From b82dfa9a21bfdb2fb193f4dd7a01e02d85cc72d5 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 2 Nov 2023 16:45:50 +0000
Subject: [PATCH] C++: Fix failing test by allocating 'TFunctionInput's and 'TFunctionOutput's for more indirections.

Note that we now mark two output nodes coming out of 'getaddrinfo' as a remote flow source (the first indirection and the second indirection). We'll fix that in the next commit.
---
 .../interfaces/FunctionInputsAndOutputs.qll | 22 +++++++++++++------
 .../dataflow-ir-consistency.expected | 4 ++++
 .../fields/dataflow-ir-consistency.expected | 2 ++
 .../source-sink-tests/remote-flow.expected | 4 +++-
 .../dataflow/taint-tests/localTaint.expected | 2 +-
 .../dataflow/taint-tests/taint.cpp | 2 +-
 6 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
index 7fd36f26183..f80d08dfba7 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FunctionInputsAndOutputs.qll
@@ -8,7 +8,7 @@ import semmle.code.cpp.Parameter
 
 private newtype TFunctionInput =
   TInParameter(ParameterIndex i) or
-  TInParameterDeref(ParameterIndex i) or
+  TInParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
   TInQualifierObject() or
   TInQualifierAddress() or
   TInReturnValueDeref()
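Review bot: The supported indirection range `[1, 2]` is a bare literal in the new `TInParameterDeref` constructor body, and the same literal is repeated for `TOutParameterDeref` and `TOutReturnValueDeref` in the hunk at line 324 of the next chunk; a model asking for a third indirection silently gets no `FunctionInput`/`FunctionOutput` instead of a visible failure. Hoisting it into one private predicate keeps the three branches in step, e.g. `private int maxIndirectionIndex() { result = 2 }` and `indirectionIndex = [1 .. maxIndirectionIndex()]` in each constructor. The new newtype parameter also carries no doc comment; a short `//` line stating what indirection levels 1 and 2 denote would help readers of the models that use it. The third branch names its parameter `indirections` while the other two use `indirectionIndex` — one name would be clearer.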
@@ -245,15 +245,18 @@ class InParameter extends FunctionInput, TInParameter {
  */
 class InParameterDeref extends FunctionInput, TInParameterDeref {
   ParameterIndex index;
+  int indirectionIndex;
 
-  InParameterDeref() { this = TInParameterDeref(index) }
+  InParameterDeref() { this = TInParameterDeref(index, indirectionIndex) }
 
   override string toString() { result = "InParameterDeref " + index.toString() }
 
   /** Gets the zero-based index of the parameter. */
   ParameterIndex getIndex() { result = index }
 
-  override predicate isParameterDeref(ParameterIndex i) { i = index }
+  override predicate isParameterDeref(ParameterIndex i, int indirection) {
+    i = index and indirectionIndex = indirection
+  }
 }
 
 /**
@@ -321,10 +324,10 @@ class InReturnValueDeref extends FunctionInput, TInReturnValueDeref {
 }
 
 private newtype TFunctionOutput =
-  TOutParameterDeref(ParameterIndex i) or
+  TOutParameterDeref(ParameterIndex i, int indirectionIndex) { indirectionIndex = [1, 2] } or
   TOutQualifierObject() or
   TOutReturnValue() or
-  TOutReturnValueDeref()
+  TOutReturnValueDeref(int indirections) { indirections = [1, 2] }
 
 /**
  * An output from a function. This can be:
@@ -498,8 +501,9 @@ class FunctionOutput extends TFunctionOutput {
  */
 class OutParameterDeref extends FunctionOutput, TOutParameterDeref {
   ParameterIndex index;
+  int indirectionIndex;
 
-  OutParameterDeref() { this = TOutParameterDeref(index) }
+  OutParameterDeref() { this = TOutParameterDeref(index, indirectionIndex) }
 
   override string toString() { result = "OutParameterDeref " + index.toString() }
 
@@ -508,7 +512,7 @@ class OutParameterDeref extends FunctionOutput, TOutParameterDeref {
   override predicate isParameterDeref(ParameterIndex i) { i = index }
 
   override predicate isParameterDeref(ParameterIndex i, int ind) {
-    this.isParameterDeref(i) and ind = 1
+    this.isParameterDeref(i) and ind = indirectionIndex
   }
 }
 
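Review bot: `InParameterDeref.toString()` still returns `"InParameterDeref " + index.toString()` although the class now has two distinct values per parameter index (`indirectionIndex` 1 and 2), so the two are indistinguishable in query output and in `.expected` files; the same holds for `OutParameterDeref.toString()` in the hunk at line 501 and for `OutReturnValueDeref.toString()` in the hunk at line 576 of the next chunk. Include the indirection in the string, e.g. `result = "InParameterDeref " + index.toString() + " (indirection " + indirectionIndex.toString() + ")"`, or add a comment stating that the shared string is intentional. Separately, `InParameterDeref` replaces its one-argument `isParameterDeref(ParameterIndex i)` override with the two-argument form, while `OutParameterDeref` keeps both; if the base `FunctionInput` does not derive the one-argument predicate from the two-argument one, models that call the one-argument form will stop matching for this class — the base class is outside the hunk, so this needs confirming. The `OutParameterDeref` class body continues past the end of its hunk.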
@@ -572,4 +576,8 @@ class OutReturnValueDeref extends FunctionOutput, TOutReturnValueDeref {
   override string toString() { result = "OutReturnValueDeref" }
 
   override predicate isReturnValueDeref() { any() }
+
+  override predicate isReturnValueDeref(int indirectionIndex) {
+    this = TOutReturnValueDeref(indirectionIndex)
+  }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
index bacd714e614..b7b2a8eab90 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -20,8 +20,12 @@ reverseRead
 argHasPostUpdate
 postWithInFlow
 | test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:384:10:384:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:391:10:391:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:400:10:400:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | test.cpp:407:10:407:13 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
index 4b74de5a825..72818427b84 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -44,6 +44,8 @@ reverseRead
 argHasPostUpdate
 postWithInFlow
 | realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| realistic.cpp:54:16:54:47 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
+| realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 | realistic.cpp:60:16:60:18 | memcpy output argument | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected b/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected
index 48de9172b36..24dec225c2e 100644
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected
@@ -1,2 +1,4 @@
-failures
 testFailures
+| sources-and-sinks.cpp:51:52:51:55 | getaddrinfo output argument | Unexpected result: remote_source=51:52 |
+| sources-and-sinks.cpp:51:59:51:76 | // $ remote_source | Missing result:remote_source= |
+failures
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 017c978bec3..cebf91d6f59 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -6652,7 +6652,7 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:744:5:744:10 | buffer | taint.cpp:744:4:744:10 | * ... | TAINT |
 | taint.cpp:744:14:744:19 | call to source | taint.cpp:744:3:744:21 | ... = ... | |
 | taint.cpp:745:19:745:25 | call to realloc | taint.cpp:743:40:743:45 | buffer | |
-| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:36 | ... = ... | |
+| taint.cpp:745:19:745:25 | call to realloc | taint.cpp:745:3:745:37 | ... = ... | |
 | taint.cpp:745:19:745:25 | call to realloc | taint.cpp:746:10:746:15 | buffer | |
 | taint.cpp:745:27:745:32 | buffer | taint.cpp:745:19:745:25 | call to realloc | TAINT |
 | taint.cpp:746:9:746:15 | * ... | taint.cpp:746:8:746:15 | * ... | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index 6815f45b1b7..eeefa6dd427 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -743,5 +743,5 @@ void test_realloc() {
 void test_realloc_2_indirections(int **buffer) {
   **buffer = source();
   buffer = (int**)realloc(buffer, 16);
-  sink(**buffer); // $ MISSING: ir,ast
+  sink(**buffer); // $ ir MISSING: ast
 }
\ No newline at end of file