Merge pull request github#11823 from geoffw0/heuristicalloc

C++: Use HeuristicAllocationExpr in more queries

Author: geoffw0

cpp/ql/lib/semmle/code/cpp/models/interfaces/Allocation.qll

@@ -133,13 +133,15 @@ abstract class HeuristicAllocationExpr extends Expr {
 
   /**
    * Gets a constant multiplier for the allocation size given by `getSizeExpr`,
-   * in bytes.
+   * in bytes. This predicate should be used with caution as it can be
+   * inaccurate for allocations identified using heuristics.
    */
   int getSizeMult() { none() }
 
   /**
    * Gets the size of this allocation in bytes, if it is a fixed size and that
-   * size can be determined.
+   * size can be determined. This predicate should be used with caution as it
+   * can be inaccurate for allocations identified using heuristics.
    */
   int getSizeBytes() { none() }
 

cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql

@@ -21,7 +21,7 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Allocation
 import semmle.code.cpp.commons.NullTermination
 
-predicate terminationProblem(AllocationExpr malloc, string msg) {
+predicate terminationProblem(HeuristicAllocationExpr malloc, string msg) {
   // malloc(strlen(...))
   exists(StrlenCall strlen | DataFlow::localExprFlow(strlen, malloc.getSizeExpr())) and
   // flows to a call that implies this is a null-terminated string

cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql

@@ -25,9 +25,8 @@ import DataFlow::PathGraph
  * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
  * taint sink.
  */
-predicate allocSink(Expr alloc, DataFlow::Node sink) {
+predicate allocSink(HeuristicAllocationExpr alloc, DataFlow::Node sink) {
   exists(Expr e | e = sink.asConvertedExpr() |
-    isAllocationExpr(alloc) and
     e = alloc.getAChild() and
     e.getUnspecifiedType() instanceof IntegralType
   )
@@ -89,6 +88,10 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
       readsVariable(access.getDef(), checkedVar) and
       nodeIsBarrierEqualityCandidate(node, access, checkedVar)
     )
+    or
+    // block flow to inside of identified allocation functions (this flow leads
+    // to duplicate results)
+    any(HeuristicAllocationFunction f).getAParameter() = node.asParameter()
   }
 }
 

cpp/ql/src/change-notes/2023-01-05-heuristic-allocations.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/no-space-for-terminator` and `cpp/uncontrolled-allocation-size` queries have been enhanced with heuristic detection of allocations. These queries now find more results.

cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql

@@ -29,7 +29,7 @@ class MultToAllocConfig extends DataFlow::Configuration {
 
   override predicate isSink(DataFlow::Node node) {
     // something that affects an allocation size
-    node.asExpr() = any(AllocationExpr ae).getSizeExpr().getAChild*()
+    node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
   }
 }
 

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected

@@ -1,5 +1,7 @@
 edges
 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 |
+| test.cpp:37:24:37:27 | size | test.cpp:37:46:37:49 | size |
+| test.cpp:45:36:45:40 | ... * ... | test.cpp:37:24:37:27 | size |
 nodes
 | test.cpp:13:33:13:37 | ... * ... | semmle.label | ... * ... |
 | test.cpp:15:31:15:35 | ... * ... | semmle.label | ... * ... |
@@ -8,6 +10,11 @@ nodes
 | test.cpp:23:33:23:37 | size1 | semmle.label | size1 |
 | test.cpp:30:27:30:31 | ... * ... | semmle.label | ... * ... |
 | test.cpp:31:27:31:31 | ... * ... | semmle.label | ... * ... |
+| test.cpp:37:24:37:27 | size | semmle.label | size |
+| test.cpp:37:46:37:49 | size | semmle.label | size |
+| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
+| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
+| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
 subpaths
 #select
 | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
@@ -16,3 +23,6 @@ subpaths
 | test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
 | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | test.cpp:30:27:30:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:27:30:31 | ... * ... | multiplication |
 | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | test.cpp:31:27:31:31 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:27:31:31 | ... * ... | multiplication |
+| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
+| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
+| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp

@@ -30,3 +30,18 @@ void test()
 	char *buffer8 = new char[x * y]; // BAD
 	char *buffer9 = new char[x * x]; // BAD
 }
+
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+	int x = getAnInt();
+	int y = getAnInt();
+
+	char *buffer1 = (char *)MyMalloc1(x * y); // BAD
+	char *buffer2 = (char *)MyMalloc2(x * y); // BAD
+}

cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.expected

@@ -7,3 +7,5 @@
 | tests3.cpp:25:21:25:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:30:21:30:31 | call to malloc | This allocation does not include space to null-terminate the string. |
 | tests3.cpp:53:17:53:44 | new[] | This allocation does not include space to null-terminate the string. |
+| tests3.cpp:81:20:81:28 | call to MyMalloc1 | This allocation does not include space to null-terminate the string. |
+| tests3.cpp:84:20:84:28 | call to MyMalloc2 | This allocation does not include space to null-terminate the string. |

cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp

@@ -1,4 +1,4 @@
-// tests1.cpp
+// tests3.cpp
 
 typedef unsigned int size_t;
 
@@ -66,3 +66,21 @@ void test3c()
 
 	delete buffer;
 }
+
+ // --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return std::malloc(size); }
+void *MyMalloc2(size_t size);
+
+void tests4()
+{
+	const char *str4 = "1234";
+	char *buffer1 = 0;
+	char *buffer2 = 0;
+
+	buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD
+	strcpy(buffer1, str4);
+
+	buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD
+	strcpy(buffer2, str4);
+}

cpp/ql/test/query-tests/Critical/SizeCheck/test.c

@@ -58,3 +58,14 @@ void test_union() {
 	MyUnion *a = malloc(sizeof(MyUnion)); // GOOD
 	MyUnion *b = malloc(sizeof(MyStruct)); // BAD (too small)
 }
+
+// --- custom allocators ---
+ 
+void *MyMalloc1(size_t size) { return malloc(size); }
+void *MyMalloc2(size_t size);
+
+void customAllocatorTests()
+{
+    float *fptr1 = MyMalloc1(3); // BAD (too small) [NOT DETECTED]
+    float *fptr2 = MyMalloc2(3); // BAD (too small) [NOT DETECTED]
+}