clang  9.0.0
CStringSyntaxChecker.cpp
Go to the documentation of this file.
1 //== CStringSyntaxChecker.cpp - CoreFoundation containers API *- C++ -*-==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // An AST checker that looks for common pitfalls when using C string APIs.
10 // - Identifies erroneous patterns in the last argument to strncat - the number
11 // of bytes to copy.
12 //
13 //===----------------------------------------------------------------------===//
15 #include "clang/AST/Expr.h"
17 #include "clang/AST/StmtVisitor.h"
19 #include "clang/Basic/TargetInfo.h"
20 #include "clang/Basic/TypeTraits.h"
25 #include "llvm/ADT/SmallString.h"
26 #include "llvm/Support/raw_ostream.h"
27 
28 using namespace clang;
29 using namespace ento;
30 
31 namespace {
32 class WalkAST: public StmtVisitor<WalkAST> {
33  const CheckerBase *Checker;
34  BugReporter &BR;
36 
37  /// Check if two expressions refer to the same declaration.
38  bool sameDecl(const Expr *A1, const Expr *A2) {
39  if (const auto *D1 = dyn_cast<DeclRefExpr>(A1->IgnoreParenCasts()))
40  if (const auto *D2 = dyn_cast<DeclRefExpr>(A2->IgnoreParenCasts()))
41  return D1->getDecl() == D2->getDecl();
42  return false;
43  }
44 
45  /// Check if the expression E is a sizeof(WithArg).
46  bool isSizeof(const Expr *E, const Expr *WithArg) {
47  if (const auto *UE = dyn_cast<UnaryExprOrTypeTraitExpr>(E))
48  if (UE->getKind() == UETT_SizeOf && !UE->isArgumentType())
49  return sameDecl(UE->getArgumentExpr(), WithArg);
50  return false;
51  }
52 
53  /// Check if the expression E is a strlen(WithArg).
54  bool isStrlen(const Expr *E, const Expr *WithArg) {
55  if (const auto *CE = dyn_cast<CallExpr>(E)) {
56  const FunctionDecl *FD = CE->getDirectCallee();
57  if (!FD)
58  return false;
59  return (CheckerContext::isCLibraryFunction(FD, "strlen") &&
60  sameDecl(CE->getArg(0), WithArg));
61  }
62  return false;
63  }
64 
65  /// Check if the expression is an integer literal with value 1.
66  bool isOne(const Expr *E) {
67  if (const auto *IL = dyn_cast<IntegerLiteral>(E))
68  return (IL->getValue().isIntN(1));
69  return false;
70  }
71 
72  StringRef getPrintableName(const Expr *E) {
73  if (const auto *D = dyn_cast<DeclRefExpr>(E->IgnoreParenCasts()))
74  return D->getDecl()->getName();
75  return StringRef();
76  }
77 
78  /// Identify erroneous patterns in the last argument to strncat - the number
79  /// of bytes to copy.
80  bool containsBadStrncatPattern(const CallExpr *CE);
81 
82  /// Identify erroneous patterns in the last argument to strlcpy - the number
83  /// of bytes to copy.
84  /// The bad pattern checked is when the size is known
85  /// to be larger than the destination can handle.
86  /// char dst[2];
87  /// size_t cpy = 4;
88  /// strlcpy(dst, "abcd", sizeof("abcd") - 1);
89  /// strlcpy(dst, "abcd", 4);
90  /// strlcpy(dst + 3, "abcd", 2);
91  /// strlcpy(dst, "abcd", cpy);
92  /// Identify erroneous patterns in the last argument to strlcat - the number
93  /// of bytes to copy.
94  /// The bad pattern checked is when the last argument is basically
95  /// pointing to the destination buffer size or argument larger or
96  /// equal to.
97  /// char dst[2];
98  /// strlcat(dst, src2, sizeof(dst));
99  /// strlcat(dst, src2, 2);
100  /// strlcat(dst, src2, 10);
101  bool containsBadStrlcpyStrlcatPattern(const CallExpr *CE);
102 
103 public:
104  WalkAST(const CheckerBase *Checker, BugReporter &BR, AnalysisDeclContext *AC)
105  : Checker(Checker), BR(BR), AC(AC) {}
106 
107  // Statement visitor methods.
