C++: Add a member predicate to phi nodes for checking if a phi is a read-phi and use it to restrict flow in 'cpp/invalid-pointer-deref'.

MathiasVP · MathiasVP · commit f05cce8fc2e7 · 2023-05-10T14:10:13.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -552,7 +552,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
    */
   final Node getAnInput(boolean fromBackEdge) {
     localFlowStep(result, this) and
-    if phi.getBasicBlock().strictlyDominates(result.getBasicBlock())
+    if phi.getBasicBlock().dominates(result.getBasicBlock())
     then fromBackEdge = true
     else fromBackEdge = false
   }
@@ -562,6 +562,14 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   /** Gets the source variable underlying this phi node. */
   Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { phi.isPhiRead() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -1012,6 +1012,14 @@ class PhiNode extends SsaImpl::DefinitionExt {
     this instanceof SsaImpl::PhiNode or
     this instanceof SsaImpl::PhiReadNode
   }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }
 }
 
 class DefinitionExt = SsaImpl::DefinitionExt;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -230,7 +230,9 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
   pragma[inline]
   predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
 
-  predicate isBarrier(DataFlow::Node node) { node = any(DataFlow::SsaPhiNode phi).getAnInput(true) }
+  predicate isBarrier(DataFlow::Node node) {
+    node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true)
+  }
 }
 
 module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;

Original file line number	Diff line number	Diff line change
`@@ -1012,6 +1012,14 @@ class PhiNode extends SsaImpl::DefinitionExt {`
`1012`	`1012`	`this instanceof SsaImpl::PhiNode or`
`1013`	`1013`	`this instanceof SsaImpl::PhiReadNode`
`1014`	`1014`	`}`
	`1015`	`+`
	`1016`	`+ /**`
	`1017`	`+ * Holds if this phi node is a phi-read node.`
	`1018`	`+ *`
	`1019`	`+ * Phi-read nodes are like normal phi nodes, but they are inserted based`
	`1020`	`+ * on reads instead of writes.`
	`1021`	`+ */`
	`1022`	`+ predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }`
`1015`	`1023`	`}`
`1016`	`1024`
`1017`	`1025`	`class DefinitionExt = SsaImpl::DefinitionExt;`
Original file line number	Diff line number	Diff line change
`@@ -230,7 +230,9 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {`
`230`	`230`	`pragma[inline]`
`231`	`231`	`predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }`
`232`	`232`
`233`		`- predicate isBarrier(DataFlow::Node node) { node = any(DataFlow::SsaPhiNode phi).getAnInput(true) }`
	`233`	`+ predicate isBarrier(DataFlow::Node node) {`
	`234`	`+ node = any(DataFlow::SsaPhiNode phi \| not phi.isPhiRead()).getAnInput(true)`
	`235`	`+ }`
`234`	`236`	`}`
`235`	`237`
`236`	`238`	`module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;`