|
18 | 18 | import semmle.code.cpp.ir.dataflow.TaintTracking |
19 | 19 | import semmle.code.cpp.commons.Printf |
20 | 20 | import semmle.code.cpp.security.FlowSources |
| 21 | +import semmle.code.cpp.ir.dataflow.internal.ModelUtil |
| 22 | +import semmle.code.cpp.models.interfaces.DataFlow |
| 23 | +import semmle.code.cpp.models.interfaces.Taint |
| 24 | +import semmle.code.cpp.ir.implementation.raw.Instruction |
21 | 25 |
|
22 | 26 | class UncalledFunction extends Function { |
23 | | - UncalledFunction() { not exists(Call c | c.getTarget() = this) } |
| 27 | + UncalledFunction() { |
| 28 | + not exists(Call c | c.getTarget() = this) and |
| 29 | + not this.(MemberFunction).overrides(_) |
| 30 | + } |
24 | 31 | } |
25 | 32 |
|
26 | | -// For the following `...gettext` functions, we assume that |
27 | | -// all translations preserve the type and order of `%` specifiers |
28 | | -// (and hence are safe to use as format strings). This |
29 | | -// assumption is hard-coded into the query. |
30 | | -predicate whitelistFunction(Function f, int arg) { |
31 | | - // basic variations of gettext |
32 | | - f.getName() = "_" and arg = 0 |
33 | | - or |
34 | | - f.getName() = "gettext" and arg = 0 |
35 | | - or |
36 | | - f.getName() = "dgettext" and arg = 1 |
37 | | - or |
38 | | - f.getName() = "dcgettext" and arg = 1 |
39 | | - or |
40 | | - // plural variations of gettext that take one format string for singular and another for plural form |
41 | | - f.getName() = "ngettext" and |
42 | | - (arg = 0 or arg = 1) |
| 33 | +/** |
| 34 | + * Holds if `node` is a non-constant source of data flow. |
| 35 | + * This is defined as either: |
| 36 | + * 1) a `FlowSource` |
| 37 | + * 2) a parameter of an 'uncalled' function (i.e., a function that is not called in the program) |
| 38 | + * 3) an argument to a function with no definition that is not known to define the output through its input |
| 39 | + * 4) an out arg of a function with no definition that is not known to define the output through its input |
| 40 | + * |
| 41 | + * The latter two cases address identifying standard string manipulation libraries as input sources |
| 42 | + * e.g., strcpy, but it will identify unknown function calls as possible non-constant source |
| 43 | + * since it cannot be determined if the out argument or return is constant. |
| 44 | + */ |
| 45 | +predicate isNonConst(DataFlow::Node node) { |
| 46 | + node instanceof FlowSource |
43 | 47 | or |
44 | | - f.getName() = "dngettext" and |
45 | | - (arg = 1 or arg = 2) |
| 48 | + exists(UncalledFunction f | f.getAParameter() = node.asParameter()) |
46 | 49 | or |
47 | | - f.getName() = "dcngettext" and |
48 | | - (arg = 1 or arg = 2) |
49 | | -} |
50 | | - |
51 | | -// we assume that ALL uses of the `_` macro |
52 | | -// return constant string literals |
53 | | -predicate underscoreMacro(Expr e) { |
54 | | - exists(MacroInvocation mi | |
55 | | - mi.getMacroName() = "_" and |
56 | | - mi.getExpr() = e |
| 50 | + // Consider as an input any out arg of a function or a function's return where the function is not: |
| 51 | + // 1. a function with a known dataflow or taintflow from input to output and the `node` is the output |
| 52 | + // 2. a function where there is a known definition |
| 53 | + // i.e., functions that with unknown bodies and are not known to define the output through its input |
| 54 | + // are considered as possible non-const sources |
| 55 | + ( |
| 56 | + node instanceof DataFlow::DefinitionByReferenceNode or |
| 57 | + node.asIndirectExpr() instanceof Call |
| 58 | + ) and |
| 59 | + not exists(Function func, FunctionInput input, FunctionOutput output, CallInstruction call | |
| 60 | + // NOTE: we must include dataflow and taintflow. e.g., including only dataflow we will find sprintf |
| 61 | + // variant function's output are now possible non-const sources |
