Merge branch 'main' into SQL_int_sanitizer

Author: smowton

cpp/ql/lib/semmle/code/cpp/controlflow/Dereferenced.qll

@@ -26,17 +26,18 @@ predicate callDereferences(FunctionCall fc, int i) {
 }
 
 /**
- * Holds if evaluation of `op` dereferences `e`.
+ * Holds if evaluation of `op` dereferences `e` directly.
+ *
+ * This predicate does not recurse through function calls or arithmetic operations. To find
+ * such cases, use `dereferencedByOperation`.
  */
-predicate dereferencedByOperation(Expr op, Expr e) {
+predicate directDereferencedByOperation(Expr op, Expr e) {
   exists(PointerDereferenceExpr deref |
     deref.getAChild() = e and
     deref = op and
     not deref.getParent*() instanceof SizeofOperator
   )
   or
-  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
-  or
   exists(ArrayExpr ae |
     (
       not ae.getParent() instanceof AddressOfExpr and
@@ -50,6 +51,24 @@ predicate dereferencedByOperation(Expr op, Expr e) {
     )
   )
   or
+  // ptr->Field
+  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
+  or
+  // ptr->method()
+  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
+}
+
+/**
+ * Holds if evaluation of `op` dereferences `e`.
+ *
+ * This includes the set of operations identified via `directDereferencedByOperation`, as well
+ * as calls to function that are known to dereference an argument.
+ */
+predicate dereferencedByOperation(Expr op, Expr e) {
+  directDereferencedByOperation(op, e)
+  or
+  exists(CrementOperation crement | dereferencedByOperation(e, op) and crement.getOperand() = e)
+  or
   exists(AddressOfExpr addof, ArrayExpr ae |
     dereferencedByOperation(addof, op) and
     addof.getOperand() = ae and
@@ -74,12 +93,6 @@ predicate dereferencedByOperation(Expr op, Expr e) {
     e = fc.getArgument(i) and
     op = fc
   )
-  or
-  // ptr->Field
-  e = op.(FieldAccess).getQualifier() and isClassPointerType(e.getType())
-  or
-  // ptr->method()
-  e = op.(Call).getQualifier() and isClassPointerType(e.getType())
 }
 
 private predicate isClassPointerType(Type t) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1113,6 +1113,13 @@ private module GetConvertedResultExpression {
       result = tas.getExtent().getExpr() and
       instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
     )
+    or
+    // There's no instruction that returns `ParenthesisExpr`, but some queries
+    // expect this
+    exists(TranslatedTransparentConversion ttc |
+      result = ttc.getExpr().(ParenthesisExpr) and
+      instr = ttc.getResult()
+    )
   }
 
   private Expr getConvertedResultExpressionImpl(Instruction instr) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -766,7 +766,7 @@ predicate fromPhiNode(SsaPhiNode nodeFrom, Node nodeTo) {
     or
     exists(PhiNode phiTo |
       phi != phiTo and
-      lastRefRedefExt(phi, _, _, phiTo) and
+      lastRefRedefExt(phi, bb1, i1, phiTo) and
       nodeTo.(SsaPhiNode).getPhiNode() = phiTo
     )
   )

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll

@@ -824,6 +824,9 @@ abstract class TranslatedElement extends TTranslatedElement {
   /** DEPRECATED: Alias for getAst */
   deprecated Locatable getAST() { result = this.getAst() }
 
+  /** Gets the location of this element. */
+  Location getLocation() { result = this.getAst().getLocation() }
+
   /**
    * Get the first instruction to be executed in the evaluation of this element.
    */

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedGlobalVar.qll

@@ -22,8 +22,6 @@ class TranslatedStaticStorageDurationVarInit extends TranslatedRootElement,
 
   final override Declaration getFunction() { result = var }
 
-  final Location getLocation() { result = var.getLocation() }
-
   override Instruction getFirstInstruction() { result = this.getInstruction(EnterFunctionTag()) }
 
   override TranslatedElement getChild(int n) {

cpp/ql/src/Critical/FlowAfterFree.qll

@@ -98,8 +98,11 @@ module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {
  * is being freed by a deallocation expression `dealloc`.
  */
 predicate isFree(DataFlow::Node n, Expr e, DeallocationExpr dealloc) {
-  e = dealloc.getFreedExpr() and
-  e = n.asExpr() and
+  exists(Expr conv |
+    e = conv.getUnconverted() and
+    conv = dealloc.getFreedExpr().getFullyConverted() and
+    conv = n.asConvertedExpr()
+  ) and
   // Ignore realloc functions
   not exists(dealloc.(FunctionCall).getTarget().(AllocationFunction).getReallocPtrArg())
 }

