
Commit fbe857d

author
Robert Marsh
committed
C++: require that other operands be predictable
This brings back a constraint that was lost when switching DefaultTaintTracking to use a TaintTracking::Configuration
1 parent 7d79be7 commit fbe857d

3 files changed

Lines changed: 19 additions & 27 deletions


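--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -213,6 +213,25 @@ private predicate nodeIsBarrierIn(DataFlow::Node node) {
     // `getNodeForSource`.
     node = DataFlow::definitionByReferenceNodeFromArgument(source)
   )
+  or
+  // don't use dataflow into binary instructions if both operands are unpredictable
+  exists(BinaryInstruction iTo |
+    iTo = node.asInstruction() and
+    not predictableInstruction(iTo.getLeft()) and
+    not predictableInstruction(iTo.getRight())
+  )
+  or
+  // don't use dataflow through calls to pure functions if two or more operands
+  // are unpredictable
+  exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
+    iTo = node.asInstruction() and
+    isPureFunction(iTo.getStaticCallTarget().getName()) and
+    iFrom1 = iTo.getAnArgument() and
+    iFrom2 = iTo.getAnArgument() and
+    not predictableInstruction(iFrom1) and
+    not predictableInstruction(iFrom2) and
+    iFrom1 != iFrom2
+  )
 }
 
 cached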
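Review bot: The pure-function barrier at new lines 226-234 decides purity from `iTo.getStaticCallTarget().getName()` alone, so if `isPureFunction` is the name-keyed predicate it appears to be, any user-defined or namespaced function that merely shares a name with a pure library function is treated as pure and flow through it is cut when two of its arguments are unpredictable. Binding the name through the target instead, e.g. `exists(string name | iTo.getStaticCallTarget().hasGlobalOrStdName(name) and isPureFunction(name))`, keeps the barrier on the intended library calls only; conversely, a call with no static target never satisfies the `exists`, so indirect calls are not barred here, which is worth stating in the comment. The comment above the `BinaryInstruction` clause would also benefit from naming why these clauses exist, e.g. `// Restores the operand-predictability barriers that were lost when this module moved to TaintTracking::Configuration`. The enclosing predicate `nodeIsBarrierIn` starts before this hunk.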

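--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -35,14 +35,6 @@ edges
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
@@ -110,13 +102,6 @@ nodes
 | test.c:77:9:77:9 | r | semmle.label | r |
 | test.c:77:9:77:9 | r | semmle.label | r |
 | test.c:77:9:77:9 | r | semmle.label | r |
-| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
-| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
-| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
-| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
-| test.c:83:9:83:9 | r | semmle.label | r |
-| test.c:83:9:83:9 | r | semmle.label | r |
-| test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:100:5:100:5 | r | semmle.label | r |
@@ -155,8 +140,6 @@ nodes
 | test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
 | test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
 | test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |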

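--- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected
@@ -7,25 +7,15 @@ edges
 | test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
 | test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
 | test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
-| test.cpp:29:27:29:32 | call to getenv | test.cpp:30:10:30:37 | ! ... |
-| test.cpp:29:27:29:32 | call to getenv | test.cpp:30:11:30:16 | call to strcmp |
-| test.cpp:29:27:29:42 | (const char *)... | test.cpp:30:10:30:37 | ! ... |
-| test.cpp:29:27:29:42 | (const char *)... | test.cpp:30:11:30:16 | call to strcmp |
 nodes
 | test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
 | test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
 | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
 | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
-| test.cpp:29:27:29:32 | call to getenv | semmle.label | call to getenv |
-| test.cpp:29:27:29:42 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:30:10:30:37 | ! ... | semmle.label | ! ... |
-| test.cpp:30:11:30:16 | call to strcmp | semmle.label | call to strcmp |
-| test.cpp:30:11:30:16 | call to strcmp | semmle.label | call to strcmp |
 | test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
 | test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
 | test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
 #select
 | test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
-| test.cpp:30:10:30:37 | ! ... | test.cpp:29:27:29:32 | call to getenv | test.cpp:30:10:30:37 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:29:27:29:32 | call to getenv | call to getenv | test.cpp:31:9:31:27 | ... = ... | ... = ... |
 | test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |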
