CPP: Support taint to return value derefs instead.

cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll

@@ -602,14 +602,9 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
       exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn |
         call.getTarget() = f and
         f.hasDataFlow(inModel, outModel) and
-        fromExpr = call.getArgument(iIn) and
-        (
-          inModel.isParameter(iIn) and
-          outModel.isReturnValue()
-          or
-          inModel.isParameterDeref(iIn) and
-          outModel.isReturnValueDeref()
-        )
+        outModel.isReturnValue() and
+        inModel.isParameter(iIn) and
+        fromExpr = call.getArgument(iIn)
       )
     )
 }

cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -69,6 +69,8 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   or
   // Taint can flow through modeled functions
   exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
+  or
+  exprToExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
 }
 
 /**
@@ -118,6 +120,36 @@ private predicate noFlowFromChildExpr(Expr e) {
   e instanceof FieldAccess
 }
 
+private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
+  exists(DataFlowFunction f, Call call, FunctionOutput outModel |
+    call.getTarget() = f and
+    exprOut = call and
+    outModel.isReturnValueDeref() and
+    exists(int argInIndex, FunctionInput inModel | f.hasDataFlow(inModel, outModel) |
+      // Taint flows from a pointer to a dereference, which DataFlow does not handle
+      // dest_ptr = strdup(tainted_ptr)
+      inModel.isParameterDeref(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+    )
+  )
+  or
+  exists(TaintFunction f, Call call, FunctionOutput outModel |
+    call.getTarget() = f and
+    exprOut = call and
+    outModel.isReturnValueDeref() and
+    exists(int argInIndex, FunctionInput inModel | f.hasTaintFlow(inModel, outModel) |
+      inModel.isParameterDeref(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+      or
+      inModel.isParameterDeref(argInIndex) and
+      call.passesByReference(argInIndex, exprIn)
+      or
+      inModel.isParameter(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+    )
+  )
+}
+
 private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
   exists(DataFlowFunction f, Call call, FunctionOutput outModel, int argOutIndex |
     call.getTarget() = f and

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -144,7 +144,7 @@
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:171:8:171:13 | buffer |  |
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:172:10:172:15 | buffer |  |
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
-| taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:3:170:8 | call to strcpy |  |
+| taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:3:170:8 | call to strcpy | TAINT |
 | taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:10:170:15 | ref arg buffer | TAINT |
 | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:172:10:172:15 | buffer |  |
 | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
@@ -164,9 +164,9 @@
 | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:194:2:194:7 | call to memcpy |  |
 | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:195:7:195:7 | x |  |
 | taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... |  |
-| taint.cpp:194:13:194:18 | ref arg source | taint.cpp:194:2:194:7 | call to memcpy |  |
-| taint.cpp:194:13:194:18 | source | taint.cpp:194:2:194:7 | call to memcpy |  |
+| taint.cpp:194:13:194:18 | source | taint.cpp:194:2:194:7 | call to memcpy | TAINT |
 | taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
+| taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:2:194:7 | call to memcpy | TAINT |
 | taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... |  |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:210:7:210:7 | x |  |
@@ -331,10 +331,10 @@
 | taint.cpp:365:24:365:29 | source | taint.cpp:371:14:371:19 | source |  |
 | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:369:2:369:19 | ... = ... |  |
 | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:372:7:372:7 | a |  |
-| taint.cpp:369:13:369:18 | source | taint.cpp:369:6:369:11 | call to strdup |  |
+| taint.cpp:369:13:369:18 | source | taint.cpp:369:6:369:11 | call to strdup | TAINT |
 | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:370:2:370:27 | ... = ... |  |
 | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:373:7:373:7 | b |  |
-| taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup |  |
+| taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup | TAINT |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c |  |
 | taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source |  |
@@ -343,7 +343,7 @@
 | taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a |  |
-| taint.cpp:389:13:389:18 | source | taint.cpp:389:6:389:11 | call to wcsdup |  |
+| taint.cpp:389:13:389:18 | source | taint.cpp:389:6:389:11 | call to wcsdup | TAINT |
 | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:390:2:390:28 | ... = ... |  |
 | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:392:7:392:7 | b |  |
-| taint.cpp:390:13:390:27 | hello, world | taint.cpp:390:6:390:11 | call to wcsdup |  |
+| taint.cpp:390:13:390:27 | hello, world | taint.cpp:390:6:390:11 | call to wcsdup | TAINT |