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -296,7 +296,7 @@ deprecated class PossibleYearArithmeticOperationCheckConfiguration extends Taint
   }
 
   override predicate isSource(DataFlow::Node source) {
-    exists(Operation op | op = source.asConvertedExpr() |
+    exists(Operation op | op = source.asExpr() |
       op.getAChild*().getValue().toInt() = 365 and
       (
         not op.getParent() instanceof Expr or
@@ -321,7 +321,7 @@ deprecated class PossibleYearArithmeticOperationCheckConfiguration extends Taint
 
   override predicate isSink(DataFlow::Node sink) {
     exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr |
-      aexpr.getRValue() = sink.asConvertedExpr()
+      aexpr.getRValue() = sink.asExpr()
     |
       (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
       fa.getQualifier().getUnderlyingType() = dds and
@@ -336,7 +336,7 @@ deprecated class PossibleYearArithmeticOperationCheckConfiguration extends Taint
  */
 private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(Operation op | op = source.asConvertedExpr() |
+    exists(Operation op | op = source.asExpr() |
       op.getAChild*().getValue().toInt() = 365 and
       (
         not op.getParent() instanceof Expr or
@@ -361,7 +361,7 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
 
   predicate isSink(DataFlow::Node sink) {
     exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr |
-      aexpr.getRValue() = sink.asConvertedExpr()
+      aexpr.getRValue() = sink.asExpr()
     |
       (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and
       fa.getQualifier().getUnderlyingType() = dds and

cpp/ql/src/Metrics/Internal/ASTConsistency.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Count AST inconsistencies
+ * @description Counts the various AST inconsistencies that may occur.
+ *              This query is for internal use only and may change without notice.
+ * @kind table
+ * @id cpp/count-ast-inconsistencies
+ */
+
+import cpp
+
+predicate hasDuplicateFunctionEntryPointLocation(Function func) {
+  count(func.getEntryPoint().getLocation()) > 1
+}
+
+predicate hasDuplicateFunctionEntryPoint(Function func) { count(func.getEntryPoint()) > 1 }
+
+select count(Function f | hasDuplicateFunctionEntryPoint(f) | f) as duplicateFunctionEntryPoint,
+  count(Function f | hasDuplicateFunctionEntryPointLocation(f) | f) as duplicateFunctionEntryPointLocation

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.qhelp

@@ -0,0 +1,68 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Using an object after its lifetime has ended results in undefined behavior.
+When an object's lifetime has ended it relinquishes ownership of its resources and the memory it occupied may be reused for other purposes.
+If the object is accessed after its lifetime has ended, the program may crash or behave in unexpected ways.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Ensure that no object is accessed after its lifetime has ended.
+Use RAII ("Resource Acquisition Is Initialization") to manage the lifetime of objects, and avoid manual memory management, if possible.
+</p>
+
+</recommendation>
+<example>
+<p>
+The following two examples demonstrate common lifetime violations when working with the C++ standard library.
+</p>
+
+<p>
+The <code>bad_call_c_api</code> function contains a use of an expired lifetime.
+First, a temporary object of type <code>std::string</code> is constructed, and a pointer to its internal buffer is stored in a local variable.
+Once the <code>c_str()</code> call returns, the temporary object is destroyed, and the memory pointed to by <code>p</code> is freed.
+Thus, any attempt to dereference <code>p</code> inside <code>c_api</code> will result in a use-after-free vulnerability.
+
+The <code>good_call_c_api</code> function contains a fixed version of the first example.
+The variable <code>hello</code> is declared as a local variable, and the pointer to its internal buffer is stored in <code>p</code>.
+The lifetime of hello outlives the call to <code>c_api</code>, so the pointer stored in <code>p</code> remains valid throughout the call to <code>c_api</code>.
+</p>
+<sample src="UseAfterExpiredLifetime_c_api_call.cpp" />
+
+<p>
+The <code>bad_remove_even_numbers</code> function demonstrates a potential issue with iterator invalidation.
+Each C++ standard library container comes with a specification of which operations invalidates iterators pointing into the container.
+For example, calling <code>erase</code> on an object of type <code>std::vector&lt;T&gt;</code> invalidates all its iterators, and thus any attempt to dereference the iterator can result in a use-after-free vulnerability.
+
+The <code>good_remove_even_numbers</code> function contains a fixd version of the third example.
+The <code>erase</code> function returns an iterator to the element following the last element removed, and this return value is used to ensure that <code>it</code> remains valid after the call to <code>erase</code>.
+</p>
+<sample src="UseAfterExpiredLifetime_iterator_invalidation.cpp" />
+
+</example>
+<references>
+
+<li>CERT C Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory">MEM30-C. Do not access freed memory</a>.</li>
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/vulnerabilities/Using_freed_memory">Using freed memory</a>.
+</li>
+<li>
+<a href="https://github.com/isocpp/CppCoreGuidelines/blob/master/docs/Lifetime.pdf">Lifetime safety: Preventing common dangling</a>
+</li>
+<li>
+<a href="https://en.cppreference.com/w/cpp/container">Containers library</a>
+</li>
+<li>
+<a href="https://en.cppreference.com/w/cpp/language/raii">RAII</a>
+</li>
+
+</references>
+</qhelp>