Skip to content

Commit

Permalink
Merge pull request #18578 from aschackmull/cpp/join-order-fix-tainted…
Browse files Browse the repository at this point in the history 
…allocationsize

C++: Fix join order problem in TaintedAllocationSize.
  • Loading branch information
@jketema
jketema authored Jan 23, 2025
2 parents 9c779c3 + 1a4d217 commit 4311553
Showing 1 changed file with 17 additions and 11 deletions.
28 changes: 17 additions & 11 deletions cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,9 @@ predicate allocSink(HeuristicAllocationExpr alloc, DataFlow::Node sink) {
)
}

predicate readsVariable(LoadInstruction load, Variable var) {
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
predicate readsVariable(LoadInstruction load, Variable var, IRBlock bb) {
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var and
bb = load.getBlock()
}

predicate hasUpperBoundsCheck(Variable var) {
Expand All @@ -46,10 +47,18 @@ predicate hasUpperBoundsCheck(Variable var) {
)
}

predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
exists(Instruction instr | instr = node.asOperand().getDef() |
readsVariable(instr, checkedVar) and
any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
predicate variableEqualityCheckedInBlock(Variable checkedVar, IRBlock bb) {
exists(Operand access |
readsVariable(access.getDef(), checkedVar, _) and
any(IRGuardCondition guard).ensuresEq(access, _, _, bb, true)
)
}

predicate nodeIsBarrierEquality(DataFlow::Node node) {
exists(Variable checkedVar, Instruction instr, IRBlock bb |
instr = node.asOperand().getDef() and
readsVariable(instr, checkedVar, bb) and
variableEqualityCheckedInBlock(checkedVar, bb)
)
}

Expand All @@ -72,14 +81,11 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
)
or
exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
readsVariable(instr, checkedVar) and
readsVariable(instr, checkedVar, _) and
hasUpperBoundsCheck(checkedVar)
)
or
exists(Variable checkedVar, Operand access |
readsVariable(access.getDef(), checkedVar) and
nodeIsBarrierEqualityCandidate(node, access, checkedVar)
)
nodeIsBarrierEquality(node)
or
// block flow to inside of identified allocation functions (this flow leads
// to duplicate results)
Expand Down

0 comments on commit 4311553

Please sign in to comment.