C++: Exclude unintended results on pointers.

geoffw0 · geoffw0 · commit 40f0658e8a06 · 2021-07-27T13:39:20.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -108,6 +108,9 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {
         op instanceof BitwiseAndExpr or
         op instanceof ComplementExpr
       ).getAnOperand*()
+    or
+    // block unintended flow to pointers
+    node.asExpr().getUnspecifiedType() instanceof PointerType
   }
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -20,12 +20,6 @@ edges
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
 | test.cpp:54:10:54:13 | call to rand | test.cpp:57:9:57:9 | x |
-| test.cpp:63:23:63:31 | buf_start | test.cpp:67:9:67:11 | len |
-| test.cpp:63:40:63:46 | buf_end | test.cpp:67:9:67:11 | len |
-| test.cpp:72:50:72:53 | call to rand | test.cpp:73:2:73:12 | ... + ... |
-| test.cpp:72:50:72:53 | call to rand | test.cpp:73:2:73:12 | buf |
-| test.cpp:73:2:73:12 | ... + ... | test.cpp:63:40:63:46 | buf_end |
-| test.cpp:73:2:73:12 | buf | test.cpp:63:23:63:31 | buf_start |
 | test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x |
 | test.cpp:78:10:78:13 | call to rand | test.cpp:84:10:84:10 | x |
 | test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x |
@@ -65,12 +59,6 @@ nodes
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:54:10:54:13 | call to rand | semmle.label | call to rand |
 | test.cpp:57:9:57:9 | x | semmle.label | x |
-| test.cpp:63:23:63:31 | buf_start | semmle.label | buf_start |
-| test.cpp:63:40:63:46 | buf_end | semmle.label | buf_end |
-| test.cpp:67:9:67:11 | len | semmle.label | len |
-| test.cpp:72:50:72:53 | call to rand | semmle.label | call to rand |
-| test.cpp:73:2:73:12 | ... + ... | semmle.label | ... + ... |
-| test.cpp:73:2:73:12 | buf | semmle.label | buf |
 | test.cpp:78:10:78:13 | call to rand | semmle.label | call to rand |
 | test.cpp:82:10:82:10 | x | semmle.label | x |
 | test.cpp:84:10:84:10 | x | semmle.label | x |
@@ -96,8 +84,6 @@ nodes
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
 | test.cpp:57:9:57:9 | x | test.cpp:54:10:54:13 | call to rand | test.cpp:57:9:57:9 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:54:10:54:13 | call to rand | Uncontrolled value |
-| test.cpp:67:9:67:11 | len | test.cpp:72:50:72:53 | call to rand | test.cpp:67:9:67:11 | len | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:72:50:72:53 | call to rand | Uncontrolled value |
-| test.cpp:67:9:67:11 | len | test.cpp:72:50:72:53 | call to rand | test.cpp:67:9:67:11 | len | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:72:50:72:53 | call to rand | Uncontrolled value |
 | test.cpp:82:10:82:10 | x | test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:78:10:78:13 | call to rand | Uncontrolled value |
 | test.cpp:84:10:84:10 | x | test.cpp:78:10:78:13 | call to rand | test.cpp:84:10:84:10 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:78:10:78:13 | call to rand | Uncontrolled value |
 | test.cpp:94:10:94:10 | x | test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:90:10:90:13 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -64,7 +64,7 @@ int test_buffer(char *buf_start, char *buf_end)
 {
 	int len = buf_end - buf_start;
 
-	return len * 2; // GOOD [FALSE POSITIVE]
+	return len * 2; // GOOD
 }
 
 int test_snprintf(char *buf, size_t buf_sz)

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,9 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {`
`108`	`108`	`op instanceof BitwiseAndExpr or`
`109`	`109`	`op instanceof ComplementExpr`
`110`	`110`	`).getAnOperand*()`
	`111`	`+ or`
	`112`	`+ // block unintended flow to pointers`
	`113`	`+ node.asExpr().getUnspecifiedType() instanceof PointerType`
`111`	`114`	`}`
`112`	`115`	`}`
`113`	`116`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ int test_buffer(char buf_start, char buf_end)`
`64`	`64`	`{`
`65`	`65`	`int len = buf_end - buf_start;`
`66`	`66`
`67`		`- return len * 2; // GOOD [FALSE POSITIVE]`
	`67`	`+ return len * 2; // GOOD`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`int test_snprintf(char *buf, size_t buf_sz)`