From 7475170ced938096d4d6d4a460597c14dfc2eb14 Mon Sep 17 00:00:00 2001
From: Slavomir
Date: Wed, 1 Jul 2020 11:21:15 +0300
Subject: [PATCH] Fix getBaseType
---
 .../experimental/Unsafe/WrongUsageOfUnsafe.ql | 22 +++++++++----------
 .../Unsafe/WrongUsageOfUnsafe.expected | 1 -
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql b/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
index f183dd36b3a..5ac1ed96782 100644
--- a/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
+++ b/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
@@ -13,17 +13,17 @@ import go
 import DataFlow::PathGraph
+Type getFinalType(Type typ) { result = getBaseType*(typ.getUnderlyingType()).getUnderlyingType() }
+
 Type getBaseType(Type typ) {
- result =
- getBaseType*(typ.getUnderlyingType*().(PointerType).getBaseType*().getUnderlyingType*())
- .getUnderlyingType*()
+ result = getBaseType*(typ.(PointerType).getBaseType*())
 or
 result = typ
 }
 /* A conversion to a `unsafe.Pointer` */
 class ConversionToUnsafePointer extends ConversionExpr {
- ConversionToUnsafePointer() { getBaseType(getType()) instanceof UnsafePointerType }
+ ConversionToUnsafePointer() { getFinalType(getType()) instanceof UnsafePointerType }
 }
 /* Type casting through the use of unsafe pointers.*/
@@ -59,9 +59,9 @@ predicate castShortArrayToLongerArray(
 cfg.hasFlowPath(source, sink) and
 cfg.isSource(source.getNode(), castLittle) and
 cfg.isSink(sink.getNode(), castBig) and
- arrTo = getBaseType(castBig.getTypeExpr().getType()) and
+ arrTo = getFinalType(castBig.getTypeExpr().getType()) and
 (
- arrFrom = getBaseType(castLittle.getOperand().getType()) and
+ arrFrom = getFinalType(castLittle.getOperand().getType()) and
 arrFromAvailableSize = arrFrom.getLength() and
 message = "Dangerous array type casting to [" + arrTo.getLength() + "]" + arrTo.getElementType() +
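Review bot: In the first hunk, the rewritten `getBaseType` only steps through a syntactic `PointerType`, so a defined pointer type in the middle of a pointer chain (for example a pointer to `type P *[8]byte`) is no longer unwrapped, whereas the removed version applied `getUnderlyingType*()` at every level. As far as the visible lines show, `getFinalType` then never reaches the array type for such an operand, and the query would stay silent on that cast. Stepping through the underlying type in the recursive case, `result = getBaseType(typ.getUnderlyingType().(PointerType).getBaseType())`, restores that coverage while keeping the single trailing `getUnderlyingType()` in `getFinalType`, which appears to be what removes the duplicate `harmlessType` row; a test case with a named pointer type would pin it. Both predicates are also multi-valued (every pointer level is a result) and have no QLDoc, so a comment such as `/** Gets typ, or any type reached by stripping pointer levels from it. */` on `getBaseType` would help.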
@@ -95,11 +95,11 @@ predicate castTypeToArray(DataFlow::PathNode source, DataFlow::PathNode sink, st
 cfg.hasFlowPath(source, sink) and
 cfg.isSource(source.getNode(), castLittle) and
 cfg.isSink(sink.getNode(), castBig) and
- arrTo = getBaseType(castBig.getTypeExpr().getType()) and
+ arrTo = getFinalType(castBig.getTypeExpr().getType()) and
 not (typeFrom instanceof ArrayType or typeFrom.getUnderlyingType() instanceof ArrayType) and
 not typeFrom instanceof PointerType and
 not castLittle.getOperand().getChildExpr(0).(IndexExpr).getBase().getType() instanceof ArrayType and
- typeFrom = getBaseType(castLittle.getOperand().getType()) and
+ typeFrom = getFinalType(castLittle.getOperand().getType()) and
 message = "Dangerous type up-casting to [" + arrTo.getLength() + "]" + arrTo.getElementType() + " from " + typeFrom
@@ -121,11 +121,11 @@ predicate castDifferentBitSizeNumbers(
 cfg.hasFlowPath(source, sink) and
 cfg.isSource(source.getNode(), castLittle) and
 cfg.isSink(sink.getNode(), castBig) and
- numTo = getBaseType(castBig.getTypeExpr().getType()) and
+ numTo = getFinalType(castBig.getTypeExpr().getType()) and
 (
- numFrom = getBaseType(castLittle.getOperand().getType()) or
+ numFrom = getFinalType(castLittle.getOperand().getType()) or
 numFrom =
- getBaseType(getBaseType(castLittle.getOperand().getType())
+ getFinalType(getFinalType(castLittle.getOperand().getType())
 .(StructType)
 .getField(_)
 .getType())
diff --git a/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected b/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected
index e9f4f557d84..e0d9f0cac41 100644
--- a/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected
+++ b/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected
@@ -53,7 +53,6 @@ nodes | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 | | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 | | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string | -| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from harmlessType | | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type | | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. 
| WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 | | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion : unsafe.Pointer | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |