C++: Replace allocation models with models from extensible predicates.

2025-12-17 01:03:14 +01:00 · 2024-06-20 14:35:48 +01:00
parent d308178781
commit 6bf22bda58
7 changed files with 73 additions and 113 deletions
--- a/cpp/ql/lib/ext/allocation/Bsd.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/Bsd.allocation.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "kmem_alloc", "0", "", "", True]
+      - ["", "", False, "kmem_zalloc", "0", "", "", True]
--- a/cpp/ql/lib/ext/allocation/Glibc.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/Glibc.allocation.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "g_malloc", "0", "", "", True]
+      - ["", "", False, "g_try_malloc", "0", "", "", True]
--- a/cpp/ql/lib/ext/allocation/OpenSSL.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/OpenSSL.allocation.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "CRYPTO_malloc", "0", "", "", True]
+      - ["", "", False, "CRYPTO_zalloc", "0", "", "", True]
+      - ["", "", False, "CRYPTO_secure_malloc", "0", "", "", True]
+      - ["", "", False, "CRYPTO_secure_zalloc", "0", "", "", True]
+
--- a/cpp/ql/lib/ext/allocation/Std.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/Std.allocation.model.yml
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "malloc", "0", "", "", True]
+      - ["std", "", False, "malloc", "0", "", "", True]
+      - ["bsl", "", False, "malloc", "0", "", "", True]
+      - ["", "", False, "alloca", "0", "", "", False]
+      - ["", "", False, "__builtin_alloca", "0", "", "", False]
+      - ["", "", False, "_alloca", "0", "", "", False]
+      - ["", "", False, "_malloca", "0", "", "", False]
+      - ["", "", False, "calloc", "1", "0", "", True]
+      - ["std", "", False, "calloc", "1", "0", "", True]
+      - ["bsl", "", False, "calloc", "1", "0", "", True]
--- a/cpp/ql/lib/ext/allocation/Windows.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/Windows.allocation.model.yml
@@ -0,0 +1,29 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data:
+      - ["", "", False, "MmAllocateContiguousMemory", "0", "", "", True]
+      - ["", "", False, "MmAllocateContiguousNodeMemory", "0", "", "", True]
+      - ["", "", False, "MmAllocateContiguousMemorySpecifyCache", "0", "", "", True]
+      - ["", "", False, "MmAllocateContiguousMemorySpecifyCacheNode", "0", "", "", True]
+      - ["", "", False, "MmAllocateNonCachedMemory", "0", "", "", True]
+      - ["", "", False, "MmAllocateMappingAddress", "0", "", "", True]
+      - ["", "", False, "CoTaskMemAlloc", "0", "", "", True]
+      - ["", "", False, "ExAllocatePool", "1", "", "", True]
+      - ["", "", False, "ExAllocatePool2", "1", "", "", True]
+      - ["", "", False, "ExAllocatePool3", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithTag", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithTagPriority", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithQuota", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolWithQuotaTag", "1", "", "", True]
+      - ["", "", False, "ExAllocatePoolZero", "1", "", "", True]
+      - ["", "", False, "IoAllocateMdl", "1", "", "", True]
+      - ["", "", False, "IoAllocateErrorLogEntry", "1", "", "", True]
+      - ["", "", False, "LocalAlloc", "1", "", "", True]
+      - ["", "", False, "GlobalAlloc", "1", "", "", True]
+      - ["", "", False, "VirtualAlloc", "1", "", "", True]
+      - ["", "", False, "HeapAlloc", "2", "", "", True]
+      - ["", "", False, "MmAllocatePagesForMdl", "3", "", "", True]
+      - ["", "", False, "MmAllocatePagesForMdlEx", "3", "", "", True]
+      - ["", "", False, "MmAllocateNodePagesForMdlEx", "3", "", "", True]
--- a/cpp/ql/lib/ext/allocation/empty.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/empty.allocation.model.yml
@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: allocationFunctionModel
+    data: []
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll
@@ -7,119 +7,6 @@
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.models.interfaces.Taint

-/**
- * An allocation function (such as `malloc`) that has an argument for the size
- * in bytes.
