C++: Allow equality checking to block taint flow.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -5,6 +5,7 @@ private import semmle.code.cpp.ir.dataflow.DataFlow2
 private import semmle.code.cpp.ir.dataflow.DataFlow3
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
+private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.models.interfaces.Taint
 private import semmle.code.cpp.models.interfaces.DataFlow
 
@@ -175,6 +176,23 @@ private predicate nodeIsBarrier(DataFlow::Node node) {
     readsVariable(node.asInstruction(), checkedVar) and
     hasUpperBoundsCheck(checkedVar)
   )
+  or
+  exists(Variable checkedVar, IRGuardCondition guard, Operand access, Operand other |
+    /*
+     * This node is guarded by a condition that forces the accessed variable
+     * to equal something else.  For example:
+     * ```
+     * x = taintsource()
+     * if (x == 10) {
+     *   taintsink(x); // not considered tainted
+     * }
+     * ```
+     */
+
+    readsVariable(node.asInstruction(), checkedVar) and
+    readsVariable(access.getDef(), checkedVar) and
+    guard.ensuresEq(access, other, _, node.asInstruction().getBlock(), true)
+  )
 }
 
 private predicate nodeIsBarrierIn(DataFlow::Node node) {

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected

@@ -59,30 +59,16 @@ edges
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
 | test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
 | test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
-| test.cpp:241:2:241:32 | Chi | test.cpp:271:17:271:20 | get_size output argument |
 | test.cpp:241:2:241:32 | Chi | test.cpp:279:17:279:20 | get_size output argument |
-| test.cpp:241:2:241:32 | Chi | test.cpp:287:18:287:21 | get_size output argument |
 | test.cpp:241:2:241:32 | Chi | test.cpp:295:18:295:21 | get_size output argument |
 | test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi |
 | test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi |
 | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:249:20:249:25 | call to getenv | test.cpp:257:11:257:29 | ... * ... |
-| test.cpp:249:20:249:25 | call to getenv | test.cpp:257:11:257:29 | ... * ... |
 | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
 | test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:249:20:249:33 | (const char *)... | test.cpp:257:11:257:29 | ... * ... |
-| test.cpp:249:20:249:33 | (const char *)... | test.cpp:257:11:257:29 | ... * ... |
-| test.cpp:261:19:261:24 | call to getenv | test.cpp:266:10:266:27 | ... * ... |
-| test.cpp:261:19:261:24 | call to getenv | test.cpp:266:10:266:27 | ... * ... |
-| test.cpp:261:19:261:32 | (const char *)... | test.cpp:266:10:266:27 | ... * ... |
-| test.cpp:261:19:261:32 | (const char *)... | test.cpp:266:10:266:27 | ... * ... |
-| test.cpp:271:17:271:20 | get_size output argument | test.cpp:273:11:273:28 | ... * ... |
-| test.cpp:271:17:271:20 | get_size output argument | test.cpp:273:11:273:28 | ... * ... |
 | test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
 | test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:287:18:287:21 | get_size output argument | test.cpp:290:10:290:27 | ... * ... |
-| test.cpp:287:18:287:21 | get_size output argument | test.cpp:290:10:290:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
 nodes
@@ -156,26 +142,10 @@ nodes
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
 | test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:257:11:257:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:257:11:257:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:257:11:257:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:261:19:261:24 | call to getenv | semmle.label | call to getenv |
-| test.cpp:261:19:261:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:266:10:266:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:266:10:266:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:266:10:266:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:271:17:271:20 | get_size output argument | semmle.label | get_size output argument |
-| test.cpp:273:11:273:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:273:11:273:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:273:11:273:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:279:17:279:20 | get_size output argument | semmle.label | get_size output argument |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:287:18:287:21 | get_size output argument | semmle.label | get_size output argument |
-| test.cpp:290:10:290:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:290:10:290:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:290:10:290:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | semmle.label | get_size output argument |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
@@ -195,9 +165,5 @@ nodes
 | test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
 | test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
-| test.cpp:257:4:257:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:257:11:257:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
-| test.cpp:266:3:266:8 | call to malloc | test.cpp:261:19:261:24 | call to getenv | test.cpp:266:10:266:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:261:19:261:24 | call to getenv | user input (getenv) |
-| test.cpp:273:4:273:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:273:11:273:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
-| test.cpp:290:3:290:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:290:10:290:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp

@@ -254,7 +254,7 @@ void equality_cases() {
 		}
 		if (size2 == 100)
 		{
-			malloc(size2 * sizeof(int)); // GOOD [FALSE POSITIVE]
+			malloc(size2 * sizeof(int)); // GOOD
 		}
 	}
 	{
@@ -263,14 +263,14 @@ void equality_cases() {
 		if (size != 100)
 			return;
 
-		malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+		malloc(size * sizeof(int)); // GOOD
 	}
 	{
 		int size;
 
 		if ((get_size(size)) && (size == 100))
 		{
-			malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+			malloc(size * sizeof(int)); // GOOD
 		}
 	}
 	{
@@ -287,7 +287,7 @@ void equality_cases() {
 		if ((!get_size(size)) || (size != 100))
 			return;
 
-		malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+		malloc(size * sizeof(int)); // GOOD
 	}
 	{
 		int size;