108  void VisitChildren(Stmt *S);
109  void VisitStmt(Stmt *S) {
110  VisitChildren(S);
111  }
112  void VisitCallExpr(CallExpr *CE);
113 };
114 } // end anonymous namespace
115 
116 // The correct size argument should look like following:
117 // strncat(dst, src, sizeof(dst) - strlen(dest) - 1);
118 // We look for the following anti-patterns:
119 // - strncat(dst, src, sizeof(dst) - strlen(dst));
120 // - strncat(dst, src, sizeof(dst) - 1);
121 // - strncat(dst, src, sizeof(dst));
122 bool WalkAST::containsBadStrncatPattern(const CallExpr *CE) {
123  if (CE->getNumArgs() != 3)
124  return false;
125  const Expr *DstArg = CE->getArg(0);
126  const Expr *SrcArg = CE->getArg(1);
127  const Expr *LenArg = CE->getArg(2);
128 
129  // Identify wrong size expressions, which are commonly used instead.
130  if (const auto *BE = dyn_cast<BinaryOperator>(LenArg->IgnoreParenCasts())) {
131  // - sizeof(dst) - strlen(dst)
132  if (BE->getOpcode() == BO_Sub) {
133  const Expr *L = BE->getLHS();
134  const Expr *R = BE->getRHS();
135  if (isSizeof(L, DstArg) && isStrlen(R, DstArg))
136  return true;
137 
138  // - sizeof(dst) - 1
139  if (isSizeof(L, DstArg) && isOne(R->IgnoreParenCasts()))
140  return true;
141  }
142  }
143  // - sizeof(dst)
144  if (isSizeof(LenArg, DstArg))
145  return true;
146 
147  // - sizeof(src)
148  if (isSizeof(LenArg, SrcArg))
149  return true;
150  return false;
151 }
152 
153 bool WalkAST::containsBadStrlcpyStrlcatPattern(const CallExpr *CE) {
154  if (CE->getNumArgs() != 3)
155  return false;
156  const Expr *DstArg = CE->getArg(0);
157  const Expr *LenArg = CE->getArg(2);
158 
159  const auto *DstArgDecl = dyn_cast<DeclRefExpr>(DstArg->IgnoreParenImpCasts());
160  const auto *LenArgDecl = dyn_cast<DeclRefExpr>(LenArg->IgnoreParenLValueCasts());
161  uint64_t DstOff = 0;
162  if (isSizeof(LenArg, DstArg))
163  return false;
164  // - size_t dstlen = sizeof(dst)
165  if (LenArgDecl) {
166  const auto *LenArgVal = dyn_cast<VarDecl>(LenArgDecl->getDecl());
167  if (LenArgVal->getInit())
168  LenArg = LenArgVal->getInit();
169  }
170 
171  // - integral value
172  // We try to figure out if the last argument is possibly longer
173  // than the destination can possibly handle if its size can be defined.
174  if (const auto *IL = dyn_cast<IntegerLiteral>(LenArg->IgnoreParenImpCasts())) {
175  uint64_t ILRawVal = IL->getValue().getZExtValue();
176 
177  // Case when there is pointer arithmetic on the destination buffer
178  // especially when we offset from the base decreasing the
179  // buffer length accordingly.
180  if (!DstArgDecl) {
181  if (const auto *BE = dyn_cast<BinaryOperator>(DstArg->IgnoreParenImpCasts())) {
182  DstArgDecl = dyn_cast<DeclRefExpr>(BE->getLHS()->IgnoreParenImpCasts());
183  if (BE->getOpcode() == BO_Add) {
184  if ((IL = dyn_cast<IntegerLiteral>(BE->getRHS()->IgnoreParenImpCasts()))) {
185  DstOff = IL->getValue().getZExtValue();
186  }
187  }
188  }
189  }
190  if (DstArgDecl) {
191  if (const auto *Buffer = dyn_cast<ConstantArrayType>(DstArgDecl->getType())) {
192  ASTContext &C = BR.getContext();
193  uint64_t BufferLen = C.getTypeSize(Buffer) / 8;
194  auto RemainingBufferLen = BufferLen - DstOff;
195  if (RemainingBufferLen < ILRawVal)
196  return true;
197  }
198  }
199  }
200 
201  return false;
202 }
203 
204 void WalkAST::VisitCallExpr(CallExpr *CE) {
205  const FunctionDecl *FD = CE->getDirectCallee();
206  if (!FD)
207  return;
208 
209  if (CheckerContext::isCLibraryFunction(FD, "strncat")) {
210  if (containsBadStrncatPattern(CE)) {
211  const Expr *DstArg = CE->getArg(0);
212  const Expr *LenArg = CE->getArg(2);
213  PathDiagnosticLocation Loc =
214  PathDiagnosticLocation::createBegin(LenArg, BR.getSourceManager(), AC);
215 
216  StringRef DstName = getPrintableName(DstArg);
217 
219  llvm::raw_svector_ostream os(S);
220  os << "Potential buffer overflow. ";
221  if (!DstName.empty()) {
222  os << "Replace with 'sizeof(" << DstName << ") "
223  "- strlen(" << DstName <<") - 1'";
224  os << " or u";
225  } else
226  os << "U";
227  os << "se a safer 'strlcat' API";
228 
229  BR.EmitBasicReport(FD, Checker, "Anti-pattern in the argument",
230  "C String API", os.str(), Loc,
231  LenArg->getSourceRange());
232  }
233  } else if (CheckerContext::isCLibraryFunction(FD, "strlcpy") ||
234  CheckerContext::isCLibraryFunction(FD, "strlcat")) {
235  if (containsBadStrlcpyStrlcatPattern(CE)) {
236  const Expr *DstArg = CE->getArg(0);
237  const Expr *LenArg = CE->getArg(2);
238  PathDiagnosticLocation Loc =
239  PathDiagnosticLocation::createBegin(LenArg, BR.getSourceManager(), AC);
240 
241  StringRef DstName = getPrintableName(DstArg);
242 
244  llvm::raw_svector_ostream os(S);
245  os << "The third argument allows to potentially copy more bytes than it should. ";
246  os << "Replace with the value ";
247  if (!DstName.empty())
248  os << "sizeof(" << DstName << ")";
249  else
250  os << "sizeof(<destination buffer>)";
251  os << " or lower";
252 
253  BR.EmitBasicReport(FD, Checker, "Anti-pattern in the argument",
254  "C String API", os.str(), Loc,
255  LenArg->getSourceRange());
256  }
257  }
258 
259  // Recurse and check children.
260  VisitChildren(CE);
261 }
262 
263 void WalkAST::VisitChildren(Stmt *S) {
264  for (Stmt *Child : S->children())
265  if (Child)
266  Visit(Child);
267 }
268 
269 namespace {
270 class CStringSyntaxChecker: public Checker<check::ASTCodeBody> {
271 public:
272 
273  void checkASTCodeBody(const Decl *D, AnalysisManager& Mgr,
274  BugReporter &BR) const {
275  WalkAST walker(this, BR, Mgr.getAnalysisDeclContext(D));
276  walker.Visit(D->getBody());
277  }
278 };
279 }
280 
281 void ento::registerCStringSyntaxChecker(CheckerManager &mgr) {
282  mgr.registerChecker<CStringSyntaxChecker>();
283 }
284 
285 bool ento::shouldRegisterCStringSyntaxChecker(const LangOptions &LO) {
286  return true;
287 }
Represents a function declaration or definition.
Definition: Decl.h:1748
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2673
Defines enumerations for the type traits support.
virtual Stmt * getBody() const
getBody - If this Decl represents a declaration for a body of code, such as a function or method defi...
Definition: DeclBase.h:986
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2660
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:88
Represents a variable declaration or definition.
Definition: Decl.h:812
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
AnalysisDeclContext contains the context data for the function or method under analysis.
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
child_range children()
Definition: Stmt.cpp:212
Expr * IgnoreParenCasts() LLVM_READONLY
Skip past any parentheses and casts which might surround this expression until reaching a fixed point...
Definition: Expr.cpp:2947
This represents one expression.
Definition: Expr.h:108
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
FunctionDecl * getDirectCallee()
If the callee is a FunctionDecl, return it. Otherwise return null.
Definition: Expr.h:2652
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
StmtVisitor - This class implements a simple visitor for Stmt subclasses.
Definition: StmtVisitor.h:182
const Decl * getDecl() const
Dataflow Directional Tag Classes.
Expr * IgnoreParenImpCasts() LLVM_READONLY
Skip past any parentheses and implicit casts which might surround this expression until reaching a fi...
Definition: Expr.cpp:2942
Expr * IgnoreParenLValueCasts() LLVM_READONLY
Skip past any parentheses and lvalue casts which might surround this expression until reaching a fixe...
Definition: Expr.cpp:2959
uint64_t getTypeSize(QualType T) const
Return the size of the specified (complete) type T, in bits.
Definition: ASTContext.h:2079
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:251
Defines the clang::TargetInfo interface.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2516
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:275
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1141