C++: Remove hasTaintFlow from poll and select functions.

This commit is contained in:
Mathias Vorreiter Pedersen
2021-02-21 17:23:19 +01:00
parent 576a872316
commit f908d2f1de
4 changed files with 2 additions and 101 deletions


@@ -5,14 +5,13 @@
import semmle.code.cpp.Function
import semmle.code.cpp.models.interfaces.ArrayFunction
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.SideEffect
/**
* The function `poll` and its assorted variants
*/
private class Poll extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
private class Poll extends ArrayFunction, AliasFunction, SideEffectFunction {
Poll() { this.hasGlobalName(["poll", "ppoll", "WSAPoll"]) }
override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
@@ -29,11 +28,6 @@ private class Poll extends ArrayFunction, AliasFunction, TaintFunction, SideEffe
override predicate parameterIsAlwaysReturned(int index) { none() }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isParameterDeref(0) and
output.isParameterDeref(0)
}
override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
i = 0 and buffer = true and mustWrite = false
}
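Review bot: Nothing left in Poll.qll explains why `poll` has no taint model now that `TaintFunction` is gone from the class header, so a later modeller of `revents` is likely to re-add the identity flow this commit removes. The deleted predicate only mapped `input.isParameterDeref(0)` onto `output.isParameterDeref(0)`, and the `hasSpecificWriteSideEffect` that remains (`mustWrite = false`) already expresses that the buffer is only partially overwritten, so the extra edge appears to have been redundant rather than wrong. I would extend the class doc comment with ` * No taint flow is modelled: the only data poll writes back is `revents`, which presumably does not derive from the caller's buffer contents.` The `import semmle.code.cpp.models.interfaces.Taint` line is unused once the class no longer extends `TaintFunction`; the rendered page does not show whether this commit drops it, so please check. The class body continues past the end of the hunk.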


@@ -5,14 +5,13 @@
import semmle.code.cpp.Function
import semmle.code.cpp.models.interfaces.ArrayFunction
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.SideEffect
/**
* The function `select` and its assorted variants
*/
private class Select extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
private class Select extends ArrayFunction, AliasFunction, SideEffectFunction {
Select() { this.hasGlobalName(["select", "pselect"]) }
override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = [1 .. 3] }
@@ -27,13 +26,6 @@ private class Select extends ArrayFunction, AliasFunction, TaintFunction, SideEf
override predicate parameterIsAlwaysReturned(int index) { none() }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
exists(int i | i = [1 .. 3] |
input.isParameterDeref(i) and
output.isParameterDeref(i)
)
}
override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
i = [1 .. 3] and buffer = true and mustWrite = false
}
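Review bot: The removed `hasTaintFlow` for `select` related each of the three `fd_set` parameters (`[1 .. 3]`) only to itself, which duplicates what the surviving `hasSpecificWriteSideEffect(i = [1 .. 3], buffer = true, mustWrite = false)` already conveys, so the deletion looks safe; a one-line comment above that predicate, ` // Partial write: fd_sets are filtered in place, so no separate taint model is needed.`, would stop the flow from being re-added. With `TaintFunction` removed, `import semmle.code.cpp.models.interfaces.Taint` has no remaining use in this file, and I cannot tell from the rendered page whether it was deleted. I would also keep a `test_select` case in the test suite with its expectation updated rather than deleting it, so the post-commit behaviour of a tainted `fd_set` across `select` stays pinned. The class body continues past the end of the hunk.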


@@ -22,43 +22,3 @@ void test_accept() {
sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir
sink(addr); // $ ast MISSING: ir
}
// --- poll ---
struct pollfd {
int fd;
short events;
short revents;
};
int poll(struct pollfd *, int, int);
void test_poll() {
pollfd pfds;
pfds.events = 1;
pfds.fd = source();
poll(&pfds, 1, -1);
sink(pfds); // $ ast MISSING: ir
}
// --- select ---
typedef struct {} timeval;
typedef struct fd_set {
int fd_count;
int fd_array[4096];
} fd_set;
int select(int, fd_set *, fd_set *, fd_set *, timeval *);
void test_select(timeval timeout) {
fd_set readfds;
readfds.fd_count = 1;
readfds.fd_array[0] = source();
select(2, &readfds, nullptr, nullptr, &timeout);
sink(&readfds); // $ ast MISSING: ir
}


@@ -146,51 +146,6 @@
| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | & ... | |
| bsd.cpp:20:28:20:32 | ref arg & ... | bsd.cpp:20:29:20:32 | size [inner post update] | |
| bsd.cpp:20:29:20:32 | size | bsd.cpp:20:28:20:32 | & ... | |
| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:39:3:39:6 | pfds | |
| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:40:3:40:6 | pfds | |
| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:41:9:41:12 | pfds | |
| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:43:8:43:11 | pfds | |
| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:40:3:40:6 | pfds | |
| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:41:9:41:12 | pfds | |
| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:43:8:43:11 | pfds | |
| bsd.cpp:39:3:39:17 | ... = ... | bsd.cpp:39:8:39:13 | events [post update] | |
| bsd.cpp:39:17:39:17 | 1 | bsd.cpp:39:3:39:17 | ... = ... | |
| bsd.cpp:40:3:40:6 | pfds [post update] | bsd.cpp:41:9:41:12 | pfds | |
| bsd.cpp:40:3:40:6 | pfds [post update] | bsd.cpp:43:8:43:11 | pfds | |
| bsd.cpp:40:3:40:20 | ... = ... | bsd.cpp:40:8:40:9 | fd [post update] | |
| bsd.cpp:40:13:40:18 | call to source | bsd.cpp:40:3:40:20 | ... = ... | |
| bsd.cpp:41:8:41:12 | & ... | bsd.cpp:41:8:41:12 | ref arg & ... | TAINT |
| bsd.cpp:41:8:41:12 | ref arg & ... | bsd.cpp:41:9:41:12 | pfds [inner post update] | |
| bsd.cpp:41:8:41:12 | ref arg & ... | bsd.cpp:43:8:43:11 | pfds | |
| bsd.cpp:41:9:41:12 | pfds | bsd.cpp:41:8:41:12 | & ... | |
| bsd.cpp:41:9:41:12 | pfds | bsd.cpp:41:8:41:12 | ref arg & ... | TAINT |
| bsd.cpp:41:19:41:19 | 1 | bsd.cpp:41:18:41:19 | - ... | TAINT |
| bsd.cpp:57:26:57:32 | timeout | bsd.cpp:62:42:62:48 | timeout | |
| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:60:3:60:9 | readfds | |
| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:61:3:61:9 | readfds | |
| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:62:14:62:20 | readfds | |
| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:63:9:63:15 | readfds | |
| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:61:3:61:9 | readfds | |
| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:62:14:62:20 | readfds | |
| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:63:9:63:15 | readfds | |
| bsd.cpp:60:3:60:22 | ... = ... | bsd.cpp:60:11:60:18 | fd_count [post update] | |
| bsd.cpp:60:22:60:22 | 1 | bsd.cpp:60:3:60:22 | ... = ... | |
| bsd.cpp:61:3:61:9 | readfds [post update] | bsd.cpp:62:14:62:20 | readfds | |
| bsd.cpp:61:3:61:9 | readfds [post update] | bsd.cpp:63:9:63:15 | readfds | |
| bsd.cpp:61:3:61:21 | access to array [post update] | bsd.cpp:61:11:61:18 | fd_array [inner post update] | |
| bsd.cpp:61:3:61:32 | ... = ... | bsd.cpp:61:3:61:21 | access to array [post update] | |
| bsd.cpp:61:11:61:18 | fd_array | bsd.cpp:61:3:61:21 | access to array | |
| bsd.cpp:61:20:61:20 | 0 | bsd.cpp:61:3:61:21 | access to array | TAINT |
| bsd.cpp:61:25:61:30 | call to source | bsd.cpp:61:3:61:32 | ... = ... | |
| bsd.cpp:62:13:62:20 | & ... | bsd.cpp:62:13:62:20 | ref arg & ... | TAINT |
| bsd.cpp:62:13:62:20 | ref arg & ... | bsd.cpp:62:14:62:20 | readfds [inner post update] | |
| bsd.cpp:62:13:62:20 | ref arg & ... | bsd.cpp:63:9:63:15 | readfds | |
| bsd.cpp:62:14:62:20 | readfds | bsd.cpp:62:13:62:20 | & ... | |
| bsd.cpp:62:14:62:20 | readfds | bsd.cpp:62:13:62:20 | ref arg & ... | TAINT |
| bsd.cpp:62:41:62:48 | ref arg & ... | bsd.cpp:62:42:62:48 | timeout [inner post update] | |
| bsd.cpp:62:42:62:48 | timeout | bsd.cpp:62:41:62:48 | & ... | |
| bsd.cpp:63:8:63:15 | ref arg & ... | bsd.cpp:63:9:63:15 | readfds [inner post update] | |
| bsd.cpp:63:9:63:15 | readfds | bsd.cpp:63:8:63:15 | & ... | |
| constructor_delegation.cpp:8:2:8:8 | this | constructor_delegation.cpp:8:20:8:24 | constructor init of field x [pre-this] | |
| constructor_delegation.cpp:8:14:8:15 | _x | constructor_delegation.cpp:8:22:8:23 | _x | |
| constructor_delegation.cpp:8:22:8:23 | _x | constructor_delegation.cpp:8:20:8:24 | constructor init of field x | TAINT |