hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16797 from MathiasVP/yml-for-allocation-and-deallocation

Browse Source 
C++: Add extensible predicates to `Allocation` and `Deallocation`
This commit is contained in:
Mathias Vorreiter Pedersen
2024-06-24 15:34:27 +01:00
committed by GitHub
parent 25d520a7f1 36d59cef7e
commit 5b1b60cc92
16 changed files with 280 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/lib/change-notes/2024-06-20-extensible-allocation-deallocation.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* It is now possible to extend the classes `AllocationFunction` and `DeallocationFunction` via data extensions. Extensions of these classes should be added to the `lib/ext/allocation` and `lib/ext/deallocation` directories respectively.

7
cpp/ql/lib/ext/allocation/Bsd.allocation.model.yml Normal file
View File

@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: allocationFunctionModel
data:
- ["", "", False, "kmem_alloc", "0", "", "", True]
- ["", "", False, "kmem_zalloc", "0", "", "", True]

7
cpp/ql/lib/ext/allocation/Glibc.allocation.model.yml Normal file
View File

@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: allocationFunctionModel
data:
- ["", "", False, "g_malloc", "0", "", "", True]
- ["", "", False, "g_try_malloc", "0", "", "", True]

10
cpp/ql/lib/ext/allocation/OpenSSL.allocation.model.yml Normal file
View File

@@ -0,0 +1,10 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: allocationFunctionModel
data:
- ["", "", False, "CRYPTO_malloc", "0", "", "", True]
- ["", "", False, "CRYPTO_zalloc", "0", "", "", True]
- ["", "", False, "CRYPTO_secure_malloc", "0", "", "", True]
- ["", "", False, "CRYPTO_secure_zalloc", "0", "", "", True]

15
cpp/ql/lib/ext/allocation/Std.allocation.model.yml Normal file
View File

@@ -0,0 +1,15 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: allocationFunctionModel
data:
- ["", "", False, "malloc", "0", "", "", True]
- ["std", "", False, "malloc", "0", "", "", True]
- ["bsl", "", False, "malloc", "0", "", "", True]
- ["", "", False, "alloca", "0", "", "", False]
- ["", "", False, "__builtin_alloca", "0", "", "", False]
- ["", "", False, "_alloca", "0", "", "", False]
- ["", "", False, "_malloca", "0", "", "", False]
- ["", "", False, "calloc", "1", "0", "", True]
- ["std", "", False, "calloc", "1", "0", "", True]
- ["bsl", "", False, "calloc", "1", "0", "", True]

29
cpp/ql/lib/ext/allocation/Windows.allocation.model.yml Normal file
View File

@@ -0,0 +1,29 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: allocationFunctionModel
data:
- ["", "", False, "MmAllocateContiguousMemory", "0", "", "", True]
- ["", "", False, "MmAllocateContiguousNodeMemory", "0", "", "", True]
- ["", "", False, "MmAllocateContiguousMemorySpecifyCache", "0", "", "", True]
- ["", "", False, "MmAllocateContiguousMemorySpecifyCacheNode", "0", "", "", True]
- ["", "", False, "MmAllocateNonCachedMemory", "0", "", "", True]
- ["", "", False, "MmAllocateMappingAddress", "0", "", "", True]
- ["", "", False, "CoTaskMemAlloc", "0", "", "", True]
- ["", "", False, "ExAllocatePool", "1", "", "", True]
- ["", "", False, "ExAllocatePool2", "1", "", "", True]
- ["", "", False, "ExAllocatePool3", "1", "", "", True]
- ["", "", False, "ExAllocatePoolWithTag", "1", "", "", True]
- ["", "", False, "ExAllocatePoolWithTagPriority", "1", "", "", True]
- ["", "", False, "ExAllocatePoolWithQuota", "1", "", "", True]
- ["", "", False, "ExAllocatePoolWithQuotaTag", "1", "", "", True]
- ["", "", False, "ExAllocatePoolZero", "1", "", "", True]
- ["", "", False, "IoAllocateMdl", "1", "", "", True]
- ["", "", False, "IoAllocateErrorLogEntry", "1", "", "", True]
- ["", "", False, "LocalAlloc", "1", "", "", True]
- ["", "", False, "GlobalAlloc", "1", "", "", True]
- ["", "", False, "VirtualAlloc", "1", "", "", True]
- ["", "", False, "HeapAlloc", "2", "", "", True]
- ["", "", False, "MmAllocatePagesForMdl", "3", "", "", True]
- ["", "", False, "MmAllocatePagesForMdlEx", "3", "", "", True]
- ["", "", False, "MmAllocateNodePagesForMdlEx", "3", "", "", True]

