Implement SIG30-C

Extract library Signal.qll

Author: mbaluda

c/cert/src/rules/ERR32-C/DoNotRelyOnIndeterminateValuesOfErrno.ql

@@ -13,21 +13,9 @@
 import cpp
 import codingstandards.c.cert
 import codingstandards.c.Errno
+import codingstandards.c.Signal
 import semmle.code.cpp.controlflow.Guards
 
-/**
- * A call to function `signal`
- */
-class SignalCall extends FunctionCall {
-  SignalCall() { this.getTarget().hasGlobalName("signal") }
-}
-
-/**
- * A call to `abort` or `_Exit`
- */
-class AbortCall extends FunctionCall {
-  AbortCall() { this.getTarget().hasGlobalName(["abort", "_Exit"]) }
-}
 
 /**
  * A check on `signal` call return value
@@ -47,22 +35,16 @@ class SignalCheckOperation extends EqualityOperation, GuardCondition {
     )
   }
 
-  BasicBlock getCheckedSuccessor() {
-    result != errorSuccessor and result = this.getASuccessor()
-  }
+  BasicBlock getCheckedSuccessor() { result != errorSuccessor and result = this.getASuccessor() }
 
   BasicBlock getErrorSuccessor() { result = errorSuccessor }
 }
 
 /**
  * Models signal handlers that call signal() and return
  */
-class SignalCallingHandler extends Function {
-  SignalCall registration;
-
+class SignalCallingHandler extends SignalHandler {
   SignalCallingHandler() {
-    // is a signal handler
-    this = registration.getArgument(1).(FunctionAccess).getTarget() and
     // calls signal() on the handled signal
     exists(SignalCall sCall |
       sCall.getEnclosingFunction() = this and
@@ -75,8 +57,6 @@ class SignalCallingHandler extends Function {
       )
     )
   }
-
-  SignalCall getCall() { result = registration }
 }
 
 /**
@@ -100,7 +80,7 @@ where
   not isExcluded(errno, Contracts5Package::doNotRelyOnIndeterminateValuesOfErrnoQuery()) and
   exists(SignalCallingHandler handler |
     // errno read after the handler returns
-    handler.getCall() = signal
+    handler.getRegistration() = signal
     or
     // errno read inside the handler
     signal.getEnclosingFunction() = handler

c/cert/src/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.ql

@@ -11,8 +11,109 @@
 
 import cpp
 import codingstandards.c.cert
+import codingstandards.c.Signal
+import semmle.code.cpp.dataflow.DataFlow
 
