Merge pull request github#12971 from MathiasVP/fix-fp-in-invalid-deref-2

MathiasVP · web-flow · commit fd6282063efd · 2023-05-11T10:06:01.000+01:00
C++: Fix more FPs on `cpp/invalid-pointer-deref`
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -562,6 +562,14 @@ class SsaPhiNode extends Node, TSsaPhiNode {
 
   /** Gets the source variable underlying this phi node. */
   Ssa::SourceVariable getSourceVariable() { result = phi.getSourceVariable() }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { phi.isPhiRead() }
 }
 
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -1012,6 +1012,14 @@ class PhiNode extends SsaImpl::DefinitionExt {
     this instanceof SsaImpl::PhiNode or
     this instanceof SsaImpl::PhiReadNode
   }
+
+  /**
+   * Holds if this phi node is a phi-read node.
+   *
+   * Phi-read nodes are like normal phi nodes, but they are inserted based
+   * on reads instead of writes.
+   */
+  predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }
 }
 
 class DefinitionExt = SsaImpl::DefinitionExt;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -229,6 +229,10 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
 
   pragma[inline]
   predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node = any(DataFlow::SsaPhiNode phi | not phi.isPhiRead()).getAnInput(true)
+  }
 }
 
 module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected
@@ -594,8 +594,6 @@ edges
 | test.cpp:261:14:261:15 | xs | test.cpp:262:26:262:28 | end |
 | test.cpp:261:14:261:15 | xs | test.cpp:262:26:262:28 | end |
 | test.cpp:261:14:261:15 | xs | test.cpp:262:31:262:31 | x |
-| test.cpp:261:14:261:15 | xs | test.cpp:262:31:262:33 | ... ++ |
-| test.cpp:261:14:261:15 | xs | test.cpp:262:31:262:33 | ... ++ |
 | test.cpp:261:14:261:15 | xs | test.cpp:264:14:264:14 | x |
 | test.cpp:261:14:261:15 | xs | test.cpp:264:14:264:14 | x |
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:261:14:261:21 | ... + ... |
@@ -608,20 +606,11 @@ edges
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:261:14:261:21 | ... + ... | test.cpp:264:13:264:14 | Load: * ... |
-| test.cpp:262:21:262:21 | x | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:262:26:262:28 | end | test.cpp:262:26:262:28 | end |
 | test.cpp:262:26:262:28 | end | test.cpp:262:26:262:28 | end |
 | test.cpp:262:26:262:28 | end | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:262:26:262:28 | end | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:262:31:262:31 | x | test.cpp:264:13:264:14 | Load: * ... |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:21:262:21 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:21:262:21 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:31:262:31 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:262:31:262:31 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
-| test.cpp:262:31:262:33 | ... ++ | test.cpp:264:14:264:14 | x |
 | test.cpp:264:14:264:14 | x | test.cpp:262:31:262:31 | x |
 | test.cpp:264:14:264:14 | x | test.cpp:264:13:264:14 | Load: * ... |
 | test.cpp:264:14:264:14 | x | test.cpp:264:13:264:14 | Load: * ... |
@@ -634,8 +623,6 @@ edges
 | test.cpp:271:14:271:15 | xs | test.cpp:272:26:272:28 | end |
 | test.cpp:271:14:271:15 | xs | test.cpp:272:26:272:28 | end |
 | test.cpp:271:14:271:15 | xs | test.cpp:272:31:272:31 | x |
-| test.cpp:271:14:271:15 | xs | test.cpp:272:31:272:33 | ... ++ |
-| test.cpp:271:14:271:15 | xs | test.cpp:272:31:272:33 | ... ++ |
 | test.cpp:271:14:271:15 | xs | test.cpp:274:5:274:6 | * ... |
 | test.cpp:271:14:271:15 | xs | test.cpp:274:6:274:6 | x |
 | test.cpp:271:14:271:15 | xs | test.cpp:274:6:274:6 | x |
@@ -649,55 +636,19 @@ edges
 | test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:271:14:271:21 | ... + ... | test.cpp:274:5:274:10 | Store: ... = ... |
-| test.cpp:272:21:272:21 | x | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:272:26:272:28 | end | test.cpp:272:26:272:28 | end |
 | test.cpp:272:26:272:28 | end | test.cpp:272:26:272:28 | end |
 | test.cpp:272:26:272:28 | end | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:272:26:272:28 | end | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:272:31:272:31 | x | test.cpp:274:5:274:10 | Store: ... = ... |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:21:272:21 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:21:272:21 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:31:272:31 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:272:31:272:31 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:5:274:6 | * ... |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:5:274:6 | * ... |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
