hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5036 from MathiasVP/memcpy-models

Browse Source 
C++: Model aliasing of memcpy-like functions and include more functions
This commit is contained in:
Robert Marsh
2021-01-27 14:38:08 -08:00
committed by GitHub
parent a4d7bfbb2b 24f76f9a17
commit 0addce5be4
2 changed files with 64 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
cpp/ql/src/semmle/code/cpp/models/implementations/Memcpy.qll
View File

@@ -6,6 +6,7 @@
import semmle.code.cpp.Function
import semmle.code.cpp.models.interfaces.ArrayFunction
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.SideEffect
import semmle.code.cpp.models.interfaces.Taint
@@ -13,27 +14,29 @@ import semmle.code.cpp.models.interfaces.Taint
* The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
* `__builtin___memcpy_chk`.
*/
private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction {
private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
AliasFunction {
MemcpyFunction() {
// memcpy(dest, src, num)
// memmove(dest, src, num)
// memmove(dest, src, num, remaining)
this.hasName(["memcpy", "memmove", "__builtin___memcpy_chk"])
this.hasGlobalOrStdName(["memcpy", "memmove"])
or
// bcopy(src, dest, num)
this.hasGlobalOrStdName("bcopy")
// mempcpy(dest, src, num)
this.hasGlobalName(["bcopy", mempcpy(), "__builtin___memcpy_chk"])
}
/**
* Gets the index of the parameter that is the source buffer for the copy.
*/
int getParamSrc() { if this.hasGlobalOrStdName("bcopy") then result = 0 else result = 1 }
int getParamSrc() { if this.hasGlobalName("bcopy") then result = 0 else result = 1 }
/**
* Gets the index of the parameter that is the destination buffer for the
* copy.
*/
int getParamDest() { if this.hasGlobalOrStdName("bcopy") then result = 1 else result = 0 }
int getParamDest() { if this.hasGlobalName("bcopy") then result = 1 else result = 0 }
/**
* Gets the index of the parameter that is the size of the copy (in bytes).
@@ -82,4 +85,21 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
i = getParamSrc()
)
}
override predicate parameterNeverEscapes(int index) {
index = getParamSrc()
or
this.hasGlobalName("bcopy") and index = getParamDest()
}
override predicate parameterEscapesOnlyViaReturn(int index) {
not this.hasGlobalName("bcopy") and index = getParamDest()
}
override predicate parameterIsAlwaysReturned(int index) {
not this.hasGlobalName(["bcopy", mempcpy()]) and
index = getParamDest()
}
}
private string mempcpy() { result = ["mempcpy", "wmempcpy"] }

84
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
View File

@@ -889,10 +889,8 @@ ssa.cpp:
# 207| m207_4(unknown) = Chi : total:m207_2, partial:m207_3
# 207| r207_5(glval<int>) = VariableAddress[x] :
# 207| m207_6(int) = InitializeParameter[x] : &:r207_5
# 207| m207_7(unknown) = Chi : total:m207_4, partial:m207_6
# 208| r208_1(glval<int>) = VariableAddress[y] :
# 208| m208_2(int) = Uninitialized[y] : &:r208_1
# 208| m208_3(unknown) = Chi : total:m207_7, partial:m208_2
# 209| r209_1(glval<unknown>) = FunctionAddress[memcpy] :
# 209| r209_2(glval<int>) = VariableAddress[y] :
# 209| r209_3(int *) = CopyValue : r209_2
@@ -904,15 +902,15 @@ ssa.cpp:
