C++: Basic model of '&' and '>>' in SimpleRangeAnalysis.

geoffw0 · geoffw0 · commit 24d7446976cc · 2020-04-16T11:17:29.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -118,36 +118,74 @@ private string getValue(Expr e) {
     )
 }
 
+/**
+ * A bitwise `&` expression in which both operands are unsigned, or are effectively
+ * unsigned due to being a non-negative constant.
+ */
+private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
+  UnsignedBitwiseAndExpr() {
+    (
+      getLeftOperand().getType().getUnderlyingType().(IntegralType).isUnsigned() or
+      getLeftOperand().getValue().toInt() >= 0
+    ) and
+    (
+      getRightOperand().getType().getUnderlyingType().(IntegralType).isUnsigned() or
+      getRightOperand().getValue().toInt() >= 0
+    )
+  }
+}
+
 /** Set of expressions which we know how to analyze. */
 private predicate analyzableExpr(Expr e) {
   // The type of the expression must be arithmetic. We reuse the logic in
   // `exprMinVal` to check this.
   exists(exprMinVal(e)) and
   (
-    exists(getValue(e).toFloat()) or
-    e instanceof UnaryPlusExpr or
-    e instanceof UnaryMinusExpr or
-    e instanceof MinExpr or
-    e instanceof MaxExpr or
-    e instanceof ConditionalExpr or
-    e instanceof AddExpr or
-    e instanceof SubExpr or
-    e instanceof AssignExpr or
-    e instanceof AssignAddExpr or
-    e instanceof AssignSubExpr or
-    e instanceof CrementOperation or
-    e instanceof RemExpr or
-    e instanceof CommaExpr or
-    e instanceof StmtExpr or
+    exists(getValue(e).toFloat())
+    or
+    e instanceof UnaryPlusExpr
+    or
+    e instanceof UnaryMinusExpr
+    or
+    e instanceof MinExpr
+    or
+    e instanceof MaxExpr
+    or
+    e instanceof ConditionalExpr
+    or
+    e instanceof AddExpr
+    or
+    e instanceof SubExpr
+    or
+    e instanceof AssignExpr
+    or
+    e instanceof AssignAddExpr
+    or
+    e instanceof AssignSubExpr
+    or
+    e instanceof CrementOperation
+    or
+    e instanceof RemExpr
+    or
+    e instanceof CommaExpr
+    or
+    e instanceof StmtExpr
+    or
     // A conversion is analyzable, provided that its child has an arithmetic
     // type. (Sometimes the child is a reference type, and so does not get
     // any bounds.) Rather than checking whether the type of the child is
     // arithmetic, we reuse the logic that is already encoded in
     // `exprMinVal`.
-    exists(exprMinVal(e.(Conversion).getExpr())) or
+    exists(exprMinVal(e.(Conversion).getExpr()))
+    or
     // Also allow variable accesses, provided that they have SSA
     // information.
     exists(RangeSsaDefinition def, StackVariable v | e = def.getAUse(v))
+    or
+    e instanceof UnsignedBitwiseAndExpr
+    or
+    // `>>` by a constant
+    exists(e.(RShiftExpr).getRightOperand().getValue())
   )
 }
 
@@ -245,6 +283,19 @@ private predicate exprDependsOnDef(Expr e, RangeSsaDefinition srcDef, StackVaria
   or
   exists(Conversion convExpr | e = convExpr | exprDependsOnDef(convExpr.getExpr(), srcDef, srcVar))
   or
+  // unsigned `&`
+  exists(UnsignedBitwiseAndExpr andExpr |
+    andExpr = e and
+    exprDependsOnDef(andExpr.getAnOperand(), srcDef, srcVar)
+  )
+  or
+  // `>>` by a constant
+  exists(RShiftExpr rs |
+    rs = e and
+    exists(rs.getRightOperand().getValue()) and
+    exprDependsOnDef(rs.getLeftOperand(), srcDef, srcVar)
+  )
+  or
   e = srcDef.getAUse(srcVar)
 }
 
