Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow

cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected

@@ -7,3 +7,5 @@
 | tests3.cpp:25:21:25:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:30:21:30:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:53:17:53:44 | new[] | This allocation does not include space to null-terminate the string. |
+| tests3.cpp:81:20:81:28 | call to MyMalloc1 | This allocation does not include space to null-terminate the string. |
+| tests3.cpp:84:20:84:28 | call to MyMalloc2 | This allocation does not include space to null-terminate the string. |

cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp

@@ -1,4 +1,4 @@
-// tests1.cpp
+// tests3.cpp
 
 typedef unsigned int size_t;
 
@@ -66,3 +66,21 @@ void test3c()
 
 	delete buffer;
 }
+
+ // --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return std::malloc(size); }
+void *MyMalloc2(size_t size);
+
+void tests4()
+{
+	const char *str4 = "1234";
+	char *buffer1 = 0;
+	char *buffer2 = 0;
+
+	buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD
+	strcpy(buffer1, str4);
+
+	buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD
+	strcpy(buffer2, str4);
+}

cpp/ql/test/query-tests/Critical/SizeCheck/test.c

@@ -58,3 +58,14 @@ void test_union() {
 	MyUnion *a = malloc(sizeof(MyUnion)); // GOOD
 	MyUnion *b = malloc(sizeof(MyStruct)); // BAD (too small)
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+    float *fptr1 = MyMalloc1(3); // BAD (too small) [NOT DETECTED]
+    float *fptr2 = MyMalloc2(3); // BAD (too small) [NOT DETECTED]
+}

cpp/ql/test/query-tests/Critical/SizeCheck/test2.c

@@ -43,5 +43,13 @@ void good1(void) {
     free(dptr);
 }
 
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
 
-
+void customAllocatorTests()
+{
+    double *dptr1 = MyMalloc1(33); // BAD -- Not a multiple of sizeof(double) [NOT DETECTED]
+    double *dptr2 = MyMalloc2(33); // BAD -- Not a multiple of sizeof(double) [NOT DETECTED]
+}

cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.expected

@@ -1,5 +1,7 @@
 | test2.cpp:64:34:64:39 | call to calloc | This allocation does not include space to null-terminate the string. |
 | test2.cpp:71:28:71:34 | call to realloc | This allocation does not include space to null-terminate the string. |
+| test2.cpp:84:27:84:35 | call to MyMalloc1 | This allocation does not include space to null-terminate the string. |
+| test2.cpp:89:27:89:35 | call to MyMalloc2 | This allocation does not include space to null-terminate the string. |
 | test.c:16:20:16:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:32:20:32:25 | call to malloc | This allocation does not include space to null-terminate the string. |
 | test.c:49:20:49:25 | call to malloc | This allocation does not include space to null-terminate the string. |

cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp

@@ -72,3 +72,21 @@ void bad4(char *str) {
     strcpy(buffer, str);
     free(buffer);
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests(char *str)
+{
+	{
+		char *buffer1 = (char *)MyMalloc1(strlen(str)); // BAD (no room for `\0` terminator)
+		strcpy(buffer1, str);
+	}
+
+	{
+		char *buffer2 = (char *)MyMalloc2(strlen(str)); // BAD (no room for `\0` terminator)
+		strcpy(buffer2, str);
+	}
+}

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -26,7 +26,6 @@ edges
 | test.cpp:209:8:209:23 | VariableAddress indirection | test.cpp:241:9:241:24 | call to get_tainted_size |
 | test.cpp:211:14:211:19 | Call | test.cpp:209:8:209:23 | VariableAddress indirection |
 | test.cpp:211:14:211:27 | call to getenv indirection | test.cpp:209:8:209:23 | VariableAddress indirection |
-| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
 | test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
 | test.cpp:237:24:237:29 | Call | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:29 | Call | test.cpp:245:11:245:20 | local_size |
@@ -34,7 +33,6 @@ edges
 | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:245:11:245:20 | local_size |
 | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:247:10:247:19 | local_size |
-| test.cpp:245:11:245:20 | local_size | test.cpp:224:23:224:23 | s |
 | test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
 | test.cpp:250:20:250:27 | Load indirection | test.cpp:289:17:289:20 | get_size output argument |
 | test.cpp:250:20:250:27 | Load indirection | test.cpp:305:18:305:21 | get_size output argument |
@@ -46,6 +44,10 @@ edges
 | test.cpp:305:18:305:21 | get_size output argument | test.cpp:308:10:308:27 | ... * ... |
 | test.cpp:338:19:338:24 | Call | test.cpp:342:25:342:43 | ... * ... |
 | test.cpp:338:19:338:32 | call to getenv indirection | test.cpp:342:25:342:43 | ... * ... |
+| test.cpp:353:18:353:23 | Call | test.cpp:355:35:355:38 | size |
+| test.cpp:353:18:353:23 | Call | test.cpp:356:35:356:38 | size |
+| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size |
+| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size |
 nodes
 | test.cpp:39:27:39:30 | argv | semmle.label | argv |
 | test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
@@ -68,8 +70,6 @@ nodes
 | test.cpp:209:8:209:23 | VariableAddress indirection | semmle.label | VariableAddress indirection |
 | test.cpp:211:14:211:19 | Call | semmle.label | Call |
 | test.cpp:211:14:211:27 | call to getenv indirection | semmle.label | call to getenv indirection |
-| test.cpp:224:23:224:23 | s | semmle.label | s |
-| test.cpp:225:21:225:21 | s | semmle.label | s |
 | test.cpp:230:21:230:21 | s | semmle.label | s |
 | test.cpp:231:21:231:21 | s | semmle.label | s |
 | test.cpp:237:24:237:29 | Call | semmle.label | Call |
@@ -91,6 +91,10 @@ nodes
 | test.cpp:338:19:338:24 | Call | semmle.label | Call |
 | test.cpp:338:19:338:32 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:342:25:342:43 | ... * ... | semmle.label | ... * ... |
+| test.cpp:353:18:353:23 | Call | semmle.label | Call |
+| test.cpp:353:18:353:31 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:355:35:355:38 | size | semmle.label | size |
+| test.cpp:356:35:356:38 | size | semmle.label | size |
 subpaths
 #select
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
@@ -117,14 +121,14 @@ subpaths
 | test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | call to getenv indirection | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:32 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:25 | Call | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:25 | Call | user input (an environment variable) |
 | test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | call to getenv indirection | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:33 | call to getenv indirection | user input (an environment variable) |
-| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:29 | Call | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | Call | user input (an environment variable) |
-| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:29 | Call | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | Call | user input (an environment variable) |
 | test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:29 | Call | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | Call | user input (an environment variable) |
 | test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:19 | Call | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:19 | Call | user input (an environment variable) |
 | test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:27 | call to getenv indirection | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:27 | call to getenv indirection | user input (an environment variable) |
+| test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:29 | Call | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | Call | user input (an environment variable) |
+| test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:37 | call to getenv indirection | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:37 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | Call | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:25 | Call | user input (an environment variable) |
 | test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:33 | call to getenv indirection | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:33 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | Call | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:23 | Call | user input (an environment variable) |
@@ -133,3 +137,7 @@ subpaths
 | test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:31 | call to getenv indirection | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:31 | call to getenv indirection | user input (an environment variable) |
 | test.cpp:342:18:342:23 | call to malloc | test.cpp:338:19:338:24 | Call | test.cpp:342:25:342:43 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:338:19:338:24 | Call | user input (an environment variable) |
 | test.cpp:342:18:342:23 | call to malloc | test.cpp:338:19:338:32 | call to getenv indirection | test.cpp:342:25:342:43 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:338:19:338:32 | call to getenv indirection | user input (an environment variable) |
+| test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:23 | Call | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:23 | Call | user input (an environment variable) |
+| test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv indirection | user input (an environment variable) |
+| test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:23 | Call | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:23 | Call | user input (an environment variable) |
+| test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:31 | call to getenv indirection | user input (an environment variable) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp

@@ -222,7 +222,7 @@ size_t get_bounded_size()
 }
 
 void *my_alloc(size_t s) {
-	void *ptr = malloc(s); // [UNHELPFUL RESULT]
+	void *ptr = malloc(s);
 
 	return ptr;
 }
@@ -242,7 +242,7 @@ void more_cases() {
 	malloc(get_bounded_size()); // GOOD
 
 	my_alloc(100); // GOOD
-	my_alloc(local_size); // BAD [NOT DETECTED IN CORRECT LOCATION]
+	my_alloc(local_size); // BAD
 	my_func(100); // GOOD
 	my_func(local_size); // GOOD
 }
@@ -342,3 +342,16 @@ void equality_barrier() {
 		int* a = (int*)malloc(size1 * sizeof(int)); // GOOD
 	}
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+	int size = atoi(getenv("USER"));
+
+	char *chars1 = (char *)MyMalloc1(size); // BAD
+	char *chars2 = (char *)MyMalloc2(size); // BAD
+}