head 1.1; branch 1.1.1; access; symbols netbsd-11-0-RC4:1.1.1.7 netbsd-11-0-RC3:1.1.1.7 netbsd-11-0-RC2:1.1.1.7 netbsd-11-0-RC1:1.1.1.7 perseant-exfatfs-base-20250801:1.1.1.7 netbsd-11:1.1.1.7.0.10 netbsd-11-base:1.1.1.7 netbsd-10-1-RELEASE:1.1.1.7 perseant-exfatfs-base-20240630:1.1.1.7 perseant-exfatfs:1.1.1.7.0.8 perseant-exfatfs-base:1.1.1.7 netbsd-8-3-RELEASE:1.1.1.5 netbsd-9-4-RELEASE:1.1.1.6 netbsd-10-0-RELEASE:1.1.1.7 netbsd-10-0-RC6:1.1.1.7 netbsd-10-0-RC5:1.1.1.7 netbsd-10-0-RC4:1.1.1.7 netbsd-10-0-RC3:1.1.1.7 netbsd-10-0-RC2:1.1.1.7 netbsd-10-0-RC1:1.1.1.7 netbsd-10:1.1.1.7.0.6 netbsd-10-base:1.1.1.7 netbsd-9-3-RELEASE:1.1.1.6 cjep_sun2x:1.1.1.7.0.4 cjep_sun2x-base:1.1.1.7 cjep_staticlib_x-base1:1.1.1.7 netbsd-9-2-RELEASE:1.1.1.6 cjep_staticlib_x:1.1.1.7.0.2 cjep_staticlib_x-base:1.1.1.7 netbsd-9-1-RELEASE:1.1.1.6 phil-wifi-20200421:1.1.1.7 phil-wifi-20200411:1.1.1.7 phil-wifi-20200406:1.1.1.7 netbsd-8-2-RELEASE:1.1.1.5 netbsd-9-0-RELEASE:1.1.1.6 netbsd-9-0-RC2:1.1.1.6 netbsd-9-0-RC1:1.1.1.6 netbsd-9:1.1.1.6.0.2 netbsd-9-base:1.1.1.6 phil-wifi-20190609:1.1.1.6 netbsd-8-1-RELEASE:1.1.1.5 netbsd-8-1-RC1:1.1.1.5 pgoyette-compat-merge-20190127:1.1.1.5.12.1 pgoyette-compat-20190127:1.1.1.6 pgoyette-compat-20190118:1.1.1.6 pgoyette-compat-1226:1.1.1.6 pgoyette-compat-1126:1.1.1.6 pgoyette-compat-1020:1.1.1.6 pgoyette-compat-0930:1.1.1.6 pgoyette-compat-0906:1.1.1.6 netbsd-7-2-RELEASE:1.1.1.3 pgoyette-compat-0728:1.1.1.6 clang-337282:1.1.1.6 netbsd-8-0-RELEASE:1.1.1.5 phil-wifi:1.1.1.5.0.14 phil-wifi-base:1.1.1.5 pgoyette-compat-0625:1.1.1.5 netbsd-8-0-RC2:1.1.1.5 pgoyette-compat-0521:1.1.1.5 pgoyette-compat-0502:1.1.1.5 pgoyette-compat-0422:1.1.1.5 netbsd-8-0-RC1:1.1.1.5 pgoyette-compat-0415:1.1.1.5 pgoyette-compat-0407:1.1.1.5 pgoyette-compat-0330:1.1.1.5 pgoyette-compat-0322:1.1.1.5 pgoyette-compat-0315:1.1.1.5 netbsd-7-1-2-RELEASE:1.1.1.3 pgoyette-compat:1.1.1.5.0.12 pgoyette-compat-base:1.1.1.5 netbsd-7-1-1-RELEASE:1.1.1.3 clang-319952:1.1.1.5 matt-nb8-mediatek:1.1.1.5.0.10 matt-nb8-mediatek-base:1.1.1.5 clang-309604:1.1.1.5 perseant-stdc-iso10646:1.1.1.5.0.8 perseant-stdc-iso10646-base:1.1.1.5 netbsd-8:1.1.1.5.0.6 netbsd-8-base:1.1.1.5 prg-localcount2-base3:1.1.1.5 prg-localcount2-base2:1.1.1.5 prg-localcount2-base1:1.1.1.5 prg-localcount2:1.1.1.5.0.4 prg-localcount2-base:1.1.1.5 pgoyette-localcount-20170426:1.1.1.5 bouyer-socketcan-base1:1.1.1.5 pgoyette-localcount-20170320:1.1.1.5 netbsd-7-1:1.1.1.3.0.10 netbsd-7-1-RELEASE:1.1.1.3 netbsd-7-1-RC2:1.1.1.3 clang-294123:1.1.1.5 netbsd-7-nhusb-base-20170116:1.1.1.3 bouyer-socketcan:1.1.1.5.0.2 bouyer-socketcan-base:1.1.1.5 clang-291444:1.1.1.5 pgoyette-localcount-20170107:1.1.1.4 netbsd-7-1-RC1:1.1.1.3 pgoyette-localcount-20161104:1.1.1.4 netbsd-7-0-2-RELEASE:1.1.1.3 localcount-20160914:1.1.1.4 netbsd-7-nhusb:1.1.1.3.0.8 netbsd-7-nhusb-base:1.1.1.3 clang-280599:1.1.1.4 pgoyette-localcount-20160806:1.1.1.4 pgoyette-localcount-20160726:1.1.1.4 pgoyette-localcount:1.1.1.4.0.2 pgoyette-localcount-base:1.1.1.4 netbsd-7-0-1-RELEASE:1.1.1.3 clang-261930:1.1.1.4 netbsd-7-0:1.1.1.3.0.6 netbsd-7-0-RELEASE:1.1.1.3 netbsd-7-0-RC3:1.1.1.3 netbsd-7-0-RC2:1.1.1.3 netbsd-7-0-RC1:1.1.1.3 clang-237755:1.1.1.3 clang-232565:1.1.1.3 clang-227398:1.1.1.3 tls-maxphys-base:1.1.1.3 tls-maxphys:1.1.1.3.0.4 netbsd-7:1.1.1.3.0.2 netbsd-7-base:1.1.1.3 clang-215315:1.1.1.3 clang-209886:1.1.1.3 yamt-pagecache:1.1.1.2.0.4 yamt-pagecache-base9:1.1.1.2 tls-earlyentropy:1.1.1.2.0.2 tls-earlyentropy-base:1.1.1.3 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.1.1.2 riastradh-drm2-base3:1.1.1.2 clang-202566:1.1.1.2 clang-201163:1.1.1.1 clang-199312:1.1.1.1 clang-198450:1.1.1.1 clang-196603:1.1.1.1 clang-195771:1.1.1.1 LLVM:1.1.1; locks; strict; comment @// @; 1.1 date 2013.11.28.14.14.52; author joerg; state Exp; branches 1.1.1.1; next ; commitid ow8OybrawrB1f3fx; 1.1.1.1 date 2013.11.28.14.14.52; author joerg; state Exp; branches; next 1.1.1.2; commitid ow8OybrawrB1f3fx; 1.1.1.2 date 2014.03.04.19.55.00; author joerg; state Exp; branches 1.1.1.2.2.1 1.1.1.2.4.1; next 1.1.1.3; commitid 29z1hJonZISIXprx; 1.1.1.3 date 2014.05.30.18.14.44; author joerg; state Exp; branches 1.1.1.3.4.1; next 1.1.1.4; commitid 8q0kdlBlCn09GACx; 1.1.1.4 date 2016.02.27.22.12.07; author joerg; state Exp; branches 1.1.1.4.2.1; next 1.1.1.5; commitid tIimz3oDlh1NpBWy; 1.1.1.5 date 2017.01.11.10.35.37; author joerg; state Exp; branches 1.1.1.5.12.1 1.1.1.5.14.1; next 1.1.1.6; commitid CNnUNfII1jgNmxBz; 1.1.1.6 date 2018.07.17.18.31.07; author joerg; state Exp; branches; next 1.1.1.7; commitid wDzL46ALjrCZgwKA; 1.1.1.7 date 2019.11.13.22.19.28; author joerg; state dead; branches; next ; commitid QD8YATxuNG34YJKB; 1.1.1.2.2.1 date 2014.08.10.07.08.10; author tls; state Exp; branches; next ; commitid t01A1TLTYxkpGMLx; 1.1.1.2.4.1 date 2014.03.04.19.55.00; author yamt; state dead; branches; next 1.1.1.2.4.2; commitid WSrDtL5nYAUyiyBx; 1.1.1.2.4.2 date 2014.05.22.16.18.30; author yamt; state Exp; branches; next ; commitid WSrDtL5nYAUyiyBx; 1.1.1.3.4.1 date 2014.05.30.18.14.44; author tls; state dead; branches; next 1.1.1.3.4.2; commitid jTnpym9Qu0o4R1Nx; 1.1.1.3.4.2 date 2014.08.19.23.47.31; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.1.1.4.2.1 date 2017.03.20.06.52.42; author pgoyette; state Exp; branches; next ; commitid jjw7cAwgyKq7RfKz; 1.1.1.5.12.1 date 2018.07.28.04.33.23; author pgoyette; state Exp; branches; next ; commitid 1UP1xAIUxv1ZgRLA; 1.1.1.5.14.1 date 2019.06.10.21.45.28; author christos; state Exp; branches; next 1.1.1.5.14.2; commitid jtc8rnCzWiEEHGqB; 1.1.1.5.14.2 date 2020.04.13.07.46.38; author martin; state dead; branches; next ; commitid X01YhRUPVUDaec4C; desc @@ 1.1 log @Initial revision @ text @//===- Chrootchecker.cpp -------- Basic security checks ----------*- C++ -*-==// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This file defines chroot checker, which checks improper use of chroot. // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "llvm/ADT/ImmutableMap.h" using namespace clang; using namespace ento; namespace { // enum value that represent the jail state enum Kind { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED }; bool isRootChanged(intptr_t k) { return k == ROOT_CHANGED; } //bool isJailEntered(intptr_t k) { return k == JAIL_ENTERED; } // This checker checks improper use of chroot. // The state transition: // NO_CHROOT ---chroot(path)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED // | | // ROOT_CHANGED<--chdir(..)