hohn/codeql-sample-polkit
1
0
Fork 0
mirror of https://github.com/hohn/codeql-sample-polkit.git synced 2025-12-16 22:03:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refined argv-out-of-bounds-1 to precise result set

Browse Source
This commit is contained in:
Michael Hohn
2022-03-04 12:11:05 -08:00
committed by =Michael Hohn
parent bc6b32c4c8
commit 3660be0eeb
1 changed files with 53 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
argv-out-of-bounds-1.ql
View File

@@ -6,23 +6,23 @@
import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.controlflow.SSA
/*
* Use
* https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-cpp/
* to find the codeql class matching c++ syntax
*
* See https://codeql.github.com/docs/codeql-language-guides/using-range-analsis-in-cpp/
* for the entry points to the range analysis library. Namely,
* `import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`
* and
* `lowerBound(expr)`
*/
//
// Use https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-cpp/
// to find the codeql class matching c++ syntax
//
// See https://codeql.github.com/docs/codeql-language-guides/using-range-analsis-in-cpp/
// for the entry points to the range analysis library. Namely,
// `import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`
// and
// `lowerBound(expr)`
//
from
Parameter argc, RelationalOperation cmp, Variable n, Parameter argv, ArrayExpr argvAccess,
AssignExpr argvSet, SsaDefinition invalidN, SsaDefinition invalidNDef
where
where
//
// consider argc and n when they occur in the same comparison
//
@@ -94,15 +94,27 @@ where
cmp.getLesserOperand() = invalidN.getAUse(n) and
cmp.getGreaterOperand() = argc.getAnAccess() and
invalidN.getAnUltimateDefiningValue(n).getValue().toInt() > 0 and
invalidNDef = invalidN.getAnUltimateSsaDefinition(n)
invalidNDef = invalidN.getAnUltimateSsaDefinition(n) and
//
// We still find an access inside the loop,
// opt_user = g_strdup (argv[n]);
// so let's narrow:
and
invalidN.getAUse(n) = argvAccess.getArrayOffset() and
argvSet = cmp.getAFalseSuccessor().getASuccessor*() and
argvAccess = cmp.getAFalseSuccessor().getASuccessor*()
argvAccess = cmp.getAFalseSuccessor().getASuccessor*() and
//
// Reduce to a single invalidNDef location, the n = 1 case.
// //
// // Try one; still get `n = 1` and `n++`
// and exists( Expr t| t = invalidNDef.getDefiningValue(n))
//
// Try two, require an explicit value:
exists(string t | t = invalidNDef.getDefiningValue(n).getValue())
//
// This works! Some clean up/simplification, to be used in the next iteration.
and
invalidNDef = invalidN.getAnUltimateSsaDefinition(n) and
invalidNDef.getDefiningValue(n).getValue().toInt() > 0
select argc, "definition of argc", cmp, "use in comparison", n, "other var in comparison",
argvAccess, "argv indexed", argvSet, "argv assigned", invalidNDef, "invalid n definition"