Merge pull request #10398 from MathiasVP/further-work-on-buffer-over-queries

Robert Marsh · web-flow · commit c2dfbd47a30b · 2022-09-23T11:06:32.000-04:00
C++: Further work on buffer-overflow queries
diff --git a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
@@ -1,3 +1,13 @@
+/**
+ * @name Off-by-one in array access
+ * @description TODO
+ * @kind path-problem
+ * @problem.severity error
+ * @id cpp/off-by-one-array-access
+ * @tags reliability
+ *       security
+ */
+
 import cpp
 import experimental.semmle.code.cpp.dataflow.ProductFlow
 import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
@@ -7,6 +17,21 @@ import semmle.code.cpp.ir.IR
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.ir.IRConfiguration
+import DataFlow::PathGraph
+
+// temporary - custom allocator for ffmpeg
+class AvBufferAlloc extends AllocationFunction {
+  AvBufferAlloc() { this.hasGlobalName(["av_mallocz", "av_malloc"]) }
+
+  override int getSizeArg() { result = 0 }
+}
+
+// temporary - custom allocator for php
+class PhpEmalloc extends AllocationFunction {
+  PhpEmalloc() { this.hasGlobalName(["_emalloc"]) }
+
+  override int getSizeArg() { result = 0 }
+}
 
 predicate bounded(Instruction i, Bound b, int delta, boolean upper) {
   // TODO: reason
@@ -17,18 +42,12 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
   ArraySizeConfiguration() { this = "ArraySizeConfiguration" }
 
   override predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) {
-    exists(GVN sizeGvn |
-      source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
-      source2.asConvertedExpr() = sizeGvn.getAnExpr()
-    )
+    source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = source2.asConvertedExpr()
   }
 
   override predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) {
-    exists(PointerAddInstruction pai, Instruction index, Bound b, int delta |
-      pai.getRight() = index and
-      pai.getLeft() = sink1.asInstruction() and
-      bounded(index, b, delta, true) and
-      sink2.asInstruction() = b.getInstruction() and
+    exists(PointerAddInstruction pai, int delta |
+      isSinkPair1(sink1, sink2, pai, delta) and
       (
         delta = 0 and
         exists(DataFlow::Node paiNode, DataFlow::Node derefNode |
@@ -43,9 +62,22 @@ class ArraySizeConfiguration extends ProductFlow::Configuration {
   }
 }
 
+pragma[nomagic]
+predicate isSinkPair1(
+  DataFlow::Node sink1, DataFlow::Node sink2, PointerAddInstruction pai, int delta
+) {
+  exists(Instruction index, ValueNumberBound b |
+    pai.getRight() = index and
+    pai.getLeft() = sink1.asInstruction() and
+    bounded(index, b, delta, true) and
+    sink2.asInstruction() = b.getInstruction()
+  )
+}
+
 from
   ArraySizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
   DataFlow::PathNode sink1, DataFlow2::PathNode sink2
 where conf.hasFlowPath(source1, source2, sink1, sink2)
 // TODO: pull delta out and display it
-select source1, source2, sink1, sink2
+select sink1.getNode(), source1, sink1, "Off-by one error allocated at $@ bounded by $@.", source1,
+  source1.toString(), sink2, sink2.toString()
diff --git a/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql
@@ -1,20 +1,26 @@
+/**
+ * @name Overrunning write
+ * @description TODO
+ * @kind path-problem
+ * @problem.severity error
+ * @id cpp/overrun-write
+ * @tags reliability
+ *       security
+ */
+
 import cpp
 import experimental.semmle.code.cpp.dataflow.ProductFlow
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.models.interfaces.ArrayFunction
+import DataFlow::PathGraph
 
 class StringSizeConfiguration extends ProductFlow::Configuration {
   StringSizeConfiguration() { this = "StringSizeConfiguration" }
 
   override predicate isSourcePair(DataFlow::Node bufSource, DataFlow::Node sizeSource) {
-    exists(
-      GVN sizeGvn // TODO: use-use flow instead of GVN
-    |
-      bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
-      sizeSource.asConvertedExpr() = sizeGvn.getAnExpr()
-    )
+    bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeSource.asConvertedExpr()
   }
 
   override predicate isSinkPair(DataFlow::Node bufSink, DataFlow::Node sizeSink) {
@@ -31,4 +37,6 @@ from
   StringSizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
   DataFlow::PathNode sink1, DataFlow2::PathNode sink2
 where conf.hasFlowPath(source1, source2, sink1, sink2)
-select source1, source2, sink1, sink2
+// TODO: pull delta out and display it
+select sink1.getNode(), source1, sink1, "Overrunning write allocated at $@ bounded by $@.", source1,
+  source1.toString(), sink2, sink2.toString()
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected
@@ -1,2 +1,33 @@
-| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:26:18:26:23 | Load | test.cpp:26:31:26:39 | Convert |
-| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:30:18:30:23 | Load | test.cpp:30:31:30:39 | Convert |
+edges
+| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:24:21:24:31 | Call indirection [string] |
+| test.cpp:16:11:16:21 | VariableAddress indirection [string] | test.cpp:34:21:34:31 | Call indirection [string] |
+| test.cpp:18:5:18:30 | Store | test.cpp:18:10:18:15 | Load indirection [post update] [string] |
+| test.cpp:18:10:18:15 | Load indirection [post update] [string] | test.cpp:16:11:16:21 | VariableAddress indirection [string] |
+| test.cpp:18:19:18:24 | call to malloc | test.cpp:18:5:18:30 | Store |
+| test.cpp:24:21:24:31 | Call indirection [string] | test.cpp:26:13:26:15 | Load indirection [string] |
+| test.cpp:26:13:26:15 | Load indirection [string] | test.cpp:26:18:26:23 | FieldAddress indirection |
+| test.cpp:26:18:26:23 | FieldAddress indirection | test.cpp:26:18:26:23 | Load |
+| test.cpp:29:32:29:34 | str indirection [string] | test.cpp:30:13:30:15 | Load indirection [string] |
+| test.cpp:30:13:30:15 | Load indirection [string] | test.cpp:30:18:30:23 | FieldAddress indirection |
+| test.cpp:30:18:30:23 | FieldAddress indirection | test.cpp:30:18:30:23 | Load |
+| test.cpp:34:21:34:31 | Call indirection [string] | test.cpp:35:21:35:23 | str indirection [string] |
+| test.cpp:35:21:35:23 | str indirection [string] | test.cpp:29:32:29:34 | str indirection [string] |
+nodes
+| test.cpp:16:11:16:21 | VariableAddress indirection [string] | semmle.label | VariableAddress indirection [string] |
+| test.cpp:18:5:18:30 | Store | semmle.label | Store |
+| test.cpp:18:10:18:15 | Load indirection [post update] [string] | semmle.label | Load indirection [post update] [string] |
+| test.cpp:18:19:18:24 | call to malloc | semmle.label | call to malloc |
+| test.cpp:24:21:24:31 | Call indirection [string] | semmle.label | Call indirection [string] |
+| test.cpp:26:13:26:15 | Load indirection [string] | semmle.label | Load indirection [string] |
+| test.cpp:26:18:26:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
+| test.cpp:26:18:26:23 | Load | semmle.label | Load |
+| test.cpp:29:32:29:34 | str indirection [string] | semmle.label | str indirection [string] |
+| test.cpp:30:13:30:15 | Load indirection [string] | semmle.label | Load indirection [string] |
+| test.cpp:30:18:30:23 | FieldAddress indirection | semmle.label | FieldAddress indirection |
+| test.cpp:30:18:30:23 | Load | semmle.label | Load |
+| test.cpp:34:21:34:31 | Call indirection [string] | semmle.label | Call indirection [string] |
+| test.cpp:35:21:35:23 | str indirection [string] | semmle.label | str indirection [string] |
+subpaths
+#select
+| test.cpp:26:18:26:23 | Load | test.cpp:18:19:18:24 | call to malloc | test.cpp:26:18:26:23 | Load | Overrunning write allocated at $@ bounded by $@. | test.cpp:18:19:18:24 | call to malloc | call to malloc | test.cpp:26:31:26:39 | Convert | Convert |
+| test.cpp:30:18:30:23 | Load | test.cpp:18:19:18:24 | call to malloc | test.cpp:30:18:30:23 | Load | Overrunning write allocated at $@ bounded by $@. | test.cpp:18:19:18:24 | call to malloc | call to malloc | test.cpp:30:31:30:39 | Convert | Convert |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp
@@ -15,8 +15,8 @@ typedef struct
 
 string_t *mk_string_t(int size) {
     string_t *str = (string_t *) malloc(sizeof(string_t));
-    str->size = size;
     str->string = malloc(size);
+    str->size = size;
     return str;
 }
 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,8 @@ typedef struct`
`15`	`15`
`16`	`16`	`string_t *mk_string_t(int size) {`
`17`	`17`	`string_t str = (string_t ) malloc(sizeof(string_t));`
`18`		`- str->size = size;`
`19`	`18`	`str->string = malloc(size);`
	`19`	`+ str->size = size;`
`20`	`20`	`return str;`
`21`	`21`	`}`
`22`	`22`