This clang analyzer checkers looks for kernel-to-userland memory disclosure, it was a toy starter project described here.
In a screen session, run sh build.sh. It will place the LLVM source tree into a directory named llvm and place the new build against it in the directory build.
To run tests, run ~/build/bin/llvm-lit llvm/tools/clang/test/Analysis/kernel-memory-disclosure-checker-tests/*.c
To run with the z3 constraint manager (very slow!) add the -constraints z3 flag to the scan-build invocation.
Note (12/28/18): The #define malloc() macro in sys/malloc.h can confuse clang analyzer and cause false positives. Removing its definition will not change program semantics and will improve analyzer results.
Run in a screen session in bash:
cd /usr/src
time sudo ~/build/bin/scan-build \
--use-cc=/usr/bin/cc \
-disable-checker core,unix,deadcode,nullability \
-enable-checker alpha.security.KernelMemoryDisclosure \
-o ~/analyzer \
make -i -j `sysctl -n hw.ncpu` buildkernel COMPILER_TYPE=clang 2>&1 | tee ~/buildlog
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.16.7.tar.xz
tar -xf linux-4.16.7.tar.xz
patch -p0 < ~/kernel-uninitialized-memory-checker/linux-4.16.7.patch
make mrproper allyesconfig
sed -i 's/CONFIG_KASAN=y/CONFIG_KASAN=n/' .config
sed -i 's/CONFIG_UBSAN=y/CONFIG_UBSAN=n/' .config
sed -i 's/CONFIG_READABLE_ASM=y/CONFIG_READABLE_ASM=n/' .config
sed -i 's/CONFIG_HARDENED_USERCOPY=y/CONFIG_HARDENED_USERCOPY=n/' .config
sed -i 's/CONFIG_FORTIFY_SOURCE=y/CONFIG_FORTIFY_SOURCE=n/' .config
yes "" | make oldconfig
time ~/build/bin/scan-build \
-disable-checker core,unix,deadcode,nullability \
-enable-checker alpha.security.KernelMemoryDisclosure \
-o ~/analyzer \
make -i -j `grep -c ^processor /proc/cpuinfo` KBUILD_VERBOSE=1 2>&1 | tee ~/buildlog
If you running the build on a newer (>10.14.1) version of XNU, you may want to run the mig-parser to generate a fresh MachInterface.h. Run the following in the source tree:
rm -rf BUILD
time ~/build/bin/scan-build \
-disable-checker core,unix,deadcode,nullability \
-enable-checker alpha.security.KernelMemoryDisclosure \
-o ~/analyzer \
make -i SDKROOT=macosx ARCH_CONFIGS=X86_64 KERNEL_CONFIGS=RELEASE VERBOSE=YES USE_WERROR=0 2>&1 | tee ~/buildlog
Download and set-up an appropriate cross-compiler.
ARM32
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6
export ARCH=arm
export CROSS_COMPILE=$PWD/arm-eabi-4.6/bin/arm-eabi-
export CLANG_TARGET=armv5te-none-eabi
ARM64
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/
export ARCH=arm64
export CROSS_COMPILE=$PWD/aarch64-linux-android-4.9/bin/aarch64-linux-android-
export CLANG_TARGET=aarch64-none-eabi
Select and download a kernel repo, e.g. kernel/msm. At this point you will want to check out some branch to build, there will likely be some build errors you will want to fix to make clang build happily. Very hacky (just to get the build to work as quickly as possible, not to make functional builds!) patches I made to get builds to succeed are included in android_build_with_clang/${KERNEL_REPO}/${BRANCH_NAME}.patch
git checkout SOME_BRANCH
make clean mrproper SOMECONFIGURATION_defconfig
time ~/build/bin/scan-build \
--analyzer-target $CLANG_TARGET \
--use-cc=${CROSS_COMPILE}gcc \
-disable-checker core,unix,deadcode,nullability \
-enable-checker alpha.security.KernelMemoryDisclosure \
-o ~/analyzer \
make -i -j `grep -c ^processor /proc/cpuinfo` V=1 2>&1 | tee ~/buildlog.android