Merge pull request github#6372 from geoffw0/uncontrolledarith

Author: MathiasVP

cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* Improvements made to the (`cpp/uncontrolled-arithmetic`) query, reducing the frequency of false positive results.

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -74,8 +74,15 @@ private class RandS extends RandomFunction {
 
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
-    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
+    // underflow - random numbers are usually non-negative, so underflow is
+    // only likely if the type is unsigned. Multiplication is also unlikely to
+    // cause underflow of a non-negative number.
+    missingGuardAgainstUnderflow(op, va) and
+    effect = "underflow" and
+    op.getUnspecifiedType().(IntegralType).isUnsigned() and
+    not op instanceof MulExpr
     or
+    // overflow
     missingGuardAgainstOverflow(op, va) and effect = "overflow"
   )
 }
@@ -108,6 +115,9 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {
         op instanceof BitwiseAndExpr or
         op instanceof ComplementExpr
       ).getAnOperand*()
+    or
+    // block unintended flow to pointers
+    node.asExpr().getUnspecifiedType() instanceof PointerType
   }
 }
 

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected

@@ -7,6 +7,9 @@ edges
 | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
 | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r |
+| test.c:148:22:148:25 | call to rand | test.c:150:9:150:9 | r |
+| test.c:148:22:148:27 | (unsigned int)... | test.c:150:9:150:9 | r |
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:13:2:13:15 | Chi [[]] | test.cpp:30:13:30:14 | get_rand2 output argument [[]] |
@@ -18,6 +21,11 @@ edges
 | test.cpp:30:13:30:14 | get_rand2 output argument [[]] | test.cpp:30:13:30:14 | Chi |
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
+| test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x |
+| test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x |
+| test.cpp:129:10:129:13 | call to rand | test.cpp:132:10:132:10 | b |
+| test.cpp:147:11:147:14 | call to rand | test.cpp:149:11:149:16 | (int)... |
+| test.cpp:147:11:147:14 | call to rand | test.cpp:149:16:149:16 | y |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:21:17:21:17 | r | semmle.label | r |
@@ -33,6 +41,11 @@ nodes
 | test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:125:13:125:16 | call to rand | semmle.label | call to rand |
+| test.c:127:9:127:9 | r | semmle.label | r |
+| test.c:148:22:148:25 | call to rand | semmle.label | call to rand |
+| test.c:148:22:148:27 | (unsigned int)... | semmle.label | (unsigned int)... |
+| test.c:150:9:150:9 | r | semmle.label | r |
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:15 | Chi [[]] | semmle.label | Chi [[]] |
@@ -47,15 +60,32 @@ nodes
 | test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
 | test.cpp:36:13:36:13 | get_rand3 output argument [[]] | semmle.label | get_rand3 output argument [[]] |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:78:10:78:13 | call to rand | semmle.label | call to rand |
+| test.cpp:82:10:82:10 | x | semmle.label | x |
+| test.cpp:90:10:90:13 | call to rand | semmle.label | call to rand |
+| test.cpp:94:10:94:10 | x | semmle.label | x |
+| test.cpp:129:10:129:13 | call to rand | semmle.label | call to rand |
+| test.cpp:132:10:132:10 | b | semmle.label | b |
+| test.cpp:147:11:147:14 | call to rand | semmle.label | call to rand |
+| test.cpp:149:11:149:16 | (int)... | semmle.label | (int)... |
+| test.cpp:149:16:149:16 | y | semmle.label | y |
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
 | test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
-| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
+| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
+| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
+| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | Uncontrolled value |
+| test.c:150:9:150:9 | r | test.c:148:22:148:25 | call to rand | test.c:150:9:150:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:148:22:148:25 | call to rand | Uncontrolled value |
+| test.c:150:9:150:9 | r | test.c:148:22:148:27 | (unsigned int)... | test.c:150:9:150:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:148:22:148:25 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
+| test.cpp:82:10:82:10 | x | test.cpp:78:10:78:13 | call to rand | test.cpp:82:10:82:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:78:10:78:13 | call to rand | Uncontrolled value |
+| test.cpp:94:10:94:10 | x | test.cpp:90:10:90:13 | call to rand | test.cpp:94:10:94:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:90:10:90:13 | call to rand | Uncontrolled value |
+| test.cpp:132:10:132:10 | b | test.cpp:129:10:129:13 | call to rand | test.cpp:132:10:132:10 | b | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:129:10:129:13 | call to rand | Uncontrolled value |
+| test.cpp:149:11:149:16 | (int)... | test.cpp:147:11:147:14 | call to rand | test.cpp:149:11:149:16 | (int)... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:147:11:147:14 | call to rand | Uncontrolled value |
+| test.cpp:149:16:149:16 | y | test.cpp:147:11:147:14 | call to rand | test.cpp:149:16:149:16 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:147:11:147:14 | call to rand | Uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c

