Merge branch 'main' into logs

Author: erik-krogh

cpp/change-notes/2021-06-15-path-sensitive-stack-reachability.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `StackVariableReachability` library now ignores some paths that contain an infeasible combination
+  of conditionals. These improvements primarily affect the queries `cpp/uninitialized-local` and
+  `cpp/use-after-free`.

cpp/change-notes/2021-06-30-wrong-type-format-argument.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -19,28 +19,32 @@ import cpp
  * Holds if the argument corresponding to the `pos` conversion specifier
  * of `ffc` is expected to have type `expected`.
  */
-pragma[noopt]
 private predicate formattingFunctionCallExpectedType(
   FormattingFunctionCall ffc, int pos, Type expected
 ) {
-  exists(FormattingFunction f, int i, FormatLiteral fl |
-    ffc instanceof FormattingFunctionCall and
-    ffc.getTarget() = f and
-    f.getFormatParameterIndex() = i and
-    ffc.getArgument(i) = fl and
-    fl.getConversionType(pos) = expected
-  )
+  ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
+}
+
+/**
+ * Holds if the argument corresponding to the `pos` conversion specifier
+ * of `ffc` could alternatively have type `expected`, for example on a different
+ * platform.
+ */
+private predicate formattingFunctionCallAlternateType(
+  FormattingFunctionCall ffc, int pos, Type expected
+) {
+  ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
 }
 
 /**
  * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` is expected to have type `expected` and the corresponding
- * argument `arg` has type `actual`.
+ * of `ffc` is `arg` and has type `actual`.
  */
 pragma[noopt]
-predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
+predicate formattingFunctionCallActualType(
+  FormattingFunctionCall ffc, int pos, Expr arg, Type actual
+) {
   exists(Expr argConverted |
-    formattingFunctionCallExpectedType(ffc, pos, expected) and
     ffc.getConversionArgument(pos) = arg and
     argConverted = arg.getFullyConverted() and
     actual = argConverted.getType()
@@ -72,7 +76,8 @@ class ExpectedType extends Type {
   ExpectedType() {
     exists(Type t |
       (
-        formatArgType(_, _, t, _, _) or
+        formattingFunctionCallExpectedType(_, _, t) or
+        formattingFunctionCallAlternateType(_, _, t) or
         formatOtherArgType(_, _, t, _, _)
       ) and
       this = t.getUnspecifiedType()
@@ -91,7 +96,11 @@ class ExpectedType extends Type {
  */
 predicate trivialConversion(ExpectedType expected, Type actual) {
   exists(Type exp, Type act |
-    formatArgType(_, _, exp, _, act) and
+    (
+      formattingFunctionCallExpectedType(_, _, exp) or
+      formattingFunctionCallAlternateType(_, _, exp)
+    ) and
+    formattingFunctionCallActualType(_, _, _, act) and
     expected = exp.getUnspecifiedType() and
     actual = act.getUnspecifiedType()
   ) and
@@ -146,9 +155,13 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
   (
-    formatArgType(ffc, n, expected, arg, actual) and
+    formattingFunctionCallExpectedType(ffc, n, expected) and
+    formattingFunctionCallActualType(ffc, n, arg, actual) and
     not exists(Type anyExpected |
-      formatArgType(ffc, n, anyExpected, arg, actual) and
+      (
+        formattingFunctionCallExpectedType(ffc, n, anyExpected) or
+        formattingFunctionCallAlternateType(ffc, n, anyExpected)
+      ) and
       trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
     )
     or

cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql

@@ -9,7 +9,6 @@
  * @tags reliability
  *       external/cwe/cwe-573
  *       external/cwe/cwe-252
- * @opaque-id SM02344
  * @microsoft.severity Important
  */
 

cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql

@@ -6,7 +6,6 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.8
- * @opaque-id SM02313
  * @id cpp/conditionally-uninitialized-variable
  * @tags security
  *       external/cwe/cwe-457

cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.c

@@ -0,0 +1,12 @@
+intA = ++intA + 1; // BAD: undefined behavior when changing variable `intA`
+...
+intA++;
+intA = intA + 1; // GOOD: correct design
+...
+char * buff;
+...
+if(funcAdd(buff)+fucDel(buff)>0) return 1; // BAD: undefined behavior when calling functions to change the `buff` variable
+...
+intA = funcAdd(buff);
+intB = funcDel(buff);
+if(intA+intB>0) return 1; // GOOD: correct design

cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>In some situations, the code constructs used may be executed in the wrong order in which the developer designed them. For example, if you call multiple functions as part of a single expression, and the functions have the ability to modify a shared resource, then the sequence in which the resource is changed can be unpredictable. These code snippets look suspicious and require the developer's attention.</p>
+
+
+</overview>
+<recommendation>
+
+<p>We recommend that you use more guaranteed, in terms of sequence of execution, coding techniques.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates sections of code with insufficient execution sequence definition.</p>
+<sample src="UndefinedOrImplementationDefinedBehavior.c" />
+
+</example>
+<references>
+
+<li>
+  CWE Common Weakness Enumeration:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP10-C.+Do+not+depend+on+the+order+of+evaluation+of+subexpressions+or+the+order+in+which+side+effects+take+place"> EXP10-C. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql

@@ -0,0 +1,166 @@
+/**
+ * @name Errors Of Undefined Program Behavior
+ * @description --In some situations, the code constructs used may be executed in the wrong order in which the developer designed them.
+ *              --For example, if you call multiple functions as part of a single expression, and the functions have the ability to modify a shared resource, then the sequence in which the resource is changed can be unpredictable.
+ *              --These code snippets look suspicious and require the developer's attention.
+ * @kind problem
+ * @id cpp/errors-of-undefined-program-behavior
+ * @problem.severity warning
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-758
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Threatening expressions of undefined behavior.
+ */
+class ExpressionsOfTheSameLevel extends Expr {
+  Expr exp2;
+
+  ExpressionsOfTheSameLevel() {
+    this != exp2 and
+    this.getParent() = exp2.getParent()
+  }
+
+  /** Holds if the underlying expression is a function call. */
+  predicate expressionCall() {
+    this instanceof FunctionCall and
+    exp2.getAChild*() instanceof FunctionCall and
+    not this.getParent() instanceof Operator and
+    not this.(FunctionCall).hasQualifier()
+  }
+
+  /** Holds if the underlying expression is a call to a function to free resources. */
+  predicate existsCloseOrFreeCall() {
+    (
+      globalValueNumber(this.(FunctionCall).getAnArgument()) =
+        globalValueNumber(exp2.getAChild*().(FunctionCall).getAnArgument()) or
+      hashCons(this.(FunctionCall).getAnArgument()) =
+        hashCons(exp2.getAChild*().(FunctionCall).getAnArgument())
+    ) and
+    (
+      this.(FunctionCall).getTarget().hasGlobalOrStdName("close") or
+      this.(FunctionCall).getTarget().hasGlobalOrStdName("free") or
+      this.(FunctionCall).getTarget().hasGlobalOrStdName("fclose")
+    )
+  }
+
+  /** Holds if the arguments in the function can be changed. */
+  predicate generalArgumentDerivedType() {
+    exists(Parameter prt1, Parameter prt2, AssignExpr aet1, AssignExpr aet2, int i, int j |
+      not this.(FunctionCall).getArgument(i).isConstant() and
+      hashCons(this.(FunctionCall).getArgument(i)) =
+        hashCons(exp2.getAChild*().(FunctionCall).getArgument(j)) and
+      prt1 = this.(FunctionCall).getTarget().getParameter(i) and
+      prt2 = exp2.getAChild*().(FunctionCall).getTarget().getParameter(j) and
+      prt1.getType() instanceof DerivedType and
+      (
+        aet1 = this.(FunctionCall).getTarget().getEntryPoint().getASuccessor*() and
+        (
+          aet1.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() =
+            prt1.getAnAccess().getTarget() or
+          aet1.getLValue().(VariableAccess).getTarget() = prt1.getAnAccess().getTarget()
+        )
+        or
+        exists(FunctionCall fc1 |
+          fc1.getTarget().hasGlobalName("memcpy") and
+          fc1.getArgument(0).(VariableAccess).getTarget() = prt1.getAnAccess().getTarget() and
+          fc1 = this.(FunctionCall).getTarget().getEntryPoint().getASuccessor*()
+        )
+      ) and
+      (
+        aet2 = exp2.getAChild*().(FunctionCall).getTarget().getEntryPoint().getASuccessor*() and
+        (
+          aet2.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() =
+            prt2.getAnAccess().getTarget() or
+          aet2.getLValue().(VariableAccess).getTarget() = prt2.getAnAccess().getTarget()
+        )
+        or
+        exists(FunctionCall fc1 |
+          fc1.getTarget().hasGlobalName("memcpy") and
+          fc1.getArgument(0).(VariableAccess).getTarget() = prt2.getAnAccess().getTarget() and
+          fc1 = exp2.(FunctionCall).getTarget().getEntryPoint().getASuccessor*()
+        )
+      )
+    )
+  }
+
+  /** Holds if functions have a common global argument. */
+  predicate generalGlobalArgument() {
+    exists(Declaration dl, AssignExpr aet1, AssignExpr aet2 |
+      dl instanceof GlobalVariable and
+      (
+        (
+          aet1.getLValue().(Access).getTarget() = dl or
+          aet1.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = dl
+        ) and
+        aet1 = this.(FunctionCall).getTarget().getEntryPoint().getASuccessor*() and
+        not aet1.getRValue().isConstant()
+        or
+        exists(FunctionCall fc1 |
+          fc1.getTarget().hasGlobalName("memcpy") and
+          fc1.getArgument(0).(VariableAccess).getTarget() = dl and
+          fc1 = this.(FunctionCall).getTarget().getEntryPoint().getASuccessor*()
+        )
+      ) and
+      (
+        (
+          aet2.getLValue().(Access).getTarget() = dl or
+          aet2.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = dl
+        ) and
+        aet2 = exp2.(FunctionCall).getTarget().getEntryPoint().getASuccessor*()
+        or
+        exists(FunctionCall fc1 |
+          fc1.getTarget().hasGlobalName("memcpy") and
+          fc1.getArgument(0).(VariableAccess).getTarget() = dl and
+          fc1 = exp2.(FunctionCall).getTarget().getEntryPoint().getASuccessor*()
+        )
+      )
+    )
+  }
+
+  /** Holds if sequence point is not present in expression. */
+  predicate orderOfActionExpressions() {
+    not this.getParent() instanceof BinaryLogicalOperation and
+    not this.getParent() instanceof ConditionalExpr and
+    not this.getParent() instanceof Loop and
+    not this.getParent() instanceof CommaExpr
+  }
+
+  /** Holds if expression is crement. */
+  predicate dangerousCrementChanges() {
+    hashCons(this.(CrementOperation).getOperand()) = hashCons(exp2.(CrementOperation).getOperand())
+    or
+    hashCons(this.(CrementOperation).getOperand()) = hashCons(exp2)
+    or
+    hashCons(this.(CrementOperation).getOperand()) = hashCons(exp2.(ArrayExpr).getArrayOffset())
+    or
+    hashCons(this.(Assignment).getLValue()) = hashCons(exp2.(Assignment).getLValue())
+    or
+    not this.getAChild*() instanceof Call and
+    (
+      hashCons(this.getAChild*().(CrementOperation).getOperand()) = hashCons(exp2) or
+      hashCons(this.getAChild*().(CrementOperation).getOperand()) =
+        hashCons(exp2.(Assignment).getLValue())
+    )
+  }
+}
+
+from ExpressionsOfTheSameLevel eots
+where
+  eots.orderOfActionExpressions() and
+  (
+    eots.expressionCall() and
+    (
+      eots.generalArgumentDerivedType() or
+      eots.generalGlobalArgument() or
+      eots.existsCloseOrFreeCall()
+    )
+    or
+    eots.dangerousCrementChanges()
+  )
+select eots, "This expression may have undefined behavior."

cpp/ql/src/semmle/code/cpp/File.qll

@@ -272,20 +272,16 @@ class File extends Container, @file {
    * are compiled by a Microsoft compiler are detected by this predicate.
    */
   predicate compiledAsMicrosoft() {
-    exists(Compilation c |
-      c.getAFileCompiled() = this and
+    exists(File f, Compilation c |
+      c.getAFileCompiled() = f and
       (
         c.getAnArgument() = "--microsoft" or
         c.getAnArgument()
             .toLowerCase()
             .replaceAll("\\", "/")
             .matches(["%/cl.exe", "%/clang-cl.exe"])
-      )
-    )
-    or
-    exists(File parent |
-      parent.compiledAsMicrosoft() and
-      parent.getAnIncludedFile() = this
+      ) and
+      f.getAnIncludedFile*() = this
     )
   }
 
@@ -358,6 +354,11 @@ class File extends Container, @file {
   string getShortName() { files(underlyingElement(this), _, result, _, _) }
 }
 
+/**
+ * Holds if any file was compiled by a Microsoft compiler.
+ */
+predicate anyFileCompiledAsMicrosoft() { any(File f).compiledAsMicrosoft() }
+
 /**
  * A C/C++ header file, as determined (mainly) by file extension.
  *