This is an archive of the discontinued LLVM Phabricator instance.

Differential D71728

[analyzer] Add a syntactic security check for ObjC NSCoder API.
ClosedPublic

Authored by NoQ on Dec 19 2019, 2:25 PM.

Details

Reviewers
dcoughlin
Commits
rGb28400507212: [analyzer] Add a syntactic security check for ObjC NSCoder API.
Summary

Method -[NSCoder decodeValueOfObjCType:at:] is not only deprecated but also a security hazard, hence a loud check.

Diff Detail

Event Timeline

NoQ created this revision.Dec 19 2019, 2:25 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 19 2019, 2:25 PM
Herald added subscribers: cfe-commits, Charusso, dkrupp and 7 others. · View Herald Transcript
dcoughlin accepted this revision.Dec 19 2019, 2:33 PM

This looks good to me, but I think we need a deployment target check on the diagnostic since the safe API is only available in iOS 11+, macOS 10.13+, tvOS 11+, and watchOS 4.0+. If the deployment target is early than those versions then we should not diagnose.

This revision is now accepted and ready to land.Dec 19 2019, 2:33 PM
Closed by commit rGb28400507212: [analyzer] Add a syntactic security check for ObjC NSCoder API. (authored by dergachev.a). · Explain WhyDec 19 2019, 3:00 PM
This revision was automatically updated to reflect the committed changes.
NoQ mentioned this in D73966: [analyzer] Add 10.0.0 release notes..Feb 4 2020, 10:15 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
lib/
Driver/
ToolChains/
5 lines
StaticAnalyzer/
Checkers/
68 lines
test/
Analysis/
36 lines
www/
analyzer/
16 lines

Diff 234794

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 767 Lines▼ Show 20 Lines
def DeprecatedOrUnsafeBufferHandling : def DeprecatedOrUnsafeBufferHandling :
Checker<"DeprecatedOrUnsafeBufferHandling">, Checker<"DeprecatedOrUnsafeBufferHandling">,
HelpText<"Warn on uses of unsecure or deprecated buffer manipulating " HelpText<"Warn on uses of unsecure or deprecated buffer manipulating "
"functions">, "functions">,
Dependencies<[SecuritySyntaxChecker]>, Dependencies<[SecuritySyntaxChecker]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def decodeValueOfObjCType : Checker<"decodeValueOfObjCType">,
HelpText<"Warn on uses of the '-decodeValueOfObjCType:at:' method">,
Dependencies<[SecuritySyntaxChecker]>,
Documentation<HasDocumentation>;
} // end "security.insecureAPI" } // end "security.insecureAPI"
let ParentPackage = Security in { let ParentPackage = Security in {
def FloatLoopCounter : Checker<"FloatLoopCounter">, def FloatLoopCounter : Checker<"FloatLoopCounter">,
HelpText<"Warn on using a floating point value as a loop counter (CERT: " HelpText<"Warn on using a floating point value as a loop counter (CERT: "
"FLP30-C, FLP30-CPP)">, "FLP30-C, FLP30-CPP)">,
Dependencies<[SecuritySyntaxChecker]>, Dependencies<[SecuritySyntaxChecker]>,
▲ Show 20 LinesShow All 637 LinesShow Last 20 Lines

clang/lib/Driver/ToolChains/Clang.cpp

Show First 20 LinesShow All 2,783 Lines▼ Show 20 Lines if (!Args.hasArg(options::OPT__analyzer_no_default_checks)) {
} }
// Disable some unix checkers for PS4. // Disable some unix checkers for PS4.
if (Triple.isPS4CPU()) { if (Triple.isPS4CPU()) {
CmdArgs.push_back("-analyzer-disable-checker=unix.API"); CmdArgs.push_back("-analyzer-disable-checker=unix.API");
CmdArgs.push_back("-analyzer-disable-checker=unix.Vfork"); CmdArgs.push_back("-analyzer-disable-checker=unix.Vfork");
} }
if (Triple.isOSDarwin()) if (Triple.isOSDarwin()) {
CmdArgs.push_back("-analyzer-checker=osx"); CmdArgs.push_back("-analyzer-checker=osx");
CmdArgs.push_back(
"-analyzer-checker=security.insecureAPI.decodeValueOfObjCType");
}
CmdArgs.push_back("-analyzer-checker=deadcode"); CmdArgs.push_back("-analyzer-checker=deadcode");
if (types::isCXX(Input.getType())) if (types::isCXX(Input.getType()))
CmdArgs.push_back("-analyzer-checker=cplusplus"); CmdArgs.push_back("-analyzer-checker=cplusplus");
if (!Triple.isPS4CPU()) { if (!Triple.isPS4CPU()) {
CmdArgs.push_back("-analyzer-checker=security.insecureAPI.UncheckedReturn"); CmdArgs.push_back("-analyzer-checker=security.insecureAPI.UncheckedReturn");
▲ Show 20 LinesShow All 4,018 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

