C++: Don't report underflowing multiplication.

geoffw0 · geoffw0 · commit 00f6f668cc84 · 2021-07-27T14:02:40.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -74,7 +74,10 @@ private class RandS extends RandomFunction {
 
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
-    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
+    (
+      missingGuardAgainstUnderflow(op, va) and effect = "underflow" and
+      not op instanceof MulExpr // random numbers are usually non-negative, so multiplication doesn't underflow.
+    )
     or
     missingGuardAgainstOverflow(op, va) and effect = "overflow"
   )
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -21,11 +21,7 @@ edges
 | test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
 | test.cpp:54:10:54:13 | call to rand | test.cpp:57:9:57:9 | x |
 | test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x |
-| test.cpp:78:10:78:13 | call to rand | test.cpp:84:10:84:10 | x |
 | test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x |
-| test.cpp:90:10:90:13 | call to rand | test.cpp:97:9:97:9 | x |
-| test.cpp:102:10:102:13 | call to rand | test.cpp:108:10:108:10 | y |
-| test.cpp:116:10:116:13 | call to rand | test.cpp:124:9:124:9 | y |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:21:17:21:17 | r | semmle.label | r |
@@ -61,14 +57,8 @@ nodes
 | test.cpp:57:9:57:9 | x | semmle.label | x |
 | test.cpp:78:10:78:13 | call to rand | semmle.label | call to rand |
 | test.cpp:82:10:82:10 | x | semmle.label | x |
-| test.cpp:84:10:84:10 | x | semmle.label | x |
 | test.cpp:90:10:90:13 | call to rand | semmle.label | call to rand |
 | test.cpp:94:10:94:10 | x | semmle.label | x |
-| test.cpp:97:9:97:9 | x | semmle.label | x |
-| test.cpp:102:10:102:13 | call to rand | semmle.label | call to rand |
-| test.cpp:108:10:108:10 | y | semmle.label | y |
-| test.cpp:116:10:116:13 | call to rand | semmle.label | call to rand |
-| test.cpp:124:9:124:9 | y | semmle.label | y |
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
@@ -79,14 +69,9 @@ nodes
 | test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | Uncontrolled value |
-| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:125:13:125:16 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
 | test.cpp:57:9:57:9 | x | test.cpp:54:10:54:13 | call to rand | test.cpp:57:9:57:9 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:54:10:54:13 | call to rand | Uncontrolled value |
 | test.cpp:82:10:82:10 | x | test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:78:10:78:13 | call to rand | Uncontrolled value |
-| test.cpp:84:10:84:10 | x | test.cpp:78:10:78:13 | call to rand | test.cpp:84:10:84:10 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:78:10:78:13 | call to rand | Uncontrolled value |
 | test.cpp:94:10:94:10 | x | test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:90:10:90:13 | call to rand | Uncontrolled value |
-| test.cpp:97:9:97:9 | x | test.cpp:90:10:90:13 | call to rand | test.cpp:97:9:97:9 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:90:10:90:13 | call to rand | Uncontrolled value |
-| test.cpp:108:10:108:10 | y | test.cpp:102:10:102:13 | call to rand | test.cpp:108:10:108:10 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:102:10:102:13 | call to rand | Uncontrolled value |
-| test.cpp:124:9:124:9 | y | test.cpp:116:10:116:13 | call to rand | test.cpp:124:9:124:9 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:116:10:116:13 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -81,7 +81,7 @@ int test_else_1()
 	{
 		return x * 10; // BAD
 	} else {
-		return x * 10; // GOOD (as x <= 100) [FALSE POSITIVE]
+		return x * 10; // GOOD (as x <= 100)
 	}
 }
 
@@ -94,7 +94,7 @@ int test_else_2()
 		return x * 10; // BAD
 	}
 
-	return x * 10; // GOOD (as x <= 100) [FALSE POSITIVE]
+	return x * 10; // GOOD (as x <= 100)
 }
 
 int test_conditional_assignment_1()
@@ -105,7 +105,7 @@ int test_conditional_assignment_1()
 	if (x < y)
 	{
 		y = x;
-		return y * 10; // GOOD (as y <= 100) [FALSE POSITIVE]
+		return y * 10; // GOOD (as y <= 100)
 	} else {
 		return y * 10; // GOOD (as y = 100)
 	}
@@ -121,5 +121,5 @@ int test_conditional_assignment_2()
 		y = x;
 	}
 	
-	return y * 10; // GOOD (as y <= 100) [FALSE POSITIVE]
+	return y * 10; // GOOD (as y <= 100)
 }

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ int test_else_1()`
`81`	`81`	`{`
`82`	`82`	`return x * 10; // BAD`
`83`	`83`	`} else {`
`84`		`- return x * 10; // GOOD (as x <= 100) [FALSE POSITIVE]`
	`84`	`+ return x * 10; // GOOD (as x <= 100)`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`
`@@ -94,7 +94,7 @@ int test_else_2()`
`94`	`94`	`return x * 10; // BAD`
`95`	`95`	`}`
`96`	`96`
`97`		`- return x * 10; // GOOD (as x <= 100) [FALSE POSITIVE]`
	`97`	`+ return x * 10; // GOOD (as x <= 100)`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`int test_conditional_assignment_1()`
`@@ -105,7 +105,7 @@ int test_conditional_assignment_1()`
`105`	`105`	`if (x < y)`
`106`	`106`	`{`
`107`	`107`	`y = x;`
`108`		`- return y * 10; // GOOD (as y <= 100) [FALSE POSITIVE]`
	`108`	`+ return y * 10; // GOOD (as y <= 100)`
`109`	`109`	`} else {`
`110`	`110`	`return y * 10; // GOOD (as y = 100)`
`111`	`111`	`}`
`@@ -121,5 +121,5 @@ int test_conditional_assignment_2()`
`121`	`121`	`y = x;`
`122`	`122`	`}`
`123`	`123`
`124`		`- return y * 10; // GOOD (as y <= 100) [FALSE POSITIVE]`
	`124`	`+ return y * 10; // GOOD (as y <= 100)`
`125`	`125`	`}`