hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: tests for alias analysis of malloc

Browse Source
This commit is contained in:
Robert Marsh
2020-02-07 16:22:09 -08:00
parent 3c8aeb946a
commit 05c8610bbc
9 changed files with 217 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cpp/ql/test/library-tests/dataflow/security-taint/tainted.expected
View File

@@ -52,3 +52,18 @@
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | |

9
cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected
View File

@@ -8,3 +8,12 @@
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | AST only |

6
cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected
View File

@@ -40,3 +40,9 @@
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName | |

13
cpp/ql/test/library-tests/dataflow/security-taint/test.cpp
View File

@@ -76,3 +76,16 @@ void guard() {
if (len > 1000) return;
char **node = (char **) malloc(len * sizeof(char *));
}
const char *alias_global;
void mallocBuffer() {
const char *userName = getenv("USER_NAME");
char *alias = (char*)malloc(4096);
char *copy = (char*)malloc(4096);
strcpy(copy, userName);
alias_global = alias; // to force a Chi node on all aliased memory
if (!strcmp(copy, "admin")) { // copy should be tainted
isAdmin = true;
}
}

43
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
View File

@@ -1240,3 +1240,46 @@ ssa.cpp:
# 254| v254_10(void) = UnmodeledUse : mu*
# 254| v254_11(void) = AliasedUse : ~m262_1
# 254| v254_12(void) = ExitFunction :
# 268| void* MallocAliasing(void*, int)
# 268| Block 0
# 268| v268_1(void) = EnterFunction :
# 268| m268_2(unknown) = AliasedDefinition :
# 268| m268_3(unknown) = InitializeNonLocal :
# 268| m268_4(unknown) = Chi : total:m268_2, partial:m268_3
# 268| mu268_5(unknown) = UnmodeledDefinition :
# 268| r268_6(glval<void *>) = VariableAddress[s] :
# 268| m268_7(void *) = InitializeParameter[s] : &:r268_6
# 268| r268_8(void *) = Load : &:r268_6, m268_7
# 268| m268_9(unknown) = InitializeIndirection[s] : &:r268_8
# 268| r268_10(glval<int>) = VariableAddress[size] :
# 268| m268_11(int) = InitializeParameter[size] : &:r268_10
# 269| r269_1(glval<void *>) = VariableAddress[buf] :
# 269| r269_2(glval<unknown>) = FunctionAddress[malloc] :
# 269| r269_3(glval<int>) = VariableAddress[size] :
# 269| r269_4(int) = Load : &:r269_3, m268_11
# 269| r269_5(void *) = Call : func:r269_2, 0:r269_4
# 269| m269_6(unknown) = ^CallSideEffect : ~m268_9
# 269| m269_7(unknown) = Chi : total:m268_9, partial:m269_6
# 269| m269_8(void *) = Store : &:r269_1, r269_5
# 270| r270_1(glval<unknown>) = FunctionAddress[memcpy] :
# 270| r270_2(glval<void *>) = VariableAddress[buf] :
# 270| r270_3(void *) = Load : &:r270_2, m269_8
# 270| r270_4(glval<void *>) = VariableAddress[s] :
# 270| r270_5(void *) = Load : &:r270_4, m268_7
# 270| r270_6(glval<int>) = VariableAddress[size] :
# 270| r270_7(int) = Load : &:r270_6, m268_11
# 270| r270_8(void *) = Call : func:r270_1, 0:r270_3, 1:r270_5, 2:r270_7
# 270| v270_9(void) = ^SizedBufferReadSideEffect[1] : &:r270_5, r270_7, ~m269_7
# 270| m270_10(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r270_3, r270_7
# 270| m270_11(unknown) = Chi : total:m269_7, partial:m270_10
# 271| r271_1(glval<void *>) = VariableAddress[#return] :
# 271| r271_2(glval<void *>) = VariableAddress[buf] :
# 271| r271_3(void *) = Load : &:r271_2, m269_8
# 271| m271_4(void *) = Store : &:r271_1, r271_3
# 268| v268_12(void) = ReturnIndirection : &:r268_8, ~m270_11
# 268| r268_13(glval<void *>) = VariableAddress[#return] :
# 268| v268_14(void) = ReturnValue : &:r268_13, m271_4
# 268| v268_15(void) = UnmodeledUse : mu*
# 268| v268_16(void) = AliasedUse : ~m270_11
# 268| v268_17(void) = ExitFunction :