5
cpp/ql/lib/ext/allocation/empty.allocation.model.yml Normal file
View File

@@ -0,0 +1,5 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: allocationFunctionModel
data: []

8
cpp/ql/lib/ext/deallocation/Bsd.deallocation.model.yml Normal file
View File

@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: deallocationFunctionModel
data:
- ["", "", False, "pool_put", "1"]
- ["", "", False, "pool_cache_put", "1"]
- ["", "", False, "kmem_free", "0"]

42
cpp/ql/lib/ext/deallocation/Std.deallocation.model.yml Normal file
View File

@@ -0,0 +1,42 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: deallocationFunctionModel
data:
- ["", "", False, "free", "0"]
- ["std", "", False, "free", "0"]
- ["bsl", "", False, "free", "0"]
- ["", "", False, "realloc", "0"]
- ["std", "", False, "realloc", "0"]
- ["bsl", "", False, "realloc", "0"]
- ["", "", False, "CRYPTO_free", "0"]
- ["", "", False, "CRYPTO_secure_free", "0"]
- ["", "", False, "g_free", "0"]
- ["", "", False, "ExFreePool", "0"]
- ["", "", False, "ExFreePoolWithTag", "0"]
- ["", "", False, "ExDeleteTimer", "0"]
- ["", "", False, "IoFreeIrp", "0"]
- ["", "", False, "IoFreeMdl", "0"]
- ["", "", False, "IoFreeErrorLogEntry", "0"]
- ["", "", False, "IoFreeWorkItem", "0"]
- ["", "", False, "MmFreeContiguousMemory", "0"]
- ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
- ["", "", False, "MmFreeNonCachedMemory", "0"]
- ["", "", False, "MmFreeMappingAddress", "0"]
- ["", "", False, "MmFreePagesFromMdl", "0"]
- ["", "", False, "MmUnmapReservedMapping", "0"]
- ["", "", False, "MmUnmapLockedPages", "0"]
- ["", "", False, "NdisFreeGenericObject", "0"]
- ["", "", False, "NdisFreeMemory", "0"]
- ["", "", False, "NdisFreeMemoryWithTag", "0"]
- ["", "", False, "NdisFreeMdl", "0"]
- ["", "", False, "NdisFreeNetBufferListPool", "0"]
- ["", "", False, "NdisFreeNetBufferPool", "0"]
- ["", "", False, "LocalFree", "0"]
- ["", "", False, "GlobalFree", "0"]
- ["", "", False, "LocalReAlloc", "0"]
- ["", "", False, "GlobalReAlloc", "0"]
- ["", "", False, "VirtualFree", "0"]
- ["", "", False, "CoTaskMemFree", "0"]
- ["", "", False, "CoTaskMemRealloc", "0"]
- ["", "", False, "SysFreeString", "0"]

41
cpp/ql/lib/ext/deallocation/Windows.deallocation.model.yml Normal file
View File

@@ -0,0 +1,41 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: deallocationFunctionModel
data:
- ["", "", False, "ExFreePool", "0"]
- ["", "", False, "ExFreePoolWithTag", "0"]
- ["", "", False, "ExDeleteTimer", "0"]
- ["", "", False, "IoFreeIrp", "0"]
- ["", "", False, "IoFreeMdl", "0"]
- ["", "", False, "IoFreeErrorLogEntry", "0"]
- ["", "", False, "IoFreeWorkItem", "0"]
- ["", "", False, "MmFreeContiguousMemory", "0"]
- ["", "", False, "MmFreeContiguousMemorySpecifyCache", "0"]
- ["", "", False, "MmFreeNonCachedMemory", "0"]
- ["", "", False, "MmFreeMappingAddress", "0"]
- ["", "", False, "MmFreePagesFromMdl", "0"]
- ["", "", False, "MmUnmapReservedMapping", "0"]
- ["", "", False, "MmUnmapLockedPages", "0"]
- ["", "", False, "NdisFreeGenericObject", "0"]
- ["", "", False, "NdisFreeMemory", "0"]
- ["", "", False, "NdisFreeMemoryWithTag", "0"]
- ["", "", False, "NdisFreeMdl", "0"]
- ["", "", False, "NdisFreeNetBufferListPool", "0"]
- ["", "", False, "NdisFreeNetBufferPool", "0"]
- ["", "", False, "LocalFree", "0"]
- ["", "", False, "GlobalFree", "0"]
- ["", "", False, "LocalReAlloc", "0"]
- ["", "", False, "GlobalReAlloc", "0"]
- ["", "", False, "VirtualFree", "0"]
- ["", "", False, "CoTaskMemFree", "0"]
- ["", "", False, "CoTaskMemRealloc", "0"]
- ["", "", False, "SysFreeString", "0"]
- ["", "", False, "ExFreeToLookasideListEx", "1"]
- ["", "", False, "ExFreeToPagedLookasideList", "1"]
- ["", "", False, "ExFreeToNPagedLookasideList", "1"]
- ["", "", False, "NdisFreeMemoryWithTagPriority", "1"]
- ["", "", False, "StorPortFreeMdl", "1"]
- ["", "", False, "StorPortFreePool", "1"]
- ["", "", False, "HeapFree", "2"]
- ["", "", False, "HeapReAlloc", "2"]

