C++: Add more indirections in models.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/models/implementations/Allocation.qll

@@ -45,7 +45,10 @@ private class ReallocAllocationFunction extends AllocationFunction, DataFlowFunc
   override int getReallocPtrArg() { result = reallocArg }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(this.getReallocPtrArg()) and output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isParameterDeref(this.getReallocPtrArg(), indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
   }
 }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/GetDelim.qll

@@ -12,10 +12,10 @@ private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectF
   GetDelimFunction() { this.hasGlobalName(["getdelim", "getwdelim", "__getdelim"]) }
 
   override predicate hasTaintFlow(FunctionInput i, FunctionOutput o) {
-    i.isParameter(3) and o.isParameterDeref(0)
+    i.isParameter(3) and o.isParameterDeref(0, 2)
   }
 
-  override predicate isPartialWrite(FunctionOutput o) { o.isParameterDeref(3) }
+  override predicate isPartialWrite(FunctionOutput o) { o.isParameterDeref(0, 2) }
 
   override predicate parameterNeverEscapes(int index) { index = [0, 1, 3] }
 
@@ -38,7 +38,7 @@ private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectF
   }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(0) and
+    output.isParameterDeref(0, 2) and
     description = "string read by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -30,7 +30,7 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
   override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(2) }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameter(2) and
+    input.isParameterDeref(2) and
     output.isParameterDeref(0)
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/IdentityFunction.qll

@@ -31,6 +31,8 @@ private class IdentityFunction extends DataFlowFunction, SideEffectFunction, Ali
     // These functions simply return the argument value.
     input.isParameter(0) and output.isReturnValue()
     or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isParameterDeref(0, indirectionIndex) and output.isReturnValueDeref(indirectionIndex)
+    )
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -151,7 +151,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref([0 .. 2]) and
-    output.isParameterDeref(3)
+    output.isParameterDeref(3, 2)
   }
 
   override predicate hasArrayInput(int bufParam) { bufParam in [0, 1] }

cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll

@@ -164,7 +164,9 @@ private class IteratorCrementNonMemberOperatorModel extends IteratorCrementNonMe
     input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
     or
-    input.isParameterDeref(0) and output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isParameterDeref(0, indirectionIndex) and output.isReturnValueDeref(indirectionIndex)
+    )
   }
 
   override predicate hasOnlySpecificReadSideEffects() { any() }
@@ -205,16 +207,21 @@ private class IteratorCrementMemberOperatorModel extends IteratorCrementMemberOp
     input.isQualifierAddress() and
     output.isReturnValue()
     or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-    or
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      // reverse flow
+      input.isReturnValueDeref(indirectionIndex) and
+      output.isQualifierObject(indirectionIndex)
+      or
+      input.isQualifierObject(indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isQualifierObject(indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
   }
 
   override predicate hasOnlySpecificReadSideEffects() { any() }
@@ -286,8 +293,11 @@ private class IteratorBinaryArithmeticMemberOperatorModel extends IteratorBinary
   TaintFunction
 {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
+    exists(int indirectionIndex | input.isQualifierObject(indirectionIndex) |
+      output.isReturnValueDeref(indirectionIndex)
+      or
+      output.isReturnValue()
+    )
   }
 }
 
@@ -346,15 +356,23 @@ private class IteratorAssignArithmeticNonMemberOperatorModel extends IteratorAss
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(0) and output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the object referenced by the first parameter
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
-    or
-    (input.isParameter(1) or input.isParameterDeref(1)) and
-    output.isParameterDeref(0)
+    exists(int indirectionIndex |
+      input.isParameterDeref(0, indirectionIndex) and output.isReturnValueDeref(indirectionIndex)
+      or
+      // reverse flow from returned reference to the object referenced by the first parameter
+      input.isReturnValueDeref(indirectionIndex) and
+      output.isParameterDeref(0, indirectionIndex)
+      or
+      (
+        input.isParameter(1) and indirectionIndex = 0
+        or
+        input.isParameterDeref(1, indirectionIndex)
+      ) and
+      output.isParameterDeref(0, indirectionIndex + 1)
+    )
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isParameterDeref(0, _) }
 }
 
