hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into dbartol/NoEscape

Browse Source
This commit is contained in:
Dave Bartolomeo
2020-01-27 13:29:18 -07:00
parent 40952f85a9 79a72a3496
commit 3b3502060b
35 changed files with 522 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -132,6 +132,9 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
// dest_ptr = strdup(tainted_ptr)
inModel.isParameterDeref(argInIndex) and
exprIn = call.getArgument(argInIndex)
or
inModel.isParameter(argInIndex) and
exprIn = call.getArgument(argInIndex)
)
)
or
@@ -173,6 +176,9 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
// memcpy(&dest_var, tainted_ptr, len)
inModel.isParameterDeref(argInIndex) and
exprIn = call.getArgument(argInIndex)
or
inModel.isParameter(argInIndex) and
exprIn = call.getArgument(argInIndex)
)
)
or

5
cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
View File

@@ -83,6 +83,11 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
override predicate hasOnlySpecificReadSideEffects() { none() }
override predicate hasOnlySpecificWriteSideEffects() { any() }
override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
getParameter(i).getUnspecifiedType() instanceof PointerType and
buffer = true
}
}
class PureFunction extends TaintFunction, SideEffectFunction {

24
cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
View File

@@ -47,20 +47,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
}
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
(
// These always copy the full value of the input buffer to the output
// buffer
this.hasName("strcpy") or
this.hasName("_mbscpy") or
this.hasName("wcscpy")
) and
(
input.isParameterDeref(1) and
output.isParameterDeref(0)
or
input.isParameterDeref(1) and
output.isReturnValueDeref()
)
input.isParameterDeref(1) and
output.isParameterDeref(0)
or
input.isParameterDeref(1) and
output.isReturnValueDeref()
or
input.isParameter(0) and
output.isReturnValue()
@@ -77,10 +68,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
this.hasName("wcsncpy") or
this.hasName("_wcsncpy_l")
) and
(
input.isParameter(2) or
input.isParameterDeref(1)
) and
input.isParameter(2) and
(
output.isParameterDeref(0) or
output.isReturnValueDeref()

34
cpp/ql/src/semmle/code/cpp/models/implementations/Strdup.qll
View File

@@ -9,17 +9,14 @@ import semmle.code.cpp.models.interfaces.Taint
class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
StrdupFunction() {
exists(string name |
hasGlobalOrStdName(name) and
hasGlobalName(name) and
(
// strdup(str)
name = "strdup"
or
// wcsdup(str)
name = "wcsdup"
)
or
hasGlobalName(name) and
(
or
// _strdup(str)
name = "_strdup"
or
@@ -37,9 +34,32 @@ class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction
override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
// These always copy the full value of the input buffer to the result
// buffer
input.isParameterDeref(0) and
output.isReturnValueDeref()
}
}
/**
* A `strndup` style allocation function.
*/
class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
StrndupFunction() {
exists(string name |
hasGlobalName(name) and
// strndup(str, maxlen)
name = "strndup"
)
}
override predicate hasArrayInput(int bufParam) { bufParam = 0 }
override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
(
input.isParameterDeref(0) or
input.isParameter(1)
) and
output.isReturnValueDeref()
}
}

4
cpp/ql/src/semmle/code/cpp/models/interfaces/DataFlow.qll
View File

@@ -12,8 +12,8 @@ import FunctionInputsAndOutputs
import semmle.code.cpp.models.Models
/**
* A library function for which a value is copied from a parameter or qualifier
* to an output buffer, return value, or qualifier.
* A library function for which a value is or may be copied from a parameter
* or qualifier to an output buffer, return value, or qualifier.
*
* Note that this does not include partial copying of values or partial writes
* to destinations; that is covered by `TaintModel.qll`.

4
cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
View File

@@ -16,7 +16,9 @@ import semmle.code.cpp.models.Models
* from a parameter or qualifier to an output buffer, return value, or qualifier.
*
* Note that this does not include direct copying of values; that is covered by
* DataFlowModel.qll
* DataFlowModel.qll. If a value is sometimes copied in full, and sometimes
* altered (for example copying a string with `strncpy`), this is also considered
* data flow.
*/
abstract class TaintFunction extends Function {
abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);

4
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -337,9 +337,13 @@
| taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup | TAINT |
| taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... | |
| taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c | |
| taint.cpp:371:14:371:19 | source | taint.cpp:371:6:371:12 | call to strndup | TAINT |
| taint.cpp:371:22:371:24 | 100 | taint.cpp:371:6:371:12 | call to strndup | TAINT |
| taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source | |
| taint.cpp:381:6:381:12 | call to strndup | taint.cpp:381:2:381:36 | ... = ... | |
| taint.cpp:381:6:381:12 | call to strndup | taint.cpp:382:7:382:7 | a | |
| taint.cpp:381:14:381:27 | hello, world | taint.cpp:381:6:381:12 | call to strndup | TAINT |
| taint.cpp:381:30:381:35 | source | taint.cpp:381:6:381:12 | call to strndup | TAINT |
| taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source | |
| taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... | |
| taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a | |

4
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -371,7 +371,7 @@ void test_strdup(char *source)
c = strndup(source, 100);
sink(a); // tainted
sink(b);
sink(c); // tainted [NOT DETECTED]
sink(c); // tainted
}
void test_strndup(int source)
@@ -379,7 +379,7 @@ void test_strndup(int source)
char *a;
a = strndup("hello, world", source);
sink(a);
sink(a); // tainted
}
void test_wcsdup(wchar_t *source)

2
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -38,6 +38,8 @@
| taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source |
| taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
| taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
| taint.cpp:374:7:374:7 | c | taint.cpp:365:24:365:29 | source |
| taint.cpp:382:7:382:7 | a | taint.cpp:377:23:377:28 | source |
| taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
| taint.cpp:423:7:423:7 | a | taint.cpp:422:14:422:19 | call to source |
| taint.cpp:424:9:424:17 | call to getMember | taint.cpp:422:14:422:19 | call to source |

2
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -23,6 +23,8 @@
| taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
| taint.cpp:374:7:374:7 | taint.cpp:365:24:365:29 | AST only |
| taint.cpp:382:7:382:7 | taint.cpp:377:23:377:28 | AST only |
| taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
| taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
| taint.cpp:424:9:424:17 | taint.cpp:422:14:422:19 | AST only |

15
cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
View File

@@ -850,23 +850,26 @@ ssa.cpp:
# 199| r199_8(char *) = Convert : r199_7
# 199| r199_9(int) = Call : func:r199_2, 0:r199_5, 1:r199_8
# 199| v199_10(void) = ^CallReadSideEffect : ~m198_13
# 199| m199_11(int) = Store : &:r199_1, r199_9
# 199| v199_11(void) = ^BufferReadSideEffect[0] : &:r199_5, ~m198_13
# 199| v199_12(void) = ^BufferReadSideEffect[1] : &:r199_8, ~m198_13
# 199| m199_13(int) = Store : &:r199_1, r199_9
# 200| r200_1(glval<unknown>) = FunctionAddress[strlen] :
# 200| r200_2(glval<char *>) = VariableAddress[str1] :
# 200| r200_3(char *) = Load : &:r200_2, m198_5
# 200| r200_4(char *) = Convert : r200_3
# 200| r200_5(int) = Call : func:r200_1, 0:r200_4
# 200| v200_6(void) = ^CallReadSideEffect : ~m198_13
# 200| r200_7(glval<int>) = VariableAddress[ret] :
# 200| r200_8(int) = Load : &:r200_7, m199_11
# 200| r200_9(int) = Add : r200_8, r200_5
# 200| m200_10(int) = Store : &:r200_7, r200_9
# 200| v200_7(void) = ^BufferReadSideEffect[0] : &:r200_4, ~m198_13
# 200| r200_8(glval<int>) = VariableAddress[ret] :
# 200| r200_9(int) = Load : &:r200_8, m199_13
# 200| r200_10(int) = Add : r200_9, r200_5
# 200| m200_11(int) = Store : &:r200_8, r200_10
# 201| r201_1(glval<unknown>) = FunctionAddress[abs] :
# 201| r201_2(glval<int>) = VariableAddress[x] :
# 201| r201_3(int) = Load : &:r201_2, m198_15
# 201| r201_4(int) = Call : func:r201_1, 0:r201_3
# 201| r201_5(glval<int>) = VariableAddress[ret] :
# 201| r201_6(int) = Load : &:r201_5, m200_10
# 201| r201_6(int) = Load : &:r201_5, m200_11
# 201| r201_7(int) = Add : r201_6, r201_4
# 201| m201_8(int) = Store : &:r201_5, r201_7
# 202| r202_1(glval<int>) = VariableAddress[#return] :

