C++: Implement models for poll, accept and select.

MathiasVP · MathiasVP · commit fef824c37a95 · 2021-02-19T14:03:54.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -30,3 +30,6 @@ private import implementations.SmartPointer
 private import implementations.Sscanf
 private import implementations.Send
 private import implementations.Recv
+private import implementations.Accept
+private import implementations.Poll
+private import implementations.Select
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Accept.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Accept.qll
@@ -0,0 +1,56 @@
+/**
+ * Provides implementation classes modeling `accept` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `accept` and its assorted variants
+ */
+private class Accept extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+  Accept() { this.hasGlobalName(["accept", "accept4", "WSAAccept"]) }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 1 and countParam = 2
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = [1, 2] }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = [1, 2] }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (input.isParameter(0) or input.isParameterDeref(1)) and
+    (output.isReturnValue() or output.isParameterDeref(1))
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 1 and buffer = true and mustWrite = false
+    or
+    i = 2 and buffer = false and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = 0 and buffer = true
+    or
+    i = 1 and buffer = false
+  }
+
+  override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
+
+  // NOTE: We implement thse two predicates as none because we can't model the low-level changes made to
+  // the structure pointed to by the file-descriptor argument.
+  override predicate hasOnlySpecificReadSideEffects() { none() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { none() }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Poll.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Poll.qll
@@ -0,0 +1,50 @@
+/**
+ * Provides implementation classes modeling `poll` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `poll` and its assorted variants
+ */
+private class Poll extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+  Poll() { this.hasGlobalName(["poll", "ppoll", "WSAPoll"]) }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = 0 and countParam = 1
+  }
+
+  override predicate hasArrayInput(int bufParam) {
+    getParameter(bufParam).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and
+    output.isParameterDeref(0)
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and buffer = true and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    getParameter(i).getUnspecifiedType() instanceof PointerType and buffer = true
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Select.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Select.qll
@@ -0,0 +1,48 @@
+/**
+ * Provides implementation classes modeling `select` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The function `select` and its assorted variants
+ */
+private class Select extends ArrayFunction, AliasFunction, TaintFunction, SideEffectFunction {
+  Select() { this.hasGlobalName(["select", "pselect"]) }
+
+  override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = [1 .. 3] }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = [1 .. 3] }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = [1 .. 3] }
+
+  override predicate parameterNeverEscapes(int index) { exists(this.getParameter(index)) }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    exists(int i | i = [1 .. 3] |
+      input.isParameterDeref(i) and
+      output.isParameterDeref(i)
+    )
+  }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = [1 .. 3] and buffer = true and mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    i = [1 .. 5] and buffer = true
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/bsd.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/bsd.cpp
@@ -0,0 +1,64 @@
+void sink(...);
+int source();
+
+// --- accept ---
+
+struct sockaddr {
+	unsigned char length;
+	int sa_family;
+	char* sa_data;
+};
+
+int accept(int, const sockaddr*, int*);
+
+void sink(sockaddr);
+
+void test_accept() {
+  int s = source();
+  sockaddr addr;
+  int size = sizeof(sockaddr);
+  int a = accept(s, &addr, &size);
+
+  sink(a); // $ ast=17:11 SPURIOUS: ast=18:12 MISSING: ir
+  sink(addr); // $ ast MISSING: ir
+}
+
+// --- poll ---
+
+struct pollfd {
+  int   fd;
+  short events;
+  short revents;
+};
+
+int poll(struct pollfd *, int, int);
+
+void test_poll() {
+  pollfd pfds;
+
+  pfds.events = 1;
+  pfds.fd = source();
+  poll(&pfds, 1, -1);
+
+  sink(pfds); // $ ast MISSING: ir
+}
+
+// --- select ---
+
+typedef struct {} timeval;
+
+typedef struct fd_set {
+  int  fd_count;
+  int fd_array[4096];
+} fd_set;
+
+int select(int, fd_set *, fd_set *, fd_set *, timeval *);
+
+void test_select(timeval timeout) {
+  fd_set readfds;
+
+  readfds.fd_count = 1;
+  readfds.fd_array[0] = source();
+  select(2, &readfds, nullptr, nullptr, &timeout);
