'"; |
| 429 | |
| 430 | std::string buf2; |
| 431 | llvm::raw_string_ostream os2(buf2); |
| 432 | os2 << "The return value from the call to '" << FD->getNameAsString() |
| 433 | << "' is not checked. If an error occurs in '" |
| 434 | << FD->getNameAsString() |
| 435 | << "', the following code may execute with unexpected privileges"; |
| 436 | |
| 437 | SourceRange R = CE->getCallee()->getSourceRange(); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 438 | |
Ted Kremenek | 65a81a9 | 2009-08-28 00:08:09 +0000 | [diff] [blame] | 439 | BR.EmitBasicReport(os1.str().c_str(), "Security", os2.str().c_str(), |
| 440 | CE->getLocStart(), &R, 1); |
| 441 | } |
| 442 | |
| 443 | //===----------------------------------------------------------------------===// |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 444 | // Entry point for check. |
| 445 | //===----------------------------------------------------------------------===// |
| 446 | |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 447 | void clang::CheckSecuritySyntaxOnly(const Decl *D, BugReporter &BR) { |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 448 | WalkAST walker(BR); |
Mike Stump | 1eb4433 | 2009-09-09 15:08:12 +0000 | [diff] [blame] | 449 | walker.Visit(D->getBody()); |
Ted Kremenek | dbfb5f8 | 2009-07-23 01:07:19 +0000 | [diff] [blame] | 450 | } |