C++: Replace deallocation models with models from extensible predicates.

2026-04-27 01:35:13 +02:00 · 2024-06-20 14:28:43 +01:00
parent e5c20b13cf
commit 3457551264
5 changed files with 95 additions and 58 deletions
--- a/cpp/ql/lib/ext/deallocation/Bsd.deallocation.model.yml
+++ b/cpp/ql/lib/ext/deallocation/Bsd.deallocation.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data:
+      - ["", "", False, "pool_put", "1"]
+      - ["", "", False, "pool_cache_put", "1"]
+      - ["", "", False, "kmem_free", "0"]
--- a/cpp/ql/lib/ext/deallocation/Std.deallocation.model.yml
+++ b/cpp/ql/lib/ext/deallocation/Std.deallocation.model.yml
@@ -0,0 +1,41 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data:
+      - ["", "", False, "free", "0"]
+      - ["std", "", False, "free", "0"]
+      - ["", "", False, "realloc", "0"]
+      - ["std", "", False, "realloc", "0"]
+      - ["bsl", "", False, "realloc", "0"]
+      - ["", "", False, "CRYPTO_free", "0"]
+      - ["", "", False, "CRYPTO_secure_free", "0"]
+      - ["", "", False, "g_free", "0"]
+      - ["", "", False, "ExFreePool", "0"]
+      - ["", "", False, "ExFreePoolWithTag", "0"]
+      - ["", "", False, "ExDeleteTimer", "0"]
+      - ["", "", False, "IoFreeIrp", "0"]
+      - ["", "", False, "IoFreeMdl", "0"]
+      - ["", "", False, "IoFreeErrorLogEntry", "0"]
+      - ["", "", False, "IoFreeWorkItem", "0"]
+      - ["", "", False, "MmFreeContiguousMemory", "0"]
+      - ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
+      - ["", "", False, "MmFreeNonCachedMemory", "0"]
+      - ["", "", False, "MmFreeMappingAddress", "0"]
+      - ["", "", False, "MmFreePagesFromMdl", "0"]
+      - ["", "", False, "MmUnmapReservedMapping", "0"]
+      - ["", "", False, "MmUnmapLockedPages", "0"]
+      - ["", "", False, "NdisFreeGenericObject", "0"]
+      - ["", "", False, "NdisFreeMemory", "0"]
+      - ["", "", False, "NdisFreeMemoryWithTag", "0"]
+      - ["", "", False, "NdisFreeMdl", "0"]
+      - ["", "", False, "NdisFreeNetBufferListPool", "0"]
+      - ["", "", False, "NdisFreeNetBufferPool", "0"]
+      - ["", "", False, "LocalFree", "0"]
+      - ["", "", False, "GlobalFree", "0"]
+      - ["", "", False, "LocalReAlloc", "0"]
+      - ["", "", False, "GlobalReAlloc", "0"]
+      - ["", "", False, "VirtualFree", "0"]
+      - ["", "", False, "CoTaskMemFree", "0"]
+      - ["", "", False, "CoTaskMemRealloc", "0"]
+      - ["", "", False, "SysFreeString", "0"]
--- a/cpp/ql/lib/ext/deallocation/Windows.deallocation.model.yml
+++ b/cpp/ql/lib/ext/deallocation/Windows.deallocation.model.yml
@@ -0,0 +1,41 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data:
+      - ["", "", False, "ExFreePool", "0"]
+      - ["", "", False, "ExFreePoolWithTag", "0"]
+      - ["", "", False, "ExDeleteTimer", "0"]
+      - ["", "", False, "IoFreeIrp", "0"]
+      - ["", "", False, "IoFreeMdl", "0"]
+      - ["", "", False, "IoFreeErrorLogEntry", "0"]
+      - ["", "", False, "IoFreeWorkItem", "0"]
+      - ["", "", False, "MmFreeContiguousMemory", "0"]
+      - ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
+      - ["", "", False, "MmFreeNonCachedMemory", "0"]
+      - ["", "", False, "MmFreeMappingAddress", "0"]
+      - ["", "", False, "MmFreePagesFromMdl", "0"]
+      - ["", "", False, "MmUnmapReservedMapping", "0"]
+      - ["", "", False, "MmUnmapLockedPages", "0"]
+      - ["", "", False, "NdisFreeGenericObject", "0"]
+      - ["", "", False, "NdisFreeMemory", "0"]
+      - ["", "", False, "NdisFreeMemoryWithTag", "0"]
+      - ["", "", False, "NdisFreeMdl", "0"]
+      - ["", "", False, "NdisFreeNetBufferListPool", "0"]
+      - ["", "", False, "NdisFreeNetBufferPool", "0"]
+      - ["", "", False, "LocalFree", "0"]
+      - ["", "", False, "GlobalFree", "0"]
+      - ["", "", False, "LocalReAlloc", "0"]
+      - ["", "", False, "GlobalReAlloc", "0"]
+      - ["", "", False, "VirtualFree", "0"]
+      - ["", "", False, "CoTaskMemFree", "0"]
+      - ["", "", False, "CoTaskMemRealloc", "0"]
+      - ["", "", False, "SysFreeString", "0"]
+      - ["", "", False, "ExFreeToLookasideListEx", "1"]
+      - ["", "", False, "ExFreeToPagedLookasideList", "1"]
+      - ["", "", False, "ExFreeToNPagedLookasideList", "1"]
+      - ["", "", False, "NdisFreeMemoryWithTagPriority", "1"]
+      - ["", "", False, "StorPortFreeMdl", "1"]
+      - ["", "", False, "StorPortFreePool", "1"]
+      - ["", "", False, "HeapFree", "2"]
+      - ["", "", False, "HeapReAlloc", "2"]
--- a/cpp/ql/lib/ext/deallocation/empty.deallocation.model.yml
+++ b/cpp/ql/lib/ext/deallocation/empty.deallocation.model.yml
@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: deallocationFunctionModel
+    data: []
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll
@@ -6,64 +6,6 @@

