Merge pull request #2680 from geoffw0/modelstrndup

CPP: Model strndup.
2025-12-20 10:46:30 +01:00 · 2020-01-27 15:19:52 -05:00
parent 4d743d2bce 4778914154
commit 79a72a3496
9 changed files with 54 additions and 30 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -132,6 +132,9 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
      // dest_ptr = strdup(tainted_ptr)
      inModel.isParameterDeref(argInIndex) and
      exprIn = call.getArgument(argInIndex)
+      or
+      inModel.isParameter(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
    )
  )
  or
@@ -173,6 +176,9 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
      // memcpy(&dest_var, tainted_ptr, len)
      inModel.isParameterDeref(argInIndex) and
      exprIn = call.getArgument(argInIndex)
+      or
+      inModel.isParameter(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
    )
  )
  or
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -47,20 +47,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
  }

  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    (
-      // These always copy the full value of the input buffer to the output
-      // buffer
-      this.hasName("strcpy") or
-      this.hasName("_mbscpy") or
-      this.hasName("wcscpy")
-    ) and
-    (
-      input.isParameterDeref(1) and
-      output.isParameterDeref(0)
-      or
-      input.isParameterDeref(1) and
-      output.isReturnValueDeref()
-    )
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(1) and
+    output.isReturnValueDeref()
    or
    input.isParameter(0) and
    output.isReturnValue()
@@ -77,10 +68,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
      this.hasName("wcsncpy") or
      this.hasName("_wcsncpy_l")
    ) and
-    (
-      input.isParameter(2) or
-      input.isParameterDeref(1)
-    ) and
+    input.isParameter(2) and
    (
      output.isParameterDeref(0) or
      output.isReturnValueDeref()
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strdup.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strdup.qll
@@ -9,17 +9,14 @@ import semmle.code.cpp.models.interfaces.Taint
 class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
  StrdupFunction() {
    exists(string name |
-      hasGlobalOrStdName(name) and
+      hasGlobalName(name) and
      (
        // strdup(str)
        name = "strdup"
        or
        // wcsdup(str)
        name = "wcsdup"
-      )
-      or
-      hasGlobalName(name) and
-      (
+        or
        // _strdup(str)
        name = "_strdup"
        or
@@ -37,9 +34,32 @@ class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction
  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }

  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    // These always copy the full value of the input buffer to the result
-    // buffer
    input.isParameterDeref(0) and
    output.isReturnValueDeref()
  }
 }
+
+/**
+ * A `strndup` style allocation function.
+ */
+class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
+  StrndupFunction() {
+    exists(string name |
+      hasGlobalName(name) and
+      // strndup(str, maxlen)
+      name = "strndup"
+    )
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 0 }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isParameterDeref(0) or
+      input.isParameter(1)
+    ) and
+    output.isReturnValueDeref()
+  }
+}
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/DataFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/DataFlow.qll
@@ -12,8 +12,8 @@ import FunctionInputsAndOutputs
 import semmle.code.cpp.models.Models

 /**
- * A library function for which a value is copied from a parameter or qualifier
- * to an output buffer, return value, or qualifier.
+ * A library function for which a value is or may be copied from a parameter
+ * or qualifier to an output buffer, return value, or qualifier.
 *
 * Note that this does not include partial copying of values or partial writes
 * to destinations; that is covered by `TaintModel.qll`.
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
@@ -16,7 +16,9 @@ import semmle.code.cpp.models.Models
 * from a parameter or qualifier to an output buffer, return value, or qualifier.
 *
 * Note that this does not include direct copying of values; that is covered by
- * DataFlowModel.qll
+ * DataFlowModel.qll. If a value is sometimes copied in full, and sometimes
+ * altered (for example copying a string with `strncpy`), this is also considered
+ * data flow.
 */
 abstract class TaintFunction extends Function {
  abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);