# 209| r209_9(void *) = Call[memcpy] : func:r209_1, 0:r209_4, 1:r209_7, 2:r209_8
# 209| v209_10(void) = ^SizedBufferReadSideEffect[1] : &:r209_7, r209_8, ~m207_6
# 209| m209_11(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r209_4, r209_8
# 209| m209_12(unknown) = Chi : total:m208_3, partial:m209_11
# 209| m209_12(int) = Chi : total:m208_2, partial:m209_11
# 210| r210_1(glval<int>) = VariableAddress[#return] :
# 210| r210_2(glval<int>) = VariableAddress[y] :
# 210| r210_3(int) = Load[y] : &:r210_2, ~m209_12
# 210| r210_3(int) = Load[y] : &:r210_2, m209_12
# 210| m210_4(int) = Store[#return] : &:r210_1, r210_3
# 207| r207_8(glval<int>) = VariableAddress[#return] :
# 207| v207_9(void) = ReturnValue : &:r207_8, m210_4
# 207| v207_10(void) = AliasedUse : m207_3
# 207| v207_11(void) = ExitFunction :
# 207| r207_7(glval<int>) = VariableAddress[#return] :
# 207| v207_8(void) = ReturnValue : &:r207_7, m210_4
# 207| v207_9(void) = AliasedUse : m207_3
# 207| v207_10(void) = ExitFunction :
# 213| void InitArray()
# 213| Block 0
@@ -1104,51 +1102,49 @@ ssa.cpp:
# 247| m247_6(char *) = InitializeParameter[src] : &:r247_5
# 247| r247_7(char *) = Load[src] : &:r247_5, m247_6
# 247| m247_8(unknown) = InitializeIndirection[src] : &:r247_7
# 247| m247_9(unknown) = Chi : total:m247_4, partial:m247_8
# 247| r247_10(glval<int>) = VariableAddress[size] :
# 247| m247_11(int) = InitializeParameter[size] : &:r247_10
# 247| r247_9(glval<int>) = VariableAddress[size] :
# 247| m247_10(int) = InitializeParameter[size] : &:r247_9
# 248| r248_1(glval<char *>) = VariableAddress[dst] :
# 248| r248_2(glval<unknown>) = FunctionAddress[operator new[]] :
# 248| r248_3(glval<int>) = VariableAddress[size] :
# 248| r248_4(int) = Load[size] : &:r248_3, m247_11
# 248| r248_4(int) = Load[size] : &:r248_3, m247_10
# 248| r248_5(unsigned long) = Convert : r248_4
# 248| r248_6(unsigned long) = Constant[1] :
# 248| r248_7(unsigned long) = Mul : r248_5, r248_6
# 248| r248_8(void *) = Call[operator new[]] : func:r248_2, 0:r248_7
# 248| m248_9(unknown) = ^CallSideEffect : ~m247_9
# 248| m248_10(unknown) = Chi : total:m247_9, partial:m248_9
# 248| m248_9(unknown) = ^CallSideEffect : ~m247_4
# 248| m248_10(unknown) = Chi : total:m247_4, partial:m248_9
# 248| m248_11(unknown) = ^InitializeDynamicAllocation : &:r248_8
# 248| m248_12(unknown) = Chi : total:m248_10, partial:m248_11
# 248| r248_13(char *) = Convert : r248_8
# 248| m248_14(char *) = Store[dst] : &:r248_1, r248_13
# 248| r248_12(char *) = Convert : r248_8
# 248| m248_13(char *) = Store[dst] : &:r248_1, r248_12
# 249| r249_1(char) = Constant[97] :
# 249| r249_2(glval<char *>) = VariableAddress[src] :
# 249| r249_3(char *) = Load[src] : &:r249_2, m247_6
# 249| r249_4(glval<char>) = CopyValue : r249_3
# 249| m249_5(char) = Store[?] : &:r249_4, r249_1
# 249| m249_6(unknown) = Chi : total:m248_12, partial:m249_5
# 249| m249_6(unknown) = Chi : total:m247_8, partial:m249_5
# 250| r250_1(glval<unknown>) = FunctionAddress[memcpy] :
# 250| r250_2(glval<char *>) = VariableAddress[dst] :
# 250| r250_3(char *) = Load[dst] : &:r250_2, m248_14
# 250| r250_3(char *) = Load[dst] : &:r250_2, m248_13
# 250| r250_4(void *) = Convert : r250_3
# 250| r250_5(glval<char *>) = VariableAddress[src] :
# 250| r250_6(char *) = Load[src] : &:r250_5, m247_6
# 250| r250_7(void *) = Convert : r250_6
# 250| r250_8(glval<int>) = VariableAddress[size] :
# 250| r250_9(int) = Load[size] : &:r250_8, m247_11
# 250| r250_9(int) = Load[size] : &:r250_8, m247_10
# 250| r250_10(void *) = Call[memcpy] : func:r250_1, 0:r250_4, 1:r250_7, 2:r250_9
# 250| v250_11(void) = ^SizedBufferReadSideEffect[1] : &:r250_7, r250_9, ~m249_6
# 250| m250_12(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r250_4, r250_9
# 250| m250_13(unknown) = Chi : total:m249_6, partial:m250_12
# 250| m250_13(unknown) = Chi : total:m248_11, partial:m250_12
# 251| r251_1(glval<char *>) = VariableAddress[#return] :
# 251| r251_2(glval<char *>) = VariableAddress[dst] :
# 251| r251_3(char *) = Load[dst] : &:r251_2, m248_14
# 251| r251_3(char *) = Load[dst] : &:r251_2, m248_13
# 251| m251_4(char *) = Store[#return] : &:r251_1, r251_3
