CPP: Support flow of pointed-to things through function calls.

This commit is contained in:
Geoffrey White
2020-01-15 19:19:40 +00:00
parent 04af2ace94
commit ef47563139
5 changed files with 21 additions and 5 deletions


@@ -602,9 +602,14 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn | exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn |
call.getTarget() = f and call.getTarget() = f and
f.hasDataFlow(inModel, outModel) and f.hasDataFlow(inModel, outModel) and
outModel.isReturnValue() and fromExpr = call.getArgument(iIn) and
inModel.isParameter(iIn) and (
fromExpr = call.getArgument(iIn) inModel.isParameter(iIn) and
outModel.isReturnValue()
or
inModel.isParameterDeref(iIn) and
outModel.isReturnValueDeref()
)
) )
) )
} }
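Review bot: The new disjunct `inModel.isParameterDeref(iIn) and outModel.isReturnValueDeref()` models pointee flow on the very same node as pointer-value flow: in both branches the step runs from `call.getArgument(iIn)` to the call expression, so a plain DataFlow (not TaintTracking) configuration will now report flow through functions such as strdup whose returned pointer is a fresh allocation rather than the argument's value. That is presumably intended, but it should be said at the branch, e.g. `// Pointee flow is modelled on the pointer's own node: the AST has no separate node for *p, so a ParameterDeref -> ReturnValueDeref model is treated as a step from the argument to the call.` The new "AST only" rows for taint.cpp lines 372 and 391 in the comparison expectations indicate the IR-based dataflow does not yet make this step; if the two libraries are meant to agree, that divergence deserves a tracking note rather than being baked into the expected output. The predicate's signature and the surrounding `exists` begin before this hunk, so I cannot see whether other callers of `exprToExprStep_nocfg` rely on pointer-only semantics.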


@@ -144,6 +144,7 @@
| taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:171:8:171:13 | buffer | | | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:171:8:171:13 | buffer | |
| taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:172:10:172:15 | buffer | | | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:172:10:172:15 | buffer | |
| taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer | | | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer | |
| taint.cpp:170:18:170:26 | Hello, | taint.cpp:170:3:170:8 | call to strcpy | |
| taint.cpp:170:18:170:26 | Hello, | taint.cpp:170:10:170:15 | ref arg buffer | TAINT | | taint.cpp:170:18:170:26 | Hello, | taint.cpp:170:10:170:15 | ref arg buffer | TAINT |
| taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:172:10:172:15 | buffer | | | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:172:10:172:15 | buffer | |
| taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:173:8:173:13 | buffer | | | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:173:8:173:13 | buffer | |
@@ -163,6 +164,8 @@
| taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:194:2:194:7 | call to memcpy | | | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:194:2:194:7 | call to memcpy | |
| taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:195:7:195:7 | x | | | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:195:7:195:7 | x | |
| taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... | | | taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... | |
| taint.cpp:194:13:194:18 | ref arg source | taint.cpp:194:2:194:7 | call to memcpy | |
| taint.cpp:194:13:194:18 | source | taint.cpp:194:2:194:7 | call to memcpy | |
| taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT | | taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
| taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT | | taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
| taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... | | | taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... | |
@@ -328,8 +331,10 @@
| taint.cpp:365:24:365:29 | source | taint.cpp:371:14:371:19 | source | | | taint.cpp:365:24:365:29 | source | taint.cpp:371:14:371:19 | source | |
| taint.cpp:369:6:369:11 | call to strdup | taint.cpp:369:2:369:19 | ... = ... | | | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:369:2:369:19 | ... = ... | |
| taint.cpp:369:6:369:11 | call to strdup | taint.cpp:372:7:372:7 | a | | | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:372:7:372:7 | a | |
| taint.cpp:369:13:369:18 | source | taint.cpp:369:6:369:11 | call to strdup | |
| taint.cpp:370:6:370:11 | call to strdup | taint.cpp:370:2:370:27 | ... = ... | | | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:370:2:370:27 | ... = ... | |
| taint.cpp:370:6:370:11 | call to strdup | taint.cpp:373:7:373:7 | b | | | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:373:7:373:7 | b | |
| taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup | |
| taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... | | | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... | |
| taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c | | | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c | |
| taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source | | | taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source | |
@@ -338,5 +343,7 @@
| taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source | | | taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source | |
| taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... | | | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... | |
| taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a | | | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a | |
| taint.cpp:389:13:389:18 | source | taint.cpp:389:6:389:11 | call to wcsdup | |
| taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:390:2:390:28 | ... = ... | | | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:390:2:390:28 | ... = ... | |
| taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:392:7:392:7 | b | | | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:392:7:392:7 | b | |
| taint.cpp:390:13:390:27 | hello, world | taint.cpp:390:6:390:11 | call to wcsdup | |


@@ -369,7 +369,7 @@ void test_strdup(char *source)
a = strdup(source); a = strdup(source);
b = strdup("hello, world"); b = strdup("hello, world");
c = strndup(source, 100); c = strndup(source, 100);
sink(a); // tainted [NOT DETECTED] sink(a); // tainted
sink(b); sink(b);
sink(c); // tainted [NOT DETECTED] sink(c); // tainted [NOT DETECTED]
} }
@@ -388,6 +388,6 @@ void test_wcsdup(wchar_t *source)
a = wcsdup(source); a = wcsdup(source);
b = wcsdup(L"hello, world"); b = wcsdup(L"hello, world");
sink(a); // tainted [NOT DETECTED] sink(a); // tainted
sink(b); sink(b);
} }
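Review bot: `sink(c); // tainted [NOT DETECTED]` on test line 374 is left as undetected while the sibling strdup and wcsdup sinks are now flagged; from the diff alone it looks like strndup simply lacks a ParameterDeref -> ReturnValueDeref model rather than being a limitation of the new step, but that is an inference. It would help the next reader to say which, e.g. `// tainted [NOT DETECTED: strndup has no pointee-flow model yet]`, so the gap is not mistaken for a bug in the dataflow library. The function bodies continue outside the hunks, so the remaining sinks are not visible here.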


@@ -37,3 +37,5 @@
| taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source | | taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source |
| taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source | | taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source |
| taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source | | taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
| taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
| taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |


@@ -25,3 +25,5 @@
| taint.cpp:350:7:350:7 | taint.cpp:330:6:330:11 | AST only | | taint.cpp:350:7:350:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only | | taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only | | taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
| taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
| taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |