Merge branch 'main' into clean-tests

Author: RasmusWL

…c/change-notes/2023-10-31-odbc-models.md …b/change-notes/2023-10-31-odbc-models.mdcpp/ql/src/change-notes/2023-10-31-odbc-models.md renamed to cpp/ql/lib/change-notes/2023-10-31-odbc-models.md cpp/ql/src/change-notes/2023-10-31-odbc-models.md renamed to cpp/ql/lib/change-notes/2023-10-31-odbc-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.

cpp/ql/lib/change-notes/2023-11-15-return-stack-allocated-memory.md

@@ -27,16 +27,26 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
   ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }
 
   override predicate isSource(Instruction source) {
-    // Holds if `source` is a node that represents the use of a stack variable
-    exists(VariableAddressInstruction var, Function func |
-      var = source and
-      func = source.getEnclosingFunction() and
-      var.getAstVariable() instanceof StackVariable and
-      // Pointer-to-member types aren't properly handled in the dbscheme.
-      not var.getResultType() instanceof PointerToMemberType and
+    exists(Function func |
       // Rule out FPs caused by extraction errors.
       not any(ErrorExpr e).getEnclosingFunction() = func and
-      not intentionallyReturnsStackPointer(func)
+      not intentionallyReturnsStackPointer(func) and
+      func = source.getEnclosingFunction()
+    |
+      // `source` is an instruction that represents the use of a stack variable
+      exists(VariableAddressInstruction var |
+        var = source and
+        var.getAstVariable() instanceof StackVariable and
+        // Pointer-to-member types aren't properly handled in the dbscheme.
+        not var.getResultType() instanceof PointerToMemberType
+      )
+      or
+      // `source` is an instruction that represents the return value of a
+      // function that is known to return stack-allocated memory.
+      exists(Call call |
+        call.getTarget().hasGlobalName(["alloca", "strdupa", "strndupa", "_alloca", "_malloca"]) and
+        source.getUnconvertedResultExpression() = call
+      )
     )
   }
 
@@ -85,10 +95,10 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
 }
 
 from
-  MustFlowPathNode source, MustFlowPathNode sink, VariableAddressInstruction var,
+  MustFlowPathNode source, MustFlowPathNode sink, Instruction instr,
   ReturnStackAllocatedMemoryConfig conf
 where
   conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
-  source.getInstruction() = var
+  source.getInstruction() = instr
 select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
-  var.getAst(), var.getAst().toString()
+  instr.getAst(), instr.getAst().toString()

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -14,25 +14,47 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import Flow::PathGraph
 
-predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+predicate isSource(FlowSource source, string sourceType) {
+  not source instanceof DataFlow::ExprNode and
+  sourceType = source.getSourceType()
 }
 
-from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { isSource(node, _) }
+
+  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
+    or
+    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+from
+  string processOperation, string sourceType, DataFlow::Node source, DataFlow::Node sink,
+  Flow::PathNode sourceNode, Flow::PathNode sinkNode
 where
-  isProcessOperationExplanation(arg, processOperation) and
-  taintedWithPath(source, arg, sourceNode, sinkNode)
-select arg, sourceNode, sinkNode,
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  isSource(source, sourceType) and
+  isProcessOperationExplanation(sink, processOperation) and
+  Flow::flowPath(sourceNode, sinkNode)
+select sink, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
-  source, source.toString()
+  source, sourceType

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -14,10 +14,13 @@
 
 import cpp
 import semmle.code.cpp.security.Overflow
-import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.dataflow.new.TaintTracking
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.controlflow.IRGuards as IRGuards
+import semmle.code.cpp.security.FlowSources as FS
 import Bounded
+import Flow::PathGraph
 
 bindingset[op]
 predicate missingGuard(Operation op, Expr e, string effect) {
@@ -28,28 +31,90 @@ predicate missingGuard(Operation op, Expr e, string effect) {
   not e instanceof VariableAccess and effect = "overflow"
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) {
-    exists(Operation op |
-      missingGuard(op, e, _) and
-      op.getAnOperand() = e
-    |
-      op instanceof UnaryArithmeticOperation or
-      op instanceof BinaryArithmeticOperation or
-      op instanceof AssignArithmeticOperation
-    )
-  }
+predicate isSource(FS::FlowSource source, string sourceType) { sourceType = source.getSourceType() }
+
+predicate isSink(DataFlow::Node sink, Operation op, Expr e) {
+  e = sink.asExpr() and
+  missingGuard(op, e, _) and
+  op.getAnOperand() = e and
+  (
+    op instanceof UnaryArithmeticOperation or
+    op instanceof BinaryArithmeticOperation or
+    op instanceof AssignArithmeticOperation
+  )
+}
+
+predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+predicate constantInstruction(Instruction instr) {
+  instr instanceof ConstantInstruction or
+  constantInstruction(instr.(UnaryInstruction).getUnary())
+}
+
+predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
 