 import semmle.code.cpp.models.interfaces.Deallocation

-/**
- * A deallocation function such as `free`.
- */
-private class StandardDeallocationFunction extends DeallocationFunction {
-  int freedArg;
-
-  StandardDeallocationFunction() {
-    this.hasGlobalOrStdOrBslName([
-        // --- C library allocation
-        "free", "realloc"
-      ]) and
-    freedArg = 0
-    or
-    this.hasGlobalName([
-        // --- OpenSSL memory deallocation
-        "CRYPTO_free", "CRYPTO_secure_free",
-        // --- glib memory deallocation
-        "g_free"
-      ]) and
-    freedArg = 0
-    or
-    this.hasGlobalOrStdName([
-        // --- Windows Memory Management for Windows Drivers
-        "ExFreePool", "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeIrp", "IoFreeMdl",
-        "IoFreeErrorLogEntry", "IoFreeWorkItem", "MmFreeContiguousMemory",
-        "MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory", "MmFreeMappingAddress",
-        "MmFreePagesFromMdl", "MmUnmapReservedMapping", "MmUnmapLockedPages",
-        "NdisFreeGenericObject", "NdisFreeMemory", "NdisFreeMemoryWithTag", "NdisFreeMdl",
-        "NdisFreeNetBufferListPool", "NdisFreeNetBufferPool",
-        // --- Windows Global / Local legacy allocation
-        "LocalFree", "GlobalFree", "LocalReAlloc", "GlobalReAlloc",
-        // --- Windows System Services allocation
-        "VirtualFree",
-        // --- Windows COM allocation
-        "CoTaskMemFree", "CoTaskMemRealloc",
-        // --- Windows Automation
-        "SysFreeString",
-        // --- Solaris/BSD kernel memory allocator
-        "kmem_free"
-      ]) and
-    freedArg = 0
-    or
-    this.hasGlobalOrStdName([
-        // --- Windows Memory Management for Windows Drivers
-        "ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList",
-        "NdisFreeMemoryWithTagPriority", "StorPortFreeMdl", "StorPortFreePool",
-        // --- NetBSD pool manager
-        "pool_put", "pool_cache_put"
-      ]) and
-    freedArg = 1
-    or
-    this.hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and
-    freedArg = 2
-  }
-
-  override int getFreedArg() { result = freedArg }
-}
-
 /**
 * Holds if `f` is an deallocation function according to the
 * extensible `deallocationFunctionModel` predicate.