5
cpp/ql/lib/ext/deallocation/empty.deallocation.model.yml Normal file
View File

@@ -0,0 +1,5 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: deallocationFunctionModel
data: []

2
cpp/ql/lib/qlpack.yml
View File

@@ -16,4 +16,6 @@ dependencies:
codeql/xml: ${workspace}
dataExtensions:
- ext/*.model.yml
- ext/deallocation/*.model.yml
- ext/allocation/*.model.yml
warnOnImplicitThis: true

170
cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
View File

@@ -7,119 +7,6 @@
import semmle.code.cpp.models.interfaces.Allocation
import semmle.code.cpp.models.interfaces.Taint
/**
* An allocation function (such as `malloc`) that has an argument for the size
* in bytes.
*/
private class MallocAllocationFunction extends AllocationFunction {
int sizeArg;
MallocAllocationFunction() {
// --- C library allocation
this.hasGlobalOrStdOrBslName("malloc") and // malloc(size)
sizeArg = 0
or
this.hasGlobalName([
// --- Windows Memory Management for Windows Drivers
"MmAllocateContiguousMemory", // MmAllocateContiguousMemory(size, maxaddress)
"MmAllocateContiguousNodeMemory", // MmAllocateContiguousNodeMemory(size, minaddress, maxaddress, bound, flag, prefer)
"MmAllocateContiguousMemorySpecifyCache", // MmAllocateContiguousMemorySpecifyCache(size, minaddress, maxaddress, bound, type)
"MmAllocateContiguousMemorySpecifyCacheNode", // MmAllocateContiguousMemorySpecifyCacheNode(size, minaddress, maxaddress, bound, type, prefer)
"MmAllocateNonCachedMemory", // MmAllocateNonCachedMemory(size)
"MmAllocateMappingAddress", // MmAllocateMappingAddress(size, tag)
// --- Windows COM allocation
"CoTaskMemAlloc", // CoTaskMemAlloc(size)
// --- Solaris/BSD kernel memory allocator
"kmem_alloc", // kmem_alloc(size, flags)
"kmem_zalloc", // kmem_zalloc(size, flags)
// --- OpenSSL memory allocation
"CRYPTO_malloc", // CRYPTO_malloc(size_t num, const char *file, int line)
"CRYPTO_zalloc", // CRYPTO_zalloc(size_t num, const char *file, int line)
"CRYPTO_secure_malloc", // CRYPTO_secure_malloc(size_t num, const char *file, int line)
"CRYPTO_secure_zalloc", // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
"g_malloc", // g_malloc (n_bytes);
"g_try_malloc" // g_try_malloc(n_bytes);
]) and
sizeArg = 0
or
this.hasGlobalName([
// --- Windows Memory Management for Windows Drivers
"ExAllocatePool", // ExAllocatePool(type, size)
"ExAllocatePool2", // ExAllocatePool2(flags, size, tag)
"ExAllocatePool3", // ExAllocatePool3(flags, size, tag, extparams, extparamscount)
"ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
"ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
"ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
"ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
"ExAllocatePoolZero", // ExAllocatePoolZero(type, size, tag)
"IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
"IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
// --- Windows Global / Local legacy allocation
"LocalAlloc", // LocalAlloc(flags, size)
"GlobalAlloc", // GlobalAlloc(flags, size)
// --- Windows System Services allocation
"VirtualAlloc" // VirtualAlloc(address, size, type, flag)
]) and
sizeArg = 1
or
this.hasGlobalName("HeapAlloc") and // HeapAlloc(heap, flags, size)
sizeArg = 2
or
this.hasGlobalName([
// --- Windows Memory Management for Windows Drivers
"MmAllocatePagesForMdl", // MmAllocatePagesForMdl(minaddress, maxaddress, skip, size)
