C++: Add a member predicate to phi nodes for checking if a phi is a read-phi and use it to restrict flow in 'cpp/invalid-pointer-deref'.

2026-04-30 19:26:02 +02:00 · 2023-05-10 14:10:13 +01:00
parent c3a7f98b2f
commit f05cce8fc2
3 changed files with 20 additions and 2 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -552,7 +552,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
   */
  final Node getAnInput(boolean fromBackEdge) {
    localFlowStep(result, this) and
-    if phi.getBasicBlock().strictlyDominates(result.getBasicBlock())
+    if phi.getBasicBlock().dominates(result.getBasicBlock())
    then fromBackEdge = true
    else fromBackEdge = false
  }
@@ -562,6 +562,14 @@ class SsaPhiNode extends Node, TSsaPhiNode {

  /** Gets the source variable underlying this phi node. */
  Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { phi.isPhiRead() }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -1012,6 +1012,14 @@ class PhiNode extends SsaImpl::DefinitionExt {
    this instanceof SsaImpl::PhiNode or
    this instanceof SsaImpl::PhiReadNode
  }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }
 }

 class DefinitionExt = SsaImpl::DefinitionExt;
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -230,7 +230,9 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
  pragma[inline]
  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }

-  predicate isBarrier(DataFlow::Node node) { node = any(DataFlow::SsaPhiNode phi).getAnInput(true) }
+  predicate isBarrier(DataFlow::Node node) {
+    node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true)
+  }
 }

 module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;