| Daniel Marjamaki | 13264eb | 2016-09-26 15:17:18 +0000 | [diff] [blame] | 1 | //=== CastToStructChecker.cpp ----------------------------------*- C++ -*--===// | 
| Zhongxing Xu | f06c684 | 2009-11-09 08:07:38 +0000 | [diff] [blame] | 2 | // | 
|  | 3 | //                     The LLVM Compiler Infrastructure | 
|  | 4 | // | 
|  | 5 | // This file is distributed under the University of Illinois Open Source | 
|  | 6 | // License. See LICENSE.TXT for details. | 
|  | 7 | // | 
|  | 8 | //===----------------------------------------------------------------------===// | 
|  | 9 | // | 
|  | 10 | // This file defines CastToStructChecker, a builtin checker that checks for | 
| Daniel Marjamaki | 13264eb | 2016-09-26 15:17:18 +0000 | [diff] [blame] | 11 | // cast from non-struct pointer to struct pointer and widening struct data cast. | 
| Zhongxing Xu | f06c684 | 2009-11-09 08:07:38 +0000 | [diff] [blame] | 12 | // This check corresponds to CWE-588. | 
|  | 13 | // | 
|  | 14 | //===----------------------------------------------------------------------===// | 
|  | 15 |  | 
| Argyrios Kyrtzidis | a921528 | 2011-02-15 22:55:20 +0000 | [diff] [blame] | 16 | #include "ClangSACheckers.h" | 
| Daniel Marjamaki | 13264eb | 2016-09-26 15:17:18 +0000 | [diff] [blame] | 17 | #include "clang/AST/RecursiveASTVisitor.h" | 
| Chandler Carruth | 3a02247 | 2012-12-04 09:13:33 +0000 | [diff] [blame] | 18 | #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" | 
| Argyrios Kyrtzidis | 6a5674f | 2011-03-01 01:16:21 +0000 | [diff] [blame] | 19 | #include "clang/StaticAnalyzer/Core/Checker.h" | 
| Argyrios Kyrtzidis | 507ff53 | 2011-02-17 21:39:17 +0000 | [diff] [blame] | 20 | #include "clang/StaticAnalyzer/Core/CheckerManager.h" | 
| Argyrios Kyrtzidis | dff865d | 2011-02-23 01:05:36 +0000 | [diff] [blame] | 21 | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" | 
| Zhongxing Xu | f06c684 | 2009-11-09 08:07:38 +0000 | [diff] [blame] | 22 |  | 
|  | 23 | using namespace clang; | 
| Ted Kremenek | 98857c9 | 2010-12-23 07:20:52 +0000 | [diff] [blame] | 24 | using namespace ento; | 
| Zhongxing Xu | f06c684 | 2009-11-09 08:07:38 +0000 | [diff] [blame] | 25 |  | 
namespace {
/// AST visitor that looks at every cast expression reachable from a
/// declaration and reports suspicious casts to struct pointers through the
/// supplied BugReporter.
class CastToStructVisitor : public RecursiveASTVisitor<CastToStructVisitor> {
public:
  /// \param B       reporter that receives the emitted diagnostics.
  /// \param Checker checker the diagnostics are attributed to.
  /// \param A       analysis context of the declaration being traversed; used
  ///                to reach the ASTContext and to build report locations.
  explicit CastToStructVisitor(BugReporter &B, const CheckerBase *Checker,
                               AnalysisDeclContext *A)
      : BR(B), Checker(Checker), AC(A) {}

  /// Callback for each cast expression; defined out of line below.
  bool VisitCastExpr(const CastExpr *CE);

private:
  // Declaration order is kept as BR, Checker, AC: it is also the order in
  // which the constructor initializes them.
  BugReporter &BR;
  const CheckerBase *Checker;
  AnalysisDeclContext *AC;
};
} // end anonymous namespace
|  | 39 |  | 
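/// Inspect one cast expression and report casts to struct pointers that match
/// the patterns this checker covers (the file header maps them to CWE-588).
///
/// Two diagnostics can be emitted, both via BR.EmitBasicReport:
///  - "Cast from non-struct type to struct type": a pointer whose pointee is
///    neither void nor a record is cast to a pointer to a struct/class.
///  - "Widening cast to struct type": the address of a named variable or
///    member of record type is cast to a pointer to a strictly wider
///    struct/class.
///
/// Known blind spots, all deliberate in the code below: casts from void* are
/// accepted, and the widening check only fires when the operand is a literal
/// `&decl` / `&obj.member`, so pointers obtained any other way are not
/// diagnosed.
///
/// \param CE the cast expression being visited.
/// \returns always true, so the RecursiveASTVisitor traversal continues.
bool CastToStructVisitor::VisitCastExpr(const CastExpr *CE) {
  const Expr *E = CE->getSubExpr();
  ASTContext &Ctx = AC->getASTContext();
  // Work on canonical types so typedefs and other sugar cannot hide a pointer.
  QualType OrigTy = Ctx.getCanonicalType(E->getType());
  QualType ToTy = Ctx.getCanonicalType(CE->getType());

  const PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
  const PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());

  // Only pointer-to-pointer casts are of interest.
  if (!ToPTy || !OrigPTy)
    return true;

  QualType OrigPointeeTy = OrigPTy->getPointeeType();
  QualType ToPointeeTy = ToPTy->getPointeeType();

  if (!ToPointeeTy->isStructureOrClassType())
    return true;

  // We allow cast from void*.
  if (OrigPointeeTy->isVoidType())
    return true;

  // Now the cast-to-type is struct pointer, the original type is not void*.
  if (!OrigPointeeTy->isRecordType()) {
    PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
    BR.EmitBasicReport(
        AC->getDecl(), Checker, "Cast from non-struct type to struct type",
        categories::LogicError, "Casting a non-structure type to a structure "
                                "type and accessing a field can lead to memory "
                                "access errors or data corruption.",
        Loc, CE->getSourceRange());
    return true;
  }

  // Record-to-record cast: only the widening case is reported.

  // Don't warn when size of data is unknown: the operand must be `&something`.
  const auto *U = dyn_cast<UnaryOperator>(E);
  if (!U || U->getOpcode() != UO_AddrOf)
    return true;

  // Don't warn for references: the declared type of a reference says nothing
  // about the size of the object it is bound to.
  const ValueDecl *VD = nullptr;
  if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
    VD = SE->getDecl();
  else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
    VD = SE->getMemberDecl();
  if (!VD || VD->getType()->isReferenceType())
    return true;

  // The widths below are only queried for complete types.
  if (ToPointeeTy->isIncompleteType() || OrigPointeeTy->isIncompleteType())
    return true;

  // Warn when there is widening cast. TypeInfo::Width is a 64-bit value, so
  // keep it in a 64-bit local: storing it in `unsigned` truncates the width of
  // very large records and can turn a widening cast into a missed report.
  const uint64_t ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
  const uint64_t OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
  if (ToWidth <= OrigWidth)
    return true;

  PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
  BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
                     categories::LogicError,
                     "Casting data to a larger structure type and accessing "
                     "a field can lead to memory access errors or data "
                     "corruption.",
                     Loc, CE->getSourceRange());

  return true;
}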
|  | 108 |  | 
namespace {
/// AST-level checker: for each code body handed to it, runs a
/// CastToStructVisitor over the declaration so every cast expression in it is
/// examined.
class CastToStructChecker : public Checker<check::ASTCodeBody> {
public:
  /// \param D   declaration whose body is checked.
  /// \param Mgr source of the AnalysisDeclContext for \p D.
  /// \param BR  reporter that receives any diagnostics.
  void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
                        BugReporter &BR) const {
    AnalysisDeclContext *DeclCtx = Mgr.getAnalysisDeclContext(D);
    CastToStructVisitor Walker(BR, this, DeclCtx);
    // TraverseDecl is called with a non-const Decl*, hence the const_cast.
    Walker.TraverseDecl(const_cast<Decl *>(D));
  }
};
} // end anonymous namespace
|  | 119 |  | 
/// Registration entry point: adds CastToStructChecker to the given
/// CheckerManager.
void ento::registerCastToStructChecker(CheckerManager &mgr) {
  mgr.registerChecker<CastToStructChecker>();
}