-from
+/**
+ * Does not an access an external variable except
+ * to assign a value to a volatile static variable of sig_atomic_t type
+ */
+class AsyncSafeVariableAccess extends VariableAccess {
+  AsyncSafeVariableAccess() {
+    this.getTarget() instanceof StackVariable
+    or
+    this.getTarget().getType().hasName("volatile sig_atomic_t") and // TODO search without "volatile"
+    this.isModified() and
+    this.getTarget().isVolatile()
+  }
+}
+
+abstract class AsyncSafeFunction extends Function { }
+
+/**
+ * C standard library ayncronous-safe functions
+ */
+class CAsyncSafeFunction extends AsyncSafeFunction {
+  //tion, or the signal function with the first argument equal to the signal number corresponding to the signal that caused the invocation of the handler
+  CAsyncSafeFunction() { this.hasGlobalName(["abort", "_Exit", "quick_exit", "signal"]) }
+}
+
+/**
+ * POSIX defined ayncronous-safe functions
+ */
+class PosixAsyncSafeFunction extends AsyncSafeFunction {
+  PosixAsyncSafeFunction() {
+    this.hasGlobalName([
+        "_Exit", "_exit", "abort", "accept", "access", "aio_error", "aio_return", "aio_suspend",
+        "alarm", "bind", "cfgetispeed", "cfgetospeed", "cfsetispeed", "cfsetospeed", "chdir",
+        "chmod", "chown", "clock_gettime", "close", "connect", "creat", "dup", "dup2", "execl",
+        "execle", "execv", "execve", "faccessat", "fchdir", "fchmod", "fchmodat", "fchown",
+        "fchownat", "fcntl", "fdatasync", "fexecve", "fork", "fstat", "fstatat", "fsync",
+        "ftruncate", "futimens", "getegid", "geteuid", "getgid", "getgroups", "getpeername",
+        "getpgrp", "getpid", "getppid", "getsockname", "getsockopt", "getuid", "kill", "link",
+        "linkat", "listen", "lseek", "lstat", "mkdir", "mkdirat", "mkfifo", "mkfifoat", "mknod",
+        "mknodat", "open", "openat", "pause", "pipe", "poll", "posix_trace_event", "pselect",
+        "pthread_kill", "pthread_self", "pthread_sigmask", "raise", "read", "readlink",
+        "readlinkat", "recv", "recvfrom", "recvmsg", "rename", "renameat", "rmdir", "select",
+        "sem_post", "send", "sendmsg", "sendto", "setgid", "setpgid", "setsid", "setsockopt",
+        "setuid", "shutdown", "sigaction", "sigaddset", "sigdelset", "sigemptyset", "sigfillset",
+        "sigismember", "signal", "sigpause", "sigpending", "sigprocmask", "sigqueue", "sigset",
+        "sigsuspend", "sleep", "sockatmark", "socket", "socketpair", "stat", "symlink", "symlinkat",
+        "tcdrain", "tcflow", "tcflush", "tcgetattr", "tcgetpgrp", "tcsendbreak", "tcsetattr",
+        "tcsetpgrp", "time", "timer_getoverrun", "timer_gettime", "timer_settime", "times", "umask",
+        "uname", "unlink", "unlinkat", "utime", "utimensat", "utimes", "wait", "waitpid", "write"
+      ])
+  }
+}
+
+/**
+ * Application defined ayncronous-safe functions
+ */
+class ApplicationAsyncSafeFunction extends AsyncSafeFunction {
+  pragma[nomagic]
+  ApplicationAsyncSafeFunction() {
+    // Application-defined
+    this.hasDefinition() and
+    exists(this.getFile().getRelativePath()) and
+    // Only references async-safe variables
+    not exists(VariableAccess va |
+      this = va.getEnclosingFunction() and not va instanceof AsyncSafeVariableAccess
+    ) and
+    // Only calls async-safe functions
+    not exists(Function f | this.calls(f) and not f instanceof AsyncSafeFunction)
+  }
+}
+
+/**
+ * Call to function `raise` withing a signal handler with mismatching signals
+ * ```
+ * void int_handler(int signum) {
+ *   raise(SIGTERM);
+ * }
+ * int main(void) {
+ *   signal(SIGINT, int_handler);
+ * }
+ * ```
+ */
+class AsyncUnsafeRaiseCall extends FunctionCall {
+  AsyncUnsafeRaiseCall() {
+    this.getTarget().hasGlobalName("raise") and
+    exists(SignalHandler handler | handler = this.getEnclosingFunction() |
+      not handler.getRegistration().getArgument(0).getValue() = this.getArgument(0).getValue() and
+      not DataFlow::localFlow(DataFlow::parameterNode(handler.getParameter(0)),
+        DataFlow::exprNode(this.getArgument(0)))
+    )
+  }
+}
+
+from FunctionCall fc, SignalHandler handler
 where
-  not isExcluded(x, SignalHandlersPackage::callOnlyAsyncSafeFunctionsWithinSignalHandlersQuery()) and
-select
+  not isExcluded(fc, SignalHandlersPackage::callOnlyAsyncSafeFunctionsWithinSignalHandlersQuery()) and
+  handler = fc.getEnclosingFunction() and
+  (
+    not fc.getTarget() instanceof AsyncSafeFunction
+    or
+    fc instanceof AsyncUnsafeRaiseCall
+  )
+select fc, "Asyncronous-unsafe function calls within a $@ can lead to undefined behavior.",
+  handler.getRegistration(), "signal handler"

c/cert/test/rules/SIG30-C/CallOnlyAsyncSafeFunctionsWithinSignalHandlers.expected