43
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
View File

@@ -1235,3 +1235,46 @@ ssa.cpp:
# 254| v254_10(void) = UnmodeledUse : mu*
# 254| v254_11(void) = AliasedUse : ~m262_1
# 254| v254_12(void) = ExitFunction :
# 268| void* MallocAliasing(void*, int)
# 268| Block 0
# 268| v268_1(void) = EnterFunction :
# 268| m268_2(unknown) = AliasedDefinition :
# 268| m268_3(unknown) = InitializeNonLocal :
# 268| m268_4(unknown) = Chi : total:m268_2, partial:m268_3
# 268| mu268_5(unknown) = UnmodeledDefinition :
# 268| r268_6(glval<void *>) = VariableAddress[s] :
# 268| m268_7(void *) = InitializeParameter[s] : &:r268_6
# 268| r268_8(void *) = Load : &:r268_6, m268_7
# 268| m268_9(unknown) = InitializeIndirection[s] : &:r268_8
# 268| r268_10(glval<int>) = VariableAddress[size] :
# 268| m268_11(int) = InitializeParameter[size] : &:r268_10
# 269| r269_1(glval<void *>) = VariableAddress[buf] :
# 269| r269_2(glval<unknown>) = FunctionAddress[malloc] :
# 269| r269_3(glval<int>) = VariableAddress[size] :
# 269| r269_4(int) = Load : &:r269_3, m268_11
# 269| r269_5(void *) = Call : func:r269_2, 0:r269_4
# 269| m269_6(unknown) = ^CallSideEffect : ~m268_4
# 269| m269_7(unknown) = Chi : total:m268_4, partial:m269_6
# 269| m269_8(void *) = Store : &:r269_1, r269_5
# 270| r270_1(glval<unknown>) = FunctionAddress[memcpy] :
# 270| r270_2(glval<void *>) = VariableAddress[buf] :
# 270| r270_3(void *) = Load : &:r270_2, m269_8
# 270| r270_4(glval<void *>) = VariableAddress[s] :
# 270| r270_5(void *) = Load : &:r270_4, m268_7
# 270| r270_6(glval<int>) = VariableAddress[size] :
# 270| r270_7(int) = Load : &:r270_6, m268_11
# 270| r270_8(void *) = Call : func:r270_1, 0:r270_3, 1:r270_5, 2:r270_7
# 270| v270_9(void) = ^SizedBufferReadSideEffect[1] : &:r270_5, r270_7, ~m268_9
# 270| m270_10(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r270_3, r270_7
# 270| m270_11(unknown) = Chi : total:m269_7, partial:m270_10
# 271| r271_1(glval<void *>) = VariableAddress[#return] :
# 271| r271_2(glval<void *>) = VariableAddress[buf] :
# 271| r271_3(void *) = Load : &:r271_2, m269_8
# 271| m271_4(void *) = Store : &:r271_1, r271_3
# 268| v268_12(void) = ReturnIndirection : &:r268_8, m268_9
# 268| r268_13(glval<void *>) = VariableAddress[#return] :
# 268| v268_14(void) = ReturnValue : &:r268_13, m271_4
# 268| v268_15(void) = UnmodeledUse : mu*
# 268| v268_16(void) = AliasedUse : ~m270_11
# 268| v268_17(void) = ExitFunction :

8
cpp/ql/test/library-tests/ir/ssa/ssa.cpp
View File

@@ -262,3 +262,11 @@ char StringLiteralAliasing2(bool b) {
const char* s = "Literal";
return s[2];
}
void *malloc(int size);
void *MallocAliasing(void *s, int size) {
void *buf = malloc(size);
memcpy(buf, s, size);
return buf;
}

