C++: How to precisely track data flow through specific class members via smart pointers

[mcc0612mcc0612]

Description of the issue

I'm trying to implement precise data flow tracking through a class that contains multiple pointer members when accessed via smart pointers (like std::unique_ptr). Specifically, I want to track the flow from a source pointer to only one specific member, without tainting other members.

Consider the following code:

class A {
public:
    A(int* a, int* b) : a_(a), b_(b) {}
    int* geta() {return a_;}
    int* getb() {return b_;}

private:
    int* a_;
    int* b_;
};

void test() {
    int* ux;
    *ux = 10;
    int* uy;
    *uy = 20;
    auto uptr = std::make_unique<A>(ux, uy); // Data flow from ux -> a_ and uy -> b_
    int* um = uptr->geta();
    int* un = uptr->getb();
    int uk = *um + *un;
}

int main() {
    test();
    return 0;
}

I've added a new taint edge as suggested in #5244:

private predicate uniqueTaintEdge(DataFlow::Node node1, DataFlow::Node node2) {
  // Given this assignment:
  // u_ptr->data = get_taint();
  // This case transfers flow from the assignment to `data` to `u_ptr`.
  node2.asPartialDefinition() =
    node1.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().(FieldAccess).getQualifier()
  or
  // Given this read:
  // read_taint(u_ptr->data);
  // This case transfers flow from `u_ptr.operator->()` to `data`.
  node1.asExpr() = node2.asExpr().(FieldAccess).getQualifier()
}

predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2){
  uniqueTaintEdge(node1, node2)
}

However, with this implementation, when I track the data flow from ux to um, both um and un are being tainted. I want to track only the specific flow path from ux to um (through a_), without tainting un (which should only be affected by uy through b_).
Is there any way to distinguish between different member paths ?

[rvermeulen]

Hi @mcc0612mcc0612,

Thanks for your question. It looks like our new dataflow implementation can track the correct values 10 and 20 up the add expression *um + *un;, but not to the individual operands for some reason. I will inquire about that.

[rvermeulen]

Hi @mcc0612mcc0612,

I re-tried with a very simple dataflow configuration using our new dataflow framework and we correctly track the values of the pointers up to their use in +.

Does that meet your goal?

/**
 * @kind path-problem
 */

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.dataflow.new.TaintTracking

module FlowConfig implements DataFlow::ConfigSig {

  predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof Literal
  }

  predicate isSink(DataFlow::Node sink) {
    any(AddExpr addExpr).getAnOperand() = sink.asExpr()
  }

}

module Flow = TaintTracking::Global<FlowConfig>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink, source, sink, "Flow"

[mcc0612mcc0612]

Thanks for your reply! But the result I got from your query seemingly only works well for raw pointer. It fail to find the taint flow from literal to access of unique pointer in AddExpr.

[rvermeulen]

How are you building the database for your example?

In my example you can see we track the assignment to the fields (e.g., 10 to a_ through the constructor of A) and track it with the unique pointer all the way until we access the field a_ again through uptr->geta() up to the operand in +.

So we track 10 all the way to *um (and similar for 20 to un).

This is only possible when we can observe the contents of memory that has the definitions of make_unique.

[mcc0612mcc0612]

My taint flow flow stops at the initialier, without tainting the corresponding memeber value.
Could you please share how you built your CodeQL database for my example? I initally clang++ my_program.cpp simply, then I tried to delete .o and .so of libstdc++ and build together with my_program.cpp together when creating database, but both attempts all failed. I tried to run query from File f select f, f.getBaseName() and confirm that all the relevant header files are included in the database.
Really appreciate your help and patience!

[rvermeulen]

I created the database of your example in test.cpp using codeql database create -l cpp -s . -c 'clang++ -fsyntax-only test.cpp' test-db

[mcc0612mcc0612]

I could reproduce your result on OSX but failed on Linux. This issue appears to be related to the database creation process, because after I copied the database created on my MacBook to my remote Linux server, the result was correct! However, I'm still confused why the database I created directly on Linux doesn't work properly. My environment: Clang version 14.0.0-1ubuntu1.1, Ubuntu version 22.04, and the latest version of CodeQL."

This is build-tracer log for the database I created on Linux build-tracer.log. Really appreaciate your help.

[mcc0612mcc0612]

I succeeded when change my c++ stand library with clang++ -fsyntax-only -stdlib=libc++ only_unique_test.cpp' on Linux and it worked. Could it be because CodeQL does not support global tracking for the libstdc++ library?

[rvermeulen]

Peeking in https://github.com/github/codeql/tree/main/cpp/ql/lib/ext and https://github.com/github/codeql/tree/main/cpp/ql/lib/semmle/code/cpp/models/implementations I would say our summarization does indeed not contain the full libstdc++ library.