Extract the value of O_CREAT and O_TMPFILE from the defining macro

jketema · jketema · commit 92d9e51d2aa3 · 2022-02-02T15:16:26.000+01:00
There are operating systems that define `O_CREAT` with a different
value than Linux, which uses `0x40`. For example, OpenBSD uses `0x0200`.
Hence, we cannot use a hardcoded value.

Also handle `O_TMPFILE` while here.
diff --git a/cpp/ql/src/Security/CWE/CWE-732/FilePermissions.qll b/cpp/ql/src/Security/CWE/CWE-732/FilePermissions.qll
@@ -1,6 +1,29 @@
 import cpp
 import semmle.code.cpp.commons.unix.Constants
 
+bindingset[input]
+int parseHex(string input) {
+  input.prefix(2) = "0x" and
+  result =
+    strictsum(int ix |
+      ix in [2 .. input.length()]
+    |
+      16.pow(input.length() - (ix + 1)) * "0123456789abcdef".indexOf(input.charAt(ix).toLowerCase())
+    )
+}
+
+int o_creat_new() {
+  exists(Macro m | m.getName() = "O_CREAT" | result = parseHex(m.getBody()))
+  or
+  exists(Macro m | m.getName() = "O_CREAT" | result = parseOctal(m.getBody()))
+}
+
+int o_tmpfile() {
+  exists(Macro m | m.getName() = "O_TMPFILE" | result = parseHex(m.getBody()))
+  or
+  exists(Macro m | m.getName() = "O_TMPFILE" | result = parseOctal(m.getBody()))
+}
+
 bindingset[n, digit]
 private string octalDigit(int n, int digit) {
   result = n.bitShiftRight(digit * 3).bitAnd(7).toString()
@@ -90,7 +113,9 @@ abstract class FileCreationWithOptionalModeExpr extends FileCreationExpr {
 class OpenCreationExpr extends FileCreationWithOptionalModeExpr {
   OpenCreationExpr() {
     this.getTarget().getName() = ["open", "_open", "_wopen"] and
-    sets(this.getArgument(1).getValue().toInt(), o_creat())
+    exists(int flag | flag = this.getArgument(1).getValue().toInt() |
+      sets(flag, o_creat_new()) or sets(flag, o_tmpfile())
+    )
   }
 
   override Expr getPath() { result = this.getArgument(0) }
@@ -117,7 +142,9 @@ class CreatCreationExpr extends FileCreationExpr {
 class OpenatCreationExpr extends FileCreationWithOptionalModeExpr {
   OpenatCreationExpr() {
     this.getTarget().getName() = "openat" and
-    sets(this.getArgument(2).getValue().toInt(), o_creat())
+    exists(int flag | flag = this.getArgument(2).getValue().toInt() |
+      sets(flag, o_creat_new()) or sets(flag, o_tmpfile())
+    )
   }
 
   override Expr getPath() { result = this.getArgument(1) }
diff --git a/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.qhelp b/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.qhelp
@@ -5,15 +5,15 @@
 
 <overview>
 <p>
-When opening a file with the <code>O_CREAT</code> flag, the <code>mode</code> must be supplied. If the
-<code>mode</code> argument is omitted, some arbitrary bytes from the stack will be used as the file mode.
-This leaks some bits from the stack into the permissions of the file.
+When opening a file with the <code>O_CREAT</code> or <code>O_TMPFILE</code> flag, the <code>mode</code> must
+be supplied. If the <code>mode</code> argument is omitted, some arbitrary bytes from the stack will be used
+as the file mode. This leaks some bits from the stack into the permissions of the file.
 </p>
 </overview>
 
 <recommendation>
 <p>
-The <code>mode</code> must be supplied when <code>O_CREAT</code> is specified.
+The <code>mode</code> must be supplied when <code>O_CREAT</code> or <code>O_TMPFILE</code> is specified.
 </p>
 </recommendation>
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c
@@ -1,7 +1,8 @@
 typedef unsigned int mode_t;
 
-#define O_APPEND 0010
-#define O_CREAT  0100
+#define O_APPEND  0x0020
+#define O_CREAT   0x0200
+#define O_TMPFILE 0x2000
 
 int open(const char *pathname, int flags, ...);
 
@@ -13,7 +14,11 @@ void test_open() {
   open(a_file, O_APPEND); // GOOD
   open(a_file, O_CREAT); // BAD
   open(a_file, O_CREAT, 0); // GOOD
+  open(a_file, O_TMPFILE); // BAD
+  open(a_file, O_TMPFILE, 0); // GOOD
   openat(0, a_file, O_APPEND); // GOOD
   openat(0, a_file, O_CREAT); // BAD
   openat(0, a_file, O_CREAT, 0); // GOOD
+  openat(0, a_file, O_TMPFILE); // BAD
+  openat(0, a_file, O_TMPFILE, 0); // GOOD
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.expected
@@ -1,2 +1,4 @@
-| OpenCallMissingModeArgument.c:14:3:14:6 | call to open | A file is created here without providing a mode argument, which may leak bits from the stack. |
-| OpenCallMissingModeArgument.c:17:3:17:8 | call to openat | A file is created here without providing a mode argument, which may leak bits from the stack. |
+| OpenCallMissingModeArgument.c:15:3:15:6 | call to open | A file is created here without providing a mode argument, which may leak bits from the stack. |
+| OpenCallMissingModeArgument.c:17:3:17:6 | call to open | A file is created here without providing a mode argument, which may leak bits from the stack. |
+| OpenCallMissingModeArgument.c:20:3:20:8 | call to openat | A file is created here without providing a mode argument, which may leak bits from the stack. |
+| OpenCallMissingModeArgument.c:22:3:22:8 | call to openat | A file is created here without providing a mode argument, which may leak bits from the stack. |