+  sink(&readfds); // $ ast MISSING: ir
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -135,6 +135,62 @@
 | arrayassignment.cpp:145:12:145:12 | 5 | arrayassignment.cpp:145:7:145:13 | access to array | TAINT |
 | arrayassignment.cpp:146:7:146:10 | arr3 | arrayassignment.cpp:146:7:146:13 | access to array |  |
 | arrayassignment.cpp:146:12:146:12 | 5 | arrayassignment.cpp:146:7:146:13 | access to array | TAINT |
+| bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s |  |
+| bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr |  |
+| bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr |  |
+| bsd.cpp:19:14:19:29 | sizeof(sockaddr) | bsd.cpp:20:29:20:32 | size |  |
+| bsd.cpp:20:11:20:16 | call to accept | bsd.cpp:22:8:22:8 | a |  |
+| bsd.cpp:20:18:20:18 | s | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:21:20:25 | & ... | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:11:20:16 | call to accept | TAINT |
+| bsd.cpp:20:22:20:25 | addr | bsd.cpp:20:21:20:25 | & ... |  |
+| bsd.cpp:20:28:20:32 | ref arg & ... | bsd.cpp:20:29:20:32 | size [inner post update] |  |
+| bsd.cpp:20:29:20:32 | size | bsd.cpp:20:28:20:32 | & ... |  |
+| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:39:3:39:6 | pfds |  |
+| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:40:3:40:6 | pfds |  |
+| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:41:9:41:12 | pfds |  |
+| bsd.cpp:37:10:37:13 | pfds | bsd.cpp:43:8:43:11 | pfds |  |
+| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:40:3:40:6 | pfds |  |
+| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:41:9:41:12 | pfds |  |
+| bsd.cpp:39:3:39:6 | pfds [post update] | bsd.cpp:43:8:43:11 | pfds |  |
+| bsd.cpp:39:3:39:17 | ... = ... | bsd.cpp:39:8:39:13 | events [post update] |  |
+| bsd.cpp:39:17:39:17 | 1 | bsd.cpp:39:3:39:17 | ... = ... |  |
+| bsd.cpp:40:3:40:6 | pfds [post update] | bsd.cpp:41:9:41:12 | pfds |  |
+| bsd.cpp:40:3:40:6 | pfds [post update] | bsd.cpp:43:8:43:11 | pfds |  |
+| bsd.cpp:40:3:40:20 | ... = ... | bsd.cpp:40:8:40:9 | fd [post update] |  |
+| bsd.cpp:40:13:40:18 | call to source | bsd.cpp:40:3:40:20 | ... = ... |  |
+| bsd.cpp:41:8:41:12 | & ... | bsd.cpp:41:8:41:12 | ref arg & ... | TAINT |
+| bsd.cpp:41:8:41:12 | ref arg & ... | bsd.cpp:41:9:41:12 | pfds [inner post update] |  |
+| bsd.cpp:41:8:41:12 | ref arg & ... | bsd.cpp:43:8:43:11 | pfds |  |
+| bsd.cpp:41:9:41:12 | pfds | bsd.cpp:41:8:41:12 | & ... |  |
+| bsd.cpp:41:9:41:12 | pfds | bsd.cpp:41:8:41:12 | ref arg & ... | TAINT |
+| bsd.cpp:41:19:41:19 | 1 | bsd.cpp:41:18:41:19 | - ... | TAINT |
+| bsd.cpp:57:26:57:32 | timeout | bsd.cpp:62:42:62:48 | timeout |  |
+| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:60:3:60:9 | readfds |  |
+| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:61:3:61:9 | readfds |  |
+| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:62:14:62:20 | readfds |  |
+| bsd.cpp:58:10:58:16 | readfds | bsd.cpp:63:9:63:15 | readfds |  |
+| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:61:3:61:9 | readfds |  |
+| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:62:14:62:20 | readfds |  |
+| bsd.cpp:60:3:60:9 | readfds [post update] | bsd.cpp:63:9:63:15 | readfds |  |
+| bsd.cpp:60:3:60:22 | ... = ... | bsd.cpp:60:11:60:18 | fd_count [post update] |  |
+| bsd.cpp:60:22:60:22 | 1 | bsd.cpp:60:3:60:22 | ... = ... |  |
+| bsd.cpp:61:3:61:9 | readfds [post update] | bsd.cpp:62:14:62:20 | readfds |  |
+| bsd.cpp:61:3:61:9 | readfds [post update] | bsd.cpp:63:9:63:15 | readfds |  |
+| bsd.cpp:61:3:61:21 | access to array [post update] | bsd.cpp:61:11:61:18 | fd_array [inner post update] |  |
+| bsd.cpp:61:3:61:32 | ... = ... | bsd.cpp:61:3:61:21 | access to array [post update] |  |
+| bsd.cpp:61:11:61:18 | fd_array | bsd.cpp:61:3:61:21 | access to array |  |
+| bsd.cpp:61:20:61:20 | 0 | bsd.cpp:61:3:61:21 | access to array | TAINT |
+| bsd.cpp:61:25:61:30 | call to source | bsd.cpp:61:3:61:32 | ... = ... |  |
+| bsd.cpp:62:13:62:20 | & ... | bsd.cpp:62:13:62:20 | ref arg & ... | TAINT |
+| bsd.cpp:62:13:62:20 | ref arg & ... | bsd.cpp:62:14:62:20 | readfds [inner post update] |  |
+| bsd.cpp:62:13:62:20 | ref arg & ... | bsd.cpp:63:9:63:15 | readfds |  |
+| bsd.cpp:62:14:62:20 | readfds | bsd.cpp:62:13:62:20 | & ... |  |
+| bsd.cpp:62:14:62:20 | readfds | bsd.cpp:62:13:62:20 | ref arg & ... | TAINT |
+| bsd.cpp:62:41:62:48 | ref arg & ... | bsd.cpp:62:42:62:48 | timeout [inner post update] |  |
+| bsd.cpp:62:42:62:48 | timeout | bsd.cpp:62:41:62:48 | & ... |  |
+| bsd.cpp:63:8:63:15 | ref arg & ... | bsd.cpp:63:9:63:15 | readfds [inner post update] |  |
+| bsd.cpp:63:9:63:15 | readfds | bsd.cpp:63:8:63:15 | & ... |  |
 | constructor_delegation.cpp:8:2:8:8 | this | constructor_delegation.cpp:8:20:8:24 | constructor init of field x [pre-this] |  |
 | constructor_delegation.cpp:8:14:8:15 | _x | constructor_delegation.cpp:8:22:8:23 | _x |  |
 | constructor_delegation.cpp:8:22:8:23 | _x | constructor_delegation.cpp:8:20:8:24 | constructor init of field x | TAINT |
