
Changing IntegerOverflowTainted.ql @kind to path-problem gives an execution error: “These should include at least an 'edges' result set” #19209

Closed
@ysuLihua

Description

@ysuLihua

I changed the `@kind` of IntegerOverflowTainted.ql to `path-problem`, like this:

/**
 * @name Uncontrolled allocation size
 * @description Allocating memory with a size controlled by an external user can result in
 *              arbitrary amounts of memory being allocated.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.1
 * @precision medium
 * @id cpp/integer-overflow-tainted
 * @tags reliability
 *       security
 *       external/cwe/cwe-190
 *       external/cwe/cwe-789
 */

 import cpp
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.controlflow.IRGuards
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.controlflow.IRGuards as IRGuards
 
 /**
  * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
  * taint sink.
  */
 predicate outOfBoundsExpr(Expr expr, string kind) {
  if convertedExprMightOverflowPositively(expr)
  then kind = "overflow"
  else
    if convertedExprMightOverflowNegatively(expr)
    then kind = "overflow negatively"
    else none()
 
  }

  predicate isSink(DataFlow::Node sink, string kind) {
    exists(Expr use |
      not use.getUnspecifiedType() instanceof PointerType and
      outOfBoundsExpr(use, kind) and
      not inSystemMacroExpansion(use) and
      use = sink.asExpr()
    )
  }


  predicate hasUpperBoundsCheck(Variable var) {
    exists(RelationalOperation oper, VariableAccess access |
      oper.getAnOperand() = access and
      access.getTarget() = var and
      // Comparing to 0 is not an upper bound check
      not oper.getAnOperand().getValue() = "0"
    )
  }
  
  predicate constantInstruction(Instruction instr) {
    instr instanceof ConstantInstruction or
    constantInstruction(instr.(UnaryInstruction).getUnary())
  }
  
  predicate readsVariable(LoadInstruction load, Variable var) {
    load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
  }
  
  predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
    exists(Instruction instr | instr = node.asInstruction() |
      readsVariable(instr, checkedVar) and
      any(IRGuards::IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
    )
  }
 
 predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
 module TaintedIntOverflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) {
    // Block flow if there's an upper bound check of the variable anywhere in the program
    exists(Variable checkedVar, Instruction instr | instr = node.asInstruction() |
      readsVariable(instr, checkedVar) and
      hasUpperBoundsCheck(checkedVar)
    )
    or
    // Block flow if the node is guarded by an equality check
    exists(Variable checkedVar, Operand access |
      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
      readsVariable(access.getDef(), checkedVar)
    )
    or
    // Block flow to any binary instruction whose operands are both non-constants.
    exists(BinaryInstruction iTo |
      iTo = node.asInstruction() and
      not constantInstruction(iTo.getLeft()) and
      not constantInstruction(iTo.getRight()) and
      // propagate taint from either the pointer or the offset, regardless of constantness
      not iTo instanceof PointerArithmeticInstruction
    )
  }
 }
 
 module TaintedIntOverflow = TaintTracking::Global<TaintedIntOverflowConfig>;
 
 from
   TaintedIntOverflow::PathNode source, TaintedIntOverflow::PathNode sink,
   string sourceType, string kind
 where
   isFlowSource(source.getNode(), sourceType) and
   TaintedIntOverflow::flowPath(source, sink) and
   isSink(sink.getNode(), kind)
 select sink.getNode(), source, sink, "message"
 

But executing the query gives an error. How can I resolve this problem?

Image