15
cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
View File

@@ -808,23 +808,26 @@ ssa.cpp:
# 199| r199_8(char *) = Convert : r199_7
# 199| r199_9(int) = Call : func:r199_2, 0:r199_5, 1:r199_8
# 199| v199_10(void) = ^CallReadSideEffect : ~mu198_3
# 199| m199_11(int) = Store : &:r199_1, r199_9
# 199| v199_11(void) = ^BufferReadSideEffect[0] : &:r199_5, ~mu198_3
# 199| v199_12(void) = ^BufferReadSideEffect[1] : &:r199_8, ~mu198_3
# 199| m199_13(int) = Store : &:r199_1, r199_9
# 200| r200_1(glval<unknown>) = FunctionAddress[strlen] :
# 200| r200_2(glval<char *>) = VariableAddress[str1] :
# 200| r200_3(char *) = Load : &:r200_2, m198_5
# 200| r200_4(char *) = Convert : r200_3
# 200| r200_5(int) = Call : func:r200_1, 0:r200_4
# 200| v200_6(void) = ^CallReadSideEffect : ~mu198_3
# 200| r200_7(glval<int>) = VariableAddress[ret] :
# 200| r200_8(int) = Load : &:r200_7, m199_11
# 200| r200_9(int) = Add : r200_8, r200_5
# 200| m200_10(int) = Store : &:r200_7, r200_9
# 200| v200_7(void) = ^BufferReadSideEffect[0] : &:r200_4, ~mu198_3
# 200| r200_8(glval<int>) = VariableAddress[ret] :
# 200| r200_9(int) = Load : &:r200_8, m199_13
# 200| r200_10(int) = Add : r200_9, r200_5
# 200| m200_11(int) = Store : &:r200_8, r200_10
# 201| r201_1(glval<unknown>) = FunctionAddress[abs] :
# 201| r201_2(glval<int>) = VariableAddress[x] :
# 201| r201_3(int) = Load : &:r201_2, m198_13
# 201| r201_4(int) = Call : func:r201_1, 0:r201_3
# 201| r201_5(glval<int>) = VariableAddress[ret] :
# 201| r201_6(int) = Load : &:r201_5, m200_10
# 201| r201_6(int) = Load : &:r201_5, m200_11
# 201| r201_7(int) = Add : r201_6, r201_4
# 201| m201_8(int) = Store : &:r201_5, r201_7
# 202| r202_1(glval<int>) = VariableAddress[#return] :

2
cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected
View File

@@ -108,7 +108,7 @@ instructionWithoutSuccessor
| stmt_in_type.cpp:5:53:5:53 | Constant: 1 |
| vla.c:5:9:5:14 | Uninitialized: definition of matrix |
| vla.c:5:16:5:19 | Load: argc |
| vla.c:5:22:5:25 | CallReadSideEffect: call to atoi |
| vla.c:5:27:5:33 | BufferReadSideEffect: (const char *)... |
| vla.c:11:6:11:16 | UnmodeledDefinition: vla_typedef |
| vla.c:12:33:12:44 | Add: ... + ... |
| vla.c:12:50:12:62 | Mul: ... * ... |