C++: Fix join order problem in TaintedAllocationSize.

aschackmull · aschackmull · commit 1a4d21777d49 · 2025-01-23T14:20:23.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -33,8 +33,9 @@ predicate allocSink(HeuristicAllocationExpr alloc, DataFlow::Node sink) {
   )
 }
 
-predicate readsVariable(LoadInstruction load, Variable var) {
-  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+predicate readsVariable(LoadInstruction load, Variable var, IRBlock bb) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var and
+  bb = load.getBlock()
 }
 
 predicate hasUpperBoundsCheck(Variable var) {
@@ -46,10 +47,18 @@ predicate hasUpperBoundsCheck(Variable var) {
   )
 }
 
-predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
-  exists(Instruction instr | instr = node.asOperand().getDef() |
-    readsVariable(instr, checkedVar) and
-    any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
+predicate variableEqualityCheckedInBlock(Variable checkedVar, IRBlock bb) {
+  exists(Operand access |
+    readsVariable(access.getDef(), checkedVar, _) and
+    any(IRGuardCondition guard).ensuresEq(access, _, _, bb, true)
+  )
+}
+
+predicate nodeIsBarrierEquality(DataFlow::Node node) {
+  exists(Variable checkedVar, Instruction instr, IRBlock bb |
+    instr = node.asOperand().getDef() and
+    readsVariable(instr, checkedVar, bb) and
+    variableEqualityCheckedInBlock(checkedVar, bb)
   )
 }
 
@@ -72,14 +81,11 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
     )
     or
     exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
-      readsVariable(instr, checkedVar) and
+      readsVariable(instr, checkedVar, _) and
       hasUpperBoundsCheck(checkedVar)
     )
     or
-    exists(Variable checkedVar, Operand access |
-      readsVariable(access.getDef(), checkedVar) and
-      nodeIsBarrierEqualityCandidate(node, access, checkedVar)
-    )
+    nodeIsBarrierEquality(node)
     or
     // block flow to inside of identified allocation functions (this flow leads
     // to duplicate results)

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,9 @@ predicate allocSink(HeuristicAllocationExpr alloc, DataFlow::Node sink) {`
`33`	`33`	`)`
`34`	`34`	`}`
`35`	`35`
`36`		`-predicate readsVariable(LoadInstruction load, Variable var) {`
`37`		`- load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var`
	`36`	`+predicate readsVariable(LoadInstruction load, Variable var, IRBlock bb) {`
	`37`	`+ load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var and`
	`38`	`+ bb = load.getBlock()`
`38`	`39`	`}`
`39`	`40`
`40`	`41`	`predicate hasUpperBoundsCheck(Variable var) {`
`@@ -46,10 +47,18 @@ predicate hasUpperBoundsCheck(Variable var) {`
`46`	`47`	`)`
`47`	`48`	`}`
`48`	`49`
`49`		`-predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {`
`50`		`- exists(Instruction instr \| instr = node.asOperand().getDef() \|`
`51`		`- readsVariable(instr, checkedVar) and`
`52`		`- any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)`
	`50`	`+predicate variableEqualityCheckedInBlock(Variable checkedVar, IRBlock bb) {`
	`51`	`+ exists(Operand access \|`
	`52`	`+ readsVariable(access.getDef(), checkedVar, _) and`
	`53`	`+ any(IRGuardCondition guard).ensuresEq(access, _, _, bb, true)`
	`54`	`+ )`
	`55`	`+}`
	`56`	`+`
	`57`	`+predicate nodeIsBarrierEquality(DataFlow::Node node) {`
	`58`	`+ exists(Variable checkedVar, Instruction instr, IRBlock bb \|`
	`59`	`+ instr = node.asOperand().getDef() and`
	`60`	`+ readsVariable(instr, checkedVar, bb) and`
	`61`	`+ variableEqualityCheckedInBlock(checkedVar, bb)`
`53`	`62`	`)`
`54`	`63`	`}`
`55`	`64`
`@@ -72,14 +81,11 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {`
`72`	`81`	`)`
`73`	`82`	`or`
`74`	`83`	`exists(Variable checkedVar, Instruction instr \| instr = node.asOperand().getDef() \|`
`75`		`- readsVariable(instr, checkedVar) and`
	`84`	`+ readsVariable(instr, checkedVar, _) and`
`76`	`85`	`hasUpperBoundsCheck(checkedVar)`
`77`	`86`	`)`
`78`	`87`	`or`
`79`		`- exists(Variable checkedVar, Operand access \|`
`80`		`- readsVariable(access.getDef(), checkedVar) and`
`81`		`- nodeIsBarrierEqualityCandidate(node, access, checkedVar)`
`82`		`- )`
	`88`	`+ nodeIsBarrierEquality(node)`
`83`	`89`	`or`
`84`	`90`	`// block flow to inside of identified allocation functions (this flow leads`
`85`	`91`	`// to duplicate results)`