40
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
View File

@@ -1149,3 +1149,43 @@ ssa.cpp:
# 254| v254_9(void) = UnmodeledUse : mu*
# 254| v254_10(void) = AliasedUse : ~mu254_4
# 254| v254_11(void) = ExitFunction :
# 268| void* MallocAliasing(void*, int)
# 268| Block 0
# 268| v268_1(void) = EnterFunction :
# 268| mu268_2(unknown) = AliasedDefinition :
# 268| mu268_3(unknown) = InitializeNonLocal :
# 268| mu268_4(unknown) = UnmodeledDefinition :
# 268| r268_5(glval<void *>) = VariableAddress[s] :
# 268| m268_6(void *) = InitializeParameter[s] : &:r268_5
# 268| r268_7(void *) = Load : &:r268_5, m268_6
# 268| mu268_8(unknown) = InitializeIndirection[s] : &:r268_7
# 268| r268_9(glval<int>) = VariableAddress[size] :
# 268| m268_10(int) = InitializeParameter[size] : &:r268_9
# 269| r269_1(glval<void *>) = VariableAddress[buf] :
# 269| r269_2(glval<unknown>) = FunctionAddress[malloc] :
# 269| r269_3(glval<int>) = VariableAddress[size] :
# 269| r269_4(int) = Load : &:r269_3, m268_10
# 269| r269_5(void *) = Call : func:r269_2, 0:r269_4
# 269| mu269_6(unknown) = ^CallSideEffect : ~mu268_4
# 269| m269_7(void *) = Store : &:r269_1, r269_5
# 270| r270_1(glval<unknown>) = FunctionAddress[memcpy] :
# 270| r270_2(glval<void *>) = VariableAddress[buf] :
# 270| r270_3(void *) = Load : &:r270_2, m269_7
# 270| r270_4(glval<void *>) = VariableAddress[s] :
# 270| r270_5(void *) = Load : &:r270_4, m268_6
# 270| r270_6(glval<int>) = VariableAddress[size] :
# 270| r270_7(int) = Load : &:r270_6, m268_10
# 270| r270_8(void *) = Call : func:r270_1, 0:r270_3, 1:r270_5, 2:r270_7
# 270| v270_9(void) = ^SizedBufferReadSideEffect[1] : &:r270_5, r270_7, ~mu268_4
# 270| mu270_10(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r270_3, r270_7
# 271| r271_1(glval<void *>) = VariableAddress[#return] :
# 271| r271_2(glval<void *>) = VariableAddress[buf] :
# 271| r271_3(void *) = Load : &:r271_2, m269_7
# 271| m271_4(void *) = Store : &:r271_1, r271_3
# 268| v268_11(void) = ReturnIndirection : &:r268_7, ~mu268_4
# 268| r268_12(glval<void *>) = VariableAddress[#return] :
# 268| v268_13(void) = ReturnValue : &:r268_12, m271_4
# 268| v268_14(void) = UnmodeledUse : mu*
# 268| v268_15(void) = AliasedUse : ~mu268_4
# 268| v268_16(void) = ExitFunction :

40
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
View File

@@ -1149,3 +1149,43 @@ ssa.cpp:
# 254| v254_9(void) = UnmodeledUse : mu*
# 254| v254_10(void) = AliasedUse : ~mu254_4
# 254| v254_11(void) = ExitFunction :
# 268| void* MallocAliasing(void*, int)
# 268| Block 0
# 268| v268_1(void) = EnterFunction :
# 268| mu268_2(unknown) = AliasedDefinition :
# 268| mu268_3(unknown) = InitializeNonLocal :
# 268| mu268_4(unknown) = UnmodeledDefinition :
# 268| r268_5(glval<void *>) = VariableAddress[s] :
# 268| m268_6(void *) = InitializeParameter[s] : &:r268_5
# 268| r268_7(void *) = Load : &:r268_5, m268_6
# 268| mu268_8(unknown) = InitializeIndirection[s] : &:r268_7
# 268| r268_9(glval<int>) = VariableAddress[size] :
# 268| m268_10(int) = InitializeParameter[size] : &:r268_9
# 269| r269_1(glval<void *>) = VariableAddress[buf] :
# 269| r269_2(glval<unknown>) = FunctionAddress[malloc] :
# 269| r269_3(glval<int>) = VariableAddress[size] :
# 269| r269_4(int) = Load : &:r269_3, m268_10
# 269| r269_5(void *) = Call : func:r269_2, 0:r269_4
# 269| mu269_6(unknown) = ^CallSideEffect : ~mu268_4
# 269| m269_7(void *) = Store : &:r269_1, r269_5
# 270| r270_1(glval<unknown>) = FunctionAddress[memcpy] :
# 270| r270_2(glval<void *>) = VariableAddress[buf] :
# 270| r270_3(void *) = Load : &:r270_2, m269_7
# 270| r270_4(glval<void *>) = VariableAddress[s] :
# 270| r270_5(void *) = Load : &:r270_4, m268_6
# 270| r270_6(glval<int>) = VariableAddress[size] :
# 270| r270_7(int) = Load : &:r270_6, m268_10
# 270| r270_8(void *) = Call : func:r270_1, 0:r270_3, 1:r270_5, 2:r270_7
# 270| v270_9(void) = ^SizedBufferReadSideEffect[1] : &:r270_5, r270_7, ~mu268_4
# 270| mu270_10(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r270_3, r270_7
# 271| r271_1(glval<void *>) = VariableAddress[#return] :
# 271| r271_2(glval<void *>) = VariableAddress[buf] :
# 271| r271_3(void *) = Load : &:r271_2, m269_7
# 271| m271_4(void *) = Store : &:r271_1, r271_3
# 268| v268_11(void) = ReturnIndirection : &:r268_7, ~mu268_4
# 268| r268_12(glval<void *>) = VariableAddress[#return] :
# 268| v268_13(void) = ReturnValue : &:r268_12, m271_4
# 268| v268_14(void) = UnmodeledUse : mu*
# 268| v268_15(void) = AliasedUse : ~mu268_4
# 268| v268_16(void) = ExitFunction :