-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathDangerousUseOfTransformationAfterOperation.ql
More file actions
100 lines (95 loc) · 3.57 KB
/
DangerousUseOfTransformationAfterOperation.ql
File metadata and controls
100 lines (95 loc) · 3.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
/**
* @name Dangerous use of transformation after operation
* @description By using the transformation after the operation, you are doing a pointless and dangerous action.
* @kind problem
* @id cpp/dangerous-use-of-transformation-after-operation
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* experimental
* external/cwe/cwe-190
*/
import cpp
/** Returns the number of the expression in the function call arguments. */
int argumentPosition(FunctionCall fc, Expr exp, int n) {
n in [0 .. fc.getNumberOfArguments() - 1] and
fc.getArgument(n) = exp and
result = n
}
/** Holds if a nonsensical type conversion situation is found. */
predicate conversionDoneLate(MulExpr mexp) {
exists(Expr e1, Expr e2 |
mexp.hasOperands(e1, e2) and
not e1.isConstant() and
not e1.hasConversion() and
not e1.hasConversion() and
(
e2.isConstant() or
not e2.hasConversion()
) and
mexp.getConversion().hasExplicitConversion() and
mexp.getConversion() instanceof ParenthesisExpr and
mexp.getConversion().getConversion() instanceof CStyleCast and
mexp.getConversion().getConversion().getType().getSize() > mexp.getType().getSize() and
mexp.getConversion().getConversion().getType().getSize() > e2.getType().getSize() and
mexp.getConversion().getConversion().getType().getSize() > e1.getType().getSize() and
exists(Expr e0 |
e0.(AssignExpr).getRValue() = mexp.getParent*() and
e0.(AssignExpr).getLValue().getType().getSize() =
mexp.getConversion().getConversion().getType().getSize()
or
mexp.getEnclosingElement().(ComparisonOperation).hasOperands(mexp, e0) and
e0.getType().getSize() = mexp.getConversion().getConversion().getType().getSize()
or
e0.(FunctionCall).getTarget().getParameter(argumentPosition(e0, mexp, _)).getType().getSize() =
mexp.getConversion().getConversion().getType().getSize()
)
)
}
/** Holds if the situation of a possible signed overflow used in pointer arithmetic is found. */
predicate signSmallerWithEqualSizes(MulExpr mexp) {
exists(Expr e1, Expr e2 |
mexp.hasOperands(e1, e2) and
not e1.isConstant() and
not e1.hasConversion() and
not e1.hasConversion() and
(
e2.isConstant() or
not e2.hasConversion()
) and
mexp.getConversion+().getUnderlyingType().getSize() = e1.getUnderlyingType().getSize() and
(
e2.isConstant() or
mexp.getConversion+().getUnderlyingType().getSize() = e2.getUnderlyingType().getSize()
) and
mexp.getConversion+().getUnderlyingType().getSize() = e1.getUnderlyingType().getSize() and
exists(AssignExpr ae |
ae.getRValue() = mexp.getParent*() and
ae.getRValue().getUnderlyingType().(IntegralType).isUnsigned() and
ae.getLValue().getUnderlyingType().(IntegralType).isSigned() and
(
not mexp.getParent*() instanceof DivExpr
or
exists(DivExpr de, Expr ec |
e2.isConstant() and
de.hasOperands(mexp.getParent*(), ec) and
ec.isConstant() and
e2.getValue().toInt() > ec.getValue().toInt()
)
) and
exists(PointerAddExpr pa |
ae.getASuccessor+() = pa and
pa.getAnOperand().(VariableAccess).getTarget() = ae.getLValue().(VariableAccess).getTarget()
)
)
)
}
from MulExpr mexp, string msg
where
conversionDoneLate(mexp) and
msg = "This transformation is applied after multiplication."
or
signSmallerWithEqualSizes(mexp) and
msg = "Possible signed overflow followed by offset of the pointer out of bounds."
select mexp, msg