C++: Make any non-overflowing arithmetic operation a barrier.

MathiasVP · MathiasVP · commit 238c483e5b35 · 2021-06-21T14:05:34.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -36,7 +36,7 @@ predicate boundedDiv(Expr e, Expr left) { e = left }
 
 /**
  * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
- * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
+ * an `AssignRemExpr`) with left-hand side `left` and right-hand side `right` is bounded
  * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
  * allowed by the result type of `rem`.
  */
@@ -59,10 +59,15 @@ predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2)
 }
 
 /**
- * Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
- * of possible values.
+ * Holds if `e` is an operand of an operation that greatly reduces the range of possible values.
  */
 predicate bounded(Expr e) {
+  (
+    e instanceof UnaryArithmeticOperation or
+    e instanceof BinaryArithmeticOperation
+  ) and
+  not convertedExprMightOverflow(e)
+  or
   //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
   //  maximum possible value of the result type of the operation.
   //  For example, the function call `rand()` is considered bounded in the following program:
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -19,11 +19,6 @@ edges
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
-| test.c:104:13:104:16 | call to rand | test.c:106:5:106:11 | r |
-| test.c:104:13:104:16 | call to rand | test.c:106:5:106:11 | r |
-| test.c:106:5:106:11 | r | test.c:110:18:110:18 | r |
-| test.c:110:18:110:18 | r | test.c:111:3:111:3 | r |
-| test.c:110:18:110:18 | r | test.c:111:3:111:3 | r |
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
@@ -67,13 +62,6 @@ nodes
 | test.c:100:5:100:5 | r | semmle.label | r |
 | test.c:100:5:100:5 | r | semmle.label | r |
 | test.c:100:5:100:5 | r | semmle.label | r |
-| test.c:104:13:104:16 | call to rand | semmle.label | call to rand |
-| test.c:104:13:104:16 | call to rand | semmle.label | call to rand |
-| test.c:106:5:106:11 | r | semmle.label | r |
-| test.c:110:18:110:18 | r | semmle.label | r |
-| test.c:111:3:111:3 | r | semmle.label | r |
-| test.c:111:3:111:3 | r | semmle.label | r |
-| test.c:111:3:111:3 | r | semmle.label | r |
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
@@ -105,7 +93,6 @@ nodes
 | test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
 | test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
-| test.c:111:3:111:3 | r | test.c:104:13:104:16 | call to rand | test.c:111:3:111:3 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:104:13:104:16 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@@ -108,5 +108,5 @@ void randomTester() {
 }
 
 void add_100(int r) {
-  r += 100; // GOOD [FALSE POSITIVE]
+  r += 100; // GOOD
 }

Original file line number	Diff line number	Diff line change
`@@ -108,5 +108,5 @@ void randomTester() {`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`void add_100(int r) {`
`111`		`- r += 100; // GOOD [FALSE POSITIVE]`
	`111`	`+ r += 100; // GOOD`
`112`	`112`	`}`