Skip to content

[zlaski/memset-model] QL model for memset and friends#2027

Merged
jbj merged 4 commits into
github:masterfrom
zlaski-semmle:zlaski/memset-model
Oct 3, 2019
Merged

[zlaski/memset-model] QL model for memset and friends#2027
jbj merged 4 commits into
github:masterfrom
zlaski-semmle:zlaski/memset-model

Conversation

@zlaski-semmle

Copy link
Copy Markdown
Contributor

No description provided.

@jbj jbj left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/**
* The standard function `memset` and its assorted variants
*/
class MemsetFunction extends ArrayFunction, DataFlowFunction, TaintFunction {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can remove TaintFunction from the list of superclasses and remove Taint from the list of imports.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or add taint flow from the character and number parameters to the buffer??? An attacker with control of them has some (very limited) control of the data that ends up in the buffer and could plausibly use this for harm.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I argued against that in #1933 (comment).

@zlaski-semmle and I just had a discussion about what constitutes taint. Here is the definition I wrote a long time ago: https://github.com/Semmle/ql/blob/e1594a4b0b9ff0cd3fe70e873ad38a98c0a6b41d/cpp/ql/src/semmle/code/cpp/dataflow/TaintTracking.qll#L5-L8. For other languages, like Java, it's completely different, and they haven't attempted to write down a definition. I think the only "definition" that fits all languages is: taint should flow where it's beneficial for some taint-tracking queries and harmful for none.

/**
* The standard function `memset` and its assorted variants
*/
class MemsetFunction extends ArrayFunction, DataFlowFunction, TaintFunction {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think AliasFunction should be extended as well in order to tell the escape analysis that memset doesn't retain a pointer for later. See https://github.com/Semmle/ql/blob/0db648beaeba490ee29d00104d254c27c83f65ba/cpp/ql/src/semmle/code/cpp/models/interfaces/Alias.qll#L43-L48

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Let me know if I've over-specified things :-)

hasGlobalName("memset") or
hasGlobalName("bzero") or
hasGlobalName("__builtin_memset") or
hasQualifiedName("std", "memset")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wmemset?

@geoffw0

geoffw0 commented Sep 26, 2019

Copy link
Copy Markdown
Contributor

LGTM. Most of our suggestions are actually requests for improvements, not fixes, so feel free to defer them as future work.


override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
input.isInParameter(0) and
output.isOutReturnValue()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just merged #1938, so these names are now deprecated.

@jbj

jbj commented Sep 30, 2019

Copy link
Copy Markdown
Contributor

This PR LGTM now. It needs

  • Geoffrey's review,
  • qlformat, and
  • to be taken out of Draft state.

@zlaski-semmle zlaski-semmle marked this pull request as ready for review September 30, 2019 19:34
@zlaski-semmle zlaski-semmle requested a review from a team as a code owner September 30, 2019 19:34
@zlaski-semmle

Copy link
Copy Markdown
Contributor Author

I believe this PR is now mergeable. I'd like to get it merged so that I may continue work on #1933.

@jbj

jbj commented Oct 3, 2019

Copy link
Copy Markdown
Contributor

It looks like @geoffw0 has no objections, so I'll merge this.

@jbj jbj merged commit dca39f0 into github:master Oct 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants