danix800 created this revision. danix800 added a reviewer: steakhal. danix800 added a project: clang. Herald added subscribers: manas, ASDenysPetrov, martong, dkrupp, donat.nagy, Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun. Herald added a reviewer: NoQ. Herald added a project: All. danix800 requested review of this revision. Herald added a subscriber: cfe-commits.
MmapWriteExecChecker: use getAs instead of castAs Fixes https://github.com/llvm/llvm-project/issues/62285 Repository: rG LLVM Github Monorepo https://reviews.llvm.org/D158953 Files: clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp clang/test/Analysis/mmap-writeexec.c
Index: clang/test/Analysis/mmap-writeexec.c
===================================================================
--- clang/test/Analysis/mmap-writeexec.c
+++ clang/test/Analysis/mmap-writeexec.c
@@ -42,3 +42,17 @@
 int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
 (void)m;
 }
+
+// gh62285: no crash on non concrete arg 'prot'
+typedef struct malloc_mmap_2
+{
+ int prot;
+} malloc_mmap_st_2;
+
+int gh62285(int cmd, void *arg2)
+{
+ malloc_mmap_st_2* args2 = arg2;
+ void *buf = ((void*)0);
+ buf = mmap((void*)0, 1, args2->prot, 1, 1, 1);
+ return 0;
+}
Index: clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
@@ -48,8 +48,10 @@
 CheckerContext &C) const {
 if (matchesAny(Call, MmapFn, MprotectFn)) {
 SVal ProtVal = Call.getArgSVal(2);
- auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
- int64_t Prot = ProtLoc.getValue().getSExtValue();
+ auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
+ if (!ProtLoc)
+ return;
+ int64_t Prot = ProtLoc->getValue().getSExtValue();
 if (ProtExecOv != ProtExec)
 ProtExec = ProtExecOv;
 if (ProtReadOv != ProtRead)
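Review bot: The new `gh62285` case exercises only `mmap` with a non-concrete `prot`, while the checker change guards code that `mprotect` also reaches (`matchesAny(Call, MmapFn, MprotectFn)`). Adding `(void)mprotect(buf, 1, args2->prot);` to the same function would pin both entry points against the crash. Neither call should carry an `expected-warning`, because the analyzer cannot know the flag value there.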
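Review bot: The added `if (!ProtLoc) return;` makes the checker silently skip every `mmap`/`mprotect` call whose protection argument is not a concrete integer, so a writable-and-executable mapping whose flags come from a struct field or a parameter (as in the new test) is never reported. That is a reasonable way to stop the crash, but the coverage gap should be stated at the guard, for example `// 'prot' is symbolic or unknown: W^X cannot be decided here, so stay silent (known false negative).` The name `ProtLoc` is also misleading for an optional `nonloc::ConcreteInt`; something like `ProtConcrete` would read better. The enclosing function starts before and continues past this hunk.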
Index: clang/test/Analysis/mmap-writeexec.c
===================================================================
--- clang/test/Analysis/mmap-writeexec.c
+++ clang/test/Analysis/mmap-writeexec.c
@@ -42,3 +42,17 @@
 int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
 (void)m;
 }
+
+// gh62285: no crash on non concrete arg 'prot'
+typedef struct malloc_mmap_2
+{
+ int prot;
+} malloc_mmap_st_2;
+
+int gh62285(int cmd, void *arg2)
+{
+ malloc_mmap_st_2* args2 = arg2;
+ void *buf = ((void*)0);
+ buf = mmap((void*)0, 1, args2->prot, 1, 1, 1);
+ return 0;
+}
Index: clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
@@ -48,8 +48,10 @@
 CheckerContext &C) const {
 if (matchesAny(Call, MmapFn, MprotectFn)) {
 SVal ProtVal = Call.getArgSVal(2);
- auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
- int64_t Prot = ProtLoc.getValue().getSExtValue();
+ auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
+ if (!ProtLoc)
+ return;
+ int64_t Prot = ProtLoc->getValue().getSExtValue();
 if (ProtExecOv != ProtExec)
 ProtExec = ProtExecOv;
 if (ProtReadOv != ProtRead)