-- JAIL_ENTERED<--chdir(..)-- // | | // bug<--foo()-- JAIL_ENTERED<--foo()-- class ChrootChecker : public Checker > { mutable IdentifierInfo *II_chroot, *II_chdir; // This bug refers to possibly break out of a chroot() jail. mutable OwningPtr BT_BreakJail; public: ChrootChecker() : II_chroot(0), II_chdir(0) {} static void *getTag() { static int x; return &x; } bool evalCall(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; private: void Chroot(CheckerContext &C, const CallExpr *CE) const; void Chdir(CheckerContext &C, const CallExpr *CE) const; }; } // end anonymous namespace bool ChrootChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { const FunctionDecl *FD = C.getCalleeDecl(CE); if (!FD) return false; ASTContext &Ctx = C.getASTContext(); if (!II_chroot) II_chroot = &Ctx.Idents.get("chroot"); if (!II_chdir) II_chdir = &Ctx.Idents.get("chdir"); if (FD->getIdentifier() == II_chroot) { Chroot(C, CE); return true; } if (FD->getIdentifier() == II_chdir) { Chdir(C, CE); return true; } return false; } void ChrootChecker::Chroot(CheckerContext &C, const CallExpr *CE) const { ProgramStateRef state = C.getState(); ProgramStateManager &Mgr = state->getStateManager(); // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in // the GDM. state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED); C.addTransition(state); } void ChrootChecker::Chdir(CheckerContext &C, const CallExpr *CE) const { ProgramStateRef state = C.getState(); ProgramStateManager &Mgr = state->getStateManager(); // If there are no jail state in the GDM, just return. const void *k = state->FindGDM(ChrootChecker::getTag()); if (!k) return; // After chdir("/"), enter the jail, set the enum value JAIL_ENTERED. const Expr *ArgExpr = CE->getArg(0); SVal ArgVal = state->getSVal(ArgExpr, C.getLocationContext()); if (const MemRegion *R = ArgVal.getAsRegion()) { R = R->StripCasts(); if (const StringRegion* StrRegion= dyn_cast(R)) { const StringLiteral* Str = StrRegion->getStringLiteral(); if (Str->getString() == "/") state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) JAIL_ENTERED); } } C.addTransition(state); } // Check the jail state before any function call except chroot and chdir(). void ChrootChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { const FunctionDecl *FD = C.getCalleeDecl(CE); if (!FD) return; ASTContext &Ctx = C.getASTContext(); if (!II_chroot) II_chroot = &Ctx.Idents.get("chroot"); if (!II_chdir) II_chdir = &Ctx.Idents.get("chdir"); // Ingnore chroot and chdir. if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir) return; // If jail state is ROOT_CHANGED, generate BugReport. void *const* k = C.getState()->FindGDM(ChrootChecker::getTag()); if (k) if (isRootChanged((intptr_t) *k)) if (ExplodedNode *N = C.addTransition()) { if (!BT_BreakJail) BT_BreakJail.reset(new BuiltinBug("Break out of jail", "No call of chdir(\"/\") immediately " "after chroot")); BugReport *R = new BugReport(*BT_BreakJail, BT_BreakJail->getDescription(), N); C.emitReport(R); } return; } void ento::registerChrootChecker(CheckerManager &mgr) { mgr.registerChecker(); } @ 1.1.1.1 log @Import Clang 3.4rc1 r195771. @ text @@ 1.1.1.2 log @Import Clang 3.5svn r202566. @ text @d145 3 a147 3 BT_BreakJail.reset(new BuiltinBug( this, "Break