Check that all bits are set when checking for a flag

jketema · jketema · commit 5a2ce225f4f2 · 2022-02-03T10:29:13.000+01:00
The `O_...` macro definitions somtimes set multiple bits, while
the bits individually represent the values of different `O_...`
macros. This lead to false postives on codebases built against
Musl libc, which defines `O_TMPFILE` as `020200000` and
`O_DIRECTORY` as `0200000`.
diff --git a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -15,13 +15,13 @@ import FilePermissions
 
 predicate worldWritableCreation(FileCreationExpr fc, int mode) {
   mode = localUmask(fc).mask(fc.getMode()) and
-  sets(mode, UnixConstants::s_iwoth())
+  setsAnyBits(mode, UnixConstants::s_iwoth())
 }
 
 predicate setWorldWritable(FunctionCall fc, int mode) {
   fc.getTarget().getName() = ["chmod", "fchmod", "_chmod", "_wchmod"] and
   mode = fc.getArgument(1).getValue().toInt() and
-  sets(mode, UnixConstants::s_iwoth())
+  setsAnyBits(mode, UnixConstants::s_iwoth())
 }
 
 from Expr fc, int mode, string message
diff --git a/cpp/ql/src/Security/CWE/CWE-732/FilePermissions.qll b/cpp/ql/src/Security/CWE/CWE-732/FilePermissions.qll
@@ -45,11 +45,17 @@ string octalFileMode(int mode) {
   else result = "[non-standard mode: decimal " + mode + "]"
 }
 
+/**
+ * Holds if the bitmask `value` sets the bits in `flag`.
+ */
+bindingset[value, flag]
+predicate setsFlag(int value, int flag) { value.bitAnd(flag) = flag }
+
 /**
  * Holds if the bitmask `mask` sets any of the bit fields in `fields`.
  */
 bindingset[mask, fields]
-predicate sets(int mask, int fields) { mask.bitAnd(fields) != 0 }
+predicate setsAnyBits(int mask, int fields) { mask.bitAnd(fields) != 0 }
 
 /**
  * Gets the value that `fc` sets the umask to, if `fc` is a call to
@@ -116,7 +122,7 @@ class OpenCreationExpr extends FileCreationWithOptionalModeExpr {
   OpenCreationExpr() {
     this.getTarget().getName() = ["open", "_open", "_wopen"] and
     exists(int flag | flag = this.getArgument(1).getValue().toInt() |
-      sets(flag, o_creat()) or sets(flag, o_tmpfile())
+      setsFlag(flag, o_creat()) or setsFlag(flag, o_tmpfile())
     )
   }
 
@@ -145,7 +151,7 @@ class OpenatCreationExpr extends FileCreationWithOptionalModeExpr {
   OpenatCreationExpr() {
     this.getTarget().getName() = "openat" and
     exists(int flag | flag = this.getArgument(2).getValue().toInt() |
-      sets(flag, o_creat()) or sets(flag, o_tmpfile())
+      setsFlag(flag, o_creat()) or setsFlag(flag, o_tmpfile())
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -15,13 +15,13 @@ import FilePermissions`
`15`	`15`
`16`	`16`	`predicate worldWritableCreation(FileCreationExpr fc, int mode) {`
`17`	`17`	`mode = localUmask(fc).mask(fc.getMode()) and`
`18`		`- sets(mode, UnixConstants::s_iwoth())`
	`18`	`+ setsAnyBits(mode, UnixConstants::s_iwoth())`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`predicate setWorldWritable(FunctionCall fc, int mode) {`
`22`	`22`	`fc.getTarget().getName() = ["chmod", "fchmod", "_chmod", "_wchmod"] and`
`23`	`23`	`mode = fc.getArgument(1).getValue().toInt() and`
`24`		`- sets(mode, UnixConstants::s_iwoth())`
	`24`	`+ setsAnyBits(mode, UnixConstants::s_iwoth())`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`from Expr fc, int mode, string message`