CPP: Add query for detecting invalid uses of temporary unique pointers.

alexet · alexet · commit e9bc5a54ea71 · 2023-12-12T16:22:20.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-416/Temporaries.qll b/cpp/ql/src/Security/CWE/CWE-416/Temporaries.qll
@@ -0,0 +1,90 @@
+import cpp
+import semmle.code.cpp.models.implementations.StdContainer
+
+/**
+ * Holds if `e` will be consumed by its parent as a glvalue and does not have
+ * an lvalue-to-rvalue conversion. This means that it will be materialized into
+ * a temporary object.
+ */
+predicate isTemporary(Expr e) {
+  e instanceof TemporaryObjectExpr
+  or
+  e.isPRValueCategory() and
+  e.getUnspecifiedType() instanceof Class and
+  not e.hasLValueToRValueConversion()
+}
+
+/** Holds if `e` is written to a container. */
+predicate isStoredInContainer(Expr e) {
+  exists(StdSequenceContainerInsert insert, Call call, int index |
+    call = insert.getACallToThisFunction() and
+    index = insert.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceContainerPush push, Call call, int index |
+    call = push.getACallToThisFunction() and
+    index = push.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplace emplace, Call call, int index |
+    call = emplace.getACallToThisFunction() and
+    index = emplace.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplaceBack emplaceBack, Call call, int index |
+    call = emplaceBack.getACallToThisFunction() and
+    index = emplaceBack.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+}
+
+/**
+ * Holds if the value of `e` outlives the enclosing full expression. For
+ * example, because the value is stored in a local variable.
+ */
+predicate outlivesFullExpr(Expr e) {
+  not e.getConversion*().hasLValueToRValueConversion() and
+  (
+    any(Assignment assign).getRValue() = e
+    or
+    any(Variable v).getInitializer().getExpr() = e
+    or
+    any(ReturnStmt ret).getExpr() = e
+    or
+    exists(ConditionalExpr cond |
+      outlivesFullExpr(cond) and
+      [cond.getThen(), cond.getElse()] = e
+    )
+    or
+    exists(BinaryOperation bin |
+      outlivesFullExpr(bin) and
+      bin.getAnOperand() = e and
+      not bin instanceof ComparisonOperation
+    )
+    or
+    exists(PointerFieldAccess fa |
+      outlivesFullExpr(fa) and
+      fa.getQualifier() = e
+    )
+    or
+    exists(AddressOfExpr ao |
+      outlivesFullExpr(ao) and
+      ao.getOperand() = e
+    )
+    or
+    exists(ClassAggregateLiteral aggr |
+      outlivesFullExpr(aggr) and
+      aggr.getAFieldExpr(_) = e
+    )
+    or
+    exists(ArrayAggregateLiteral aggr |
+      outlivesFullExpr(aggr) and
+      aggr.getAnElementExpr(_) = e
+    )
+    or
+    isStoredInContainer(e)
+  )
+}
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql b/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
@@ -14,81 +14,7 @@
 
 import cpp
 import semmle.code.cpp.models.implementations.StdString
-import semmle.code.cpp.models.implementations.StdContainer
-
-/**
- * Holds if `e` will be consumed by its parent as a glvalue and does not have
- * an lvalue-to-rvalue conversion. This means that it will be materialized into
- * a temporary object.
- */
-predicate isTemporary(Expr e) {
-  e instanceof TemporaryObjectExpr
-  or
-  e.isPRValueCategory() and
-  e.getUnspecifiedType() instanceof Class and
-  not e.hasLValueToRValueConversion()
-}
-
-/** Holds if `e` is written to a container. */
-predicate isStoredInContainer(Expr e) {
-  exists(StdSequenceContainerInsert insert, Call call, int index |
-    call = insert.getACallToThisFunction() and
-    index = insert.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-  or
-  exists(StdSequenceContainerPush push, Call call, int index |
-    call = push.getACallToThisFunction() and
-    index = push.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-  or
-  exists(StdSequenceEmplace emplace, Call call, int index |
-    call = emplace.getACallToThisFunction() and
-    index = emplace.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-  or
-  exists(StdSequenceEmplaceBack emplaceBack, Call call, int index |
-    call = emplaceBack.getACallToThisFunction() and
-    index = emplaceBack.getAValueTypeParameterIndex() and
-    call.getArgument(index) = e
-  )
-}
-
-/**
- * Holds if the value of `e` outlives the enclosing full expression. For
- * example, because the value is stored in a local variable.
- */
-predicate outlivesFullExpr(Expr e) {
-  any(Assignment assign).getRValue() = e
-  or
-  any(Variable v).getInitializer().getExpr() = e
-  or
-  any(ReturnStmt ret).getExpr() = e
-  or
-  exists(ConditionalExpr cond |
-    outlivesFullExpr(cond) and
-    [cond.getThen(), cond.getElse()] = e
-  )
-  or
-  exists(BinaryOperation bin |
-    outlivesFullExpr(bin) and
-    bin.getAnOperand() = e
-  )
-  or
-  exists(ClassAggregateLiteral aggr |
-    outlivesFullExpr(aggr) and
-    aggr.getAFieldExpr(_) = e
-  )
-  or
-  exists(ArrayAggregateLiteral aggr |
-    outlivesFullExpr(aggr) and
-    aggr.getAnElementExpr(_) = e
-  )
-  or
-  isStoredInContainer(e)
-}
+import Temporaries
 