out of jail", "No call of chdir(\"/\") immediately " "after chroot")); @ 1.1.1.2.2.1 log @Rebase. @ text @d44 1 a44 1 mutable std::unique_ptr BT_BreakJail; d47 2 a48 2 ChrootChecker() : II_chroot(nullptr), II_chdir(nullptr) {} @ 1.1.1.3 log @Import Clang 3.5svn r209886. @ text @d44 1 a44 1 mutable std::unique_ptr BT_BreakJail; d47 2 a48 2 ChrootChecker() : II_chroot(nullptr), II_chdir(nullptr) {} @ 1.1.1.4 log @Import Clang 3.8.0rc3 r261930. @ text @d30 1 a30 1 d53 1 a53 1 d90 2 a91 2 // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in d109 1 a109 1 d138 1 a138 1 d143 1 a143 1 if (ExplodedNode *N = C.generateNonFatalErrorNode()) { d148 3 a150 2 C.emitReport(llvm::make_unique( *BT_BreakJail, BT_BreakJail->getDescription(), N)); d152 1 a152 1 @ 1.1.1.4.2.1 log @Sync with HEAD @ text @d1 1 a1 1 //===- Chrootchecker.cpp -------- Basic security checks ---------*- C++ -*-===// d22 1 a22 1 d151 2 @ 1.1.1.5 log @Import Clang pre-4.0.0 r291444. @ text @d1 1 a1 1 //===- Chrootchecker.cpp -------- Basic security checks ---------*- C++ -*-===// d22 1 a22 1 d151 2 @ 1.1.1.5.14.1 log @Sync with HEAD @ text @d108 1 a108 1 SVal ArgVal = C.getSVal(ArgExpr); d135 1 a135 1 // Ignore chroot and chdir. @ 1.1.1.5.14.2 log @Mostly merge changes from HEAD upto 20200411 @ text @@ 1.1.1.5.12.1 log @Sync with HEAD @ text @d108 1 a108 1 SVal ArgVal = C.getSVal(ArgExpr); d135 1 a135 1 // Ignore chroot and chdir. @ 1.1.1.6 log @Import clang r337282 from trunk @ text @d108 1 a108 1 SVal ArgVal = C.getSVal(ArgExpr); d135 1 a135 1 // Ignore chroot and chdir. @ 1.1.1.7 log @Mark old LLVM instance as dead. @ text @@ 1.1.1.3.4.1 log @file ChrootChecker.cpp was added on branch tls-maxphys on 2014-08-19 23:47:31 +0000 @ text @d1 158 @ 1.1.1.3.4.2 log @Rebase to HEAD as of a few days ago. @ text @a0 158 //===- Chrootchecker.cpp -------- Basic security checks ----------*- C++ -*-==// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This file defines chroot checker, which checks improper use of chroot. // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "llvm/ADT/ImmutableMap.h" using namespace clang; using namespace ento; namespace { // enum value that represent the jail state enum Kind { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED }; bool isRootChanged(intptr_t k) { return k == ROOT_CHANGED; } //bool isJailEntered(intptr_t k) { return k == JAIL_ENTERED; } // This checker checks improper use of chroot. // The state transition: // NO_CHROOT ---chroot(path)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED // | | // ROOT_CHANGED<--chdir(..)-- JAIL_ENTERED<--chdir(..)-- // | | // bug<--foo()-- JAIL_ENTERED<--foo()-- class ChrootChecker : public Checker > { mutable IdentifierInfo *II_chroot, *II_chdir; // This bug refers to possibly break out of a chroot() jail. mutable std::unique_ptr BT_BreakJail; public: ChrootChecker() : II_chroot(nullptr), II_chdir(nullptr) {} static void *getTag() { static int x; return &x; } bool evalCall(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; private: void Chroot(CheckerContext &C, const CallExpr *CE) const; void Chdir(CheckerContext &C, const CallExpr *CE) const; }; } // end anonymous namespace bool ChrootChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { const