Merge pull request #11823 from geoffw0/heuristicalloc

C++: Use HeuristicAllocationExpr in more queries
2026-05-01 11:45:14 +02:00 · 2023-01-06 13:13:14 +00:00
parent f5e5f6dfd1 bb451f3911
commit f3914ffe25
18 changed files with 124 additions and 15 deletions
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -21,7 +21,7 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.commons.NullTermination

-predicate terminationProblem(AllocationExpr malloc, string msg) {
+predicate terminationProblem(HeuristicAllocationExpr malloc, string msg) {
  // malloc(strlen(...))
  exists(StrlenCall strlen | DataFlow::localExprFlow(strlen, malloc.getSizeExpr())) and
  // flows to a call that implies this is a null-terminated string
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -25,9 +25,8 @@ import DataFlow::PathGraph
 * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
 * taint sink.
 */
-predicate allocSink(Expr alloc, DataFlow::Node sink) {
+predicate allocSink(HeuristicAllocationExpr alloc, DataFlow::Node sink) {
  exists(Expr e | e = sink.asConvertedExpr() |
-    isAllocationExpr(alloc) and
    e = alloc.getAChild() and
    e.getUnspecifiedType() instanceof IntegralType
  )
@@ -89,6 +88,10 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
      readsVariable(access.getDef(), checkedVar) and
      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
    )
+    or
+    // block flow to inside of identified allocation functions (this flow leads
+    // to duplicate results)
+    any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()
  }
 }

--- a/cpp/ql/src/change-notes/2023-01-05-heuristic-allocations.md
+++ b/cpp/ql/src/change-notes/2023-01-05-heuristic-allocations.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/no-space-for-terminator` and `cpp/uncontrolled-allocation-size` queries have been enhanced with heuristic detection of allocations. These queries now find more results.
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -29,7 +29,7 @@ class MultToAllocConfig extends DataFlow::Configuration {

  override predicate isSink(DataFlow::Node node) {
    // something that affects an allocation size
-    node.asExpr() = any(AllocationExpr ae).getSizeExpr().getAChild*()
+    node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
  }
 }