Merge branch 'main' into pointers3

Author: lcartey

.vscode/tasks.json

@@ -210,6 +210,7 @@
                 "Declarations4",
                 "Declarations5",
                 "Declarations6",
+                "Declarations7",
                 "Exceptions1",
                 "Exceptions2",
                 "Expressions",
@@ -222,6 +223,8 @@
                 "Includes",
                 "Initialization",
                 "IntegerConversion",
+                "InvalidMemory1",
+                "InvalidMemory2",
                 "Invariants",
                 "Iterators",
                 "Lambdas",
@@ -230,6 +233,8 @@
                 "Literals",
                 "Loops",
                 "Macros",
+                "Memory1",
+                "Memory2",
                 "Misc",
                 "MoveForward",
                 "Naming",

README.md

@@ -9,7 +9,7 @@ _Carnegie Mellon and CERT are registered trademarks of Carnegie Mellon Universit
 This repository contains CodeQL queries and libraries which support various Coding Standards for the [C++14](https://www.iso.org/standard/64029.html) programming language.
 
 The following coding standards are supported:
-- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems Release 20-11](https://www.autosar.org/fileadmin/user_upload/standards/adaptive/20-11/AUTOSAR_RS_CPP14Guidelines.pdf)
+- [AUTOSAR - Guidelines for the use of C++14 language in critical and safety-related systems Release 20-11](https://www.autosar.org/fileadmin/standards/adaptive/20-11/AUTOSAR_RS_CPP14Guidelines.pdf)
 - [MISRA C++:2008](https://www.misra.org.uk) (support limited to the rules specified in AUTOSAR 20-11).
 - [SEI CERT C++ Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=494932)
 

c/cert/src/rules/DCL39-C/InformationLeakageAcrossTrustBoundariesC.md

@@ -0,0 +1,22 @@
+/**
+ * @id c/cert/information-leakage-across-trust-boundaries-c
+ * @name DCL39-C: Avoid information leakage when passing a structure across a trust boundary
+ * @description Passing a structure with uninitialized fields or padding bytes can cause information
+ *              to be unintentionally leaked.
+ * @kind problem
+ * @precision medium
+ * @problem.severity error
+ * @tags external/cert/id/dcl39-c
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.rules.informationleakageacrossboundaries.InformationLeakageAcrossBoundaries
+
+class InformationLeakageAcrossTrustBoundariesCQuery extends InformationLeakageAcrossBoundariesSharedQuery {
+  InformationLeakageAcrossTrustBoundariesCQuery() {
+    this = Declarations7Package::informationLeakageAcrossTrustBoundariesCQuery()
+  }
+}

c/cert/src/rules/DCL39-C/InformationLeakageAcrossTrustBoundariesC.ql

@@ -0,0 +1,23 @@
+/**
+ * @id c/cert/do-not-read-uninitialized-memory
+ * @name EXP33-C: Do not read uninitialized memory
+ * @description Using the value of an object with automatic storage duration while it is
+ *              indeterminate is undefined behavior.
+ * @kind problem
+ * @precision medium
+ * @problem.severity error
+ * @tags external/cert/id/exp33-c
+ *       correctness
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.rules.readofuninitializedmemory.ReadOfUninitializedMemory
+
+class DoNotReadUninitializedMemoryQuery extends ReadOfUninitializedMemorySharedQuery {
+  DoNotReadUninitializedMemoryQuery() {
+    this = InvalidMemory1Package::doNotReadUninitializedMemoryQuery()
+  }
+}

c/cert/src/rules/EXP33-C/DoNotReadUninitializedMemory.md

@@ -0,0 +1,21 @@
+/**
+ * @id c/cert/do-not-dereference-null-pointers
+ * @name EXP34-C: Do not dereference null pointers
+ * @description Dereferencing a null pointer leads to undefined behavior.
+ * @kind problem
+ * @precision medium
+ * @problem.severity error
+ * @tags external/cert/id/exp34-c
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.rules.dereferenceofnullpointer.DereferenceOfNullPointer
+
+class DoNotDereferenceNullPointersQuery extends DereferenceOfNullPointerSharedQuery {
+  DoNotDereferenceNullPointersQuery() {
+    this = InvalidMemory1Package::doNotDereferenceNullPointersQuery()
+  }
+}

c/cert/src/rules/EXP33-C/DoNotReadUninitializedMemory.ql

@@ -0,0 +1,66 @@
+/**
+ * @id c/cert/do-not-access-freed-memory
+ * @name MEM30-C: Do not access freed memory
+ * @description Accessing memory that has been deallocated is undefined behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags external/cert/id/mem30-c
+ *       correctness
+ *       security
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.Allocations
+import semmle.code.cpp.controlflow.StackVariableReachability
+
+/** `e` is an expression that frees the memory pointed to by `v`. */
+predicate isFreeExpr(Expr e, StackVariable v) {
+  exists(VariableAccess va | va.getTarget() = v and freeExprOrIndirect(e, va, _))
+}
+
+/** `e` is an expression that accesses `v` but is not the lvalue of an assignment. */
+predicate isAccessExpr(Expr e, StackVariable v) {
+  v.getAnAccess() = e and
+  not exists(Assignment a | a.getLValue() = e)
+  or
+  isDerefByCallExpr(_, _, e, v)
+}
+
+/**
+ * `va` is passed by value as (part of) the `i`th argument in
+ * call `c`. The target function is either a library function
+ * or a source code function that dereferences the relevant
+ * parameter.
+ */
+predicate isDerefByCallExpr(Call c, int i, VariableAccess va, StackVariable v) {
+  v.getAnAccess() = va and
+  va = c.getAnArgumentSubExpr(i) and
+  not c.passesByReference(i, va) and
+  (c.getTarget().hasEntryPoint() implies isAccessExpr(_, c.getTarget().getParameter(i)))
+}
+
+class UseAfterFreeReachability extends StackVariableReachability {
+  UseAfterFreeReachability() { this = "UseAfterFree" }
+
+  override predicate isSource(ControlFlowNode node, StackVariable v) { isFreeExpr(node, v) }
+
+  override predicate isSink(ControlFlowNode node, StackVariable v) { isAccessExpr(node, v) }
+
+  override predicate isBarrier(ControlFlowNode node, StackVariable v) {
+    definitionBarrier(v, node) or
+    isFreeExpr(node, v)
+  }
+}
+
+// This query is a modified version of the `UseAfterFree.ql`
+// (cpp/use-after-free) query from the CodeQL standard library.
+from UseAfterFreeReachability r, StackVariable v, Expr free, Expr e
+where
+  not isExcluded(e, InvalidMemory1Package::doNotAccessFreedMemoryQuery()) and
+  r.reaches(free, v, e)
+select e,
+  "Pointer '" + v.getName().toString() + "' accessed but may have been previously freed $@.", free,
+  "here"