@@ -1 +1,4 @@
-No expected results have yet been specified
+| test.c:11:3:11:18 | call to log_local_unsafe | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:17:7:17:12 | call to signal | signal handler |
+| test.c:12:3:12:6 | call to free | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:17:7:17:12 | call to signal | signal handler |
+| test.c:48:3:48:9 | call to longjmp | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:52:7:52:12 | call to signal | signal handler |
+| test.c:78:7:78:11 | call to raise | Asyncronous-unsafe function calls within a $@ can lead to undefined behavior. | test.c:93:7:93:12 | call to signal | signal handler |

c/cert/test/rules/SIG30-C/test.c

@@ -0,0 +1,123 @@
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+enum { MAXLINE = 1024 };
+char *info = NULL;
+
+void log_local_unsafe(void) { fputs(info, stderr); }
+
+void handler1(int signum) {
+  log_local_unsafe(); // NON_COMPLIANT
+  free(info);         // NON_COMPLIANT
+  info = NULL;
+}
+
+int f1(void) {
+  if (signal(SIGINT, handler1) == SIG_ERR) // COMPLIANT
+  {
+    //...
+  }
+
+  log_local_unsafe(); // COMPLIANT
+
+  return 0;
+}
+
+volatile sig_atomic_t eflag = 0;
+
+void handler2(int signum) { eflag = 1; }
+
+int f2(void) {
+  if (signal(SIGINT, handler2) == SIG_ERR) {
+    // ...
+  }
+
+  while (!eflag) {
+    log_local_unsafe(); // COMPLIANT
+  }
+
+  return 0;
+}
+
+#include <setjmp.h>
+
+static jmp_buf env;
+
+void handler3(int signum) {
+  longjmp(env, 1); // NON_COMPLIANT
+}
+
+int f3(void) {
+  if (signal(SIGINT, handler3) == SIG_ERR) {
+    // ...
+  }
+  log_local_unsafe();
+
+  return 0;
+}
+
+int f4(void) {
+  if (signal(SIGINT, handler2) == SIG_ERR) {
+    // ...
+  }
+
+  while (!eflag) {
+
+    log_local_unsafe();
+  }
+
+  return 0;
+}
+
+void term_handler(int signum) { // SIGTERM handler
+}
+
+void int_handler(int signum) {
+  // SIGINT handler
+  if (raise(SIGTERM) != 0) { // NON_COMPLIANT
+    // ...
+  }
+  if (raise(SIGINT) != 0) { // COMPLIANT
+    // ...
+  }
+    if (raise(signum) != 0) { // COMPLIANT
+    // ...
+  }
+}
+
+int f5(void) {
+  if (signal(SIGTERM, term_handler) == SIG_ERR) {
+    // ...
+  }
+  if (signal(SIGINT, int_handler) == SIG_ERR) {
+    // ...
+  }
+
+  if (raise(SIGINT) != 0) {
+    // ...
+  }
+
+  return EXIT_SUCCESS;
+}
+
+void int_handler6(int signum) {
+
+  term_handler(SIGTERM); // COMPLIANT
+}
+
+int f6(void) {
+  if (signal(SIGTERM, term_handler) == SIG_ERR) {
+    // ...
+  }
+  if (signal(SIGINT, int_handler6) == SIG_ERR) {
+    // ...
+  }
+
+  if (raise(SIGINT) != 0) // COMPLIANT
+  {
+    // ...
+  }
+
+  return EXIT_SUCCESS;
+}

c/common/src/codingstandards/c/Signal.qll

@@ -0,0 +1,29 @@
+import cpp
+
+/**
+ * A call to function `signal`
+ */
+class SignalCall extends FunctionCall {
+  SignalCall() { this.getTarget().hasGlobalName("signal") }
+}
+
+/**
+ * A signal handler
+ */
+class SignalHandler extends Function {
+  SignalCall registration;
+
+  SignalHandler() {
+    // is a signal handler
+    this = registration.getArgument(1).(FunctionAccess).getTarget()
+  }
+
+  SignalCall getRegistration() { result = registration }
+}
+
+/**
+ * A call to `abort` or `_Exit` or `quick_exit`
+ */
+class AbortCall extends FunctionCall {
+  AbortCall() { this.getTarget().hasGlobalName(["abort", "_Exit", "quick_exit"]) }
+}