| 62 | + ( |
| 63 | + func.(DataFlowFunction).hasDataFlow(input, output) or |
| 64 | + func.(TaintFunction).hasTaintFlow(input, output) |
| 65 | + ) and |
| 66 | + node = callOutput(call, output) and |
| 67 | + call.getStaticCallTarget() = func |
| 68 | + ) and |
| 69 | + not exists(Call c | |
| 70 | + c.getTarget().hasDefinition() and |
| 71 | + if node instanceof DataFlow::DefinitionByReferenceNode |
| 72 | + then c.getAnArgument() = node.asDefiningArgument() |
| 73 | + else c = [node.asExpr(), node.asIndirectExpr()] |
57 | 74 | ) |
58 | 75 | } |
59 | 76 |
|
60 | 77 | /** |
61 | | - * Holds if `t` cannot hold a character array, directly or indirectly. |
| 78 | + * Holds if `sink` is a sink is a format string of any |
| 79 | + * `FormattingFunctionCall`. |
62 | 80 | */ |
63 | | -predicate cannotContainString(Type t, boolean isIndirect) { |
64 | | - isIndirect = false and |
65 | | - exists(Type unspecified | |
66 | | - unspecified = t.getUnspecifiedType() and |
67 | | - not unspecified instanceof UnknownType |
68 | | - | |
69 | | - unspecified instanceof BuiltInType or |
70 | | - unspecified instanceof IntegralOrEnumType |
71 | | - ) |
72 | | -} |
73 | | - |
74 | | -predicate isNonConst(DataFlow::Node node, boolean isIndirect) { |
75 | | - exists(Expr e | |
76 | | - e = node.asExpr() and isIndirect = false |
77 | | - or |
78 | | - e = node.asIndirectExpr() and isIndirect = true |
79 | | - | |
80 | | - exists(FunctionCall fc | fc = e | |
81 | | - not ( |
82 | | - whitelistFunction(fc.getTarget(), _) or |
83 | | - fc.getTarget().hasDefinition() |
84 | | - ) |
85 | | - ) |
86 | | - or |
87 | | - exists(Variable v | v = e.(VariableAccess).getTarget() | |
88 | | - v.getType().(ArrayType).getBaseType() instanceof CharType and |
89 | | - exists(AssignExpr ae | |
90 | | - ae.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v |
91 | | - ) |
92 | | - ) |
93 | | - or |
94 | | - exists(UncalledFunction f, Parameter p | f.getAParameter() = p | |
95 | | - p = e.(VariableAccess).getTarget() |
96 | | - ) |
97 | | - or |
98 | | - node instanceof FlowSource |
99 | | - or |
100 | | - node instanceof DataFlow::DefinitionByReferenceNode and |
101 | | - not exists(FormattingFunctionCall fc | node.asDefiningArgument() = fc.getOutputArgument(_)) and |
102 | | - not exists(Call c | |
103 | | - c.getAnArgument() = node.asDefiningArgument() and c.getTarget().hasDefinition() |
104 | | - ) |
105 | | - ) |
106 | | - or |
107 | | - node instanceof DataFlow::DefinitionByReferenceNode and |
108 | | - isIndirect = true |
109 | | -} |
110 | | - |
111 | | -pragma[noinline] |
112 | | -predicate isBarrierNode(DataFlow::Node node) { |
113 | | - underscoreMacro([node.asExpr(), node.asIndirectExpr()]) |
114 | | - or |
115 | | - exists(node.asExpr()) and |
116 | | - cannotContainString(node.getType(), false) |
117 | | -} |
118 | | - |
119 | 81 | predicate isSinkImpl(DataFlow::Node sink, Expr formatString) { |
120 | 82 | [sink.asExpr(), sink.asIndirectExpr()] = formatString and |
121 | 83 | exists(FormattingFunctionCall fc | formatString = fc.getArgument(fc.getFormatParameterIndex())) |
122 | 84 | } |
123 | 85 |
|
124 | 86 | module NonConstFlowConfig implements DataFlow::ConfigSig { |
125 | | - predicate isSource(DataFlow::Node source) { isNonConst(source, _) } |
| 87 | + predicate isSource(DataFlow::Node source) { isNonConst(source) } |
126 | 88 |
|
127 | 89 | predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) } |
128 | 90 |
|
129 | | - predicate isBarrier(DataFlow::Node node) { isBarrierNode(node) } |
| 91 | + predicate isBarrier(DataFlow::Node node) { |
| 92 | + // Ignore tracing non-const through array indices |
| 93 | + exists(ArrayExpr a | a.getArrayOffset() = node.asExpr()) |
| 94 | + } |
130 | 95 | } |
131 | 96 |
|
132 | 97 | module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>; |
|
0 commit comments