C++: Remove underflow detection.

This commit is contained in:
Geoffrey White
2021-07-29 15:19:48 +01:00
parent 9e0411238b
commit 13823df5a1
4 changed files with 4 additions and 30 deletions


@@ -74,10 +74,6 @@ private class RandS extends RandomFunction {
predicate missingGuard(VariableAccess va, string effect) {
exists(Operation op | op.getAnOperand() = va |
missingGuardAgainstUnderflow(op, va) and
effect = "underflow" and
not op instanceof MulExpr // random numbers are usually non-negative, so multiplication doesn't underflow.
or
missingGuardAgainstOverflow(op, va) and effect = "overflow"
)
}
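Review bot: With the underflow disjunct removed, `effect` is bound only by `effect = "overflow"`, so the second parameter of missingGuard is now a constant and the predicate no longer records why subtraction is out of scope; the deleted `not op instanceof MulExpr` comment was the only place that stated random values are usually non-negative. Keep the parameter if callers outside the hunk still pattern on it, but add a line above the exists, e.g. `// Underflow is deliberately not reported: random values are usually non-negative, and the check produced false positives such as test_remainder_subtract in test.cpp.` Any caller that still passes "underflow" would now silently match nothing; those callers are outside this hunk, so that is worth checking. The enclosing class RandS starts before and ends after the hunk.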


@@ -2,11 +2,6 @@ edges
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r |
| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
@@ -19,7 +14,6 @@ edges
| test.cpp:30:13:30:14 | get_rand2 output argument [[]] | test.cpp:30:13:30:14 | Chi |
| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
| test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
| test.cpp:54:10:54:13 | call to rand | test.cpp:57:9:57:9 | x |
| test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x |
| test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x |
| test.cpp:129:10:129:13 | call to rand | test.cpp:132:10:132:10 | b |
@@ -32,14 +26,6 @@ nodes
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
| test.c:77:9:77:9 | r | semmle.label | r |
| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
| test.c:83:9:83:9 | r | semmle.label | r |
| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
| test.c:100:5:100:5 | r | semmle.label | r |
| test.c:125:13:125:16 | call to rand | semmle.label | call to rand |
| test.c:127:9:127:9 | r | semmle.label | r |
| test.cpp:8:9:8:12 | Store | semmle.label | Store |
@@ -56,8 +42,6 @@ nodes
| test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
| test.cpp:36:13:36:13 | get_rand3 output argument [[]] | semmle.label | get_rand3 output argument [[]] |
| test.cpp:37:7:37:7 | r | semmle.label | r |
| test.cpp:54:10:54:13 | call to rand | semmle.label | call to rand |
| test.cpp:57:9:57:9 | x | semmle.label | x |
| test.cpp:78:10:78:13 | call to rand | semmle.label | call to rand |
| test.cpp:82:10:82:10 | x | semmle.label | x |
| test.cpp:90:10:90:13 | call to rand | semmle.label | call to rand |
@@ -71,16 +55,10 @@ nodes
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | Uncontrolled value |
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
| test.cpp:57:9:57:9 | x | test.cpp:54:10:54:13 | call to rand | test.cpp:57:9:57:9 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:54:10:54:13 | call to rand | Uncontrolled value |
| test.cpp:82:10:82:10 | x | test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:78:10:78:13 | call to rand | Uncontrolled value |
| test.cpp:94:10:94:10 | x | test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:90:10:90:13 | call to rand | Uncontrolled value |
| test.cpp:132:10:132:10 | b | test.cpp:129:10:129:13 | call to rand | test.cpp:132:10:132:10 | b | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:129:10:129:13 | call to rand | Uncontrolled value |


@@ -74,13 +74,13 @@ void randomTester() {
{
int r = RAND2();
r = r - 100; // BAD
r = r - 100; // GOOD
}
{
int r = (rand() ^ rand());
r = r - 100; // BAD
r = r - 100; // GOOD
}
{
@@ -97,7 +97,7 @@ void randomTester() {
int r = 0;
int *ptr_r = &r;
*ptr_r = RAND();
r -= 100; // BAD
r -= 100; // GOOD
}
{
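Review bot: The relabelled lines `r = r - 100; // GOOD` at the top of the section (and `r -= 100; // GOOD` in the second hunk) record the new expected result but not the reason, so a later reader cannot tell whether the subtraction is considered safe or simply no longer in scope of the query. Since the commit removes underflow detection altogether, the annotation should say so, e.g. `r = r - 100; // GOOD (underflow is not reported)`, and the same wording fits the other two relabelled lines. The enclosing function randomTester() starts before the first hunk and continues after the second.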


@@ -54,7 +54,7 @@ int test_remainder_subtract()
int x = rand();
int y = x % 100; // y <= x
return x - y; // GOOD (as y <= x) [FALSE POSITIVE]
return x - y; // GOOD (as y <= x)
}
typedef unsigned long size_t;