 /**
@@ -378,16 +396,25 @@ private class IteratorAssignArithmeticMemberOperatorModel extends IteratorAssign
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-    or
-    (input.isParameter(0) or input.isParameterDeref(0)) and
-    output.isQualifierObject()
+    exists(int indirectionIndex |
+      input.isParameterDeref(0, indirectionIndex) and output.isReturnValueDeref(indirectionIndex)
+      or
+      input.isQualifierObject(indirectionIndex) and output.isReturnValueDeref(indirectionIndex)
+      or
+      // reverse flow from returned reference to the object referenced by the first parameter
+      input.isReturnValueDeref(indirectionIndex) and
+      output.isQualifierObject(indirectionIndex)
+      or
+      (
+        input.isParameter(0) and indirectionIndex = 0
+        or
+        input.isParameterDeref(0, indirectionIndex)
+      ) and
+      output.isQualifierObject(indirectionIndex + 1)
+    )
   }
+
+  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject(_) }
 }
 
 /**
@@ -414,11 +441,14 @@ class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunc
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
+    exists(int indirectionIndex |
+      input.isQualifierObject(indirectionIndex) and
+      (output.isReturnValueDeref(indirectionIndex) or output.isReturnValue())
+      or
+      // reverse flow
+      input.isReturnValueDeref(indirectionIndex) and
+      output.isQualifierObject(indirectionIndex)
+    )
   }
 
   override predicate parameterNeverEscapes(int index) { index = -1 }
@@ -454,8 +484,10 @@ private class IteratorPointerDereferenceNonMemberOperatorModel extends IteratorP
     input = getIteratorArgumentInput(this, 0) and
     output.isReturnValue()
     or
-    input.isReturnValueDeref() and
-    output.isParameterDeref(0)
+    exists(int indirectionIndex |
+      input.isReturnValueDeref(indirectionIndex) and
+      output.isParameterDeref(0, indirectionIndex)
+    )
   }
 
   override predicate parameterNeverEscapes(int index) { index = 0 }
@@ -488,8 +520,10 @@ private class IteratorFieldMemberOperator extends Operator, TaintFunction {
   IteratorFieldMemberOperator() { this.getClassAndName("operator->") instanceof Iterator }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
+    exists(int indirectionIndex |
+      input.isQualifierObject(indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex) // TODO
+    )
   }
 }
 
@@ -502,8 +536,10 @@ private class IteratorArrayMemberOperator extends MemberFunction, TaintFunction,
   IteratorArrayMemberOperator() { this.getClassAndName("operator[]") instanceof Iterator }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
+    exists(int indirectionIndex |
+      input.isQualifierObject(indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex) // TODO
+    )
   }
 }
 
@@ -595,8 +631,11 @@ private class IteratorAssignmentMemberOperatorModel extends IteratorAssignmentMe
   TaintFunction, SideEffectFunction, AliasFunction
 {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (input.isParameterDeref(0) or input.isParameter(0)) and
-    output.isQualifierObject()
+    exists(int indirectionIndex | output.isQualifierObject(indirectionIndex + 1) |
+      input.isParameterDeref(0, indirectionIndex)
+      or
+      input.isParameter(0) and indirectionIndex = 0
+    )
   }
 
   override predicate hasOnlySpecificReadSideEffects() { any() }
@@ -669,8 +708,11 @@ private class BeginOrEndFunctionModels extends BeginOrEndFunction, TaintFunction
   GetIteratorFunction, AliasFunction, SideEffectFunction
 {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
+    exists(int indirectionIndex | input.isQualifierObject(indirectionIndex) |
+      // output.isReturnValue()
+      // or
+      output.isReturnValueDeref(indirectionIndex) // TODO
+    )
   }
 
   override predicate getsIterator(FunctionInput input, FunctionOutput output) {

cpp/ql/lib/semmle/code/cpp/models/implementations/MemberFunction.qll

@@ -65,12 +65,14 @@ private class MoveConstructorModel extends MoveConstructor, DataFlowFunction {
 private class CopyAssignmentOperatorModel extends CopyAssignmentOperator, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from argument to self
-    input.isParameterDeref(0) and
-    output.isQualifierObject()
-    or
-    // taint flow from argument to return value
-    input.isParameterDeref(0) and
-    output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isParameterDeref(0, indirectionIndex) and
+      output.isQualifierObject(indirectionIndex)
+      or
+      // taint flow from argument to return value
+      input.isParameterDeref(0, indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
     // TODO: it would be more accurate to model copy assignment as data flow
   }
 }
@@ -81,12 +83,14 @@ private class CopyAssignmentOperatorModel extends CopyAssignmentOperator, TaintF
 private class MoveAssignmentOperatorModel extends MoveAssignmentOperator, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // taint flow from argument to self
-    input.isParameterDeref(0) and
-    output.isQualifierObject()
-    or
-    // taint flow from argument to return value
-    input.isParameterDeref(0) and
-    output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isParameterDeref(0, indirectionIndex) and
+      output.isQualifierObject(indirectionIndex)
+      or
+      // taint flow from argument to return value
+      input.isParameterDeref(0, indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
     // TODO: it would be more accurate to model move assignment as data flow
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll

@@ -53,11 +53,13 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
   override predicate hasArrayOutput(int bufParam) { bufParam = this.getParamDest() }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(this.getParamSrc()) and
-    output.isParameterDeref(this.getParamDest())
-    or
-    input.isParameterDeref(this.getParamSrc()) and
-    output.isReturnValueDeref()
+    exists(int indirectionIndex |
+      input.isParameterDeref(this.getParamSrc(), indirectionIndex) and
+      output.isParameterDeref(this.getParamDest(), indirectionIndex)
+      or
+      input.isParameterDeref(this.getParamSrc(), indirectionIndex) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
     or
     input.isParameter(this.getParamDest()) and
     output.isReturnValue()

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -40,8 +40,10 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
   int getArgsStartPosition() { result = this.getNumberOfParameters() }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex()) and
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition()))
+    exists(int indirectionIndex |
+      input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex(), indirectionIndex) and
+      output.isParameterDeref(any(int i | i >= this.getArgsStartPosition()), indirectionIndex)
+    )
   }
 
   override predicate parameterNeverEscapes(int index) {

cpp/ql/lib/semmle/code/cpp/models/implementations/SmartPointer.qll

@@ -38,12 +38,17 @@ private class PointerUnwrapperFunction extends MemberFunction, TaintFunction, Da
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
+    exists(int indirectionIndex |
+      input.isReturnValueDeref(indirectionIndex) and
+      output.isQualifierObject(indirectionIndex)
+    )
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and output.isReturnValue()
+    exists(int indirectionIndex |
+      input.isQualifierObject(indirectionIndex + 1) and
+      output.isReturnValueDeref(indirectionIndex)
+    )
   }
 
   override predicate hasOnlySpecificReadSideEffects() { any() }
@@ -75,11 +80,16 @@ private class MakeUniqueOrShared extends TaintFunction {
     // since these just take a size argument, which we don't want to propagate taint through.
     not this.isArray() and
     (
-      input.isParameter([0 .. this.getNumberOfParameters() - 1])
+      input.isParameter([0 .. this.getNumberOfParameters() - 1]) and
+      output.isReturnValue()
       or
-      input.isParameterDeref([0 .. this.getNumberOfParameters() - 1])
-    ) and
-    output.isReturnValue()
+      exists(int indirectionIndex | output.isReturnValueDeref(indirectionIndex) |
+        input.isParameterDeref([0 .. this.getNumberOfParameters() - 1], indirectionIndex - 1)
+        or
+        input.isParameter([0 .. this.getNumberOfParameters() - 1]) and
+        indirectionIndex = 1
+      )
+    )
   }
 
   /**