 from Call c
 where
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.qhelp b/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.qhelp
@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Calling <code>get</code> on a <code>std::unique_ptr</code> object returns a pointer to the underlying allocations.
+When the <code>std::unique_ptr</code> object is destroyed, the pointer returned by <code>get</code> is no
+longer valid. If the pointer is used after the <code>std::unique_ptr</code> object is destroyed, then the behavior is undefined.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Ensure that the pointer returned by <code>get</code> does not outlive the underlying <code>std::unique_ptr</code> object.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example gets a <code>std::unique_ptr</code> object, and then converts the resulting unique pointer to a
+pointer using <code>get</code> so that it can be passed to the <code>work</code> function.
+
+However, the <code>std::unique_ptr</code> object is destroyed as soon as the call
+to <code>get</code> returns. This means that <code>work</code> is given a pointer to invalid memory.
+</p>
+
+<sample src="UseOfUniquePointerAfterLifetimeEndsBad.cpp" />
+
+<p>
+The following example fixes the above code by ensuring that the pointer returned by the call to <code>get</code> does
+not outlive the underlying <code>std::unique_ptr</code> objects. This ensures that the pointer passed to <code>work</code>
+points to valid memory.
+</p>
+
+<sample src="UseOfUniquePointerAfterLifetimeEndsGood.cpp" />
+
+</example>
+<references>
+
+<li><a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory">MEM50-CPP. Do not access freed memory</a>.</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql b/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
@@ -0,0 +1,36 @@
+/**
+ * @name Use of unique pointer after lifetime ends
+ * @description If a reference to the contents of a unique pointer outlives the underlying object it may lead to unexpected behavior.
+ * @kind problem
+ * @precision high
+ * @id cpp/use-of-uniwue-pointer-after-lifetime-ends
+ * @problem.severity warning
+ * @security-severity 8.8
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-416
+ *       external/cwe/cwe-664
+ */
+
+import cpp
+import semmle.code.cpp.models.interfaces.PointerWrapper
+import Temporaries
+
+predicate isUniquePointerDerefFunction(Function f) {
+  exists(PointerWrapper wrapper |
+    f = wrapper.getAnUnwrapperFunction() and
+    // We only want unique pointers as the memory behind share pointers may still be
+    // alive after the shared pointer is destroyed.
+    wrapper.(Class).hasQualifiedName(["std", "bsl"], "unique_ptr")
+  )
+}
+
+from Call c
+where
+  outlivesFullExpr(c) and
+  not c.isFromUninstantiatedTemplate(_) and
+  isUniquePointerDerefFunction(c.getTarget()) and
+  isTemporary(c.getQualifier().getFullyConverted())
+select c,
+  "The underlying unique pointer object is destroyed after the call to '" + c.getTarget() +
+    "' returns."
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEndsBad.cpp b/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEndsBad.cpp
@@ -0,0 +1,10 @@
+#include <memory>
+std::unique_ptr<T> getUniquePointer();
+void work(const T*);
+
+// BAD: the unique pointer is deallocated when `get` returns. So `work`
+// is given a pointer to invalid memory.
+void work_with_unique_ptr_bad() {
+  const T* combined_string = getUniquePointer().get();
+  work(combined_string);
+}
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEndsGood.cpp b/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEndsGood.cpp
@@ -0,0 +1,10 @@
+#include <memory>
+std::unique_ptr<T> getUniquePointer();
+void work(const T*);
+
+// GOOD: the unique pointer outlives the call to `work`. So the pointer
+// obtainted from `get` is valid.
+void work_with_unique_ptr_good() {
+  auto combined_string = getUniquePointer();
+  work(combined_string.get());
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.expected
@@ -0,0 +1,9 @@
+| test.cpp:156:15:156:15 | call to operator* | The underlying unique pointer object is destroyed after the call to 'operator*' returns. |
+| test.cpp:157:31:157:33 | call to get | The underlying unique pointer object is destroyed after the call to 'get' returns. |
+| test.cpp:159:32:159:32 | call to operator-> | The underlying unique pointer object is destroyed after the call to 'operator->' returns. |
+| test.cpp:160:35:160:37 | call to get | The underlying unique pointer object is destroyed after the call to 'get' returns. |
+| test.cpp:161:44:161:46 | call to get | The underlying unique pointer object is destroyed after the call to 'get' returns. |
+| test.cpp:163:25:163:27 | call to get | The underlying unique pointer object is destroyed after the call to 'get' returns. |
+| test.cpp:172:33:172:35 | call to get | The underlying unique pointer object is destroyed after the call to 'get' returns. |
+| test.cpp:174:32:174:34 | call to get | The underlying unique pointer object is destroyed after the call to 'get' returns. |
+| test.cpp:176:11:176:11 | call to operator* | The underlying unique pointer object is destroyed after the call to 'operator*' returns. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql`