CPP: Add test cases for the macro logic and other details of ArithmeticUncontrolled.ql.

2018-12-13 12:01:58 +00:00 · 2018-12-13 12:01:58 +00:00 · b59c2868cd
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@ -1 +1,12 @@
-| test.c:13:17:13:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:10:13:10:16 | call to rand | Uncontrolled value |
+WARNING: Type MacroInvocationExpr has been deprecated and may be removed in future (C:\semmle\code\ql\cpp\ql\src\Security\CWE\CWE-190\ArithmeticUncontrolled.ql:22,13-32)
+| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
+| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
+| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
+| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:22 | call to rand | Uncontrolled value |
+| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
+| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
+| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
+| test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@ -1,9 +1,17 @@
 // Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
 // Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html

-int rand();
+int rand(void);
 void trySlice(int start, int end);

+#define RAND() rand()
+#define RANDN(n) (rand() % n)
+#define RAND2() (rand() ^ rand())
+
+
+
+
+
 void randomTester() {
  int i;
  for (i = 0; i < 1000; i++) {
@ -21,5 +29,74 @@ void randomTester() {
      trySlice(r, r+100);
    }
  }
-}

+  {
+    int r = RAND();
+    r += 100; // BAD: The return from RAND() is unbounded
+  }
+
+  {
+    int r = RANDN(100);
+    r += 100; // GOOD: The return from RANDN is bounded [FALSE POSITIVE]
+  }
+
+  {
+    int r = rand();
+    r += 100; // BAD
+  }
+  
+  {
+    int r = rand() / 10;
+    r += 100; // GOOD
+  }
+  
+  {
+    int r = rand();
+    r = r / 10;
+    r += 100; // GOOD [FALSE POSITIVE]
+  }
+  
+  {
+    int r = rand();
+    r /= 10;
+    r += 100; // GOOD
+  }
+  
+  {
+    int r = rand() & 0xFF;
+    r += 100; // GOOD [FALSE POSITIVE]
+  }
+
+  {
+    int r = rand() + 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = RAND2();
+
+    r = r - 100; // BAD
+  }
+
+  {
+    int r = (rand() ^ rand());
+
+    r = r - 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = RAND2() - 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = RAND();
+    int *ptr_r = &r;
+    *ptr_r -= 100; // BAD [NOT DETECTED]
+  }
+
+  {
+    int r = 0;
+    int *ptr_r = &r;
+    *ptr_r = RAND();
+    r -= 100; // BAD
+  }
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@ -0,0 +1,39 @@
+// Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
+// Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html
+
+int rand(void);
+
+int get_rand()
+{
+	return rand();
+}
+
+void get_rand2(int *dest)
+{
+	*dest = rand();
+}
+
+void get_rand3(int &dest)
+{
+	dest = rand();
+}
+
+void randomTester2()
+{
+	{
+		int r = get_rand();
+		r = r + 100; // BAD
+	}
+
+	{
+		int r;
+		get_rand2(&r);
+		r = r + 100; // BAD [NOT DETECTED]
+	}
+
+	{
+		int r;
+		get_rand3(r);
+		r = r + 100; // BAD
+	}
+}