CPP: Support flow of pointed-to things through function calls.

2025-12-22 11:46:32 +01:00 · 2020-01-15 19:19:40 +00:00
parent 04af2ace94
commit ef47563139
5 changed files with 21 additions and 5 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -602,9 +602,14 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
      exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn |
        call.getTarget() = f and
        f.hasDataFlow(inModel, outModel) and
-        outModel.isReturnValue() and
+        fromExpr = call.getArgument(iIn) and
+        (
          inModel.isParameter(iIn) and
-        fromExpr = call.getArgument(iIn)
+          outModel.isReturnValue()
+          or
+          inModel.isParameterDeref(iIn) and
+          outModel.isReturnValueDeref()
+        )
      )
    )
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -144,6 +144,7 @@
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:171:8:171:13 | buffer |  |
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:172:10:172:15 | buffer |  |
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
+| taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:3:170:8 | call to strcpy |  |
 | taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:10:170:15 | ref arg buffer | TAINT |
 | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:172:10:172:15 | buffer |  |
 | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
@@ -163,6 +164,8 @@
 | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:194:2:194:7 | call to memcpy |  |
 | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:195:7:195:7 | x |  |
 | taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... |  |
+| taint.cpp:194:13:194:18 | ref arg source | taint.cpp:194:2:194:7 | call to memcpy |  |
+| taint.cpp:194:13:194:18 | source | taint.cpp:194:2:194:7 | call to memcpy |  |
 | taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... |  |
@@ -328,8 +331,10 @@
 | taint.cpp:365:24:365:29 | source | taint.cpp:371:14:371:19 | source |  |
 | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:369:2:369:19 | ... = ... |  |
 | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:372:7:372:7 | a |  |
+| taint.cpp:369:13:369:18 | source | taint.cpp:369:6:369:11 | call to strdup |  |
 | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:370:2:370:27 | ... = ... |  |
 | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:373:7:373:7 | b |  |
+| taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c |  |
 | taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source |  |
@@ -338,5 +343,7 @@
 | taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a |  |
+| taint.cpp:389:13:389:18 | source | taint.cpp:389:6:389:11 | call to wcsdup |  |
 | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:390:2:390:28 | ... = ... |  |
 | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:392:7:392:7 | b |  |
+| taint.cpp:390:13:390:27 | hello, world | taint.cpp:390:6:390:11 | call to wcsdup |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -369,7 +369,7 @@ void test_strdup(char *source)
 	a = strdup(source);
 	b = strdup("hello, world");
 	c = strndup(source, 100);
-	sink(a); // tainted [NOT DETECTED]
+	sink(a); // tainted
 	sink(b);
 	sink(c); // tainted [NOT DETECTED]
 }
@@ -388,6 +388,6 @@ void test_wcsdup(wchar_t *source)

 	a = wcsdup(source);
 	b = wcsdup(L"hello, world");
-	sink(a); // tainted [NOT DETECTED]
+	sink(a); // tainted
 	sink(b);
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -37,3 +37,5 @@
 | taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
+| taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
+| taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -25,3 +25,5 @@
 | taint.cpp:350:7:350:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
+| taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
+| taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |