C++: Actally convert 'cpp/overflow-destination' to a path-problem query.

MathiasVP · MathiasVP · commit f2676968f01e · 2022-03-09T13:49:52.000Z
diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -2,7 +2,7 @@
  * @name Copy function using source size
  * @description Calling a copy operation with a size derived from the source
  *              buffer instead of the destination buffer may result in a buffer overflow.
- * @kind problem
+ * @kind path-problem
  * @id cpp/overflow-destination
  * @problem.severity warning
  * @security-severity 9.3
@@ -30,9 +30,9 @@ predicate sourceSized(FunctionCall fc, Expr src) {
   fc.getTarget().hasGlobalOrStdName(["strncpy", "strncat", "memcpy", "memmove"]) and
   exists(Expr dest, Expr size, Variable v |
     fc.getArgument(0) = dest and
-    fc.getArgument(1) = src and
+    fc.getArgument(1).getFullyConverted() = src and
     fc.getArgument(2) = size and
-    src = v.getAnAccess() and
+    src = v.getAnAccess().getFullyConverted() and
     size.getAChild+() = v.getAnAccess() and
     // exception: `dest` is also referenced in the size argument
     not exists(Variable other |
@@ -71,7 +71,7 @@ class OverflowDestinationConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asExpr()) }
+  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asConvertedExpr()) }
 
   override predicate isSanitizer(DataFlow::Node node) {
     exists(Variable checkedVar |
@@ -91,6 +91,6 @@ from
   DataFlow::PathNode sink
 where
   conf.hasFlowPath(source, sink) and
-  sourceSized(fc, sink.getNode().asExpr())
-select fc,
+  sourceSized(fc, sink.getNode().asConvertedExpr())
+select fc, source, sink,
   "To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
@@ -1,4 +1,43 @@
-| overflowdestination.cpp:30:2:30:8 | call to strncpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:46:2:46:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:53:2:53:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:64:2:64:7 | call to memcpy | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+edges
+| overflowdestination.cpp:27:9:27:12 | argv | overflowdestination.cpp:30:17:30:20 | (const char *)... |
+| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | (const void *)... |
+| overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | ReturnIndirection |
+| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:53:15:53:17 | (const void *)... |
+| overflowdestination.cpp:57:52:57:54 | *src | overflowdestination.cpp:64:16:64:19 | (const void *)... |
+| overflowdestination.cpp:57:52:57:54 | src | overflowdestination.cpp:64:16:64:19 | (const void *)... |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
+| overflowdestination.cpp:75:30:75:32 | src | overflowdestination.cpp:50:52:50:54 | src |
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | *src |
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+| overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:57:52:57:54 | src |
+| overflowdestination.cpp:76:30:76:32 | src indirection | overflowdestination.cpp:57:52:57:54 | *src |
+nodes
+| overflowdestination.cpp:27:9:27:12 | argv | semmle.label | argv |
+| overflowdestination.cpp:30:17:30:20 | (const char *)... | semmle.label | (const char *)... |
+| overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
+| overflowdestination.cpp:46:15:46:17 | (const void *)... | semmle.label | (const void *)... |
+| overflowdestination.cpp:50:52:50:54 | *src | semmle.label | *src |
+| overflowdestination.cpp:50:52:50:54 | ReturnIndirection | semmle.label | ReturnIndirection |
+| overflowdestination.cpp:50:52:50:54 | src | semmle.label | src |
+| overflowdestination.cpp:53:15:53:17 | (const void *)... | semmle.label | (const void *)... |
+| overflowdestination.cpp:57:52:57:54 | *src | semmle.label | *src |
+| overflowdestination.cpp:57:52:57:54 | src | semmle.label | src |
+| overflowdestination.cpp:64:16:64:19 | (const void *)... | semmle.label | (const void *)... |
+| overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
+| overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
+| overflowdestination.cpp:75:30:75:32 | src | semmle.label | src |
+| overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
+| overflowdestination.cpp:76:30:76:32 | src | semmle.label | src |
+| overflowdestination.cpp:76:30:76:32 | src indirection | semmle.label | src indirection |
+subpaths
+| overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | ReturnIndirection | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
+#select
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | overflowdestination.cpp:27:9:27:12 | argv | overflowdestination.cpp:30:17:30:20 | (const char *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | (const void *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | (const void *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | (const void *)... | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +edges
 +nodes
 +subpaths
 +#select