Show First 20 LinesShow All 43 Lines▼ Show 20 Linesstruct ChecksFilter {
DefaultBool check_mktemp; DefaultBool check_mktemp;
DefaultBool check_mkstemp; DefaultBool check_mkstemp;
DefaultBool check_strcpy; DefaultBool check_strcpy;
DefaultBool check_DeprecatedOrUnsafeBufferHandling; DefaultBool check_DeprecatedOrUnsafeBufferHandling;
DefaultBool check_rand; DefaultBool check_rand;
DefaultBool check_vfork; DefaultBool check_vfork;
DefaultBool check_FloatLoopCounter; DefaultBool check_FloatLoopCounter;
DefaultBool check_UncheckedReturn; DefaultBool check_UncheckedReturn;
DefaultBool check_decodeValueOfObjCType;
CheckerNameRef checkName_bcmp; CheckerNameRef checkName_bcmp;
CheckerNameRef checkName_bcopy; CheckerNameRef checkName_bcopy;
CheckerNameRef checkName_bzero; CheckerNameRef checkName_bzero;
CheckerNameRef checkName_gets; CheckerNameRef checkName_gets;
CheckerNameRef checkName_getpw; CheckerNameRef checkName_getpw;
CheckerNameRef checkName_mktemp; CheckerNameRef checkName_mktemp;
CheckerNameRef checkName_mkstemp; CheckerNameRef checkName_mkstemp;
CheckerNameRef checkName_strcpy; CheckerNameRef checkName_strcpy;
CheckerNameRef checkName_DeprecatedOrUnsafeBufferHandling; CheckerNameRef checkName_DeprecatedOrUnsafeBufferHandling;
CheckerNameRef checkName_rand; CheckerNameRef checkName_rand;
CheckerNameRef checkName_vfork; CheckerNameRef checkName_vfork;
CheckerNameRef checkName_FloatLoopCounter; CheckerNameRef checkName_FloatLoopCounter;
CheckerNameRef checkName_UncheckedReturn; CheckerNameRef checkName_UncheckedReturn;
CheckerNameRef checkName_decodeValueOfObjCType;
}; };
class WalkAST : public StmtVisitor<WalkAST> { class WalkAST : public StmtVisitor<WalkAST> {
BugReporter &BR; BugReporter &BR;
AnalysisDeclContext* AC; AnalysisDeclContext* AC;
enum { num_setids = 6 }; enum { num_setids = 6 };
IdentifierInfo *II_setid[num_setids]; IdentifierInfo *II_setid[num_setids];
const bool CheckRand; const bool CheckRand;
const ChecksFilter &filter; const ChecksFilter &filter;
public: public:
WalkAST(BugReporter &br, AnalysisDeclContext* ac, WalkAST(BugReporter &br, AnalysisDeclContext* ac,
const ChecksFilter &f) const ChecksFilter &f)
: BR(br), AC(ac), II_setid(), : BR(br), AC(ac), II_setid(),
CheckRand(isArc4RandomAvailable(BR.getContext())), CheckRand(isArc4RandomAvailable(BR.getContext())),
filter(f) {} filter(f) {}
// Statement visitor methods. // Statement visitor methods.
void VisitCallExpr(CallExpr *CE); void VisitCallExpr(CallExpr *CE);
void VisitObjCMessageExpr(ObjCMessageExpr *CE);
void VisitForStmt(ForStmt *S); void VisitForStmt(ForStmt *S);
void VisitCompoundStmt (CompoundStmt *S); void VisitCompoundStmt (CompoundStmt *S);
void VisitStmt(Stmt *S) { VisitChildren(S); } void VisitStmt(Stmt *S) { VisitChildren(S); }
void VisitChildren(Stmt *S); void VisitChildren(Stmt *S);
// Helpers. // Helpers.
bool checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD); bool checkCall_strCommon(const CallExpr *CE, const FunctionDecl *FD);
typedef void (WalkAST::*FnCheck)(const CallExpr *, const FunctionDecl *); typedef void (WalkAST::*FnCheck)(const CallExpr *, const FunctionDecl *);
typedef void (WalkAST::*MsgCheck)(const ObjCMessageExpr *);
// Checker-specific methods. // Checker-specific methods.
void checkLoopConditionForFloat(const ForStmt *FS); void checkLoopConditionForFloat(const ForStmt *FS);
void checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD); void checkCall_bcmp(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD); void checkCall_bcopy(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD); void checkCall_bzero(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_gets(const CallExpr *CE, const FunctionDecl *FD); void checkCall_gets(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD); void checkCall_getpw(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD); void checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD); void checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD); void checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD); void checkCall_strcat(const CallExpr *CE, const FunctionDecl *FD);
void checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE, void checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE,
const FunctionDecl *FD); const FunctionDecl *FD);
void checkCall_rand(const CallExpr *CE, const FunctionDecl *FD); void checkCall_rand(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_random(const CallExpr *CE, const FunctionDecl *FD); void checkCall_random(const CallExpr *CE, const FunctionDecl *FD);
void checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD); void checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD);
void checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME);
void checkUncheckedReturnValue(CallExpr *CE); void checkUncheckedReturnValue(CallExpr *CE);
}; };
} // end anonymous namespace } // end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// AST walking. // AST walking.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Linesvoid WalkAST::VisitCallExpr(CallExpr *CE) {
// Check and evaluate the call. // Check and evaluate the call.
if (evalFunction) if (evalFunction)
(this->*evalFunction)(CE, FD); (this->*evalFunction)(CE, FD);
// Recurse and check children. // Recurse and check children.
VisitChildren(CE); VisitChildren(CE);
} }
void WalkAST::VisitObjCMessageExpr(ObjCMessageExpr *ME) {
MsgCheck evalFunction =
llvm::StringSwitch<MsgCheck>(ME->getSelector().getAsString())
.Case("decodeValueOfObjCType:at:",
&WalkAST::checkMsg_decodeValueOfObjCType)
.Default(nullptr);
if (evalFunction)
(this->*evalFunction)(ME);
// Recurse and check children.
VisitChildren(ME);
}
void WalkAST::VisitCompoundStmt(CompoundStmt *S) { void WalkAST::VisitCompoundStmt(CompoundStmt *S) {
for (Stmt *Child : S->children()) for (Stmt *Child : S->children())
if (Child) { if (Child) {
if (CallExpr *CE = dyn_cast<CallExpr>(Child)) if (CallExpr *CE = dyn_cast<CallExpr>(Child))
checkUncheckedReturnValue(CE); checkUncheckedReturnValue(CE);
Visit(Child); Visit(Child);
} }
} }
▲ Show 20 LinesShow All 726 Lines▼ Show 20 Lines BR.EmitBasicReport(AC->getDecl(), filter.checkName_vfork,
"Call to function 'vfork' is insecure as it can lead to " "Call to function 'vfork' is insecure as it can lead to "
"denial of service situations in the parent process. " "denial of service situations in the parent process. "
"Replace calls to vfork with calls to the safer " "Replace calls to vfork with calls to the safer "
"'posix_spawn' function", "'posix_spawn' function",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check: '-decodeValueOfObjCType:at:' should not be used.
// It is deprecated in favor of '-decodeValueOfObjCType:at:size:' due to
// likelihood of buffer overflows.
//===----------------------------------------------------------------------===//
void WalkAST::checkMsg_decodeValueOfObjCType(const ObjCMessageExpr *ME) {
if (!filter.check_decodeValueOfObjCType)
return;
// Check availability of the secure alternative:
// iOS 11+, macOS 10.13+, tvOS 11+, and watchOS 4.0+
// FIXME: We probably shouldn't register the check if it's not available.
const TargetInfo &TI = AC->getASTContext().getTargetInfo();
const llvm::Triple &T = TI.getTriple();
const VersionTuple &VT = TI.getPlatformMinVersion();
switch (T.getOS()) {
case llvm::Triple::IOS:
if (VT < VersionTuple(11, 0))
return;
break;
case llvm::Triple::MacOSX:
if (VT < VersionTuple(10, 13))
return;
break;
case llvm::Triple::WatchOS:
if (VT < VersionTuple(4, 0))
return;
break;
case llvm::Triple::TvOS:
if (VT < VersionTuple(11, 0))
return;
break;
default:
return;
}
PathDiagnosticLocation MELoc =
PathDiagnosticLocation::createBegin(ME, BR.getSourceManager(), AC);
BR.EmitBasicReport(
AC->getDecl(), filter.checkName_decodeValueOfObjCType,
"Potential buffer overflow in '-decodeValueOfObjCType:at:'", "Security",
"Deprecated method '-decodeValueOfObjCType:at:' is insecure "
"as it can lead to potential buffer overflows. Use the safer "
"'-decodeValueOfObjCType:at:size:' method.",
MELoc, ME->getSourceRange());
}
//===----------------------------------------------------------------------===//
// Check: Should check whether privileges are dropped successfully. // Check: Should check whether privileges are dropped successfully.
// Originally: <rdar://problem/6337132> // Originally: <rdar://problem/6337132>
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void WalkAST::checkUncheckedReturnValue(CallExpr *CE) { void WalkAST::checkUncheckedReturnValue(CallExpr *CE) {
if (!filter.check_UncheckedReturn) if (!filter.check_UncheckedReturn)
return; return;
▲ Show 20 LinesShow All 95 Lines▼ Show 20 Lines
REGISTER_CHECKER(mkstemp) REGISTER_CHECKER(mkstemp)
REGISTER_CHECKER(mktemp) REGISTER_CHECKER(mktemp)
REGISTER_CHECKER(strcpy) REGISTER_CHECKER(strcpy)
REGISTER_CHECKER(rand) REGISTER_CHECKER(rand)
REGISTER_CHECKER(vfork) REGISTER_CHECKER(vfork)
REGISTER_CHECKER(FloatLoopCounter) REGISTER_CHECKER(FloatLoopCounter)
REGISTER_CHECKER(UncheckedReturn) REGISTER_CHECKER(UncheckedReturn)
REGISTER_CHECKER(DeprecatedOrUnsafeBufferHandling) REGISTER_CHECKER(DeprecatedOrUnsafeBufferHandling)
REGISTER_CHECKER(decodeValueOfObjCType)

