Merge pull request #9997 from rdmarsh2/rdmarsh2/cpp/product-flow

C++: Experimental product flow library

Author: MathiasVP

cpp/ql/lib/experimental/semmle/code/cpp/dataflow/ProductFlow.qll

@@ -0,0 +1,136 @@
+import semmle.code.cpp.ir.dataflow.DataFlow
+import semmle.code.cpp.ir.dataflow.DataFlow2
+
+module ProductFlow {
+  abstract class Configuration extends string {
+    bindingset[this]
+    Configuration() { any() }
+
+    /**
+     * Holds if `(source1, source2)` is a relevant data flow source.
+     *
+     * `source1` and `source2` must belong to the same callable.
+     */
+    abstract predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2);
+
+    /**
+     * Holds if `(sink1, sink2)` is a relevant data flow sink.
+     *
+     * `sink1` and `sink2` must belong to the same callable.
+     */
+    abstract predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2);
+
+    predicate hasFlowPath(
+      DataFlow::PathNode source1, DataFlow2::PathNode source2, DataFlow::PathNode sink1,
+      DataFlow2::PathNode sink2
+    ) {
+      reachable(this, source1, source2, sink1, sink2)
+    }
+  }
+
+  private import Internal
+
+  module Internal {
+    class Conf1 extends DataFlow::Configuration {
+      Conf1() { this = "Conf1" }
+
+      override predicate isSource(DataFlow::Node source) {
+        exists(Configuration conf | conf.isSourcePair(source, _))
+      }
+
+      override predicate isSink(DataFlow::Node sink) {
+        exists(Configuration conf | conf.isSinkPair(sink, _))
+      }
+    }
+
+    class Conf2 extends DataFlow2::Configuration {
+      Conf2() { this = "Conf2" }
+
+      override predicate isSource(DataFlow::Node source) {
+        exists(Configuration conf, DataFlow::Node source1 |
+          conf.isSourcePair(source1, source) and
+          any(Conf1 c).hasFlow(source1, _)
+        )
+      }
+
+      override predicate isSink(DataFlow::Node sink) {
+        exists(Configuration conf, DataFlow::Node sink1 |
+          conf.isSinkPair(sink1, sink) and any(Conf1 c).hasFlow(_, sink1)
+        )
+      }
+    }
+  }
+
+  private predicate reachableInterprocEntry(
+    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
+    DataFlow::PathNode node1, DataFlow2::PathNode node2
+  ) {
+    conf.isSourcePair(node1.getNode(), node2.getNode()) and
+    node1 = source1 and
+    node2 = source2
+    or
+    exists(
+      DataFlow::PathNode midEntry1, DataFlow2::PathNode midEntry2, DataFlow::PathNode midExit1,
+      DataFlow2::PathNode midExit2
+    |
+      reachableInterprocEntry(conf, source1, source2, midEntry1, midEntry2) and
+      interprocEdgePair(midExit1, midExit2, node1, node2) and
+      localPathStep1*(midEntry1, midExit1) and
+      localPathStep2*(midEntry2, midExit2)
+    )
+  }
+
+  private predicate localPathStep1(DataFlow::PathNode pred, DataFlow::PathNode succ) {
+    DataFlow::PathGraph::edges(pred, succ) and
+    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
+      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
+  }
+
+  private predicate localPathStep2(DataFlow2::PathNode pred, DataFlow2::PathNode succ) {
+    DataFlow2::PathGraph::edges(pred, succ) and
+    pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
+      pragma[only_bind_out](succ.getNode().getEnclosingCallable())
+  }
+
+  pragma[nomagic]
+  private predicate interprocEdge1(
+    Declaration predDecl, Declaration succDecl, DataFlow::PathNode pred1, DataFlow::PathNode succ1
+  ) {
+    DataFlow::PathGraph::edges(pred1, succ1) and
+    predDecl != succDecl and
+    pred1.getNode().getEnclosingCallable() = predDecl and
+    succ1.getNode().getEnclosingCallable() = succDecl
+  }
+
+  pragma[nomagic]
+  private predicate interprocEdge2(
+    Declaration predDecl, Declaration succDecl, DataFlow2::PathNode pred2, DataFlow2::PathNode succ2
+  ) {
+    DataFlow2::PathGraph::edges(pred2, succ2) and
+    predDecl != succDecl and
+    pred2.getNode().getEnclosingCallable() = predDecl and
+    succ2.getNode().getEnclosingCallable() = succDecl
+  }
+
+  private predicate interprocEdgePair(
+    DataFlow::PathNode pred1, DataFlow2::PathNode pred2, DataFlow::PathNode succ1,
+    DataFlow2::PathNode succ2
+  ) {
+    exists(Declaration predDecl, Declaration succDecl |
+      interprocEdge1(predDecl, succDecl, pred1, succ1) and
+      interprocEdge2(predDecl, succDecl, pred2, succ2)
+    )
+  }
+
+  private predicate reachable(
+    Configuration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
+    DataFlow::PathNode sink1, DataFlow2::PathNode sink2
+  ) {
+    exists(DataFlow::PathNode mid1, DataFlow2::PathNode mid2 |
+      reachableInterprocEntry(conf, source1, source2, mid1, mid2) and
+      conf.isSinkPair(sink1.getNode(), sink2.getNode()) and
+      localPathStep1*(mid1, sink1) and
+      localPathStep2*(mid2, sink2)
+    )
+  }
+}

cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql

@@ -0,0 +1,51 @@
+import cpp
+import experimental.semmle.code.cpp.dataflow.ProductFlow
+import experimental.semmle.code.cpp.semantic.analysis.RangeAnalysis
+import experimental.semmle.code.cpp.rangeanalysis.Bound
+import experimental.semmle.code.cpp.semantic.SemanticExprSpecific
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.models.interfaces.Allocation
+import semmle.code.cpp.ir.IRConfiguration
+
+predicate bounded(Instruction i, Bound b, int delta, boolean upper) {
+  // TODO: reason
+  semBounded(getSemanticExpr(i), b, delta, upper, _)
+}
+
+class ArraySizeConfiguration extends ProductFlow::Configuration {
+  ArraySizeConfiguration() { this = "ArraySizeConfiguration" }
+
+  override predicate isSourcePair(DataFlow::Node source1, DataFlow::Node source2) {
+    exists(GVN sizeGvn |
+      source1.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
+      source2.asConvertedExpr() = sizeGvn.getAnExpr()
+    )
+  }
+
+  override predicate isSinkPair(DataFlow::Node sink1, DataFlow::Node sink2) {
+    exists(PointerAddInstruction pai, Instruction index, Bound b, int delta |
+      pai.getRight() = index and
+      pai.getLeft() = sink1.asInstruction() and
+      bounded(index, b, delta, true) and
+      sink2.asInstruction() = b.getInstruction() and
+      (
+        delta = 0 and
+        exists(DataFlow::Node paiNode, DataFlow::Node derefNode |
+          DataFlow::localFlow(paiNode, derefNode) and
+          paiNode.asInstruction() = pai and
+          derefNode.asOperand() instanceof AddressOperand
+        )
+        or
+        delta >= 1
+      )
+    )
+  }
+}
+
+from
+  ArraySizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
+  DataFlow::PathNode sink1, DataFlow2::PathNode sink2
+where conf.hasFlowPath(source1, source2, sink1, sink2)
+// TODO: pull delta out and display it
+select source1, source2, sink1, sink2

cpp/ql/src/experimental/Likely Bugs/OverrunWriteProductFlow.ql

@@ -0,0 +1,34 @@
+import cpp
+import experimental.semmle.code.cpp.dataflow.ProductFlow
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.models.interfaces.Allocation
+import semmle.code.cpp.models.interfaces.ArrayFunction
+
+class StringSizeConfiguration extends ProductFlow::Configuration {
+  StringSizeConfiguration() { this = "StringSizeConfiguration" }
+
+  override predicate isSourcePair(DataFlow::Node bufSource, DataFlow::Node sizeSource) {
+    exists(
+      GVN sizeGvn // TODO: use-use flow instead of GVN
+    |
+      bufSource.asConvertedExpr().(AllocationExpr).getSizeExpr() = sizeGvn.getAnExpr() and
+      sizeSource.asConvertedExpr() = sizeGvn.getAnExpr()
+    )
+  }
+
+  override predicate isSinkPair(DataFlow::Node bufSink, DataFlow::Node sizeSink) {
+    exists(CallInstruction c, int bufIndex, int sizeIndex |
+      c.getStaticCallTarget().(ArrayFunction).hasArrayWithVariableSize(bufIndex, sizeIndex) and
+      c.getArgument(bufIndex) = bufSink.asInstruction() and
+      c.getArgument(sizeIndex) = sizeSink.asInstruction()
+    )
+  }
+}
+
+// we don't actually check correctness yet. Right now the query just finds relevant source/sink pairs.
+from
+  StringSizeConfiguration conf, DataFlow::PathNode source1, DataFlow2::PathNode source2,
+  DataFlow::PathNode sink1, DataFlow2::PathNode sink2
+where conf.hasFlowPath(source1, source2, sink1, sink2)
+select source1, source2, sink1, sink2

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.expected

@@ -0,0 +1,2 @@
+| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:26:18:26:23 | string | test.cpp:26:31:26:39 | (size_t)... |
+| test.cpp:19:19:19:24 | call to malloc | test.cpp:18:17:18:20 | size | test.cpp:30:18:30:23 | string | test.cpp:30:31:30:39 | (size_t)... |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/OverrunWriteProductFlow.qlref

@@ -0,0 +1 @@
+experimental/Likely Bugs/OverrunWriteProductFlow.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-119/test.cpp

@@ -0,0 +1,37 @@
+
+typedef unsigned long long size_t;
+int sprintf(char *s, const char *format, ...);
+int snprintf(char *s, size_t n, const char *format, ...);
+int scanf(const char *format, ...);
+int sscanf(const char *s, const char *format, ...);
+char *malloc(size_t size);
+char *strncpy(char *dst, const char *src, size_t n);
+
+typedef struct
+{
+	char *string;
+	int size;
+} string_t;
+
+string_t *mk_string_t(int size) {
+    string_t *str = (string_t *) malloc(sizeof(string_t));
+    str->size = size;
+    str->string = malloc(size);
+    return str;
+}
+
+void test1(int size, char *buf) {
+    string_t *str = mk_string_t(size);
+
+    strncpy(str->string, buf, str->size);
+}
+
+void strncpy_wrapper(string_t *str, char *buf) {
+    strncpy(str->string, buf, str->size);
+}
+
+void test2(int size, char *buf) {
+    string_t *str = mk_string_t(size);
+    strncpy_wrapper(str, buf);
+}
+

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected

@@ -0,0 +1,23 @@
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:4:24:4:27 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:4:24:4:27 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:24:4:27 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:5:25:5:28 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:5:25:5:28 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
+| test.cpp:4:17:4:22 | call to malloc | test.cpp:9:26:9:29 | size | test.cpp:10:9:10:11 | arr | test.cpp:9:26:9:29 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:5:55:19 | Store |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:16:55:19 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:55:16:55:19 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:55:16:55:19 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:56:20:56:23 | size | test.cpp:63:13:63:13 | p | test.cpp:56:20:56:23 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | p | test.cpp:58:29:58:32 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:58:29:58:32 | size | test.cpp:63:13:63:13 | p | test.cpp:58:29:58:32 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | p | test.cpp:62:30:62:33 | size |
+| test.cpp:56:13:56:18 | call to malloc | test.cpp:62:30:62:33 | size | test.cpp:63:13:63:13 | p | test.cpp:62:30:62:33 | size |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:83:14:83:14 | p | test.cpp:82:31:82:34 | size |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:88:30:88:33 | size |
+| test.cpp:70:14:70:19 | call to malloc | test.cpp:69:17:69:20 | size | test.cpp:93:14:93:14 | p | test.cpp:92:31:92:34 | size |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref

@@ -0,0 +1 @@
+experimental/Likely Bugs/ArrayAccessProductFlow.ql