Merge pull request #3479 from geoffw0/fp2762

C++: Allow equality to block taint (security taint tracking)
2020-05-25 15:11:10 +02:00 · 2020-05-25 15:11:10 +02:00 · bc09720704
--- a/change-notes/1.25/analysis-cpp.md
+++ b/change-notes/1.25/analysis-cpp.md
@ -39,3 +39,5 @@ The following changes in version 1.25 affect C/C++ analysis in all applications.
      }
  };
  ```
+* The security pack taint tracking library (`semmle.code.cpp.security.TaintTracking`) now considers that equality checks may block the flow of taint.  This results in fewer false positive results from queries that use this library.
+
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@ -5,6 +5,7 @@ private import semmle.code.cpp.ir.dataflow.DataFlow2
 private import semmle.code.cpp.ir.dataflow.DataFlow3
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
+private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.models.interfaces.Taint
 private import semmle.code.cpp.models.interfaces.DataFlow

@ -170,11 +171,34 @@ private predicate hasUpperBoundsCheck(Variable var) {
  )
 }

+private predicate nodeIsBarrierEqualityCandidate(
+  DataFlow::Node node, Operand access, Variable checkedVar
+) {
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
+}
+
 private predicate nodeIsBarrier(DataFlow::Node node) {
  exists(Variable checkedVar |
    readsVariable(node.asInstruction(), checkedVar) and
    hasUpperBoundsCheck(checkedVar)
  )
+  or
+  exists(Variable checkedVar, Operand access |
+    /*
+     * This node is guarded by a condition that forces the accessed variable
+     * to equal something else.  For example:
+     * ```
+     * x = taintsource()
+     * if (x == 10) {
+     *   taintsink(x); // not considered tainted
+     * }
+     * ```
+     */
+
+    nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+    readsVariable(access.getDef(), checkedVar)
+  )
 }

 private predicate nodeIsBarrierIn(DataFlow::Node node) {
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@ -68,6 +68,26 @@ edges
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
 | test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
 | test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
+| test.cpp:241:2:241:32 | Chi | test.cpp:279:17:279:20 | get_size output argument |
+| test.cpp:241:2:241:32 | Chi | test.cpp:295:18:295:21 | get_size output argument |
+| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi |
+| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi |
+| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 nodes
 | field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
 | field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
@ -140,6 +160,32 @@ nodes
 | test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
 | test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:241:2:241:32 | Chi | semmle.label | Chi |
+| test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:249:20:249:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:301:19:301:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:309:19:309:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 #select
 | field_conflation.c:20:3:20:8 | call to malloc | field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:20:13:20:13 | x | This allocation size is derived from $@ and might overflow | field_conflation.c:12:22:12:27 | call to getenv | user input (getenv) |
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@ -155,3 +201,8 @@ nodes
 | test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
+| test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
+| test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:305:4:305:9 | call to malloc | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:301:19:301:24 | call to getenv | user input (getenv) |
+| test.cpp:314:3:314:8 | call to malloc | test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:309:19:309:24 | call to getenv | user input (getenv) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@ -236,3 +236,81 @@ void more_cases() {
 	my_func(100); // GOOD
 	my_func(local_size); // GOOD
 }
+
+bool get_size(int &out_size) {
+	out_size = atoi(getenv("USER"));
+	
+	return true;
+}
+
+void equality_cases() {
+	{
+		int size1 = atoi(getenv("USER"));
+		int size2 = atoi(getenv("USER"));
+
+		if (size1 == 100)
+		{
+			malloc(size2 * sizeof(int)); // BAD
+		}
+		if (size2 == 100)
+		{
+			malloc(size2 * sizeof(int)); // GOOD
+		}
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size != 100)
+			return;
+
+		malloc(size * sizeof(int)); // GOOD
+	}
+	{
+		int size;
+
+		if ((get_size(size)) && (size == 100))
+		{
+			malloc(size * sizeof(int)); // GOOD
+		}
+	}
+	{
+		int size;
+
+		if ((get_size(size)) && (size != 100))
+		{
+			malloc(size * sizeof(int)); // BAD
+		}
+	}
+	{
+		int size;
+
+		if ((!get_size(size)) || (size != 100))
+			return;
+
+		malloc(size * sizeof(int)); // GOOD
+	}
+	{
+		int size;
+
+		if ((!get_size(size)) || (size == 100))
+			return;
+
+		malloc(size * sizeof(int)); // BAD
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((size == 50) || (size == 100))
+		{
+			malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+		}
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size != 50 && size != 100)
+			return;
+
+		malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+	}
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
@ -5,5 +5,4 @@
 | test.c:63:3:63:5 | sc8 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:62:9:62:16 | - ... | Extreme value |
 | test.c:75:3:75:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
 | test.c:76:3:76:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
-| test.c:114:9:114:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:108:17:108:23 | 2147483647 | Extreme value |
 | test.c:124:9:124:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:17:118:23 | 2147483647 | Extreme value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
@ -111,7 +111,7 @@ void test_guards3(int cond) {

 	if (x != 0) return;

-	return x + 1; // GOOD [FALSE POSITIVE]
+	return x + 1; // GOOD
 }

 void test_guards4(int cond) {