- */
-private class MallocAllocationFunction extends AllocationFunction {
-  int sizeArg;
-
-  MallocAllocationFunction() {
-    // --- C library allocation
-    this.hasGlobalOrStdOrBslName("malloc") and // malloc(size)
-    sizeArg = 0
-    or
-    this.hasGlobalName([
-        // --- Windows Memory Management for Windows Drivers
-        "MmAllocateContiguousMemory", // MmAllocateContiguousMemory(size, maxaddress)
-        "MmAllocateContiguousNodeMemory", // MmAllocateContiguousNodeMemory(size, minaddress, maxaddress, bound, flag, prefer)
-        "MmAllocateContiguousMemorySpecifyCache", // MmAllocateContiguousMemorySpecifyCache(size, minaddress, maxaddress, bound, type)
-        "MmAllocateContiguousMemorySpecifyCacheNode", // MmAllocateContiguousMemorySpecifyCacheNode(size, minaddress, maxaddress, bound, type, prefer)
-        "MmAllocateNonCachedMemory", // MmAllocateNonCachedMemory(size)
-        "MmAllocateMappingAddress", // MmAllocateMappingAddress(size, tag)
-        // --- Windows COM allocation
-        "CoTaskMemAlloc", // CoTaskMemAlloc(size)
-        // --- Solaris/BSD kernel memory allocator
-        "kmem_alloc", // kmem_alloc(size, flags)
-        "kmem_zalloc", // kmem_zalloc(size, flags)
-        // --- OpenSSL memory allocation
-        "CRYPTO_malloc", // CRYPTO_malloc(size_t num, const char *file, int line)
-        "CRYPTO_zalloc", // CRYPTO_zalloc(size_t num, const char *file, int line)
-        "CRYPTO_secure_malloc", // CRYPTO_secure_malloc(size_t num, const char *file, int line)
-        "CRYPTO_secure_zalloc", // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
-        "g_malloc", // g_malloc (n_bytes);
-        "g_try_malloc" // g_try_malloc(n_bytes);
-      ]) and
-    sizeArg = 0
-    or
-    this.hasGlobalName([
-        // --- Windows Memory Management for Windows Drivers
-        "ExAllocatePool", // ExAllocatePool(type, size)
-        "ExAllocatePool2", // ExAllocatePool2(flags, size, tag)
-        "ExAllocatePool3", // ExAllocatePool3(flags, size, tag, extparams, extparamscount)
-        "ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
-        "ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
-        "ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
-        "ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
-        "ExAllocatePoolZero", // ExAllocatePoolZero(type, size, tag)
-        "IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
-        "IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
-        // --- Windows Global / Local legacy allocation
-        "LocalAlloc", // LocalAlloc(flags, size)
-        "GlobalAlloc", // GlobalAlloc(flags, size)
-        // --- Windows System Services allocation
-        "VirtualAlloc" // VirtualAlloc(address, size, type, flag)
-      ]) and
-    sizeArg = 1
-    or
-    this.hasGlobalName("HeapAlloc") and // HeapAlloc(heap, flags, size)
-    sizeArg = 2
-    or
-    this.hasGlobalName([
-        // --- Windows Memory Management for Windows Drivers
-        "MmAllocatePagesForMdl", // MmAllocatePagesForMdl(minaddress, maxaddress, skip, size)
-        "MmAllocatePagesForMdlEx", // MmAllocatePagesForMdlEx(minaddress, maxaddress, skip, size, type, flags)
-        "MmAllocateNodePagesForMdlEx" // MmAllocateNodePagesForMdlEx(minaddress, maxaddress, skip, size, type, prefer, flags)
-      ]) and
-    sizeArg = 3
-  }
-
-  override int getSizeArg() { result = sizeArg }
-}
-
-/**
- * An allocation function (such as `alloca`) that does not require a
- * corresponding free (and has an argument for the size in bytes).
- */
-private class AllocaAllocationFunction extends AllocationFunction {
-  int sizeArg;
-
-  AllocaAllocationFunction() {
-    this.hasGlobalName([
-        // --- stack allocation
-        "alloca", // // alloca(size)
-        "__builtin_alloca", // __builtin_alloca(size)
-        "_alloca", // _alloca(size)
-        "_malloca" // _malloca(size)
-      ]) and
-    sizeArg = 0
-  }
-
-  override int getSizeArg() { result = sizeArg }
-
-  override predicate requiresDealloc() { none() }
-}
-
-/**
- * An allocation function (such as `calloc`) that has an argument for the size
- * and another argument for the size of those units (in bytes).
- */
-private class CallocAllocationFunction extends AllocationFunction {
-  int sizeArg;
-  int multArg;
-
-  CallocAllocationFunction() {
-    // --- C library allocation
-    this.hasGlobalOrStdOrBslName("calloc") and // calloc(num, size)
-    sizeArg = 1 and
-    multArg = 0
-  }
-
-  override int getSizeArg() { result = sizeArg }
-
-  override int getSizeMult() { result = multArg }
-}
-
 /**
 * An allocation function (such as `realloc`) that has an argument for the size
 * in bytes, and an argument for an existing pointer that is to be reallocated.