-| test.cpp:272:31:272:33 | ... ++ | test.cpp:274:6:274:6 | x |
 | test.cpp:274:5:274:6 | * ... | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:274:6:274:6 | x | test.cpp:272:31:272:31 | x |
 | test.cpp:274:6:274:6 | x | test.cpp:274:5:274:6 | * ... |
 | test.cpp:274:6:274:6 | x | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:274:6:274:6 | x | test.cpp:274:5:274:10 | Store: ... = ... |
 | test.cpp:280:13:280:24 | new[] | test.cpp:281:14:281:15 | xs |
-| test.cpp:281:14:281:15 | xs | test.cpp:282:30:282:32 | ... ++ |
-| test.cpp:281:14:281:15 | xs | test.cpp:282:30:282:32 | ... ++ |
-| test.cpp:282:21:282:21 | x | test.cpp:284:13:284:14 | Load: * ... |
-| test.cpp:282:30:282:30 | x | test.cpp:284:13:284:14 | Load: * ... |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:21:282:21 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:21:282:21 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:30:282:30 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:282:30:282:30 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:284:14:284:14 | x |
-| test.cpp:282:30:282:32 | ... ++ | test.cpp:284:14:284:14 | x |
-| test.cpp:284:14:284:14 | x | test.cpp:284:13:284:14 | Load: * ... |
 | test.cpp:290:13:290:24 | new[] | test.cpp:291:14:291:15 | xs |
 | test.cpp:290:13:290:24 | new[] | test.cpp:292:30:292:30 | x |
-| test.cpp:291:14:291:15 | xs | test.cpp:292:30:292:32 | ... ++ |
-| test.cpp:291:14:291:15 | xs | test.cpp:292:30:292:32 | ... ++ |
-| test.cpp:292:21:292:21 | x | test.cpp:294:5:294:10 | Store: ... = ... |
-| test.cpp:292:30:292:30 | x | test.cpp:294:5:294:10 | Store: ... = ... |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:21:292:21 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:21:292:21 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:30:292:30 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:292:30:292:30 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:5:294:6 | * ... |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:5:294:6 | * ... |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:6:294:6 | x |
-| test.cpp:292:30:292:32 | ... ++ | test.cpp:294:6:294:6 | x |
-| test.cpp:294:5:294:6 | * ... | test.cpp:294:5:294:10 | Store: ... = ... |
-| test.cpp:294:6:294:6 | x | test.cpp:294:5:294:10 | Store: ... = ... |
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -719,9 +670,5 @@ edges
 | test.cpp:232:3:232:20 | Store: ... = ... | test.cpp:231:18:231:30 | new[] | test.cpp:232:3:232:20 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:231:18:231:30 | new[] | new[] | test.cpp:232:11:232:15 | index | index |
 | test.cpp:239:5:239:22 | Store: ... = ... | test.cpp:238:20:238:32 | new[] | test.cpp:239:5:239:22 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:238:20:238:32 | new[] | new[] | test.cpp:239:13:239:17 | index | index |
 | test.cpp:254:9:254:16 | Store: ... = ... | test.cpp:248:24:248:30 | call to realloc | test.cpp:254:9:254:16 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:248:24:248:30 | call to realloc | call to realloc | test.cpp:254:11:254:11 | i | i |
-| test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
 | test.cpp:264:13:264:14 | Load: * ... | test.cpp:260:13:260:24 | new[] | test.cpp:264:13:264:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:260:13:260:24 | new[] | new[] | test.cpp:261:19:261:21 | len | len |
-| test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
 | test.cpp:274:5:274:10 | Store: ... = ... | test.cpp:270:13:270:24 | new[] | test.cpp:274:5:274:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:270:13:270:24 | new[] | new[] | test.cpp:271:19:271:21 | len | len |
-| test.cpp:284:13:284:14 | Load: * ... | test.cpp:280:13:280:24 | new[] | test.cpp:284:13:284:14 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:280:13:280:24 | new[] | new[] | test.cpp:281:19:281:21 | len | len |
-| test.cpp:294:5:294:10 | Store: ... = ... | test.cpp:290:13:290:24 | new[] | test.cpp:294:5:294:10 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:290:13:290:24 | new[] | new[] | test.cpp:291:19:291:21 | len | len |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp
@@ -281,7 +281,7 @@ void test19(unsigned len)
   int *end = xs + len;
   for (int *x = xs; x < end; x++)
   {
-    int i = *x; // GOOD [FALSE POSITIVE]
+    int i = *x; // GOOD
   }
 }
 