FunctionDecl *FD = C.getCalleeDecl(CE); if (!FD) return false; ASTContext &Ctx = C.getASTContext(); if (!II_chroot) II_chroot = &Ctx.Idents.get("chroot"); if (!II_chdir) II_chdir = &Ctx.Idents.get("chdir"); if (FD->getIdentifier() == II_chroot) { Chroot(C, CE); return true; } if (FD->getIdentifier() == II_chdir) { Chdir(C, CE); return true; } return false; } void ChrootChecker::Chroot(CheckerContext &C, const CallExpr *CE) const { ProgramStateRef state = C.getState(); ProgramStateManager &Mgr = state->getStateManager(); // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in // the GDM. state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED); C.addTransition(state); } void ChrootChecker::Chdir(CheckerContext &C, const CallExpr *CE) const { ProgramStateRef state = C.getState(); ProgramStateManager &Mgr = state->getStateManager(); // If there are no jail state in the GDM, just return. const void *k = state->FindGDM(ChrootChecker::getTag()); if (!k) return; // After chdir("/"), enter the jail, set the enum value JAIL_ENTERED. const Expr *ArgExpr = CE->getArg(0); SVal ArgVal = state->getSVal(ArgExpr, C.getLocationContext()); if (const MemRegion *R = ArgVal.getAsRegion()) { R = R->StripCasts(); if (const StringRegion* StrRegion= dyn_cast(R)) { const StringLiteral* Str = StrRegion->getStringLiteral(); if (Str->getString() == "/") state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) JAIL_ENTERED); } } C.addTransition(state); } // Check the jail state before any function call except chroot and chdir(). void ChrootChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { const FunctionDecl *FD = C.getCalleeDecl(CE); if (!FD) return; ASTContext &Ctx = C.getASTContext(); if (!II_chroot) II_chroot = &Ctx.Idents.get("chroot"); if (!II_chdir) II_chdir = &Ctx.Idents.get("chdir"); // Ingnore chroot and chdir. if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir) return; // If jail state is ROOT_CHANGED, generate BugReport. void *const* k = C.getState()->FindGDM(ChrootChecker::getTag()); if (k) if (isRootChanged((intptr_t) *k)) if (ExplodedNode *N = C.addTransition()) { if (!BT_BreakJail) BT_BreakJail.reset(new BuiltinBug( this, "Break out of jail", "No call of chdir(\"/\") immediately " "after chroot")); BugReport *R = new BugReport(*BT_BreakJail, BT_BreakJail->getDescription(), N); C.emitReport(R); } return; } void ento::registerChrootChecker(CheckerManager &mgr) { mgr.registerChecker(); } @ 1.1.1.2.4.1 log @file ChrootChecker.cpp was added on branch yamt-pagecache on 2014-05-22 16:18:30 +0000 @ text @d1 158 @ 1.1.1.2.4.2 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @a0 158 //===- Chrootchecker.cpp -------- Basic security checks ----------*- C++ -*-==// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This file defines chroot checker, which checks improper use of chroot. // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "llvm/ADT/ImmutableMap.h" using namespace clang; using namespace ento; namespace { // enum value that represent the jail state enum Kind { NO_CHROOT, ROOT_CHANGED, JAIL_ENTERED }; bool isRootChanged(intptr_t k) { return k == ROOT_CHANGED; } //bool isJailEntered(intptr_t k) { return k == JAIL_ENTERED; } // This checker checks improper use of chroot. // The state transition: // NO_CHROOT ---chroot(path)--> ROOT_CHANGED ---chdir(/) --> JAIL_ENTERED // | | // ROOT_CHANGED<--chdir(..)