hohn/codeql-workshop-dataflow-c
1
0
Fork 0
mirror of https://github.com/hohn/codeql-workshop-dataflow-c.git synced 2025-12-16 10:33:04 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
39ba0713b8eed2a2bd6c4f2ba8ed64e480ce9d0d
codeql-workshop-dataflow-c/readme-low-level.org
Michael Hohn f0cae3c212 inline svgs of graphs for comparison
2025-03-17 19:36:58 -07:00

3.6 KiB
Raw Blame History

CodeQL AST in dot and pdf

The control flow graph is narrowed to the function of interest,

  int copy_mem(unsigned int unused, dyn_input_t *input,
               unsigned int input_types) {...}

from ./tests-common/test_part1.c, so we do the same for the AST.

  # Produce ast in dot format
  codeql database analyze                             \
         --format=dot --output=ast.dot                \
         -j8 -v --ram=16000                           \
         --rerun                                      \
         --                                           \
         cpp-dataflow-part1-database                  \
         graphs/ast.ql                            

  # Convert dot to pdf
  dot -Tpdf < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.pdf
  dot -Tsvg < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.svg

  # View the graph
  open ast.dot/cpp/print-ast.pdf

  # This comes from
  tests-common/test_part1.c

CodeQL CFG in dot and pdf

The whole control flow graph is very large, so the query narrows it to the function of interest,

  int copy_mem(unsigned int unused, dyn_input_t *input,
               unsigned int input_types) {...}

from ./tests-common/test_part1.c

  # Produce CFG in dot format
  codeql database analyze                             \
         --format=dot --output=cfg.dot                \
         -j8 -v --ram=16000                           \
         --rerun                                      \
         --                                           \
         cpp-dataflow-part1-database                  \
         graphs/cfg.ql                            


  # Convert dot to pdf
  dot -Tpdf < cfg.dot/cpp/print-cfg.dot > cfg.dot/cpp/print-cfg.pdf
  dot -Tsvg < cfg.dot/cpp/print-cfg.dot > cfg.dot/cpp/print-cfg.svg

  # View the graph
  open cfg.dot/cpp/print-cfg.pdf

Original source code 

  int copy_mem(unsigned int unused, dyn_input_t *input,
               unsigned int input_types) {
    memcpy(input[0].ptr.buf, input[1].ptr.buf,
           input[1].ptr.size); // NON_COMPLIANT - type not checked
    copy_mem_nested(input);    // NON_COMPLIANT - type not checked

    if (input_types != DYN_INPUT_TYPE(DYN_INPUT_TYPE_MEM, DYN_INPUT_TYPE_MEM)) {
    }

    memcpy(input[0].ptr.buf, input[1].ptr.buf,
           input[1].ptr.size); // NON_COMPLIANT - guard doesn't control all paths
    copy_mem_nested(input);    // NON_COMPLIANT - guard doesn't control all paths

    if (DYN_INPUT_TYPE(DYN_INPUT_TYPE_MEM, DYN_INPUT_TYPE_MEM) == 100) {
      memcpy(input[0].ptr.buf, input[1].ptr.buf,
             input[1].ptr.size); // NON_COMPLIANT - useless type check
    }

    if (input_types != DYN_INPUT_TYPE(DYN_INPUT_TYPE_MEM, DYN_INPUT_TYPE_MEM)) {
      return 1;
    }

    memcpy(input[0].ptr.buf, input[1].ptr.buf,
           input[1].ptr.size); // COMPLIANT - type checked
    copy_mem_nested(input);    // COMPLIANT - type checked

    return 0;
  }

AST

The ast is inlined here. For better viewing, open the pdf (./ast.dot/cpp/print-ast.pdf) separately.

./ast.dot/cpp/print-ast.svg

CFG

The cfg is inlined here. For better viewing, open the pdf (./cfg.dot/cpp/print-cfg.pdf) separately.

./cfg.dot/cpp/print-cfg.svg