clang/test/Analysis/security-syntax-checks-nscoder.m

  • This file was added.
// RUN: %clang_analyze_cc1 -triple thumbv7-apple-ios11.0 -verify=available \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple thumbv7-apple-ios10.0 -verify=notavailable \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple x86_64-apple-macos10.13 -verify=available \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple x86_64-apple-macos10.12 -verify=notavailable \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple thumbv7-apple-watchos4.0 -verify=available \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple thumbv7-apple-watchos3.0 -verify=notavailable \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple thumbv7-apple-tvos11.0 -verify=available \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// RUN: %clang_analyze_cc1 -triple thumbv7-apple-tvos10.0 -verify=notavailable \
// RUN: -analyzer-checker=security.insecureAPI.decodeValueOfObjCType %s
// notavailable-no-diagnostics
typedef unsigned long NSUInteger;
@interface NSCoder
- (void)decodeValueOfObjCType:(const char *)type
at:(void *)data;
- (void)decodeValueOfObjCType:(const char *)type
at:(void *)data
size:(NSUInteger)size;
@end
void test(NSCoder *decoder) {
// This would be a vulnerability on 64-bit platforms
// but not on 32-bit platforms.
NSUInteger x;
[decoder decodeValueOfObjCType:"I" at:&x]; // available-warning{{Deprecated method '-decodeValueOfObjCType:at:' is insecure as it can lead to potential buffer overflows. Use the safer '-decodeValueOfObjCType:at:size:' method}}
[decoder decodeValueOfObjCType:"I" at:&x size:sizeof(x)]; // no-warning
}

clang/www/analyzer/available_checks.html

Show First 20 LinesShow All 1,440 Lines▼ Show 20 Lines
Warn on uses of the <code>vfork</code> function.</div></div></a></td> Warn on uses of the <code>vfork</code> function.</div></div></a></td>
<td><div class="exampleContainer expandable"> <td><div class="exampleContainer expandable">
<div class="example"><pre> <div class="example"><pre>
void test() { void test() {
vfork(); // warn vfork(); // warn
} }
</pre></div></div></td></tr> </pre></div></div></td></tr>
<tr><td><a id="security.insecureAPI.decodeValueOfObjCType"><div class="namedescr expandable"><span class="name">
security.insecureAPI.decodeValueOfObjCType</span><span class="lang">
(ObjC)</span><div class="descr">
Warn on uses of the <code>-[NSCoder decodeValueOfObjCType:at:]</code> method.
The safe alternative is <code>-[NSCoder decodeValueOfObjCType:at:size:]</code>.</div></div></a></td>
<td><div class="exampleContainer expandable">
<div class="example"><pre>
void test(NSCoder *decoder) {
// This would be a vulnerability on 64-bit platforms
// but not on 32-bit platforms.
NSUInteger x;
[decoder decodeValueOfObjCType:"I" at:&x]; // warn
}
</pre></div></div></td></tr>
</tbody></table> </tbody></table>
<!-- =========================== unix =========================== --> <!-- =========================== unix =========================== -->
<h3 id="unix_checkers">Unix Checkers</h3> <h3 id="unix_checkers">Unix Checkers</h3>
<table class="checkers"> <table class="checkers">
<colgroup><col class="namedescr"><col class="example"></colgroup> <colgroup><col class="namedescr"><col class="example"></colgroup>
<thead><tr><td>Name, Description</td><td>Example</td></tr></thead> <thead><tr><td>Name, Description</td><td>Example</td></tr></thead>
▲ Show 20 LinesShow All 261 LinesShow Last 20 Lines