"MmAllocatePagesForMdlEx", // MmAllocatePagesForMdlEx(minaddress, maxaddress, skip, size, type, flags)
"MmAllocateNodePagesForMdlEx" // MmAllocateNodePagesForMdlEx(minaddress, maxaddress, skip, size, type, prefer, flags)
]) and
sizeArg = 3
}
override int getSizeArg() { result = sizeArg }
}
/**
* An allocation function (such as `alloca`) that does not require a
* corresponding free (and has an argument for the size in bytes).
*/
private class AllocaAllocationFunction extends AllocationFunction {
int sizeArg;
AllocaAllocationFunction() {
this.hasGlobalName([
// --- stack allocation
"alloca", // // alloca(size)
"__builtin_alloca", // __builtin_alloca(size)
"_alloca", // _alloca(size)
"_malloca" // _malloca(size)
]) and
sizeArg = 0
}
override int getSizeArg() { result = sizeArg }
override predicate requiresDealloc() { none() }
}
/**
* An allocation function (such as `calloc`) that has an argument for the size
* and another argument for the size of those units (in bytes).
*/
private class CallocAllocationFunction extends AllocationFunction {
int sizeArg;
int multArg;
CallocAllocationFunction() {
// --- C library allocation
this.hasGlobalOrStdOrBslName("calloc") and // calloc(num, size)
sizeArg = 1 and
multArg = 0
}
override int getSizeArg() { result = sizeArg }
override int getSizeMult() { result = multArg }
}
/**
* An allocation function (such as `realloc`) that has an argument for the size
* in bytes, and an argument for an existing pointer that is to be reallocated.
@@ -373,6 +260,63 @@ private class NewArrayAllocationExpr extends AllocationExpr, NewArrayExpr {
override predicate requiresDealloc() { not exists(this.getPlacementPointer()) }
}
/**
* Holds if `f` is an allocation function according to the
* extensible `allocationFunctionModel` predicate.
*/
private predicate isAllocationFunctionFromModel(
Function f, string namespace, string type, string name
) {
exists(boolean subtypes | allocationFunctionModel(namespace, type, subtypes, name, _, _, _, _) |
if type = ""
then f.hasQualifiedName(namespace, "", name)
else
exists(Class c |
c.hasQualifiedName(namespace, type) and f.hasQualifiedName(namespace, _, name)
|
if subtypes = true
then f = c.getADerivedClass*().getAMemberFunction()
else f = c.getAMemberFunction()
)
)
}
/**
* An allocation function modeled via the extensible `allocationFunctionModel` predicate.
*/
private class AllocationFunctionFromModel extends AllocationFunction {
string namespace;
string type;
string name;
AllocationFunctionFromModel() { isAllocationFunctionFromModel(this, namespace, type, name) }
final override int getSizeArg() {
exists(string sizeArg |
allocationFunctionModel(namespace, type, _, name, sizeArg, _, _, _) and
result = sizeArg.toInt()
)
}
final override int getSizeMult() {
exists(string sizeMult |
allocationFunctionModel(namespace, type, _, name, _, sizeMult, _, _) and
result = sizeMult.toInt()
)
}
final override int getReallocPtrArg() {
exists(string reallocPtrArg |
allocationFunctionModel(namespace, type, _, name, _, _, reallocPtrArg, _) and
result = reallocPtrArg.toInt()
)
}
final override predicate requiresDealloc() {
allocationFunctionModel(namespace, type, _, name, _, _, _, true)
}
}
private module HeuristicAllocation {
/** A class that maps an `AllocationExpr` to an `HeuristicAllocationExpr`. */
private class HeuristicAllocationModeled extends HeuristicAllocationExpr instanceof AllocationExpr

