[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-22 Thread Balázs Kéri via cfe-commits
https://github.com/balazske closed https://github.com/llvm/llvm-project/pull/91445 ___ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-22 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 01/10] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-16 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/9] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-16 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,75 @@ +// RUN: %clang_analyze_cc1

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-16 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-16 Thread Balazs Benics via cfe-commits
https://github.com/steakhal approved this pull request. LGTM now, modulo the license

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-16 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/8] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-15 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-15 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-15 Thread Balazs Benics via cfe-commits
https://github.com/steakhal requested changes to this pull request. NoteTags, yeey. Please add tests for the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-15 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-15 Thread Balázs Kéri via cfe-commits
balazske wrote: I added the `NoteTag` support now (instead of a next PR). The `checkDeadSymbols` is removed; it really does not matter if the data remains in the GDM, and this way it is used to display the note tag only for the last `setuid` call.

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-15 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/7] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
@@ -1179,6 +1179,34 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C) strncpy(buf, "a", 1); // warn }

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
https://github.com/steakhal approved this pull request. I think this looks good now. I think to really reach the full potential of this

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
@@ -1011,6 +1011,11 @@ def FloatLoopCounter : Checker<"FloatLoopCounter">, Dependencies<[SecuritySyntaxChecker]>,

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
@@ -30,23 +30,20 @@ enum SetPrivilegeFunctionKind { Irrelevant, Setuid, Setgid }; class SetgidSetuidOrderChecker :

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-14 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/6] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-13 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-13 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,185 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +typedef int uid_t; +typedef int gid_t; + +int setuid(uid_t); +int setgid(gid_t); +int seteuid(uid_t); +int setegid(gid_t); +int setreuid(uid_t, uid_t); +int
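Review bot: the `typedef int uid_t;` and `typedef int gid_t;` declarations at the top of this test make both ID types signed, while glibc defines them as unsigned integers. Consider `typedef unsigned int uid_t;` and `typedef unsigned int gid_t;` so the test exercises the checker with the same types real callers of `setuid` and `setgid` will have, or add a short comment saying the signed typedefs are intentional.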

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -1179,6 +1179,34 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C) strncpy(buf, "a", 1); // warn } +security.SetgidSetuidOrder

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-13 Thread Balázs Kéri via cfe-commits
@@ -1179,6 +1179,34 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C) strncpy(buf, "a", 1); // warn } +security.SetgidSetuidOrder (C) +"" balazske wrote: Move the new checker into `unix`, or move the chroot checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder' (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
https://github.com/steakhal edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,185 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +typedef int uid_t; +typedef int gid_t;

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -1179,6 +1179,34 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C) strncpy(buf, "a", 1); // warn } +security.SetgidSetuidOrder

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,185 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +typedef int uid_t; +typedef int gid_t;

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,185 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +typedef int uid_t; +typedef int gid_t;

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,170 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +#include

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,170 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +#include

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Balazs Benics via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat commented: Thanks for updating your commit! Now there are only two remaining issues and they are both very minor (marked by inline comments: renaming `CallExpr *CE` and explaining the reason why "trying to set the gid again" appears as a special case in the

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,170 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +#include "Inputs/system-header-simulator-setgid-setuid.h" + +void correct_order() { + if (setgid(getgid()) == -1) +return; + if (setuid(getuid()) == -1) +

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-13 Thread Endre Fülöp via cfe-commits
https://github.com/gamesh411 approved this pull request. Emitting a note at the location of the first part of the detected pattern (the `setuid(getuid())` call) seems like useful information, but this patch is great as it is. You could also add it in another patch if it is not trivial.

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,170 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +#include "Inputs/system-header-simulator-setgid-setuid.h" + +void correct_order() { + if (setgid(getgid()) == -1) +return; + if (setuid(getuid()) == -1) +

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/5] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
balazske wrote: Is it useful to add a note tag to the previous `setuid(getuid())` call? It can be (theoretically) in another function or otherwise in a remote place in the source code. https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
https://github.com/balazske deleted https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/4] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat commented: You forgot to add `CDM::CLibrary` in the definition of `SetuidDesc` and `SetgidDesc` (see the new inline comment). There are also several inline comments from my previous review where I'm expecting an answer (not necessarily a code change -- in each

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,196 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-10 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/3] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Balázs Kéri via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,170 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +#include "Inputs/system-header-simulator-setgid-setuid.h" + +void correct_order() { + if (setgid(getgid()) == -1) +return; + if (setuid(getuid()) == -1) +

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,170 @@ +// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s + +#include "Inputs/system-header-simulator-setgid-setuid.h" + +void correct_order() { + if (setgid(getgid()) == -1) +return; + if (setuid(getuid()) == -1) +

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat edited https://github.com/llvm/llvm-project/pull/91445

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
@@ -0,0 +1,197 @@ +//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls ---===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier:

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Donát Nagy via cfe-commits
https://github.com/NagyDonat commented: It's good to see that this checker is finished. I added several inline comments, but they are not serious issues -- most are connected to `CallDescription`s where I'm now very familiar with the available options (and I refactored the code, so others are

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Balázs Kéri via cfe-commits
https://github.com/balazske updated https://github.com/llvm/llvm-project/pull/91445 From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH 1/2] [clang][analyzer] Add checker

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread via cfe-commits
llvmbot wrote: @llvm/pr-subscribers-clang-static-analyzer-1 @llvm/pr-subscribers-clang Author: Balázs Kéri (balazske) Changes --- Full diff: https://github.com/llvm/llvm-project/pull/91445.diff 6 Files Affected: - (modified) clang/docs/analyzer/checkers.rst (+28) - (modified)

[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

2024-05-08 Thread Balázs Kéri via cfe-commits
https://github.com/balazske created https://github.com/llvm/llvm-project/pull/91445 None From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001 From: Balázs Kéri Date: Wed, 8 May 2024 10:10:24 +0200 Subject: [PATCH] [clang][analyzer] Add checker