Author: yawanng Date: Fri Jun 23 16:37:29 2017 New Revision: 306165 URL: http://llvm.org/viewvc/llvm-project?rev=306165&view=rev Log: [clang-tidy][Part1] Add a new module Android and three new checks.
Summary: A common source of security bugs is code that opens a file descriptor without using the O_CLOEXEC flag. (Without that flag, an opened sensitive file would remain open across a fork+exec to a lower-privileged SELinux domain, leaking that sensitive data.) Add a new Android module and one check in clang-tidy. -- open(), openat(), and open64() should include O_CLOEXEC in their flags argument. [android-file-open-flag] Links to part2 and part3: https://reviews.llvm.org/D33745 https://reviews.llvm.org/D33747 Reviewers: chh, alexfh, aaron.ballman, hokein Reviewed By: alexfh, hokein Subscribers: jbcoe, joerg, malcolm.parsons, Eugene.Zelenko, srhines, mgorny, xazax.hun, cfe-commits, krytarowski Tags: #clang-tools-extra Differential Revision: https://reviews.llvm.org/D33304 Added: clang-tools-extra/trunk/clang-tidy/android/ clang-tools-extra/trunk/clang-tidy/android/AndroidTidyModule.cpp clang-tools-extra/trunk/clang-tidy/android/CMakeLists.txt clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.cpp clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.h clang-tools-extra/trunk/docs/clang-tidy/checks/android-file-open-flag.rst clang-tools-extra/trunk/test/clang-tidy/android-file-open-flag.cpp Modified: clang-tools-extra/trunk/clang-tidy/CMakeLists.txt clang-tools-extra/trunk/clang-tidy/plugin/CMakeLists.txt clang-tools-extra/trunk/clang-tidy/tool/CMakeLists.txt clang-tools-extra/trunk/clang-tidy/tool/ClangTidyMain.cpp clang-tools-extra/trunk/docs/ReleaseNotes.rst clang-tools-extra/trunk/docs/clang-tidy/checks/list.rst clang-tools-extra/trunk/docs/clang-tidy/index.rst clang-tools-extra/trunk/unittests/clang-tidy/CMakeLists.txt Modified: clang-tools-extra/trunk/clang-tidy/CMakeLists.txt URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/CMakeLists.txt?rev=306165&r1=306164&r2=306165&view=diff ============================================================================== --- clang-tools-extra/trunk/clang-tidy/CMakeLists.txt
(original) +++ clang-tools-extra/trunk/clang-tidy/CMakeLists.txt Fri Jun 23 16:37:29 2017 @@ -26,6 +26,7 @@ add_clang_library(clangTidy clangToolingCore ) +add_subdirectory(android) add_subdirectory(boost) add_subdirectory(cert) add_subdirectory(cppcoreguidelines) Added: clang-tools-extra/trunk/clang-tidy/android/AndroidTidyModule.cpp URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/android/AndroidTidyModule.cpp?rev=306165&view=auto ============================================================================== --- clang-tools-extra/trunk/clang-tidy/android/AndroidTidyModule.cpp (added) +++ clang-tools-extra/trunk/clang-tidy/android/AndroidTidyModule.cpp Fri Jun 23 16:37:29 2017 
@@ -0,0 +1,40 @@
+//===--- AndroidTidyModule.cpp - clang-tidy--------------------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#include "../ClangTidy.h"
+#include "../ClangTidyModule.h"
+#include "../ClangTidyModuleRegistry.h"
+#include "FileOpenFlagCheck.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+/// This module is for Android specific checks.
+class AndroidModule : public ClangTidyModule {
+public:
+ void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
+ CheckFactories.registerCheck<FileOpenFlagCheck>("android-file-open-flag");
+ }
+};
+
+// Register the AndroidTidyModule using this statically initialized variable.
+static ClangTidyModuleRegistry::Add<AndroidModule>
+ X("android-module", "Adds Android platform checks.");
+
+} // namespace android
+
+// This anchor is used to force the linker to link in the generated object file
+// and thus register the AndroidModule.
+volatile int AndroidModuleAnchorSource = 0;
+
+} // namespace tidy
+} // namespace clang
Added: clang-tools-extra/trunk/clang-tidy/android/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/android/CMakeLists.txt?rev=306165&view=auto
==============================================================================
--- clang-tools-extra/trunk/clang-tidy/android/CMakeLists.txt (added)
+++ clang-tools-extra/trunk/clang-tidy/android/CMakeLists.txt Fri Jun 23 16:37:29 2017
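Review bot: The `using namespace clang::ast_matchers;` directive near the top of AndroidTidyModule.cpp looks unused, since nothing in this file names a matcher; dropping it keeps the module file to what it needs. The registration comment also says `AndroidTidyModule` while the class being registered is `AndroidModule`, so I would reword it to `// Register the AndroidModule using this statically initialized variable.`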
@@ -0,0 +1,14 @@
+set(LLVM_LINK_COMPONENTS support)
+
+add_clang_library(clangTidyAndroidModule
+ AndroidTidyModule.cpp
+ FileOpenFlagCheck.cpp
+
+ LINK_LIBS
+ clangAST
+ clangASTMatchers
+ clangBasic
+ clangLex
+ clangTidy
+ clangTidyUtils
+ )
Added: clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.cpp
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.cpp?rev=306165&view=auto
==============================================================================
--- clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.cpp (added)
+++ clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.cpp Fri Jun 23 16:37:29 2017
@@ -0,0 +1,98 @@
+//===--- FileOpenFlagCheck.cpp - clang-tidy--------------------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#include "FileOpenFlagCheck.h"
+#include "clang/AST/ASTContext.h"
+#include "clang/ASTMatchers/ASTMatchFinder.h"
+#include "clang/Lex/Lexer.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+namespace {
+static constexpr const char *O_CLOEXEC = "O_CLOEXEC";
+
+bool HasCloseOnExecFlag(const Expr *Flags, const SourceManager &SM,
+ const LangOptions &LangOpts) {
+ // If the Flag is an integer constant, check it.
+ if (isa<IntegerLiteral>(Flags)) {
+ if (!SM.isMacroBodyExpansion(Flags->getLocStart()))
+ return false;
+
+ // Get the Marco name.
+ auto MacroName = Lexer::getSourceText(
+ CharSourceRange::getTokenRange(Flags->getSourceRange()), SM, LangOpts);
+
+ return MacroName == O_CLOEXEC;
+ }
+ // If it's a binary OR operation.
+ if (const auto *BO = dyn_cast<BinaryOperator>(Flags))
+ if (BO->getOpcode() == clang::BinaryOperatorKind::BO_Or)
+ return HasCloseOnExecFlag(BO->getLHS()->IgnoreParenCasts(), SM,
+ LangOpts) ||
+ HasCloseOnExecFlag(BO->getRHS()->IgnoreParenCasts(), SM, LangOpts);
+
+ // Otherwise, assume it has the flag.
+ return true;
+}
+} // namespace
+
+void FileOpenFlagCheck::registerMatchers(MatchFinder *Finder) {
+ auto CharPointerType = hasType(pointerType(pointee(isAnyCharacter())));
+
+ Finder->addMatcher(
+ callExpr(callee(functionDecl(isExternC(), returns(isInteger()),
+ hasAnyName("open", "open64"),
+ hasParameter(0, CharPointerType),
+ hasParameter(1, hasType(isInteger())))
+ .bind("funcDecl")))
+ .bind("openFn"),
+ this);
+ Finder->addMatcher(
+ callExpr(callee(functionDecl(isExternC(), returns(isInteger()),
+ hasName("openat"),
+ hasParameter(0, hasType(isInteger())),
+ hasParameter(1, CharPointerType),
+ hasParameter(2, hasType(isInteger())))
+ .bind("funcDecl")))
+ .bind("openatFn"),
+ this);
+}
+
+void FileOpenFlagCheck::check(const MatchFinder::MatchResult &Result) {
+ const Expr *FlagArg = nullptr;
+ if (const auto *OpenFnCall = Result.Nodes.getNodeAs<CallExpr>("openFn"))
+ FlagArg = OpenFnCall->getArg(1);
+ else if (const auto *OpenFnCall =
+ Result.Nodes.getNodeAs<CallExpr>("openatFn"))
+ FlagArg = OpenFnCall->getArg(2);
+ assert(FlagArg);
+
+ const auto *FD = Result.Nodes.getNodeAs<FunctionDecl>("funcDecl");
+
+ // Check the required flag.
+ SourceManager &SM = *Result.SourceManager;
+ if (HasCloseOnExecFlag(FlagArg->IgnoreParenCasts(), SM,
+ Result.Context->getLangOpts()))
+ return;
+
+ SourceLocation EndLoc = Lexer::getLocForEndOfToken(
+ FlagArg->getLocEnd(), 0, SM, Result.Context->getLangOpts());
+
+ diag(EndLoc, "%0 should use %1 where possible")
+ << FD << O_CLOEXEC
+ << FixItHint::CreateInsertion(EndLoc, (Twine(" | ") + O_CLOEXEC).str());
+}
+
+} // namespace android
+} // namespace tidy
+} // namespace clang
Added: clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.h
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.h?rev=306165&view=auto
==============================================================================
--- clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.h (added)
+++ clang-tools-extra/trunk/clang-tidy/android/FileOpenFlagCheck.h Fri Jun 23 16:37:29 2017
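Review bot: The final `return true` in `HasCloseOnExecFlag` treats every expression that is neither an integer literal nor a `|` as already carrying the flag, so a call such as `open(p, O_RDWR | flags)`, or one that combines constants with any other operator, is never reported. That is a reasonable way to avoid false positives, but it means a clean run of this check does not show that every descriptor is close-on-exec, and the comment should say so: `// Not a constant or an OR of constants: the value is unknown here, so stay silent rather than risk a false positive.` In `check()`, `assert(FlagArg)` compiles away in release builds; one of the two bindings should always be present, but `if (!FlagArg) return;` would keep a null pointer from reaching `FlagArg->IgnoreParenCasts()` if the matchers ever change. The comment `// Get the Marco name.` should read `Macro`.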
@@ -0,0 +1,40 @@
+//===--- FileOpenFlagCheck.h - clang-tidy----------------------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H
+#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H
+
+#include "../ClangTidy.h"
+
+namespace clang {
+namespace tidy {
+namespace android {
+
+/// Finds code that opens file without using the O_CLOEXEC flag.
+///
+/// open(), openat(), and open64() had better to include O_CLOEXEC in their
+/// flags argument. Only consider simple cases that the corresponding argument
+/// is constant or binary operation OR among constants like 'O_CLOEXEC' or
+/// 'O_CLOEXEC | O_RDONLY'. No constant propagation is performed.
+///
+/// Only the symbolic 'O_CLOEXEC' macro definition is checked, not the concrete
+/// value.
+class FileOpenFlagCheck : public ClangTidyCheck {
+public:
+ FileOpenFlagCheck(StringRef Name, ClangTidyContext *Context)
+ : ClangTidyCheck(Name, Context) {}
+ void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+ void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+};
+
+} // namespace android
+} // namespace tidy
+} // namespace clang
+
+#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_FILE_OPEN_FLAG_H
Modified: clang-tools-extra/trunk/clang-tidy/plugin/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/plugin/CMakeLists.txt?rev=306165&r1=306164&r2=306165&view=diff
==============================================================================
--- clang-tools-extra/trunk/clang-tidy/plugin/CMakeLists.txt (original)
+++ clang-tools-extra/trunk/clang-tidy/plugin/CMakeLists.txt Fri Jun 23 16:37:29 2017
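Review bot: The class comment on `FileOpenFlagCheck` is hard to read in two places, `had better to include` and `Only consider simple cases that the corresponding argument is constant or binary operation OR among constants`, and it is the only place a user learns the limits of the check. I would reword the second paragraph to say that open(), openat() and open64() should include O_CLOEXEC in their flags argument, that only arguments which are a constant or a bitwise OR of constants are examined, and that anything else is assumed to be correct and not reported. The opening line would also read better as `/// Finds code that opens a file without using the O_CLOEXEC flag.`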
@@ -8,6 +8,7 @@ add_clang_library(clangTidyPlugin clangFrontend clangSema clangTidy + clangTidyAndroidModule clangTidyBoostModule clangTidyCERTModule clangTidyCppCoreGuidelinesModule Modified: clang-tools-extra/trunk/clang-tidy/tool/CMakeLists.txt URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/tool/CMakeLists.txt?rev=306165&r1=306164&r2=306165&view=diff ============================================================================== --- clang-tools-extra/trunk/clang-tidy/tool/CMakeLists.txt (original) +++ clang-tools-extra/trunk/clang-tidy/tool/CMakeLists.txt Fri Jun 23 16:37:29 2017 @@ -13,6 +13,7 @@ target_link_libraries(clang-tidy clangASTMatchers clangBasic clangTidy + clangTidyAndroidModule clangTidyBoostModule clangTidyCERTModule clangTidyCppCoreGuidelinesModule Modified: clang-tools-extra/trunk/clang-tidy/tool/ClangTidyMain.cpp URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/clang-tidy/tool/ClangTidyMain.cpp?rev=306165&r1=306164&r2=306165&view=diff ============================================================================== --- clang-tools-extra/trunk/clang-tidy/tool/ClangTidyMain.cpp (original) +++ clang-tools-extra/trunk/clang-tidy/tool/ClangTidyMain.cpp Fri Jun 23 16:37:29 2017 
@@ -477,6 +477,11 @@ extern volatile int GoogleModuleAnchorSo static int LLVM_ATTRIBUTE_UNUSED GoogleModuleAnchorDestination = GoogleModuleAnchorSource; +// This anchor is used to force the linker to link the AndroidModule. +extern volatile int AndroidModuleAnchorSource; +static int LLVM_ATTRIBUTE_UNUSED AndroidModuleAnchorDestination = + AndroidModuleAnchorSource; + // This anchor is used to force the linker to link the MiscModule. extern volatile int MiscModuleAnchorSource; static int LLVM_ATTRIBUTE_UNUSED MiscModuleAnchorDestination = Modified: clang-tools-extra/trunk/docs/ReleaseNotes.rst URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/docs/ReleaseNotes.rst?rev=306165&r1=306164&r2=306165&view=diff ============================================================================== --- clang-tools-extra/trunk/docs/ReleaseNotes.rst (original) +++ clang-tools-extra/trunk/docs/ReleaseNotes.rst Fri Jun 23 16:37:29 2017 @@ -57,6 +57,12 @@ The improvements are... Improvements to clang-tidy -------------------------- +- New `android-file-open-flag + <http://clang.llvm.org/extra/clang-tidy/checks/android-file-open-flag>`_ check + + Checks if the required file flag ``O_CLOEXEC`` exists in ``open()``, + ``open64()`` and ``openat()``. + - New `cert-dcl21-cpp <http://clang.llvm.org/extra/clang-tidy/checks/cert-dcl21-cpp.html>`_ check Added: clang-tools-extra/trunk/docs/clang-tidy/checks/android-file-open-flag.rst URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/docs/clang-tidy/checks/android-file-open-flag.rst?rev=306165&view=auto ============================================================================== --- clang-tools-extra/trunk/docs/clang-tidy/checks/android-file-open-flag.rst (added) +++ clang-tools-extra/trunk/docs/clang-tidy/checks/android-file-open-flag.rst Fri Jun 23 16:37:29 2017 
@@ -0,0 +1,24 @@
+.. title:: clang-tidy - android-file-open-flag
+
+android-file-open-flag
+======================
+
+A common source of security bugs is code that opens a file without using the
+``O_CLOEXEC`` flag. Without that flag, an opened sensitive file would remain
+open across a fork+exec to a lower-privileged SELinux domain, leaking that
+sensitive data. Open-like functions including ``open()``, ``openat()``, and
+``open64()`` should include ``O_CLOEXEC`` in their flags argument.
+
+Examples:
+
+.. code-block:: c++
+
+ open("filename", O_RDWR);
+ open64("filename", O_RDWR);
+ openat(0, "filename", O_RDWR);
+
+ // becomes
+
+ open("filename", O_RDWR | O_CLOEXEC);
+ open64("filename", O_RDWR | O_CLOEXEC);
+ openat(0, "filename", O_RDWR | O_CLOEXEC);
Modified: clang-tools-extra/trunk/docs/clang-tidy/checks/list.rst
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/docs/clang-tidy/checks/list.rst?rev=306165&r1=306164&r2=306165&view=diff
==============================================================================
--- clang-tools-extra/trunk/docs/clang-tidy/checks/list.rst (original)
+++ clang-tools-extra/trunk/docs/clang-tidy/checks/list.rst Fri Jun 23 16:37:29 2017
@@ -4,6 +4,7 @@ Clang-Tidy Checks ================= .. toctree:: + android-file-open-flag boost-use-to-string cert-dcl03-c (redirects to misc-static-assert) <cert-dcl03-c> cert-dcl21-cpp
Modified: clang-tools-extra/trunk/docs/clang-tidy/index.rst
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/docs/clang-tidy/index.rst?rev=306165&r1=306164&r2=306165&view=diff
==============================================================================
--- clang-tools-extra/trunk/docs/clang-tidy/index.rst (original)
+++ clang-tools-extra/trunk/docs/clang-tidy/index.rst Fri Jun 23 16:37:29 2017
@@ -55,6 +55,7 @@ There are currently the following groups ====================== ========================================================= Name prefix Description ====================== ========================================================= +``android-`` Checks related to Android. ``boost-`` Checks related to Boost library. ``cert-`` Checks related to CERT Secure Coding Guidelines. ``cppcoreguidelines-`` Checks related to C++ Core Guidelines. Added: clang-tools-extra/trunk/test/clang-tidy/android-file-open-flag.cpp URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/test/clang-tidy/android-file-open-flag.cpp?rev=306165&view=auto ============================================================================== --- clang-tools-extra/trunk/test/clang-tidy/android-file-open-flag.cpp (added) +++ clang-tools-extra/trunk/test/clang-tidy/android-file-open-flag.cpp Fri Jun 23 16:37:29 2017 
@@ -0,0 +1,110 @@
+// RUN: %check_clang_tidy %s android-file-open-flag %t
+
+#define O_RDWR 1
+#define O_EXCL 2
+#define __O_CLOEXEC 3
+#define O_CLOEXEC __O_CLOEXEC
+
+extern "C" int open(const char *fn, int flags, ...);
+extern "C" int open64(const char *fn, int flags, ...);
+extern "C" int openat(int dirfd, const char *pathname, int flags, ...);
+
+void a() {
+ open("filename", O_RDWR);
+ // CHECK-MESSAGES: :[[@LINE-1]]:26: warning: 'open' should use O_CLOEXEC where possible [android-file-open-flag]
+ // CHECK-FIXES: O_RDWR | O_CLOEXEC
+ open("filename", O_RDWR | O_EXCL);
+ // CHECK-MESSAGES: :[[@LINE-1]]:35: warning: 'open' should use O_CLOEXEC where
+ // CHECK-FIXES: O_RDWR | O_EXCL | O_CLOEXEC
+}
+
+void b() {
+ open64("filename", O_RDWR);
+ // CHECK-MESSAGES: :[[@LINE-1]]:28: warning: 'open64' should use O_CLOEXEC where possible [android-file-open-flag]
+ // CHECK-FIXES: O_RDWR | O_CLOEXEC
+ open64("filename", O_RDWR | O_EXCL);
+ // CHECK-MESSAGES: :[[@LINE-1]]:37: warning: 'open64' should use O_CLOEXEC where
+ // CHECK-FIXES: O_RDWR | O_EXCL | O_CLOEXEC
+}
+
+void c() {
+ openat(0, "filename", O_RDWR);
+ // CHECK-MESSAGES: :[[@LINE-1]]:31: warning: 'openat' should use O_CLOEXEC where possible [android-file-open-flag]
+ // CHECK-FIXES: O_RDWR | O_CLOEXEC
+ openat(0, "filename", O_RDWR | O_EXCL);
+ // CHECK-MESSAGES: :[[@LINE-1]]:40: warning: 'openat' should use O_CLOEXEC where
+ // CHECK-FIXES: O_RDWR | O_EXCL | O_CLOEXEC
+}
+
+void f() {
+ open("filename", 3);
+ // CHECK-MESSAGES: :[[@LINE-1]]:21: warning: 'open' should use O_CLOEXEC where possible [android-file-open-flag]
+ // CHECK-FIXES: 3 | O_CLOEXEC
+ open64("filename", 3);
+ // CHECK-MESSAGES: :[[@LINE-1]]:23: warning: 'open64' should use O_CLOEXEC where possible [android-file-open-flag]
+ // CHECK-FIXES: 3 | O_CLOEXEC
+ openat(0, "filename", 3);
+ // CHECK-MESSAGES: :[[@LINE-1]]:26: warning: 'openat' should use O_CLOEXEC where possible [android-file-open-flag]
+ // CHECK-FIXES: 3 | O_CLOEXEC
+
+ int flag = 3;
+ open("filename", flag);
+ // CHECK-MESSAGES-NOT: warning:
+ open64("filename", flag);
+ // CHECK-MESSAGES-NOT: warning:
+ openat(0, "filename", flag);
+ // CHECK-MESSAGES-NOT: warning:
+}
+
+namespace i {
+int open(const char *pathname, int flags, ...);
+int open64(const char *pathname, int flags, ...);
+int openat(int dirfd, const char *pathname, int flags, ...);
+
+void d() {
+ open("filename", O_RDWR);
+ // CHECK-MESSAGES-NOT: warning:
+ open64("filename", O_RDWR);
+ // CHECK-MESSAGES-NOT: warning:
+ openat(0, "filename", O_RDWR);
+ // CHECK-MESSAGES-NOT: warning:
+}
+
+} // namespace i
+
+void e() {
+ open("filename", O_CLOEXEC);
+ // CHECK-MESSAGES-NOT: warning:
+ open("filename", O_RDWR | O_CLOEXEC);
+ // CHECK-MESSAGES-NOT: warning:
+ open("filename", O_RDWR | O_CLOEXEC | O_EXCL);
+ // CHECK-MESSAGES-NOT: warning:
+ open64("filename", O_CLOEXEC);
+ // CHECK-MESSAGES-NOT: warning:
+ open64("filename", O_RDWR | O_CLOEXEC);
+ // CHECK-MESSAGES-NOT: warning:
+ open64("filename", O_RDWR | O_CLOEXEC | O_EXCL);
+ // CHECK-MESSAGES-NOT: warning:
+ openat(0, "filename", O_CLOEXEC);
+ // CHECK-MESSAGES-NOT: warning:
+ openat(0, "filename", O_RDWR | O_CLOEXEC);
+ // CHECK-MESSAGES-NOT: warning:
+ openat(0, "filename", O_RDWR | O_CLOEXEC | O_EXCL);
+ // CHECK-MESSAGES-NOT: warning:
+}
+
+class G {
+public:
+ int open(const char *pathname, int flags, ...);
+ int open64(const char *pathname, int flags, ...);
+ int openat(int dirfd, const char *pathname, int flags, ...);
+
+ void h() {
+ open("filename", O_RDWR);
+ // CHECK-MESSAGES-NOT: warning:
+ open64("filename", O_RDWR);
+ // CHECK-MESSAGES-NOT: warning:
+ openat(0, "filename", O_RDWR);
+ // CHECK-MESSAGES-NOT: warning:
+ }
+};
Modified: clang-tools-extra/trunk/unittests/clang-tidy/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/clang-tools-extra/trunk/unittests/clang-tidy/CMakeLists.txt?rev=306165&r1=306164&r2=306165&view=diff
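Review bot: The tests never exercise two paths in the check that decide whether a warning is suppressed: the `IgnoreParenCasts()` stripping of the flags argument and an OR whose operand is not a constant. I would add a parenthesised case such as `open("filename", (O_RDWR | O_EXCL));`, which I would expect to warn, and a mixed case such as `open("filename", O_RDWR | flag);` inside `f()`, which I would expect to stay silent, so that the intended behaviour is pinned down. A constant expression built with an operator other than `|` would be a useful third case, since the check also stays silent there.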
============================================================================== --- clang-tools-extra/trunk/unittests/clang-tidy/CMakeLists.txt (original) +++ clang-tools-extra/trunk/unittests/clang-tidy/CMakeLists.txt Fri Jun 23 16:37:29 2017 @@ -25,6 +25,7 @@ target_link_libraries(ClangTidyTests clangFrontend clangLex clangTidy + clangTidyAndroidModule clangTidyGoogleModule clangTidyLLVMModule clangTidyMiscModule