# 247| v247_12(void) = ReturnIndirection[src] : &:r247_7, ~m250_13
# 247| r247_13(glval<char *>) = VariableAddress[#return] :
# 247| v247_14(void) = ReturnValue : &:r247_13, m251_4
# 247| v247_15(void) = AliasedUse : ~m250_13
# 247| v247_16(void) = ExitFunction :
# 247| v247_11(void) = ReturnIndirection[src] : &:r247_7, m249_6
# 247| r247_12(glval<char *>) = VariableAddress[#return] :
# 247| v247_13(void) = ReturnValue : &:r247_12, m251_4
# 247| v247_14(void) = AliasedUse : ~m248_10
# 247| v247_15(void) = ExitFunction :
# 254| char StringLiteralAliasing2(bool)
# 254| Block 0
@@ -1206,39 +1202,37 @@ ssa.cpp:
# 268| m268_6(void *) = InitializeParameter[s] : &:r268_5
# 268| r268_7(void *) = Load[s] : &:r268_5, m268_6
# 268| m268_8(unknown) = InitializeIndirection[s] : &:r268_7
# 268| m268_9(unknown) = Chi : total:m268_4, partial:m268_8
# 268| r268_10(glval<int>) = VariableAddress[size] :
# 268| m268_11(int) = InitializeParameter[size] : &:r268_10
# 268| r268_9(glval<int>) = VariableAddress[size] :
# 268| m268_10(int) = InitializeParameter[size] : &:r268_9
# 269| r269_1(glval<void *>) = VariableAddress[buf] :
# 269| r269_2(glval<unknown>) = FunctionAddress[malloc] :
# 269| r269_3(glval<int>) = VariableAddress[size] :
# 269| r269_4(int) = Load[size] : &:r269_3, m268_11
# 269| r269_4(int) = Load[size] : &:r269_3, m268_10
# 269| r269_5(void *) = Call[malloc] : func:r269_2, 0:r269_4
# 269| m269_6(unknown) = ^CallSideEffect : ~m268_9
# 269| m269_7(unknown) = Chi : total:m268_9, partial:m269_6
# 269| m269_6(unknown) = ^CallSideEffect : ~m268_4
# 269| m269_7(unknown) = Chi : total:m268_4, partial:m269_6
# 269| m269_8(unknown) = ^InitializeDynamicAllocation : &:r269_5
# 269| m269_9(unknown) = Chi : total:m269_7, partial:m269_8
# 269| m269_10(void *) = Store[buf] : &:r269_1, r269_5
# 269| m269_9(void *) = Store[buf] : &:r269_1, r269_5
# 270| r270_1(glval<unknown>) = FunctionAddress[memcpy] :
# 270| r270_2(glval<void *>) = VariableAddress[buf] :
# 270| r270_3(void *) = Load[buf] : &:r270_2, m269_10
# 270| r270_3(void *) = Load[buf] : &:r270_2, m269_9
# 270| r270_4(glval<void *>) = VariableAddress[s] :
# 270| r270_5(void *) = Load[s] : &:r270_4, m268_6
# 270| r270_6(glval<int>) = VariableAddress[size] :
# 270| r270_7(int) = Load[size] : &:r270_6, m268_11
# 270| r270_7(int) = Load[size] : &:r270_6, m268_10
# 270| r270_8(void *) = Call[memcpy] : func:r270_1, 0:r270_3, 1:r270_5, 2:r270_7
# 270| v270_9(void) = ^SizedBufferReadSideEffect[1] : &:r270_5, r270_7, ~m269_7
# 270| v270_9(void) = ^SizedBufferReadSideEffect[1] : &:r270_5, r270_7, ~m268_8
# 270| m270_10(unknown) = ^SizedBufferMustWriteSideEffect[0] : &:r270_3, r270_7
# 270| m270_11(unknown) = Chi : total:m269_9, partial:m270_10
# 270| m270_11(unknown) = Chi : total:m269_8, partial:m270_10
# 271| r271_1(glval<void *>) = VariableAddress[#return] :
# 271| r271_2(glval<void *>) = VariableAddress[buf] :
# 271| r271_3(void *) = Load[buf] : &:r271_2, m269_10
# 271| r271_3(void *) = Load[buf] : &:r271_2, m269_9
# 271| m271_4(void *) = Store[#return] : &:r271_1, r271_3
# 268| v268_12(void) = ReturnIndirection[s] : &:r268_7, ~m270_11
# 268| r268_13(glval<void *>) = VariableAddress[#return] :
# 268| v268_14(void) = ReturnValue : &:r268_13, m271_4
# 268| v268_15(void) = AliasedUse : ~m270_11
# 268| v268_16(void) = ExitFunction :
# 268| v268_11(void) = ReturnIndirection[s] : &:r268_7, m268_8
# 268| r268_12(glval<void *>) = VariableAddress[#return] :
# 268| v268_13(void) = ReturnValue : &:r268_12, m271_4
# 268| v268_14(void) = AliasedUse : ~m269_7
# 268| v268_15(void) = ExitFunction :
# 275| void EscapedButNotConflated(bool, Point, int)
# 275| Block 0