-  override predicate isBarrier(Expr e) {
-    super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
+predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
+  exists(Instruction instr | instr = node.asInstruction() |
+    readsVariable(instr, checkedVar) and
+    any(IRGuards::IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
+  )
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isSource(source, _) }
+
+  predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    exists(StoreInstruction store | store = node.asInstruction() |
+      // Block flow to "likely small expressions"
+      bounded(store.getSourceValue().getUnconvertedResultExpression())
+      or
+      // Block flow to "small types"
+      store.getResultType().getUnspecifiedType().(IntegralType).getSize() <= 1
+    )
+    or
+    // Block flow if there's an upper bound check of the variable anywhere in the program
+    exists(Variable checkedVar, Instruction instr | instr = node.asInstruction() |
+      readsVariable(instr, checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    // Block flow if the node is guarded by an equality check
+    exists(Variable checkedVar, Operand access |
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+      readsVariable(access.getDef(), checkedVar)
+    )
+    or
+    // Block flow to any binary instruction whose operands are both non-constants.
+    exists(BinaryInstruction iTo |
+      iTo = node.asInstruction() and
+      not constantInstruction(iTo.getLeft()) and
+      not constantInstruction(iTo.getRight()) and
+      // propagate taint from either the pointer or the offset, regardless of constantness
+      not iTo instanceof PointerArithmeticInstruction
+    )
   }
 }
 
-from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
+module Flow = TaintTracking::Global<Config>;
+
+from
+  Expr e, string effect, Flow::PathNode source, Flow::PathNode sink, Operation op, string sourceType
 where
-  taintedWithPath(origin, e, sourceNode, sinkNode) and
-  op.getAnOperand() = e and
+  Flow::flowPath(source, sink) and
+  isSource(source.getNode(), sourceType) and
+  isSink(sink.getNode(), op, e) and
   missingGuard(op, e, effect)
-select e, sourceNode, sinkNode,
+select e, source, sink,
   "$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
-  origin, "User-provided value"
+  source, sourceType

cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -43,6 +43,11 @@ edges
 | test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | (reference to) |
 | test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | (reference to) |
 | test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | (reference dereference) |
+| test.cpp:237:12:237:17 | call to alloca | test.cpp:237:12:237:17 | call to alloca |
+| test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p |
+| test.cpp:249:13:249:20 | call to strndupa | test.cpp:249:13:249:20 | call to strndupa |
+| test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | s2 |
+| test.cpp:250:9:250:10 | s2 | test.cpp:250:9:250:10 | (void *)... |
 nodes
 | test.cpp:17:9:17:11 | & ... | semmle.label | & ... |
 | test.cpp:17:10:17:11 | mc | semmle.label | mc |
@@ -101,6 +106,14 @@ nodes
 | test.cpp:190:10:190:13 | (reference dereference) | semmle.label | (reference dereference) |
 | test.cpp:190:10:190:13 | (reference to) | semmle.label | (reference to) |
 | test.cpp:190:10:190:13 | pRef | semmle.label | pRef |
+| test.cpp:237:12:237:17 | call to alloca | semmle.label | call to alloca |
+| test.cpp:237:12:237:17 | call to alloca | semmle.label | call to alloca |
+| test.cpp:238:9:238:9 | p | semmle.label | p |
+| test.cpp:245:9:245:15 | call to strdupa | semmle.label | call to strdupa |
+| test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa |
+| test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa |
+| test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... |
+| test.cpp:250:9:250:10 | s2 | semmle.label | s2 |
 #select
 | test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
 | test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
@@ -115,3 +128,6 @@ nodes
 | test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
 | test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
 | test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |
+| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca |
+| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa |
+| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected

@@ -229,4 +229,23 @@ int* id(int* px) {
 void f() {
   int x;
   int* px = id(&x); // GOOD
+}
+
+void *alloca(size_t);
+
+void* test_alloca() {
+	void* p = alloca(10);
+	return p; // BAD
+}
+
+char *strdupa(const char *);
+char *strndupa(const char *, size_t);
+
+char* test_strdupa(const char* s) {
+	return strdupa(s); // BAD
+}
+
+void* test_strndupa(const char* s, size_t size) {
+	char* s2 = strndupa(s, size);
+	return s2; // BAD
 }

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -1,23 +1,12 @@
 edges
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:24:73:27 | data | test.cpp:37:73:37:76 | data |
+| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:73:24:73:27 | data indirection |
 | test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | data indirection |
-subpaths
 nodes
-| test.cpp:37:73:37:76 | data | semmle.label | data |
 | test.cpp:37:73:37:76 | data indirection | semmle.label | data indirection |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:73:24:73:27 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
+subpaths
 #select
-| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv | call to getenv |
+| test.cpp:43:32:43:35 | data indirection | test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:43:32:43:35 | data indirection | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv indirection | an environment variable |