CPP: Support flow of pointed-to things through function calls.

geoffw0 · geoffw0 · commit ef4756313975 · 2020-01-16T11:08:19.000Z
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -602,9 +602,14 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
       exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn |
         call.getTarget() = f and
         f.hasDataFlow(inModel, outModel) and
-        outModel.isReturnValue() and
-        inModel.isParameter(iIn) and
-        fromExpr = call.getArgument(iIn)
+        fromExpr = call.getArgument(iIn) and
+        (
+          inModel.isParameter(iIn) and
+          outModel.isReturnValue()
+          or
+          inModel.isParameterDeref(iIn) and
+          outModel.isReturnValueDeref()
+        )
       )
     )
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -144,6 +144,7 @@
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:171:8:171:13 | buffer |  |
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:172:10:172:15 | buffer |  |
 | taint.cpp:170:10:170:15 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
+| taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:3:170:8 | call to strcpy |  |
 | taint.cpp:170:18:170:26 | Hello,  | taint.cpp:170:10:170:15 | ref arg buffer | TAINT |
 | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:172:10:172:15 | buffer |  |
 | taint.cpp:171:8:171:13 | ref arg buffer | taint.cpp:173:8:173:13 | buffer |  |
@@ -163,6 +164,8 @@
 | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:194:2:194:7 | call to memcpy |  |
 | taint.cpp:194:9:194:10 | ref arg & ... | taint.cpp:195:7:195:7 | x |  |
 | taint.cpp:194:10:194:10 | x | taint.cpp:194:9:194:10 | & ... |  |
+| taint.cpp:194:13:194:18 | ref arg source | taint.cpp:194:2:194:7 | call to memcpy |  |
+| taint.cpp:194:13:194:18 | source | taint.cpp:194:2:194:7 | call to memcpy |  |
 | taint.cpp:194:13:194:18 | source | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:194:21:194:31 | sizeof(int) | taint.cpp:194:9:194:10 | ref arg & ... | TAINT |
 | taint.cpp:207:6:207:11 | call to source | taint.cpp:207:2:207:13 | ... = ... |  |
@@ -328,8 +331,10 @@
 | taint.cpp:365:24:365:29 | source | taint.cpp:371:14:371:19 | source |  |
 | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:369:2:369:19 | ... = ... |  |
 | taint.cpp:369:6:369:11 | call to strdup | taint.cpp:372:7:372:7 | a |  |
+| taint.cpp:369:13:369:18 | source | taint.cpp:369:6:369:11 | call to strdup |  |
 | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:370:2:370:27 | ... = ... |  |
 | taint.cpp:370:6:370:11 | call to strdup | taint.cpp:373:7:373:7 | b |  |
+| taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c |  |
 | taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source |  |
@@ -338,5 +343,7 @@
 | taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a |  |
+| taint.cpp:389:13:389:18 | source | taint.cpp:389:6:389:11 | call to wcsdup |  |
 | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:390:2:390:28 | ... = ... |  |
 | taint.cpp:390:6:390:11 | call to wcsdup | taint.cpp:392:7:392:7 | b |  |
+| taint.cpp:390:13:390:27 | hello, world | taint.cpp:390:6:390:11 | call to wcsdup |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -369,7 +369,7 @@ void test_strdup(char *source)
 	a = strdup(source);
 	b = strdup("hello, world");
 	c = strndup(source, 100);
-	sink(a); // tainted [NOT DETECTED]
+	sink(a); // tainted
 	sink(b);
 	sink(c); // tainted [NOT DETECTED]
 }
@@ -388,6 +388,6 @@ void test_wcsdup(wchar_t *source)
 
 	a = wcsdup(source);
 	b = wcsdup(L"hello, world");
-	sink(a); // tainted [NOT DETECTED]
+	sink(a); // tainted
 	sink(b);
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -37,3 +37,5 @@
 | taint.cpp:350:7:350:7 | t | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
+| taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
+| taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -25,3 +25,5 @@
 | taint.cpp:350:7:350:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
+| taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
+| taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |

Original file line number	Diff line number	Diff line change
`@@ -602,9 +602,14 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {`
`602`	`602`	`exists(DataFlowFunction f, FunctionInput inModel, FunctionOutput outModel, int iIn \|`
`603`	`603`	`call.getTarget() = f and`
`604`	`604`	`f.hasDataFlow(inModel, outModel) and`
`605`		`- outModel.isReturnValue() and`
`606`		`- inModel.isParameter(iIn) and`
`607`		`- fromExpr = call.getArgument(iIn)`
	`605`	`+ fromExpr = call.getArgument(iIn) and`
	`606`	`+ (`
	`607`	`+ inModel.isParameter(iIn) and`
	`608`	`+ outModel.isReturnValue()`
	`609`	`+ or`
	`610`	`+ inModel.isParameterDeref(iIn) and`
	`611`	`+ outModel.isReturnValueDeref()`
	`612`	`+ )`
`608`	`613`	`)`
`609`	`614`	`)`
`610`	`615`	`}`