C++: Fix false positive by recognizing more absolute value functions in Overflow.qll

MathiasVP · MathiasVP · commit 48e783184cd8 · 2021-05-11T14:30:28.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -12,7 +12,7 @@ import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
  * Holds if the value of `use` is guarded using `abs`.
  */
 predicate guardedAbs(Operation e, Expr use) {
-  exists(FunctionCall fc | fc.getTarget().getName() = "abs" |
+  exists(FunctionCall fc | fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] |
     fc.getArgument(0).getAChild*() = use and
     guardedLesser(e, fc)
   )
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -3,10 +3,6 @@
 | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
@@ -27,6 +27,6 @@ void useTaintedIntWithGuard() {
 	int tainted = getTaintedInt();
 
 	if(imaxabs(tainted) <= 100) {
-		int product = tainted * tainted; // GOOD: can't underflow/overflow [FALSE POSITIVE]
+		int product = tainted * tainted; // GOOD: can't underflow/overflow
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils`
`12`	`12`	* Holds if the value of `use` is guarded using `abs`.
`13`	`13`	`*/`
`14`	`14`	`predicate guardedAbs(Operation e, Expr use) {`
`15`		`- exists(FunctionCall fc \| fc.getTarget().getName() = "abs" \|`
	`15`	`+ exists(FunctionCall fc \| fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] \|`
`16`	`16`	`fc.getArgument(0).getAChild*() = use and`
`17`	`17`	`guardedLesser(e, fc)`
`18`	`18`	`)`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,6 @@ void useTaintedIntWithGuard() {`
`27`	`27`	`int tainted = getTaintedInt();`
`28`	`28`
`29`	`29`	`if(imaxabs(tainted) <= 100) {`
`30`		`- int product = tainted * tainted; // GOOD: can't underflow/overflow [FALSE POSITIVE]`
	`30`	`+ int product = tainted * tainted; // GOOD: can't underflow/overflow`
`31`	`31`	`}`
`32`	`32`	`}`