-- JAIL_ENTERED<--chdir(..)-- // | | // bug<--foo()-- JAIL_ENTERED<--foo()-- class ChrootChecker : public Checker > { mutable IdentifierInfo *II_chroot, *II_chdir; // This bug refers to possibly break out of a chroot() jail. mutable OwningPtr BT_BreakJail; public: ChrootChecker() : II_chroot(0), II_chdir(0) {} static void *getTag() { static int x; return &x; } bool evalCall(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; private: void Chroot(CheckerContext &C, const CallExpr *CE) const; void Chdir(CheckerContext &C, const CallExpr *CE) const; }; } // end anonymous namespace bool ChrootChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { const FunctionDecl *FD = C.getCalleeDecl(CE); if (!FD) return false; ASTContext &Ctx = C.getASTContext(); if (!II_chroot) II_chroot = &Ctx.Idents.get("chroot"); if (!II_chdir) II_chdir = &Ctx.Idents.get("chdir"); if (FD->getIdentifier() == II_chroot) { Chroot(C, CE); return true; } if (FD->getIdentifier() == II_chdir) { Chdir(C, CE); return true; } return false; } void ChrootChecker::Chroot(CheckerContext &C, const CallExpr *CE) const { ProgramStateRef state = C.getState(); ProgramStateManager &Mgr = state->getStateManager(); // Once encouter a chroot(), set the enum value ROOT_CHANGED directly in // the GDM. state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) ROOT_CHANGED); C.addTransition(state); } void ChrootChecker::Chdir(CheckerContext &C, const CallExpr *CE) const { ProgramStateRef state = C.getState(); ProgramStateManager &Mgr = state->getStateManager(); // If there are no jail state in the GDM, just return. const void *k = state->FindGDM(ChrootChecker::getTag()); if (!k) return; // After chdir("/"), enter the jail, set the enum value JAIL_ENTERED. const Expr *ArgExpr = CE->getArg(0); SVal ArgVal = state->getSVal(ArgExpr, C.getLocationContext()); if (const MemRegion *R = ArgVal.getAsRegion()) { R = R->StripCasts(); if (const StringRegion* StrRegion= dyn_cast(R)) { const StringLiteral* Str = StrRegion->getStringLiteral(); if (Str->getString() == "/") state = Mgr.addGDM(state, ChrootChecker::getTag(), (void*) JAIL_ENTERED); } } C.addTransition(state); } // Check the jail state before any function call except chroot and chdir(). void ChrootChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { const FunctionDecl *FD = C.getCalleeDecl(CE); if (!FD) return; ASTContext &Ctx = C.getASTContext(); if (!II_chroot) II_chroot = &Ctx.Idents.get("chroot"); if (!II_chdir) II_chdir = &Ctx.Idents.get("chdir"); // Ingnore chroot and chdir. if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir) return; // If jail state is ROOT_CHANGED, generate BugReport. void *const* k = C.getState()->FindGDM(ChrootChecker::getTag()); if (k) if (isRootChanged((intptr_t) *k)) if (ExplodedNode *N = C.addTransition()) { if (!BT_BreakJail) BT_BreakJail.reset(new BuiltinBug( this, "Break out of jail", "No call of chdir(\"/\") immediately " "after chroot")); BugReport *R = new BugReport(*BT_BreakJail, BT_BreakJail->getDescription(), N); C.emitReport(R); } return; } void ento::registerChrootChecker(CheckerManager &mgr) { mgr.registerChecker(); } @