@@ -291,6 +291,6 @@ void test20(unsigned len)
   int *end = xs + len;
   for (int *x = xs; x < end; x++)
   {
-    *x = 0; // GOOD [FALSE POSITIVE]
+    *x = 0; // GOOD
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1012,6 +1012,14 @@ class PhiNode extends SsaImpl::DefinitionExt {`
`1012`	`1012`	`this instanceof SsaImpl::PhiNode or`
`1013`	`1013`	`this instanceof SsaImpl::PhiReadNode`
`1014`	`1014`	`}`
	`1015`	`+`
	`1016`	`+ /**`
	`1017`	`+ * Holds if this phi node is a phi-read node.`
	`1018`	`+ *`
	`1019`	`+ * Phi-read nodes are like normal phi nodes, but they are inserted based`
	`1020`	`+ * on reads instead of writes.`
	`1021`	`+ */`
	`1022`	`+ predicate isPhiRead() { this instanceof SsaImpl::PhiReadNode }`
`1015`	`1023`	`}`
`1016`	`1024`
`1017`	`1025`	`class DefinitionExt = SsaImpl::DefinitionExt;`
Original file line number	Diff line number	Diff line change
`@@ -229,6 +229,10 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {`
`229`	`229`
`230`	`230`	`pragma[inline]`
`231`	`231`	`predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }`
	`232`	`+`
	`233`	`+ predicate isBarrier(DataFlow::Node node) {`
	`234`	`+ node = any(DataFlow::SsaPhiNode phi \| not phi.isPhiRead()).getAnInput(true)`
	`235`	`+ }`
`232`	`236`	`}`
`233`	`237`
`234`	`238`	`module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ void test19(unsigned len)`
`281`	`281`	`int *end = xs + len;`
`282`	`282`	`for (int *x = xs; x < end; x++)`
`283`	`283`	`{`
`284`		`- int i = *x; // GOOD [FALSE POSITIVE]`
	`284`	`+ int i = *x; // GOOD`
`285`	`285`	`}`
`286`	`286`	`}`
`287`	`287`
`@@ -291,6 +291,6 @@ void test20(unsigned len)`
`291`	`291`	`int *end = xs + len;`
`292`	`292`	`for (int *x = xs; x < end; x++)`
`293`	`293`	`{`
`294`		`- *x = 0; // GOOD [FALSE POSITIVE]`
	`294`	`+ *x = 0; // GOOD`
`295`	`295`	`}`
`296`	`296`	`}`