add data flow

Author: GrosQuildu

cpp/src/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.ql

@@ -10,55 +10,76 @@
  * @group security
  */
 
- import cpp
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
 
 
- /* List from https://man7.org/linux/man-pages/man3/stdio.3.html */
- class StdioFunction extends Function {
-   StdioFunction() {
-     this.getName() in [
-         "fopen", "freopen", "fflush", "fclose", "fread", "fwrite", "fgetc", "fgets", "fputc",
-         "fputs", "getc", "getchar", "gets", "putc", "putchar", "puts", "ungetc", "fprintf",
-         "fscanf", "printf", "scanf", "sprintf", "sscanf", "vprintf", "vfprintf", "vsprintf",
-         "fgetpos", "fsetpos", "ftell", "fseek", "rewind", "clearerr", "feof", "ferror", "perror",
-         "setbuf", "setvbuf", "remove", "rename", "tmpfile", "tmpnam",
-       ]
-   }
- }
- 
- /* List from https://man7.org/linux/man-pages/man3/syslog.3.html */
- class SyslogFunction extends Function {
-   SyslogFunction() { this.getName() in ["syslog", "vsyslog",] }
- }
- 
- /* List from https://man7.org/linux/man-pages/man0/stdlib.h.0p.html */
- class StdlibFunction extends Function {
-   StdlibFunction() { this.getName() in ["malloc", "calloc", "realloc", "free",] }
- }
- 
- predicate isAsyncUnsafe(Function signalHandler) {
-   exists(Function f |
-     signalHandler.calls+(f) and
-     (
-       f instanceof StdioFunction or
-       f instanceof SyslogFunction or
-       f instanceof StdlibFunction
-     )
-   )
- }
+/* List from https://man7.org/linux/man-pages/man3/stdio.3.html */
+class StdioFunction extends Function {
+  StdioFunction() {
+    this.getName() in [
+        "fopen", "freopen", "fflush", "fclose", "fread", "fwrite", "fgetc", "fgets", "fputc",
+        "fputs", "getc", "getchar", "gets", "putc", "putchar", "puts", "ungetc", "fprintf",
+        "fscanf", "printf", "scanf", "sprintf", "sscanf", "vprintf", "vfprintf", "vsprintf",
+        "fgetpos", "fsetpos", "ftell", "fseek", "rewind", "clearerr", "feof", "ferror", "perror",
+        "setbuf", "setvbuf", "remove", "rename", "tmpfile", "tmpnam",
+      ]
+  }
+}
+
+/* List from https://man7.org/linux/man-pages/man3/syslog.3.html */
+class SyslogFunction extends Function {
+  SyslogFunction() { this.getName() in ["syslog", "vsyslog",] }
+}
+
+/* List from https://man7.org/linux/man-pages/man0/stdlib.h.0p.html */
+class StdlibFunction extends Function {
+  StdlibFunction() { this.getName() in ["malloc", "calloc", "realloc", "free",] }
+}
+
+predicate isAsyncUnsafe(Function signalHandler) {
+  exists(Function f |
+    signalHandler.calls+(f) and
+    (
+      f instanceof StdioFunction or
+      f instanceof SyslogFunction or
+      f instanceof StdlibFunction
+    )
+  )
+}
+
+/**
+ * Flows from any function ptr
+ */
+module HandlerToSignalConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() = any(Function f || f.getAnAccess())
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink = sink
+  }
+}
+module HandlerToSignal = DataFlow::Global<HandlerToSignalConfiguration>;
 
-// signal(SIGX, signalHandler)
+/**
+ * signal(SIGX, signalHandler)
+ */ 
 predicate isSignal(FunctionCall signalCall, Function signalHandler) {
   signalCall.getTarget().getName() = "signal"
-  and signalHandler.getAnAccess() = signalCall.getArgument(1).getAChild*()
+  and exists(DataFlow::Node source, DataFlow::Node sink |
+    HandlerToSignal::flow(source, sink)
+    and source.asExpr() = signalHandler.getAnAccess()
+    and sink.asExpr() = signalCall.getArgument(1)
+  )
 }
 
 /**
  * struct sigaction sigactVar = ...
  * sigaction(SIGX, &sigactVar, ...)
  */
 predicate isSigaction(FunctionCall sigactionCall, Function signalHandler, Variable sigactVar) {
-  exists(Struct sigactStruct, Field handlerField |
+  exists(Struct sigactStruct, Field handlerField, DataFlow::Node source, DataFlow::Node sink |
     sigactionCall.getTarget().getName() = "sigaction"
     and sigactionCall.getArgument(1).getAChild*() = sigactVar.getAnAccess()
 
@@ -70,27 +91,36 @@ predicate isSigaction(FunctionCall sigactionCall, Function signalHandler, Variab
       or
       exists(Union u | u.getAField() = handlerField and u = sigactStruct.getAField().getType())
     )
+    
     and (
-      exists(Assignment a, ValueFieldAccess dfa |
-        // sigactVar.sa_handler = &signalHandler
-        a.getLValue() = dfa.getAChild*()
-        and a.getRValue().getAChild*() = signalHandler.getAnAccess()
-        and dfa.getTarget() = handlerField
-        and dfa.getQualifier+() = sigactVar.getAnAccess()
+      // sigactVar.sa_handler = &signalHandler
+      exists(Assignment a, ValueFieldAccess vfa |
+        vfa.getTarget() = handlerField
+        and vfa.getQualifier+() = sigactVar.getAnAccess()
+        and a.getLValue() = vfa.getAChild*()
+
+        and source.asExpr() = signalHandler.getAnAccess()
+        and sink.asExpr() = a.getRValue()
+        and HandlerToSignal::flow(source, sink)
       )
       or
+      // struct sigaction sigactVar = {.sa_sigaction = signalHandler};
       exists(ClassAggregateLiteral initLit |
-        // struct sigaction sigactVar = {.sa_sigaction = signalHandler};
-        // varDec.getVariable() = sigactVar
         sigactVar.getInitializer().getExpr() = initLit
-        and signalHandler.getAnAccess() = initLit.getAFieldExpr(handlerField).getAChild*()
+        and source.asExpr() = signalHandler.getAnAccess()
+        and sink.asExpr() = initLit.getAFieldExpr(handlerField).getAChild*()
+        and HandlerToSignal::flow(source, sink)
       )
     )
   )
 }
 
+/**
+ * Determine if new signals are blocked
+ * TODO: should only find writes and only for correct (or all) signals
+ * TODO: should detect other block mechanisms
+ */
 predicate isSignalDeliveryBlocked(Variable sigactVar) {
-  // TODO: should only find writes and for specific signals 
   exists(ValueFieldAccess dfa |
     dfa.getQualifier+() = sigactVar.getAnAccess() and dfa.getTarget().getName() = "sa_mask"
   )

cpp/test/include/libc/signal.h

@@ -3,8 +3,6 @@
 #ifndef HEADER_SIGNAL_STUB_H
 #define HEADER_SIGNAL_STUB_H
 
-
-
 #define SIGALRM 14
 #define SIGSEGV 11
 #define SIGTERM 15
@@ -13,8 +11,8 @@
 #define SA_SIGINFO 4
 
 {} // to silent error from codeql's extractor
-typedef void (*sighandler_t)(int);
-extern int signal(int, sighandler_t);
+typedef void (*sig_t)(int);
+extern int signal(int, sig_t);
 
 typedef struct {
     unsigned long sig[64];

cpp/test/query-tests/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.c

@@ -23,6 +23,12 @@ void safe_handler(int sig) {
     }
 }
 
+void safe_handler2(int signo, siginfo_t *info, void *context) {
+    if (signo == SIGALRM) {
+        kill(1, SIGALRM);
+    }
+}
+
 void unsafe_handler(int sig) {
     transitive_call();
 }
@@ -34,7 +40,7 @@ void unsafe_handler2(int signo, siginfo_t *info, void *context) {
     transitive_call2();
 }
 
-void unsafe_handler3(int signal) {
+void unsafe_handler3(int signo, siginfo_t *info, void *context) {
     transitive_call3();
 }
 
@@ -74,7 +80,7 @@ static void df_handler(int sig) {
 	sigdie("some log %d", sig);
 }
 
-sighandler_t register_signal(int signum, sighandler_t handler) {
+sig_t register_signal(int signum, sig_t handler) {
 	struct sigaction sa, osa;
 	memset(&sa, 0, sizeof(sa));
 	sa.sa_handler = handler;
@@ -92,6 +98,15 @@ int main() {
         _Exit(EXIT_FAILURE);
     }
 
+    // Safe handler 2
+    struct sigaction actG2 = {0};
+    actG2.sa_flags = SA_SIGINFO;
+    actG2.sa_sigaction = &safe_handler2;
+    if (sigaction(SIGSEGV, &actG2, NULL) == -1) {
+        perror("sigaction");
+        _Exit(EXIT_FAILURE);
+    }
+
     // Unsafe example 1
     if (signal(SIGALRM, unsafe_handler) == SIG_ERR) {
         perror("Unable to catch SIGALRM");
@@ -127,7 +142,7 @@ int main() {
     }
 
     // Unsafe example 5
-    struct sigaction act4 = {.sa_flags = SA_SIGINFO, .sa_sigaction = unsafe_handler2};
+    struct sigaction act4 = {.sa_flags = SA_SIGINFO, .sa_sigaction = unsafe_handler3};
     act4.sa_mask = sigset;
     if (sigaction(SIGSEGV, &act4, NULL) == -1) {
         perror("sigaction 4");
@@ -137,13 +152,20 @@ int main() {
     // Unsafe example 6
     struct sigaction act5 = {.sa_mask = sigset};
     act5.sa_flags = SA_SIGINFO;
-    act5.sa_sigaction = &unsafe_handler2;
+    act5.sa_sigaction = &unsafe_handler3;
     if (sigaction(SIGSEGV, &act5, NULL) == -1) {
         perror("sigaction 5");
         _Exit(EXIT_FAILURE);
     }
 
-    // Unsafe example 7, indirect handler registration
+        // Unsafe example 7
+    sig_t wrapper = unsafe_handler;
+    if (signal(SIGALRM, wrapper) == SIG_ERR) {
+        perror("Unable to catch SIGALRM");
+        _Exit(EXIT_FAILURE);
+    }
+
+    // Unsafe example 8, indirect handler registration
     if(register_signal(SIGALRM, df_handler)) {
         _exit(EXIT_FAILURE);
     }

cpp/test/query-tests/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.expected

@@ -1,4 +1,8 @@
-| AsyncUnsafeSignalHandler.c:24:6:24:19 | unsafe_handler | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:47:9:47:14 | call to signal | call to signal |
-| AsyncUnsafeSignalHandler.c:28:6:28:20 | unsafe_handler2 | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:57:9:57:17 | call to sigaction | call to sigaction |
-| AsyncUnsafeSignalHandler.c:28:6:28:20 | unsafe_handler2 | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:64:9:64:17 | call to sigaction | call to sigaction |
-| AsyncUnsafeSignalHandler.c:28:6:28:20 | unsafe_handler2 | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:91:9:91:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:32:6:32:19 | unsafe_handler | is a non-trivial signal handler that uses not async-safe functions. Delivery of new signals may be not blocked when the handler executes. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:111:9:111:14 | call to signal | call to signal |
+| AsyncUnsafeSignalHandler.c:32:6:32:19 | unsafe_handler | is a non-trivial signal handler that uses not async-safe functions. Delivery of new signals may be not blocked when the handler executes. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:163:9:163:14 | call to signal | call to signal |
+| AsyncUnsafeSignalHandler.c:36:6:36:20 | unsafe_handler2 | is a non-trivial signal handler that uses not async-safe functions. Delivery of new signals may be not blocked when the handler executes. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:121:9:121:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:36:6:36:20 | unsafe_handler2 | is a non-trivial signal handler that uses not async-safe functions. Delivery of new signals may be not blocked when the handler executes. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:128:9:128:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:36:6:36:20 | unsafe_handler2 | is a non-trivial signal handler that uses not async-safe functions. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:139:9:139:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:43:6:43:20 | unsafe_handler3 | is a non-trivial signal handler that uses not async-safe functions. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:147:9:147:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:43:6:43:20 | unsafe_handler3 | is a non-trivial signal handler that uses not async-safe functions. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:156:9:156:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:76:13:76:22 | df_handler | is a non-trivial signal handler that uses not async-safe functions. Handler is registered by $@ | AsyncUnsafeSignalHandler.c:88:6:88:14 | call to sigaction | call to sigaction |