C++: Fix result duplication.

geoffw0 · geoffw0 · commit bb451f391133 · 2023-01-06T11:05:47.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -88,6 +88,10 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
       readsVariable(access.getDef(), checkedVar) and
       nodeIsBarrierEqualityCandidate(node, access, checkedVar)
     )
+    or
+    // block flow to inside of identified allocation functions (this flow leads
+    // to duplicate results)
+    any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()
   }
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -10,13 +10,10 @@ edges
 | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
 | test.cpp:209:8:209:23 | ReturnValue | test.cpp:241:9:241:24 | call to get_tainted_size |
 | test.cpp:211:14:211:19 | call to getenv | test.cpp:209:8:209:23 | ReturnValue |
-| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
 | test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:245:11:245:20 | local_size |
-| test.cpp:237:24:237:29 | call to getenv | test.cpp:245:11:245:20 | local_size |
 | test.cpp:237:24:237:29 | call to getenv | test.cpp:247:10:247:19 | local_size |
-| test.cpp:245:11:245:20 | local_size | test.cpp:224:23:224:23 | s |
 | test.cpp:247:10:247:19 | local_size | test.cpp:230:21:230:21 | s |
 | test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:289:17:289:20 | size [post update] |
 | test.cpp:251:2:251:9 | (reference dereference) [post update] | test.cpp:305:18:305:21 | size [post update] |
@@ -26,11 +23,8 @@ edges
 | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
 | test.cpp:289:17:289:20 | size [post update] | test.cpp:291:11:291:28 | ... * ... |
 | test.cpp:305:18:305:21 | size [post update] | test.cpp:308:10:308:27 | ... * ... |
-| test.cpp:348:24:348:27 | size | test.cpp:348:46:348:49 | size |
-| test.cpp:353:18:353:23 | call to getenv | test.cpp:355:35:355:38 | size |
 | test.cpp:353:18:353:23 | call to getenv | test.cpp:355:35:355:38 | size |
 | test.cpp:353:18:353:23 | call to getenv | test.cpp:356:35:356:38 | size |
-| test.cpp:355:35:355:38 | size | test.cpp:348:24:348:27 | size |
 nodes
 | test.cpp:39:27:39:30 | argv | semmle.label | argv |
 | test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
@@ -47,15 +41,12 @@ nodes
 | test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:209:8:209:23 | ReturnValue | semmle.label | ReturnValue |
 | test.cpp:211:14:211:19 | call to getenv | semmle.label | call to getenv |
-| test.cpp:224:23:224:23 | s | semmle.label | s |
-| test.cpp:225:21:225:21 | s | semmle.label | s |
 | test.cpp:230:21:230:21 | s | semmle.label | s |
 | test.cpp:231:21:231:21 | s | semmle.label | s |
 | test.cpp:237:24:237:29 | call to getenv | semmle.label | call to getenv |
 | test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
 | test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
-| test.cpp:245:11:245:20 | local_size | semmle.label | local_size |
 | test.cpp:247:10:247:19 | local_size | semmle.label | local_size |
 | test.cpp:251:2:251:9 | (reference dereference) [post update] | semmle.label | (reference dereference) [post update] |
 | test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
@@ -65,11 +56,8 @@ nodes
 | test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:305:18:305:21 | size [post update] | semmle.label | size [post update] |
 | test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:348:24:348:27 | size | semmle.label | size |
-| test.cpp:348:46:348:49 | size | semmle.label | size |
 | test.cpp:353:18:353:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:355:35:355:38 | size | semmle.label | size |
-| test.cpp:355:35:355:38 | size | semmle.label | size |
 | test.cpp:356:35:356:38 | size | semmle.label | size |
 subpaths
 #select
@@ -82,14 +70,12 @@ subpaths
 | test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) |
 | test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:133:19:133:24 | call to getenv | user input (an environment variable) |
 | test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:148:20:148:25 | call to getenv | user input (an environment variable) |
-| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
 | test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
 | test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
 | test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:19 | call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow. | test.cpp:211:14:211:19 | call to getenv | user input (an environment variable) |
 | test.cpp:245:2:245:9 | call to my_alloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:245:11:245:20 | local_size | This allocation size is derived from $@ and might overflow. | test.cpp:237:24:237:29 | call to getenv | user input (an environment variable) |
 | test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:259:20:259:25 | call to getenv | user input (an environment variable) |
 | test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) |
 | test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:251:18:251:23 | call to getenv | user input (an environment variable) |
-| test.cpp:348:39:348:44 | call to malloc | test.cpp:353:18:353:23 | call to getenv | test.cpp:348:46:348:49 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:23 | call to getenv | user input (an environment variable) |
 | test.cpp:355:25:355:33 | call to MyMalloc1 | test.cpp:353:18:353:23 | call to getenv | test.cpp:355:35:355:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:23 | call to getenv | user input (an environment variable) |
 | test.cpp:356:25:356:33 | call to MyMalloc2 | test.cpp:353:18:353:23 | call to getenv | test.cpp:356:35:356:38 | size | This allocation size is derived from $@ and might overflow. | test.cpp:353:18:353:23 | call to getenv | user input (an environment variable) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -222,7 +222,7 @@ size_t get_bounded_size()
 }
 
 void *my_alloc(size_t s) {
-	void *ptr = malloc(s); // [additional detection here]
+	void *ptr = malloc(s);
 
 	return ptr;
 }
@@ -345,7 +345,7 @@ void equality_barrier() {
 
 // --- custom allocators ---
  
-void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
+void *MyMalloc1(size_t size) { return malloc(size); }
 void *MyMalloc2(size_t size);
 
 void customAllocatorTests()

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,10 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {`
`88`	`88`	`readsVariable(access.getDef(), checkedVar) and`
`89`	`89`	`nodeIsBarrierEqualityCandidate(node, access, checkedVar)`
`90`	`90`	`)`
	`91`	`+ or`
	`92`	`+ // block flow to inside of identified allocation functions (this flow leads`
	`93`	`+ // to duplicate results)`
	`94`	`+ any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()`
`91`	`95`	`}`
`92`	`96`	`}`
`93`	`97`
Original file line number	Diff line number	Diff line change
`@@ -222,7 +222,7 @@ size_t get_bounded_size()`
`222`	`222`	`}`
`223`	`223`
`224`	`224`	`void *my_alloc(size_t s) {`
`225`		`- void *ptr = malloc(s); // [additional detection here]`
	`225`	`+ void *ptr = malloc(s);`
`226`	`226`
`227`	`227`	`return ptr;`
`228`	`228`	`}`
`@@ -345,7 +345,7 @@ void equality_barrier() {`
`345`	`345`
`346`	`346`	`// --- custom allocators ---`
`347`	`347`
`348`		`-void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]`
	`348`	`+void *MyMalloc1(size_t size) { return malloc(size); }`
`349`	`349`	`void *MyMalloc2(size_t size);`
`350`	`350`
`351`	`351`	`void customAllocatorTests()`