@@ -641,6 +692,20 @@ private float getLowerBoundsImpl(Expr expr) {
   exists(RangeSsaDefinition def, StackVariable v | expr = def.getAUse(v) |
     result = getDefLowerBounds(def, v)
   )
+  or
+  // unsigned `&` (tighter bounds may exist)
+  exists(UnsignedBitwiseAndExpr andExpr |
+    andExpr = expr and
+    result = 0.0
+  )
+  or
+  // `>>` by a constant
+  exists(RShiftExpr rsExpr, float left, int right |
+    rsExpr = expr and
+    left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
+    right = rsExpr.getRightOperand().getValue().toInt() and
+    result = left / 2.pow(right)
+  )
 }
 
 /** Only to be called by `getTruncatedUpperBounds`. */
@@ -794,6 +859,22 @@ private float getUpperBoundsImpl(Expr expr) {
   exists(RangeSsaDefinition def, StackVariable v | expr = def.getAUse(v) |
     result = getDefUpperBounds(def, v)
   )
+  or
+  // unsigned `&` (tighter bounds may exist)
+  exists(UnsignedBitwiseAndExpr andExpr, float left, float right |
+    andExpr = expr and
+    left = getFullyConvertedUpperBounds(andExpr.getLeftOperand()) and
+    right = getFullyConvertedUpperBounds(andExpr.getRightOperand()) and
+    result = left.minimum(right)
+  )
+  or
+  // `>>` by a constant
+  exists(RShiftExpr rsExpr, float left, int right |
+    rsExpr = expr and
+    left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
+    right = rsExpr.getRightOperand().getValue().toInt() and
+    result = left / 2.pow(right)
+  )
 }
 
 /**
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -6,13 +6,8 @@
 | test.c:91:14:91:23 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:91:18:91:23 | 65280 | 65280 |
 | test.c:93:14:93:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test.c:83:16:83:16 | c | c | test.c:93:18:93:25 | 16711680 | 16711680 |
 | test.c:95:14:95:27 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:95:18:95:27 | 4278190080 | 4278190080 |
-| test.c:97:14:97:27 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:97:19:97:26 | ... & ... | ... & ... |
 | test.c:99:14:99:29 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:99:19:99:28 | ... & ... | ... & ... |
 | test.c:101:14:101:31 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:101:19:101:30 | ... & ... | ... & ... |
 | test.c:103:14:103:33 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:103:19:103:32 | ... & ... | ... & ... |
 | test.c:105:14:105:25 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:105:19:105:24 | ... >> ... | ... >> ... |
 | test.c:107:14:107:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:107:19:107:25 | ... >> ... | ... >> ... |
-| test.c:109:14:109:26 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:109:19:109:25 | ... >> ... | ... >> ... |
-| test.c:111:14:111:36 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:111:19:111:35 | ... >> ... | ... >> ... |
-| test.c:113:14:113:39 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:113:19:113:38 | ... >> ... | ... >> ... |
-| test.c:115:14:115:41 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test.c:83:16:83:16 | c | c | test.c:115:19:115:40 | ... >> ... | ... >> ... |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c
@@ -94,7 +94,7 @@ void test12() {
 	x = get_a_uint();
 	for (c = 0; c < 0xFF000000; c++) {} // BAD
 	x = get_a_uint();
-	for (c = 0; c < (x & 0xFF); c++) {} // GOOD [FALSE POSITIVE]
+	for (c = 0; c < (x & 0xFF); c++) {} // GOOD
 	x = get_a_uint();
 	for (c = 0; c < (x & 0xFF00); c++) {} // BAD
 	x = get_a_uint();
@@ -106,11 +106,11 @@ void test12() {
 	x = get_a_uint();
 	for (c = 0; c < (x >> 16); c++) {} // BAD
 	x = get_a_uint();
-	for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints) [FALSE POSITIVE]
+	for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints)
 	x = get_a_uint();
-	for (c = 0; c < ((x & 0xFF00) >> 8); c++) {} // GOOD [FALSE POSITIVE]
+	for (c = 0; c < ((x & 0xFF00) >> 8); c++) {} // GOOD
 	x = get_a_uint();
-	for (c = 0; c < ((x & 0xFF0000) >> 16); c++) {} // GOOD [FALSE POSITIVE]
+	for (c = 0; c < ((x & 0xFF0000) >> 16); c++) {} // GOOD
 	x = get_a_uint();
-	for (c = 0; c < ((x & 0xFF000000) >> 24); c++) {} // GOOD [FALSE POSITIVE]
+	for (c = 0; c < ((x & 0xFF000000) >> 24); c++) {} // GOOD
 }
