danix800 created this revision.
danix800 added a reviewer: steakhal.
danix800 added a project: clang.
Herald added subscribers: manas, ASDenysPetrov, martong, dkrupp, donat.nagy,
Szelethus, mikhail.ramalho, a.sidorin, szepet, baloghadamsoftware, xazax.hun.
Herald added a reviewer: NoQ.
Herald added a project: All.
danix800 requested review of this revision.
Herald added a subscriber: cfe-commits.
MmapWriteExecChecker: use getAs instead of castAs
Fixes https://github.com/llvm/llvm-project/issues/62285
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D158953
Files:
clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
clang/test/Analysis/mmap-writeexec.c
Index: clang/test/Analysis/mmap-writeexec.c
===================================================================
--- clang/test/Analysis/mmap-writeexec.c
+++ clang/test/Analysis/mmap-writeexec.c
@@ -42,3 +42,17 @@
int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both
PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory
regions, which could be overwritten with malicious code}}
(void)m;
}
+
+// gh62285: no crash on non concrete arg 'prot'
+typedef struct malloc_mmap_2
+{
+ int prot;
+} malloc_mmap_st_2;
+
+int gh62285(int cmd, void *arg2)
+{
+ malloc_mmap_st_2* args2 = arg2;
+ void *buf = ((void*)0);
+ buf = mmap((void*)0, 1, args2->prot, 1, 1, 1);
+ return 0;
+}
Index: clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
@@ -48,8 +48,10 @@
CheckerContext &C) const {
if (matchesAny(Call, MmapFn, MprotectFn)) {
SVal ProtVal = Call.getArgSVal(2);
- auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
- int64_t Prot = ProtLoc.getValue().getSExtValue();
+ auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
+ if (!ProtLoc)
+ return;
+ int64_t Prot = ProtLoc->getValue().getSExtValue();
if (ProtExecOv != ProtExec)
ProtExec = ProtExecOv;
if (ProtReadOv != ProtRead)
Index: clang/test/Analysis/mmap-writeexec.c
===================================================================
--- clang/test/Analysis/mmap-writeexec.c
+++ clang/test/Analysis/mmap-writeexec.c
@@ -42,3 +42,17 @@
int m = mprotect(p, 1024, PROT_WRITE | PROT_EXEC); // expected-warning{{Both PROT_WRITE and PROT_EXEC flags are set. This can lead to exploitable memory regions, which could be overwritten with malicious code}}
(void)m;
}
+
+// gh62285: no crash on non concrete arg 'prot'
+typedef struct malloc_mmap_2
+{
+ int prot;
+} malloc_mmap_st_2;
+
+int gh62285(int cmd, void *arg2)
+{
+ malloc_mmap_st_2* args2 = arg2;
+ void *buf = ((void*)0);
+ buf = mmap((void*)0, 1, args2->prot, 1, 1, 1);
+ return 0;
+}
Index: clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/MmapWriteExecChecker.cpp
@@ -48,8 +48,10 @@
CheckerContext &C) const {
if (matchesAny(Call, MmapFn, MprotectFn)) {
SVal ProtVal = Call.getArgSVal(2);
- auto ProtLoc = ProtVal.castAs<nonloc::ConcreteInt>();
- int64_t Prot = ProtLoc.getValue().getSExtValue();
+ auto ProtLoc = ProtVal.getAs<nonloc::ConcreteInt>();
+ if (!ProtLoc)
+ return;
+ int64_t Prot = ProtLoc->getValue().getSExtValue();
if (ProtExecOv != ProtExec)
ProtExec = ProtExecOv;
if (ProtReadOv != ProtRead)
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
