sa_mask FP reduced, better sigaction detection

GrosQuildu · GrosQuildu · commit f4598eff5eea · 2024-07-02T22:07:22.000+02:00
diff --git a/cpp/src/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.ql b/cpp/src/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.ql
@@ -10,56 +10,99 @@
  * @group security
  */
 
-import cpp
+ import cpp
 
-/* List from https://man7.org/linux/man-pages/man3/stdio.3.html */
-class StdioFunction extends Function {
-  StdioFunction() {
-    this.getName() in [
-        "fopen", "freopen", "fflush", "fclose", "fread", "fwrite", "fgetc", "fgets", "fputc",
-        "fputs", "getc", "getchar", "gets", "putc", "putchar", "puts", "ungetc", "fprintf",
-        "fscanf", "printf", "scanf", "sprintf", "sscanf", "vprintf", "vfprintf", "vsprintf",
-        "fgetpos", "fsetpos", "ftell", "fseek", "rewind", "clearerr", "feof", "ferror", "perror",
-        "setbuf", "setvbuf", "remove", "rename", "tmpfile", "tmpnam",
-      ]
-  }
-}
 
-/* List from https://man7.org/linux/man-pages/man3/syslog.3.html */
-class SyslogFunction extends Function {
-  SyslogFunction() { this.getName() in ["syslog", "vsyslog",] }
-}
+ /* List from https://man7.org/linux/man-pages/man3/stdio.3.html */
+ class StdioFunction extends Function {
+   StdioFunction() {
+     this.getName() in [
+         "fopen", "freopen", "fflush", "fclose", "fread", "fwrite", "fgetc", "fgets", "fputc",
+         "fputs", "getc", "getchar", "gets", "putc", "putchar", "puts", "ungetc", "fprintf",
+         "fscanf", "printf", "scanf", "sprintf", "sscanf", "vprintf", "vfprintf", "vsprintf",
+         "fgetpos", "fsetpos", "ftell", "fseek", "rewind", "clearerr", "feof", "ferror", "perror",
+         "setbuf", "setvbuf", "remove", "rename", "tmpfile", "tmpnam",
+       ]
+   }
+ }
+ 
+ /* List from https://man7.org/linux/man-pages/man3/syslog.3.html */
+ class SyslogFunction extends Function {
+   SyslogFunction() { this.getName() in ["syslog", "vsyslog",] }
+ }
+ 
+ /* List from https://man7.org/linux/man-pages/man0/stdlib.h.0p.html */
+ class StdlibFunction extends Function {
+   StdlibFunction() { this.getName() in ["malloc", "calloc", "realloc", "free",] }
+ }
+ 
+ predicate isAsyncUnsafe(Function signalHandler) {
+   exists(Function f |
+     signalHandler.calls+(f) and
+     (
+       f instanceof StdioFunction or
+       f instanceof SyslogFunction or
+       f instanceof StdlibFunction
+     )
+   )
+ }
 
-/* List from https://man7.org/linux/man-pages/man0/stdlib.h.0p.html */
-class StdlibFunction extends Function {
-  StdlibFunction() { this.getName() in ["malloc", "calloc", "realloc", "free",] }
+// signal(SIGX, signalHandler)
+predicate isSignal(FunctionCall signalCall, Function signalHandler) {
+  signalCall.getTarget().getName() = "signal"
+  and signalHandler.getAnAccess() = signalCall.getArgument(1).getAChild*()
 }
 
-predicate isAsyncUnsafe(Function signalHandler) {
-  exists(Function f |
-    signalHandler.calls+(f) and
-    (
-      f instanceof StdioFunction or
-      f instanceof SyslogFunction or
-      f instanceof StdlibFunction
+/**
+ * struct sigaction sigactVar = ...
+ * sigaction(SIGX, &sigactVar, ...)
+ */
+predicate isSigaction(FunctionCall sigactionCall, Function signalHandler) {
+  exists(Variable sigactVar, Struct sigactStruct, Field handlerField |
+    sigactionCall.getTarget().getName() = "sigaction"
+    and sigactionCall.getArgument(1).getAChild*() = sigactVar.getAnAccess()
+
+    // struct sigaction with the handler func
+    and sigactStruct.getName() = "sigaction"
+    and handlerField.getName() = ["sa_handler", "sa_sigaction", "__sa_handler", "__sa_sigaction", "__sigaction_u"]
+    and (
+      handlerField = sigactStruct.getAField()
+      or
+      exists(Union u | u.getAField() = handlerField and u = sigactStruct.getAField().getType())
+    )
+    and (
+      exists(Assignment a, ValueFieldAccess dfa |
+        // sigactVar.sa_handler = &signalHandler
+        a.getLValue() = dfa.getAChild*()
+        and a.getRValue().getAChild*() = signalHandler.getAnAccess()
+        and dfa.getTarget() = handlerField
+        and dfa.getQualifier+() = sigactVar.getAnAccess()
+      )
+      or
+      exists(VariableDeclarationEntry varDec, ClassAggregateLiteral init |
+        // struct sigaction sigactVar = {.sa_sigaction = signalHandler};
+        varDec.getVariable() = sigactVar
+        and sigactVar.getInitializer().getExpr() = init
+        and signalHandler.getAnAccess() = init.getAFieldExpr(handlerField).getAChild*()
+        // ignore if signals are blocked via sa_mask
+        and not exists(Field mask | mask.getName() = "sa_mask" and exists(init.getAFieldExpr(mask)))
+      )
+    )
+    // ignore if signals are blocked via sa_mask
+    and not exists(ValueFieldAccess dfa |
+      dfa.getQualifier+() = sigactVar.getAnAccess()
+      and dfa.getTarget().getName() = "sa_mask"
     )
   )
 }
-
-predicate isSignalHandlerField(FieldAccess fa) {
-  fa.getTarget().getName() in ["__sa_handler", "__sa_sigaction", "sa_handler", "sa_sigaction"]
-}
-
-
-from FunctionCall fc, Function signalHandler, FieldAccess fa
+ 
+from FunctionCall fc, Function signalHandler  
 where
-  fc.getTarget().getName() = "signal" and
-  signalHandler.getName() = fc.getArgument(1).toString() and
   isAsyncUnsafe(signalHandler)
-  or
-  fc.getTarget().getName() = "sigaction" and
-  isSignalHandlerField(fa) and
-  signalHandler = fa.getTarget().getAnAssignedValue().(AddressOfExpr).getAddressable() and
-  isAsyncUnsafe(signalHandler)
-select signalHandler,
-  "is a non-trivial signal handler that may be using functions that are not async-safe."
+  and (
+    isSignal(fc, signalHandler)
+    or
+    isSigaction(fc, signalHandler)
+  )
+select signalHandler, "is a non-trivial signal handler that may be using not async-safe functions. Registered by $@", fc, fc.toString()
+
diff --git a/cpp/test/query-tests/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.c b/cpp/test/query-tests/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.c
@@ -6,6 +6,7 @@ void transitive_call() {
     printf("UNSAFE");
 }
 void transitive_call3() {
+    // TODO: decide which functions are exploitable
     int *x = (int*)malloc(16);
     free(x);
 }
@@ -49,6 +50,7 @@ int main() {
     }
 
     // Another unsafe example
+    // TODO: decide which signals are exploitable and should produce findings
     struct sigaction act = { 0 };
     act.sa_flags = SA_SIGINFO;
     act.sa_sigaction = &unsafe_handler2;
@@ -57,13 +59,40 @@ int main() {
         _Exit(EXIT_FAILURE);
     }
 
-    struct sigaction act2 = { 0 };
-    act2.sa_flags = SA_SIGINFO;
-    act2.sa_handler = &unsafe_handler3;
+    // Yet another unsafe
+    struct sigaction act2 = {.sa_flags = SA_SIGINFO, .sa_sigaction = unsafe_handler2};
     if (sigaction(SIGALRM, &act2, NULL) == -1) {
         perror("sigaction 2");
         _Exit(EXIT_FAILURE);
     }
 
+    // Let's call these safe, because some signals are blocked
+    // TODO: not every masked signals should indicate safe signal handling
+    sigset_t sigset;
+    sigemptyset(&sigset);
+    sigaddset(&sigset, SIGALRM);
+    struct sigaction act3 = {.sa_flags = SA_SIGINFO, .sa_sigaction = unsafe_handler2, .sa_mask = sigset};
+    if (sigaction(SIGALRM, &act3, NULL) == -1) {
+        perror("sigaction 3");
+        _Exit(EXIT_FAILURE);
+    }
+
+    struct sigaction act4 = {.sa_flags = SA_SIGINFO, .sa_sigaction = unsafe_handler2};
+    act4.sa_mask = sigset;
+    if (sigaction(SIGSEGV, &act4, NULL) == -1) {
+        perror("sigaction 4");
+        _Exit(EXIT_FAILURE);
+    }
+
+    // TODO: this example should be not marked as finding
+    struct sigaction act5 = {.sa_mask = sigset};
+    act5.sa_flags = SA_SIGINFO;
+    act5.sa_sigaction = &unsafe_handler2;
+    if (sigaction(SIGSEGV, &act5, NULL) == -1) {
+        perror("sigaction 5");
+        _Exit(EXIT_FAILURE);
+    }
+
+
     return 0;
 }
diff --git a/cpp/test/query-tests/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.expected b/cpp/test/query-tests/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.expected
@@ -1,3 +1,4 @@
-| AsyncUnsafeSignalHandler.c:23:6:23:19 | unsafe_handler | is a non-trivial signal handler that may be using functions that are not async-safe. |
-| AsyncUnsafeSignalHandler.c:27:6:27:20 | unsafe_handler2 | is a non-trivial signal handler that may be using functions that are not async-safe. |
-| AsyncUnsafeSignalHandler.c:34:6:34:20 | unsafe_handler3 | is a non-trivial signal handler that may be using functions that are not async-safe. |
+| AsyncUnsafeSignalHandler.c:24:6:24:19 | unsafe_handler | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:47:9:47:14 | call to signal | call to signal |
+| AsyncUnsafeSignalHandler.c:28:6:28:20 | unsafe_handler2 | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:57:9:57:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:28:6:28:20 | unsafe_handler2 | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:64:9:64:17 | call to sigaction | call to sigaction |
+| AsyncUnsafeSignalHandler.c:28:6:28:20 | unsafe_handler2 | is a non-trivial signal handler that may be using not async-safe functions. Registered by $@ | AsyncUnsafeSignalHandler.c:91:9:91:17 | call to sigaction | call to sigaction |
