
Commit ca561a0

author
Robert Marsh
committed
C++: model taint from pointers to aliased buffers
1 parent e8ac905 commit ca561a0

2 files changed

Lines changed: 123 additions & 0 deletions


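--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -142,4 +142,22 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut) {
 modelMidOut.isParameterDeref(indexMid) and
 modelMidIn.isParameter(indexMid)
 )
+or
+// Taint flow from a pointer argument to an output, when the model specifies flow from the deref
+// to that output, but the deref is not modeled in the IR for the caller.
+exists(
+CallInstruction call, ReadSideEffectInstruction read, Function func,
+FunctionInput modelIn, FunctionOutput modelOut
+|
+read.getSideEffectOperand() = callInput(call, modelIn).asOperand() and
+read.getArgumentDef() = nodeIn.asInstruction() and
+not read.getSideEffect().isResultModeled() and
+call.getStaticCallTarget() = func and
+(
+func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
+or
+func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
+) and
+nodeOut.asInstruction() = callOutput(call, modelOut)
+)
 }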
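Review bot: The new disjunct binds the pointer argument's own definition as the taint source (`read.getArgumentDef() = nodeIn.asInstruction()`) whenever the caller's deref side effect is unmodeled, so a tainted pointer value whose pointee is untainted now also reaches `callOutput(call, modelOut)`; that over-approximation is the point of the change for aliased buffers, but the comment above `exists(` does not say so, and it is the first thing a reader of a surprising path will ask. I would extend that comment with `// The pointer itself stands in for the unmodeled deref, so this deliberately over-approximates: a tainted pointer value (not only a tainted pointee) reaches the output.` The disjunct also never states that modelIn is a deref input; it relies on `callInput(call, modelIn).asOperand()` only ever matching a side-effect operand for deref inputs, which is presumably true but worth either a one-line comment or an explicit `modelIn.isParameterDeref(_)` conjunct if that is the contract. The enclosing predicate modeledTaintStep begins before this hunk.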

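--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
@@ -61,6 +61,47 @@ edges
 | argvLocal.c:106:9:106:13 | access to array | argvLocal.c:106:9:106:13 | access to array |
 | argvLocal.c:110:9:110:11 | * ... | argvLocal.c:110:9:110:11 | (const char *)... |
 | argvLocal.c:110:9:110:11 | * ... | argvLocal.c:110:9:110:11 | * ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | printWrapper output argument |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection |
+| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | Argument 0 indirection |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | Argument 0 indirection |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | Argument 0 indirection |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | i4 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:122:15:122:16 | printWrapper output argument |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | Argument 0 indirection |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | Argument 0 indirection |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | Argument 0 indirection |
 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 |
@@ -93,6 +134,22 @@ edges
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | Argument 0 indirection |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | Argument 0 indirection |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | Argument 0 indirection |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | Argument 0 indirection |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
+| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
@@ -150,6 +207,22 @@ nodes
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
 | argvLocal.c:111:15:111:17 | * ... | semmle.label | * ... |
+| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
+| argvLocal.c:115:13:115:16 | argv | semmle.label | argv |
+| argvLocal.c:116:9:116:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:116:9:116:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:116:9:116:10 | i3 | semmle.label | i3 |
+| argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:117:15:117:16 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:117:15:117:16 | i3 | semmle.label | i3 |
+| argvLocal.c:117:15:117:16 | printWrapper output argument | semmle.label | printWrapper output argument |
+| argvLocal.c:121:9:121:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:121:9:121:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:121:9:121:10 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:122:15:122:16 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:122:15:122:16 | i4 | semmle.label | i4 |
+| argvLocal.c:122:15:122:16 | printWrapper output argument | semmle.label | printWrapper output argument |
 | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
 | argvLocal.c:126:10:126:13 | argv | semmle.label | argv |
 | argvLocal.c:127:9:127:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
@@ -165,6 +238,12 @@ nodes
 | argvLocal.c:132:15:132:20 | ... + ... | semmle.label | ... + ... |
 | argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection |
 | argvLocal.c:132:15:132:20 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:135:9:135:12 | ... ++ | semmle.label | ... ++ |
+| argvLocal.c:135:9:135:12 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:135:9:135:12 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:136:15:136:18 | -- ... | semmle.label | -- ... |
+| argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:136:15:136:18 | Argument 0 indirection | semmle.label | Argument 0 indirection |
 | argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:144:9:144:10 | (const char *)... | semmle.label | (const char *)... |
 | argvLocal.c:144:9:144:10 | i7 | semmle.label | i7 |
@@ -183,6 +262,22 @@ nodes
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
 | argvLocal.c:151:15:151:16 | i8 | semmle.label | i8 |
+| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
+| argvLocal.c:156:23:156:26 | argv | semmle.label | argv |
+| argvLocal.c:157:9:157:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:157:9:157:10 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:157:9:157:10 | i9 | semmle.label | i9 |
+| argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:158:15:158:16 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:158:15:158:16 | i9 | semmle.label | i9 |
+| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
+| argvLocal.c:163:22:163:25 | argv | semmle.label | argv |
+| argvLocal.c:164:9:164:11 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:164:9:164:11 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:164:9:164:11 | i91 | semmle.label | i91 |
+| argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:165:15:165:17 | Argument 0 indirection | semmle.label | Argument 0 indirection |
+| argvLocal.c:165:15:165:17 | i91 | semmle.label | i91 |
 | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
 | argvLocal.c:168:18:168:21 | argv | semmle.label | argv |
 | argvLocal.c:169:9:169:20 | (char *)... | semmle.label | (char *)... |
@@ -206,13 +301,23 @@ nodes
 | argvLocal.c:107:15:107:19 | access to array | argvLocal.c:105:14:105:17 | argv | argvLocal.c:107:15:107:19 | access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
 | argvLocal.c:110:9:110:11 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:110:9:110:11 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
 | argvLocal.c:111:15:111:17 | * ... | argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:105:14:105:17 | argv | argv |
+| argvLocal.c:116:9:116:10 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:117:15:117:16 | i3 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:117:15:117:16 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:121:9:121:10 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:121:9:121:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:122:15:122:16 | i4 | argvLocal.c:115:13:115:16 | argv | argvLocal.c:122:15:122:16 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
 | argvLocal.c:127:9:127:10 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:127:9:127:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
 | argvLocal.c:128:15:128:16 | i5 | argvLocal.c:126:10:126:13 | argv | argvLocal.c:128:15:128:16 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
 | argvLocal.c:131:9:131:14 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:131:9:131:14 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
 | argvLocal.c:132:15:132:20 | ... + ... | argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:126:10:126:13 | argv | argv |
+| argvLocal.c:135:9:135:12 | ... ++ | argvLocal.c:115:13:115:16 | argv | argvLocal.c:135:9:135:12 | ... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
+| argvLocal.c:136:15:136:18 | -- ... | argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:115:13:115:16 | argv | argv |
 | argvLocal.c:144:9:144:10 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:144:9:144:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
 | argvLocal.c:145:15:145:16 | i7 | argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:100:7:100:10 | argv | argv |
 | argvLocal.c:150:9:150:10 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
 | argvLocal.c:151:15:151:16 | i8 | argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:149:11:149:14 | argv | argv |
+| argvLocal.c:157:9:157:10 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:158:15:158:16 | i9 | argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:156:23:156:26 | argv | argv |
+| argvLocal.c:164:9:164:11 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
+| argvLocal.c:165:15:165:17 | i91 | argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:163:22:163:25 | argv | argv |
 | argvLocal.c:169:18:169:20 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:18:169:20 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | argvLocal.c:168:18:168:21 | argv | argv |
 | argvLocal.c:170:24:170:26 | i10 | argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format) | argvLocal.c:168:18:168:21 | argv | argv |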
