Add IndexExpr logic and example

2026-01-29 22:32:58 +01:00 · 2020-07-01 10:21:16 +03:00
parent 036a1faffa
commit 9421476bea
2 changed files with 42 additions and 12 deletions
--- a/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
+++ b/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
@@ -54,22 +54,31 @@ predicate castShortArrayToLongerArray(
 ) {
  exists(
    UnsafeTypeCastingConf cfg, ConversionExpr castBig, ConversionToUnsafePointer castLittle,
-    ArrayType arrTo, ArrayType arrFrom
+    ArrayType arrTo, ArrayType arrFrom, int arrFromAvailableSize
  |
    cfg.hasFlowPath(source, sink) and
    cfg.isSource(source.getNode(), castLittle) and
    cfg.isSink(sink.getNode(), castBig) and
    arrTo = getBaseType(castBig.getTypeExpr().getType()) and
    (
-      arrFrom = getBaseType(castLittle.getOperand().getType())
+      arrFrom = getBaseType(castLittle.getOperand().getType()) and
+      arrFromAvailableSize = arrFrom.getLength() and
+      message =
+        "Dangerous array type casting to [" + arrTo.getLength() + "]" + arrTo.getElementType() +
+          " from [" + arrFrom.getLength() + "]" + arrFrom.getElementType()
      or
-      arrFrom = castLittle.getOperand().getChildExpr(0).(IndexExpr).getBase().getType()
+      exists(IndexExpr indexExpr |
+        indexExpr = castLittle.getOperand().getChildExpr(0) and
+        arrFrom = indexExpr.getBase().getType() and
+        arrFromAvailableSize = arrFrom.getLength() - indexExpr.getIndex().getIntValue() and
+        message =
+          "Dangerous array type casting to [" + arrTo.getLength() + "]" + arrTo.getElementType() +
+            " from an index [" + arrFrom.getLength() + "]" + arrFrom.getElementType() + "[" +
+            indexExpr.getIndex().getIntValue() + "]"
+      )
    ) and
    arrTo.getLength() > 0 and //TODO
-    arrTo.getLength() > arrFrom.getLength() and
-    message =
-      "Dangerous array type casting to [" + arrTo.getLength() + "]" + arrTo.getElementType() +
-        " from [" + arrFrom.getLength() + "]" + arrFrom.getElementType()
+    arrTo.getLength() > arrFromAvailableSize
  )
 }

--- a/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
+++ b/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
@@ -14,9 +14,9 @@ func good0() {

 	// Read before secret without overflowing to secret:
 	// NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0])
-	var leaking = (*[8]byte)(unsafe.Pointer(&harmless)) // OK
+	var nonLeaking = (*[8]byte)(unsafe.Pointer(&harmless)) // OK

-	fmt.Println(string((*leaking)[:]))
+	fmt.Println(string((*nonLeaking)[:]))

 	// Avoid optimization:
 	if secret[0] == 123 {
@@ -31,7 +31,28 @@ func good1() {

 	// Read before secret without overflowing to secret:
 	// NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0])
-	var leaking = (*[8]byte)(unsafe.Pointer(&harmless[0])) // OK
+	var nonLeaking = (*[8]byte)(unsafe.Pointer(&harmless[0])) // OK
+
+	fmt.Println(string((*nonLeaking)[:]))
+
+	// Avoid optimization:
+	if secret[0] == 123 {
+		fmt.Println("hello world")
+	}
+}
+func badIndex() {
+	// A harmless piece of data:
+	harmless := [8]byte{'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'}
+	// Something secret:
+	secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'}
+
+	// Read before secret, overflowing into secret.
+	// NOTE: unsafe.Pointer(&harmless) != unsafe.Pointer(&harmless[2])
+	// The new variable `leaking` will contain data starting from
+	// the address of the 3rd element of the `harmless` array,
+	// and continue for 8 bytes, crossing the boundaries of
+	// `harmless` into the memory occupied by `secret`.
+	var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // BAD

 	fmt.Println(string((*leaking)[:]))

@@ -47,9 +68,9 @@ func good2() {
 	secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'}

 	// Read before secret:
-	var leaking = (*int)(unsafe.Pointer(&harmless)) // TODO: is this really OK?
+	var nonLeaking = (*int)(unsafe.Pointer(&harmless)) // TODO: is this really OK?

-	fmt.Println(*leaking)
+	fmt.Println(*nonLeaking)

 	// Avoid optimization:
 	if secret[0] == 123 {