Commit 30d1c32

C++: Implement predictableInstruction without Expr
This is one step toward implementing the taint-tracking wrapper in terms of `Instruction` rather than `Expr`. This leads to a few duplicate results in `TaintedAllocationSize.ql` because the library now considers `sizeof(int)` to be just as predictable as `4`, whereas the `security.TaintTracking` library does not consider `sizeof` to be predictable. I think it's simpler to accept the duplicate results since they are ultimately a quirk of the query, not the library. The following is the diff between (a) replacing `TaintTracking.qll` with a link to `DefaultTaintTracking.qll` and (b) additionally applying this commit.

diff --git a b --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected 
@@ -1,5 +1,8 @@ | test.cpp:42:31:42:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | +| test.cpp:43:31:43:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | +| test.cpp:45:31:45:36 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:48:25:48:30 | call to malloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:49:17:49:30 | new[] | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | +| test.cpp:52:21:52:27 | call to realloc | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) | --- a/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-190/CERT/INT04-C/int04.expected +++ b/semmlecode-cpp-tests/DO_NOT_DISTRIBUTE/security-tests/CWE-190/CERT/INT04-C/int04.expected @@ -1 +1,2 @@ | int04c.c:21:29:21:51 | ... * ... | This allocation size is derived from $@ and might overflow | int04c.c:14:30:14:35 | call to getenv | user input (getenv) | +| int04c.c:22:33:22:38 | call to malloc | This allocation size is derived from $@ and might overflow | int04c.c:14:30:14:35 | call to getenv | user input (getenv) |
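Review bot: every added row in the expected files flags an allocation that an existing row already reports, now at the call itself (`call to malloc` at test.cpp:43 and :45, `call to realloc` at test.cpp:52, `call to malloc` at int04c.c:22) in addition to its `... * ...` size argument, so users of the query will see each tainted allocation twice. Rather than committing the duplicates, consider reporting once per allocation by restricting the sink in `TaintedAllocationSize.ql` to the outermost size expression of the call; if the duplicates are kept as this message proposes, the explanation given here (that `sizeof(int)` is now as predictable as `4`) belongs as a comment next to the sink definition so the extra rows are not later mistaken for a regression.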
1 parent 327ade1 commit 30d1c32

1 file changed

+6
-14
lines changed


cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

Lines changed: 6 additions & 14 deletions
@@ -4,25 +4,17 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
44
private import semmle.code.cpp.ir.IR
55

66
/**
7-
* A predictable expression is one where an external user can predict
7+
* A predictable instruction is one where an external user can predict
88
* the value. For example, a literal in the source code is considered
99
* predictable.
1010
*/
11-
// TODO: Change to use Instruction instead of Expr. Naive attempt breaks
12-
// TaintedAllocationSize qltest.
13-
private predicate predictable(Expr expr) {
14-
expr instanceof Literal
11+
private predicate predictableInstruction(Instruction instr) {
12+
instr instanceof ConstantInstruction
1513
or
16-
exists(BinaryOperation binop | binop = expr |
17-
predictable(binop.getLeftOperand()) and predictable(binop.getRightOperand())
18-
)
14+
instr instanceof StringConstantInstruction
1915
or
20-
exists(UnaryOperation unop | unop = expr | predictable(unop.getOperand()))
21-
}
22-
23-
// TODO: remove when `predictable` has an `Instruction` parameter instead of `Expr`.
24-
private predicate predictableInstruction(Instruction instr) {
25-
predictable(DataFlow::instructionNode(instr).asExpr())
16+
// This could be a conversion on a string literal
17+
predictableInstruction(instr.(UnaryInstruction).getUnary())
2618
}
2719

2820
private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
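Review bot: the new `predictableInstruction` drops the binary-operation case that the removed `predictable` had (`predictable(binop.getLeftOperand()) and predictable(binop.getRightOperand())`), so a size built from two predictable operands, such as a literal multiplied by a literal, is now predictable only if the IR has already folded it into a single `ConstantInstruction`. Either add a matching clause for the IR's `BinaryInstruction` with both operand instructions required to be predictable (mirroring how the `UnaryInstruction` clause recurses through `getUnary()`), or state in the doc comment that constant folding is relied on for that case. The comment `// This could be a conversion on a string literal` also undersells the clause that follows it: `UnaryInstruction` covers negation and other unary operations as well, which is exactly what the removed `UnaryOperation` case handled, so word it as any unary instruction applied to a predictable operand.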
