Merge pull request github#5847 from MathiasVP/improve-wrong-in-detecting-and-handling-memory-allocation-errors

Improve wrong in detecting and handling memory allocation errors

Author: geoffw0

cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp renamed to cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp

@@ -17,7 +17,7 @@ make sure to handle the possibility of null pointers if <code>new(std::nothrow)
 
 </recommendation>
 <example>
-<sample src="WrongInDetectingAndHandlingMemoryAllocationErrors.cpp" />
+<sample src="IncorrectAllocationErrorHandling.cpp" />
 
 </example>
 <references>

cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp renamed to cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp

@@ -0,0 +1,224 @@
+/**
+ * @name Incorrect allocation-error handling
+ * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
+ * @kind problem
+ * @id cpp/incorrect-allocation-error-handling
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-570
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.controlflow.Guards
+
+/**
+ * A C++ `delete` or `delete[]` expression.
+ */
+class DeleteOrDeleteArrayExpr extends Expr {
+  DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
+
+  DeallocationFunction getDeallocator() {
+    result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
+  }
+
+  Destructor getDestructor() {
+    result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
+  }
+}
+
+/** Gets the `Constructor` invoked when `newExpr` allocates memory. */
+Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
+  result.getACallToThisFunction() = newExpr.getInitializer()
+}
+
+/** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
+Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
+  result = deleteExpr.getDestructor()
+}
+
+/** Holds if the evaluation of `newExpr` may throw an exception. */
+predicate newMayThrow(NewOrNewArrayExpr newExpr) {
+  functionMayThrow(newExpr.getAllocator()) or
+  functionMayThrow(getConstructorForAllocation(newExpr))
+}
+
+/** Holds if the evaluation of `deleteExpr` may throw an exception. */
+predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
+  functionMayThrow(deleteExpr.getDeallocator()) or
+  functionMayThrow(getDestructorForDeallocation(deleteExpr))
+}
+
+/**
+ * Holds if the function may throw an exception when called. That is, if the body of the function looks
+ * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
+ */
+predicate functionMayThrow(Function f) {
+  (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
+  not f.isNoExcept() and
+  not f.isNoThrow()
+}
+
+/** Holds if the evaluation of `stmt` may throw an exception. */
+predicate stmtMayThrow(Stmt stmt) {
+  stmtMayThrow(stmt.(BlockStmt).getAStmt())
+  or
+  convertedExprMayThrow(stmt.(ExprStmt).getExpr())
+  or
+  convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
+  or
+  exists(IfStmt ifStmt | ifStmt = stmt |
+    convertedExprMayThrow(ifStmt.getCondition()) or
+    stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
+  )
+  or
+  exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
+    stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
+  )
+  or
+  exists(Loop loop | loop = stmt |
+    convertedExprMayThrow(loop.getCondition()) or
+    stmtMayThrow(loop.getStmt())
+  )
+  or
+  // The case for `Loop` already checked the condition and the statement.
+  convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
+  or
+  // The case for `Loop` already checked the condition and the statement.
+  exists(ForStmt forStmt | forStmt = stmt |
+    stmtMayThrow(forStmt.getInitialization())
+    or
+    convertedExprMayThrow(forStmt.getUpdate())
+  )
+  or
+  exists(SwitchStmt switchStmt | switchStmt = stmt |
+    convertedExprMayThrow(switchStmt.getExpr()) or
+    stmtMayThrow(switchStmt.getStmt())
+  )
+  or
+  // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
+  stmtMayThrow(stmt.(Handler).getBlock())
+  or
+  convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
+  or
+  convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
+}
+
+/** Holds if the evaluation of `e` (including conversions) may throw an exception. */
+predicate convertedExprMayThrow(Expr e) {
+  exprMayThrow(e)
+  or
+  convertedExprMayThrow(e.getConversion())
+}
+
+/** Holds if the evaluation of `e` may throw an exception. */
+predicate exprMayThrow(Expr e) {
+  e instanceof DynamicCast
+  or
+  e instanceof TypeidOperator
+  or
+  e instanceof ThrowExpr
+  or
+  newMayThrow(e)
+  or
+  deleteMayThrow(e)
+  or
+  convertedExprMayThrow(e.(UnaryOperation).getOperand())
+  or
+  exists(BinaryOperation binOp | binOp = e |
+    convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
+  )
+  or
+  exists(Assignment assign | assign = e |
+    convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
+  )
+  or
+  exists(CommaExpr comma | comma = e |
+    convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
+  )
+  or
+  exists(StmtExpr stmtExpr | stmtExpr = e |
+    convertedExprMayThrow(stmtExpr.getResultExpr()) or
+    stmtMayThrow(stmtExpr.getStmt())
+  )
+  or
+  convertedExprMayThrow(e.(Conversion).getExpr())
+  or
+  exists(FunctionCall fc | fc = e |
+    not exists(fc.getTarget()) or
+    functionMayThrow(fc.getTarget()) or
+    convertedExprMayThrow(fc.getAnArgument())
+  )
+}
+
+/** An allocator that might throw an exception. */
+class ThrowingAllocator extends Function {
+  ThrowingAllocator() {
+    exists(NewOrNewArrayExpr newExpr |
+      newExpr.getAllocator() = this and
+      functionMayThrow(this)
+    )
+  }
+}
+
+/** The `std::bad_alloc` exception and its `bsl` variant. */
+class BadAllocType extends Class {
+  BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
+}
+
+/**
+ * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
+ * block that catches every exception (i.e., `catch(...)`).
+ */
+class BadAllocCatchBlock extends CatchBlock {
+  BadAllocCatchBlock() {
+    this.getParameter().getUnspecifiedType().stripType() =
+      any(BadAllocType badAlloc).getABaseClass*()
+    or
+    not exists(this.getParameter())
+  }
+}
+
+/**
+ * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
+ * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
+ * will throw that exception.
+ */
+predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
+  exists(TryStmt try |
+    not stmtMayThrow(try.getStmt()) and
+    try.getACatchClause() = catchBlock and
+    newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
+  )
+}
+
+/**
+ * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
+ * the guard condition `guard` compares the result of `newExpr` to a null value.
+ */
+predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
+  newExpr.getAllocator() instanceof ThrowingAllocator and
+  (
+    // Handles null comparisons.
+    guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
+    or
+    // Handles `if(ptr)` and `if(!ptr)` cases.
+    guard = globalValueNumber(newExpr).getAnExpr()
+  )
+}
+
+from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
+where
+  not newExpr.isFromUninstantiatedTemplate(_) and
+  (
+    noThrowInTryBlock(newExpr, element) and
+    msg = "This allocation cannot throw. $@ is unnecessary." and
+    elementString = "This catch block"
+    or
+    nullCheckInThrowingNew(newExpr, element) and
+    msg = "This allocation cannot return null. $@ is unnecessary." and
+    elementString = "This check"
+  )
+select newExpr, msg, element, elementString

cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql

@@ -850,6 +850,24 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
       this.getAllocatorCall()
           .getArgument(this.getAllocator().(OperatorNewAllocationFunction).getPlacementArgument())
   }
+
+  /**
+   * For `operator new`, this gets the call or expression that initializes the allocated object, if any.
+   *
+   * As examples, for `new int(4)`, this will be `4`, and for `new std::vector(4)`, this will
+   * be a call to the constructor `std::vector::vector(size_t)` with `4` as an argument.
+   *
+   * For `operator new[]`, this gets the call or expression that initializes the first element of the
+   * array, if any.
+   *
+   * This will either be a call to the default constructor for the array's element type (as
+   * in `new std::string[10]`), or a literal zero for arrays of scalars which are zero-initialized
+   * due to extra parentheses (as in `new int[10]()`).
+   *
+   * At runtime, the constructor will be called once for each element in the array, but the
+   * constructor call only exists once in the AST.
+   */
+  final Expr getInitializer() { result = this.getChild(1) }
 }
 
 /**
@@ -871,14 +889,6 @@ class NewExpr extends NewOrNewArrayExpr, @new_expr {
   override Type getAllocatedType() {
     new_allocated_type(underlyingElement(this), unresolveElement(result))
   }
-
-  /**
-   * Gets the call or expression that initializes the allocated object, if any.
-   *
-   * As examples, for `new int(4)`, this will be `4`, and for `new std::vector(4)`, this will
-   * be a call to the constructor `std::vector::vector(size_t)` with `4` as an argument.
-   */
-  Expr getInitializer() { result = this.getChild(1) }
 }
 
 /**
@@ -909,18 +919,6 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
     result = getType().getUnderlyingType().(PointerType).getBaseType()
   }
 
-  /**
-   * Gets the call or expression that initializes the first element of the array, if any.
-   *
-   * This will either be a call to the default constructor for the array's element type (as
-   * in `new std::string[10]`), or a literal zero for arrays of scalars which are zero-initialized
-   * due to extra parentheses (as in `new int[10]()`).
-   *
-   * At runtime, the constructor will be called once for each element in the array, but the
-   * constructor call only exists once in the AST.
-   */
-  Expr getInitializer() { result = this.getChild(1) }
-
   /**
    * Gets the extent of the non-constant array dimension, if any.
    *