C++: Fix handling of the 'stat' pointer argument.

geoffw0 · geoffw0 · commit 7684796d63e7 · 2021-07-19T15:13:19.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -111,8 +111,11 @@ where
     // access to a member variable on the stat buf
     // (morally, this should be a use-use pair, but it seems unlikely
     // that this variable will get reused in practice)
-    exists(Variable buf | exists(stat(checkPath, buf.getAnAccess())) |
-      check.(VariableAccess).getQualifier() = buf.getAnAccess()
+    exists(Expr call, Expr e, Variable v |
+      call = stat(checkPath, e) and
+      e.getAChild*().(VariableAccess).getTarget() = v and
+      check.(VariableAccess).getTarget() = v and
+      not e.getAChild*() = check // the call that writes to the pointer is not where the pointer is checked.
     )
   ) and
   // `checkPath` and `usePath` refer to the same SSA variable
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected
@@ -1,7 +1,10 @@
 | test2.cpp:39:7:39:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:39:13:39:16 | path | filename | test2.cpp:34:6:34:10 | call to fopen | checked |
 | test2.cpp:52:7:52:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:52:13:52:16 | path | filename | test2.cpp:52:7:52:11 | call to fopen | checked |
 | test2.cpp:69:7:69:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:69:13:69:16 | path | filename | test2.cpp:67:6:67:9 | call to stat | checked |
-| test2.cpp:98:7:98:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:98:13:98:16 | path | filename | test2.cpp:96:15:96:17 | foo | checked |
+| test2.cpp:83:7:83:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:83:13:83:16 | path | filename | test2.cpp:81:6:81:8 | buf | checked |
+| test2.cpp:98:7:98:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:98:13:98:16 | path | filename | test2.cpp:96:6:96:12 | buf_ptr | checked |
+| test2.cpp:115:7:115:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:115:13:115:16 | path | filename | test2.cpp:113:22:113:24 | buf | checked |
+| test2.cpp:130:7:130:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:130:13:130:16 | path | filename | test2.cpp:128:21:128:27 | buf_ptr | checked |
 | test2.cpp:157:7:157:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:157:12:157:15 | path | filename | test2.cpp:155:6:155:9 | call to stat | checked |
 | test2.cpp:170:7:170:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:170:12:170:15 | path | filename | test2.cpp:168:6:168:10 | call to lstat | checked |
 | test2.cpp:245:3:245:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:245:9:245:12 | path | filename | test2.cpp:238:6:238:10 | call to fopen | checked |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp
@@ -80,7 +80,7 @@ void test2_2(const char *path)
 	stat(path, &buf);
 	if (buf.foo > 0)
 	{
-		f = fopen(path, "r"); // BAD [NOT DETECTED]
+		f = fopen(path, "r"); // BAD
 	}
 
 	// ...
@@ -112,7 +112,7 @@ void test2_4(const char *path)
 	stat(path, &buf);
 	if (stat_condition(&buf))
 	{
-		f = fopen(path, "r"); // BAD [NOT DETECTED]
+		f = fopen(path, "r"); // BAD
 	}
 
 	// ...
@@ -127,7 +127,7 @@ void test2_5(const char *path)
 	stat(path, buf_ptr);
 	if (stat_condition(buf_ptr))
 	{
-		f = fopen(path, "r"); // BAD [NOT DETECTED]
+		f = fopen(path, "r"); // BAD
 	}
 
 	// ...

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ void test2_2(const char *path)`
`80`	`80`	`stat(path, &buf);`
`81`	`81`	`if (buf.foo > 0)`
`82`	`82`	`{`
`83`		`- f = fopen(path, "r"); // BAD [NOT DETECTED]`
	`83`	`+ f = fopen(path, "r"); // BAD`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`// ...`
`@@ -112,7 +112,7 @@ void test2_4(const char *path)`
`112`	`112`	`stat(path, &buf);`
`113`	`113`	`if (stat_condition(&buf))`
`114`	`114`	`{`
`115`		`- f = fopen(path, "r"); // BAD [NOT DETECTED]`
	`115`	`+ f = fopen(path, "r"); // BAD`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`// ...`
`@@ -127,7 +127,7 @@ void test2_5(const char *path)`
`127`	`127`	`stat(path, buf_ptr);`
`128`	`128`	`if (stat_condition(buf_ptr))`
`129`	`129`	`{`
`130`		`- f = fopen(path, "r"); // BAD [NOT DETECTED]`
	`130`	`+ f = fopen(path, "r"); // BAD`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`// ...`