85
cpp/ql/lib/semmle/code/cpp/models/implementations/Deallocation.qll
View File

@@ -7,61 +7,42 @@
import semmle.code.cpp.models.interfaces.Deallocation
/**
* A deallocation function such as `free`.
* Holds if `f` is an deallocation function according to the
* extensible `deallocationFunctionModel` predicate.
*/
private class StandardDeallocationFunction extends DeallocationFunction {
int freedArg;
private predicate isDeallocationFunctionFromModel(
Function f, string namespace, string type, string name
) {
exists(boolean subtypes | deallocationFunctionModel(namespace, type, subtypes, name, _) |
if type = ""
then f.hasQualifiedName(namespace, "", name)
else
exists(Class c |
c.hasQualifiedName(namespace, type) and f.hasQualifiedName(namespace, _, name)
|
if subtypes = true
then f = c.getADerivedClass*().getAMemberFunction()
else f = c.getAMemberFunction()
)
)
}
StandardDeallocationFunction() {
this.hasGlobalOrStdOrBslName([
// --- C library allocation
"free", "realloc"
]) and
freedArg = 0
or
this.hasGlobalName([
// --- OpenSSL memory deallocation
"CRYPTO_free", "CRYPTO_secure_free",
// --- glib memory deallocation
"g_free"
]) and
freedArg = 0
or
this.hasGlobalOrStdName([
// --- Windows Memory Management for Windows Drivers
"ExFreePool", "ExFreePoolWithTag", "ExDeleteTimer", "IoFreeIrp", "IoFreeMdl",
"IoFreeErrorLogEntry", "IoFreeWorkItem", "MmFreeContiguousMemory",
"MmFreeContiguousMemorySpecifyCache", "MmFreeNonCachedMemory", "MmFreeMappingAddress",
"MmFreePagesFromMdl", "MmUnmapReservedMapping", "MmUnmapLockedPages",
"NdisFreeGenericObject", "NdisFreeMemory", "NdisFreeMemoryWithTag", "NdisFreeMdl",
"NdisFreeNetBufferListPool", "NdisFreeNetBufferPool",
// --- Windows Global / Local legacy allocation
"LocalFree", "GlobalFree", "LocalReAlloc", "GlobalReAlloc",
// --- Windows System Services allocation
"VirtualFree",
// --- Windows COM allocation
"CoTaskMemFree", "CoTaskMemRealloc",
// --- Windows Automation
"SysFreeString",
// --- Solaris/BSD kernel memory allocator
"kmem_free"
]) and
freedArg = 0
or
this.hasGlobalOrStdName([
// --- Windows Memory Management for Windows Drivers
"ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList",
"NdisFreeMemoryWithTagPriority", "StorPortFreeMdl", "StorPortFreePool",
// --- NetBSD pool manager
"pool_put", "pool_cache_put"
]) and
freedArg = 1
or
this.hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and
freedArg = 2
/**
* A deallocation function modeled via the extensible `deallocationFunctionModel` predicate.
*/
private class DeallocationFunctionFromModel extends DeallocationFunction {
string namespace;
string type;
string name;
DeallocationFunctionFromModel() { isDeallocationFunctionFromModel(this, namespace, type, name) }
final override int getFreedArg() {
exists(string freedArg |
deallocationFunctionModel(namespace, type, _, name, freedArg) and
result = freedArg.toInt()
)
}
override int getFreedArg() { result = freedArg }
}
/**

8
cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll
View File

@@ -89,6 +89,14 @@ abstract class AllocationFunction extends Function {
predicate requiresDealloc() { any() }
}
/**
* Holds if an external allocation model exists for the given parameters.
*/
extensible predicate allocationFunctionModel(
string namespace, string type, boolean subtypes, string name, string sizeArg, string multArg,
string reallocPtrArg, boolean requiresDealloc
);
/**
* An `operator new` or `operator new[]` function that may be associated with
* `new` or `new[]` expressions. Note that `new` and `new[]` are not function

7
cpp/ql/lib/semmle/code/cpp/models/interfaces/Deallocation.qll
View File

@@ -34,6 +34,13 @@ abstract class DeallocationFunction extends Function {
int getFreedArg() { none() }
}
/**
* Holds if an external deallocation model exists for the given parameters.
*/
extensible predicate deallocationFunctionModel(
string namespace, string type, boolean subtypes, string name, string freedArg
);
/**
* An `operator delete` or `operator delete[]` function that may be associated
* with `delete` or `delete[]` expressions. Note that `delete` and `delete[]`