C++: Add a few more models I noticed while here.

This commit is contained in:
Mathias Vorreiter Pedersen
2025-11-06 17:00:19 +00:00
parent 2b6a75f4ad
commit f0da0d98a2
4 changed files with 26 additions and 9 deletions


@@ -12,8 +12,8 @@ import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.NonThrowing import semmle.code.cpp.models.interfaces.NonThrowing
/** /**
* The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant * The standard functions `memcpy`, `memmove` and `bcopy`; and variants such as
* `__builtin___memcpy_chk`. * `__builtin___memcpy_chk` and `__builtin___memmove_chk`.
*/ */
private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction, private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
AliasFunction, NonCppThrowingFunction AliasFunction, NonCppThrowingFunction
@@ -27,7 +27,9 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
// bcopy(src, dest, num) // bcopy(src, dest, num)
// mempcpy(dest, src, num) // mempcpy(dest, src, num)
// memccpy(dest, src, c, n) // memccpy(dest, src, c, n)
this.hasGlobalName(["bcopy", mempcpy(), "memccpy", "__builtin___memcpy_chk"]) this.hasGlobalName([
"bcopy", mempcpy(), "memccpy", "__builtin___memcpy_chk", "__builtin___memmove_chk"
])
} }
/** /**
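Review bot: The per-function signature comments just above the call (`// bcopy(src, dest, num)` … `// memccpy(dest, src, c, n)`) were not extended for the new entry, so `__builtin___memmove_chk` is the only name in that `hasGlobalName` list without its parameter layout spelled out; add `// __builtin___memmove_chk(dest, src, num, dest_size)`, the trailing argument being the destination object size the builtin checks against. The pre-existing `__builtin___memcpy_chk` entry has no such line either, so `// __builtin___memcpy_chk(dest, src, num, dest_size)` would complete the list. The predicates of MemcpyFunction that index parameters (size and alias handling) are outside this hunk, so whether they already tolerate a fourth trailing argument cannot be confirmed here.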


@@ -19,7 +19,8 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
this.hasGlobalOrStdName("wmemset") this.hasGlobalOrStdName("wmemset")
or or
this.hasGlobalName([ this.hasGlobalName([
bzero(), "__builtin_memset", "__builtin_memset_chk", "RtlZeroMemory", "RtlSecureZeroMemory" bzero(), "__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk",
"RtlZeroMemory", "RtlSecureZeroMemory"
]) ])
} }
@@ -32,7 +33,7 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
or or
this.hasGlobalOrStdName("wmemset") this.hasGlobalOrStdName("wmemset")
or or
this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk"]) this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk"])
) and ) and
result = 1 result = 1
} }
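Review bot: The builtin name list is now maintained in two places — `hasGlobalName([bzero(), "__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk", ...])` in the first hunk and `hasGlobalName(["__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk"])` in the second — and this commit had to edit both, which is how such lists drift. A helper mirroring the existing `bzero()` predicate, e.g. `private string builtinMemset() { result = ["__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk"] }`, would let both sites share one definition. The predicate that yields `result = 1` is named outside the hunk, so whether the extra trailing size argument of `__builtin___memset_chk` matters to it cannot be judged from here; its first three parameters do line up with `memset`'s, which is presumably why the same index is reused.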


@@ -30,7 +30,9 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
"_mbsncat", // _mbsncat(dst, src, max_amount) "_mbsncat", // _mbsncat(dst, src, max_amount)
"_mbsncat_l", // _mbsncat_l(dst, src, max_amount, locale) "_mbsncat_l", // _mbsncat_l(dst, src, max_amount, locale)
"_mbsnbcat", // _mbsnbcat(dest, src, count) "_mbsnbcat", // _mbsnbcat(dest, src, count)
"_mbsnbcat_l" // _mbsnbcat_l(dest, src, count, locale) "_mbsnbcat_l", // _mbsnbcat_l(dest, src, count, locale)
"__builtin___strcat_chk", // __builtin___strcat_chk (dest, src, magic);
"__builtin___strncat_chk" // __builtin___strncat_chk (dest, src, max_amount, magic);
]) ])
} }
@@ -56,7 +58,11 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
( (
this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l"] and this.getName() =
[
"strncat", "wcsncat", "_mbsncat", "_mbsncat_l", "__builtin___strncat_chk",
"__builtin___strcat_chk"
] and
input.isParameter(2) input.isParameter(2)
or or
this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and
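Review bot: In the `hasTaintFlow` hunk, `"__builtin___strcat_chk"` is added to the list whose members get `input.isParameter(2)` as a taint input, but by the commit's own comment `__builtin___strcat_chk (dest, src, magic)` parameter 2 is the destination object size rather than a copy bound like strncat's `max_amount`, and plain `strcat` is not in that list either. Unless the size argument is meant to taint the output, keep only the strncat-shaped entry: `this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l", "__builtin___strncat_chk"] and`. The new signature comments such as `// __builtin___strcat_chk (dest, src, magic);` also use a space before the parenthesis and a trailing semicolon, unlike the surrounding `_mbsnbcat(dest, src, count)` entries; the same formatting appears in the strcpy section below. The body of `hasTaintFlow` continues outside the hunk.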


@@ -36,7 +36,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
"_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount) "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
"stpcpy", // stpcpy(dest, src) "stpcpy", // stpcpy(dest, src)
"stpncpy", // stpncpy(dest, src, max_amount) "stpncpy", // stpncpy(dest, src, max_amount)
"strlcpy" // strlcpy(dst, src, dst_size) "strlcpy", // strlcpy(dst, src, dst_size)
"__builtin___strcpy_chk", // __builtin___strcpy_chk (dest, src, magic);
"__builtin___stpcpy_chk", // __builtin___stpcpy_chk (dest, src, magic);
"__builtin___stpncpy_chk", // __builtin___stpncpy_chk(dest, src, max_amount, magic)
"__builtin___strncpy_chk" // __builtin___strncpy_chk (dest, src, max_amount, magic);
]) ])
or or
( (
@@ -69,7 +73,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
if this.isSVariant() if this.isSVariant()
then result = 1 then result = 1
else ( else (
this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and this.getName()
.matches([
"%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy", "__builtin___strcpy_chk",
"__builtin___stpcpy_chk", "__builtin___stpncpy_chk", "__builtin___strncpy_chk"
]) and
result = 2 result = 2
) )
} }
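Review bot: In the `matches([...])` hunk, the pre-existing `%ncpy%` wildcard already matches `__builtin___strncpy_chk` and `__builtin___stpncpy_chk`, so the two explicit entries for them are redundant; only `"__builtin___strcpy_chk"` and `"__builtin___stpcpy_chk"` add coverage, and the list can read `"%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy", "__builtin___strcpy_chk", "__builtin___stpcpy_chk"`. For those two names parameter 2 is the `magic` destination object size per the new signature comments rather than a copy count, and since the predicate yielding `result` is named outside the hunk, a one-line comment such as `// for the *_chk variants, parameter 2 is the destination object size` next to the list would make that intent explicit. The enclosing predicate starts outside this hunk.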