ConvertingAPointerToIntegerOrIntegerToPointer.ql
/**
* @id c/cert/converting-a-pointer-to-integer-or-integer-to-pointer
* @name INT36-C: Do not convert pointers to integers and back
* @description Converting between pointers and integers is not portable and might cause invalid
* memory access.
* @kind problem
* @precision very-high
* @problem.severity error
* @tags external/cert/id/int36-c
* external/cert/severity/low
* external/cert/likelihood/probable
* external/cert/remediation-cost/high
* external/cert/priority/p2
* external/cert/level/l3
* external/cert/obligation/rule
*/
import cpp
import codingstandards.c.cert
import codingstandards.cpp.types.Resolve
/**
 * A literal whose value, as reported by `getValue()`, is the string `"0"`.
 *
 * `conversionBetweenPointerAndInteger` uses this class to exempt casts whose
 * operand is a zero literal.
 *
 * NOTE(review): the comparison is on the literal's value rather than its
 * spelling, so presumably forms such as `0x0` or `0L` match as well. Confirm
 * that this is the intended reading of the INT36-C null-pointer-constant exception.
 */
class LiteralZero extends Literal {
  LiteralZero() { "0" = this.getValue() }
}
/**
 * A type named `intptr_t` or `uintptr_t` that has a declaration entry in a header file.
 *
 * NOTE(review): the declaring header is not pinned to a specific file, so a project
 * header that declares its own type under one of these names also matches. Conversions
 * involving such a type are then treated as the compliant `(u)intptr_t` case.
 */
class StdIntIntPtrType extends Type {
  StdIntIntPtrType() {
    // The name test does not depend on the declaration entry, so it sits outside the quantifier.
    this.getName().regexpMatch("u?intptr_t") and
    exists(TypeDeclarationEntry decl |
      decl.getType() = this and
      /*
       * Only require that the declaration lives in some header file,
       * because we don't know which header the declaration might live in.
       */
      decl.getFile() instanceof HeaderFile
    )
  }
}
/**
 * A type that resolves to a `StdIntIntPtrType`.
 *
 * NOTE(review): `ResolvesTo<...>::IgnoringSpecifiers` is not defined in this file
 * (presumably it comes from `codingstandards.cpp.types.Resolve`). It presumably looks
 * through typedefs and ignores specifiers such as `const`/`volatile` - confirm there.
 */
class ResolvesToStdIntIntPtrType = ResolvesTo<StdIntIntPtrType>::IgnoringSpecifiers;

/**
 * A type that resolves to a `VoidPointerType`, with the same resolution rules
 * as `ResolvesToStdIntIntPtrType`.
 */
class ResolvesToVoidPointerType = ResolvesTo<VoidPointerType>::IgnoringSpecifiers;
/**
 * Holds if `cast` converts between an integer type and a pointer type, in either
 * direction, and binds `message` to the alert text for that direction.
 *
 * Both explicit casts and compiler-generated (implicit) conversions are matched; the
 * message says which of the two was found. Two cases are exempt: a cast whose operand
 * is a `LiteralZero`, and a conversion between a `void *`-resolving type and a
 * `(u)intptr_t`-resolving type.
 *
 * NOTE(review): the integer side is restricted to types resolving to `IntType`, and only
 * when that type is strictly smaller than the pointer type. Conversions involving other
 * integer types (presumably `long`, `char`, ...) are therefore not reported by this
 * predicate - confirm that this coverage is what INT36-C requires.
 */
predicate conversionBetweenPointerAndInteger(Cast cast, string message) {
  /*
   * Only consider integer/pointer type pairs where the integer type is strictly
   * smaller than the pointer type: such an integer cannot hold a full pointer value.
   */

  exists(
    ResolvesTo<IntType>::IgnoringSpecifiers intType,
    ResolvesTo<PointerType>::IgnoringSpecifiers ptrType
  |
    intType.getSize() < ptrType.getSize()
  |
    /* Direction 1: integer operand converted to a pointer type. */
    cast.getExpr().getType() = intType and
    cast.getType() = ptrType and
    if cast.isCompilerGenerated()
    then message = "Integer expression " + cast.getExpr() + " is implicitly cast to a pointer type."
    else message = "Integer expression " + cast.getExpr() + " is cast to a pointer type."
    or
    /*
     * Direction 2: pointer operand converted to an integer type.
     * NOTE(review): the `or` is unparenthesized; it is read here as separating the two
     * directions rather than extending the `else` branch above - confirm.
     */
    cast.getExpr().getType() = ptrType and
    cast.getType() = intType and
    if cast.isCompilerGenerated()
    then
      message = "Pointer expression " + cast.getExpr() + " is implicitly cast to an integer type."
    else message = "Pointer expression " + cast.getExpr() + " is cast to an integer type."
  ) and
  /* Compliant exception 1: the operand is a literal with value 0 */
  not cast.getExpr() instanceof LiteralZero and
  /* Compliant exception 2: conversion between `void *` and (u)intptr_t, in either direction */
  not (
    cast.getType() instanceof ResolvesToStdIntIntPtrType and
    cast.getExpr().getType() instanceof ResolvesToVoidPointerType
    or
    cast.getType() instanceof ResolvesToVoidPointerType and
    cast.getExpr().getType() instanceof ResolvesToStdIntIntPtrType
  )
}
// Report every element matched by `conversionBetweenPointerAndInteger`, together with
// its direction-specific message, unless `isExcluded` holds for that element and this query.
from Element elem, string message
where
  conversionBetweenPointerAndInteger(elem, message) and
  not isExcluded(elem, Types1Package::convertingAPointerToIntegerOrIntegerToPointerQuery())
select elem, message