@@ -74,30 +74,30 @@ void randomTester() {
   {
     int r = RAND2();
 
-    r = r - 100; // BAD
+    r = r + 100; // BAD
   }
 
   {
     int r = (rand() ^ rand());
 
-    r = r - 100; // BAD
+    r = r + 100; // BAD
   }
 
   {
-    int r = RAND2() - 100; // BAD [NOT DETECTED]
+    int r = RAND2() + 100; // BAD [NOT DETECTED]
   }
 
   {
     int r = RAND();
     int *ptr_r = &r;
-    *ptr_r -= 100; // BAD [NOT DETECTED]
+    *ptr_r += 100; // BAD [NOT DETECTED]
   }
 
   {
     int r = 0;
     int *ptr_r = &r;
     *ptr_r = RAND();
-    r -= 100; // BAD
+    r += 100; // BAD
   }
 
   {
@@ -119,3 +119,34 @@ void randomTester2(int bound, int min, int max) {
   int r2 = (rand() % (max - min + 1)) + min;
   r2 += 100; // GOOD (This is a common way to clamp the random value between [min, max])
 }
+
+void moreTests() {
+  {
+    int r = rand();
+    
+    r = r * 100; // BAD
+  }
+  {
+    int r = rand();
+    
+    r *= 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = rand();
+    
+    r <<= 8; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = rand();
+    
+    r = r - 100; // GOOD
+  }
+
+  {
+    unsigned int r = rand();
+    
+    r = r - 100; // BAD
+  }
+}

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp

@@ -47,4 +47,117 @@ void test_with_bounded_randomness() {
 
 	unsigned unsigned_r = rand(10);
 	unsigned_r++; // GOOD
-}
+}
+
+int test_remainder_subtract()
+{
+	int x = rand();
+	int y = x % 100; // y <= x
+
+	return x - y; // GOOD (as y <= x)
+}
+
+typedef unsigned long size_t;
+int snprintf(char *s, size_t n, const char *format, ...);
+
+int test_buffer(char *buf_start, char *buf_end)
+{
+	int len = buf_end - buf_start;
+
+	return len * 2; // GOOD
+}
+
+int test_snprintf(char *buf, size_t buf_sz)
+{
+	snprintf(buf, buf_sz, "my random number: %i\n", rand());
+	test_buffer(buf, buf + buf_sz);
+}
+
+int test_else_1()
+{
+	int x = rand();
+
+	if (x > 100)
+	{
+		return x * 10; // BAD
+	} else {
+		return x * 10; // GOOD (as x <= 100)
+	}
+}
+
+int test_else_2()
+{
+	int x = rand();
+
+	if (x > 100)
+	{
+		return x * 10; // BAD
+	}
+
+	return x * 10; // GOOD (as x <= 100)
+}
+
+int test_conditional_assignment_1()
+{
+	int x = rand();
+	int y = 100;
+
+	if (x < y)
+	{
+		y = x;
+		return y * 10; // GOOD (as y <= 100)
+	} else {
+		return y * 10; // GOOD (as y = 100)
+	}
+}
+
+int test_conditional_assignment_2()
+{
+	int x = rand();
+	int y = 100;
+
+	if (x < y)
+	{
+		y = x;
+	}
+	
+	return y * 10; // GOOD (as y <= 100)
+}
+
+int test_underflow()
+{
+	int x = rand();
+	int a = -x; // GOOD
+	int b = 10 - x; // GOOD
+	int c = b * 2; // BAD
+}
+
+int test_cast()
+{
+	int x = rand();
+	short a = x; // BAD [NOT DETECTED]
+	short b = -x; // BAD [NOT DETECTED]
+	long long c = x; // GOOD
+	long long d = -x; // GOOD
+}
+
+void test_float()
+{
+	{
+		int x = rand();
+		float y = x; // GOOD
+		int z = (int)y * 5; // BAD
+	}
+
+	{
+		int x = rand();
+		float y = x * 5.0f; // GOOD
+		int z = y; // BAD [NOT DETECTED]
+	}
+
+	{
+		int x = rand();
+		float y = x / 10.0f; // GOOD
+		int z = (int)y * 5; // GOOD
+	}
+}