C++: stitch paths and ignore cast arrays in constant off-by-one query #13045

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

rdmarsh2 merged 12 commits into github:main from rdmarsh2:rdmarsh2/cpp/improve-constant-off-by-one

May 26, 2023

Contributor

rdmarsh2 commented May 4, 2023

This PR does two things - stitch the first and second data flow paths together to make reviewing results easier, and then fix a false positive where casts to a differently-sized type (e.g. int[] to char*) would result in false positives.

rdmarsh2 added 3 commits

May 4, 2023 16:28


          C++: stitch paths in array off-by-one query

3abf5d1


          C++: add case test for constant off-by-one query

d9665e1


          C++: ignore cast arrays in constant off-by-one query

b7653ec

rdmarsh2 requested a review from a team as a code owner

May 4, 2023 20:50

github-actions bot added the C++ label

MathiasVP reviewed

View reviewed changes

Contributor

MathiasVP left a comment

A couple of comments, but otherwise this LGTM once we have a successful DCA run

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated

+                  FieldAddressToPointerArithmeticFlow::flowPath(fieldSource, sink) and
+                  isFieldAddressSource(f, fieldSource.getNode()) and
+                  pai.getLeft() = sink.getNode().(DataFlow::InstructionNode).asInstruction() and
+                  pai.getElementSize() = f.getUnspecifiedType().(ArrayType).getBaseType().getSize() and

Contributor

MathiasVP May 5, 2023 •

edited

Loading

I think we should push the f.getUnspecifiedType() instanceof ArrayType conjunct into the FieldAddressToPointerArithmeticConfig::isSource predicate (or even better: into the isFieldAddressSource predicate) to get a smaller isSource predicate for the first dataflow traversal.

Thinking more about this: If we push the restriction saying that f.getUnspecifiedType() must be an ArrayType into the isSource predicate we can use a flow state to remember the size of the array. Does that not mean that we would be able to handle cases like the one you added:

char *charBuf = (char*) arr->buf;
charBuf[MAX_SIZE_BYTES] = 0;

then?


          C++: refactor off-by-one query to use flowstate

f77c77f

This was referenced May 10, 2023

C++: include stack-allocated arrays in off-by-one query #13116

Merged

C++: handle cast arrays properly in off-by-one query #13117

Merged

MathiasVP reviewed

View reviewed changes

Contributor

MathiasVP left a comment

I like this new approach, but I fear there's a potential performance problem with the current code.

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved


          C++: restrict flowstates in constant off-by-one query

584adf8

MathiasVP mentioned this pull request

C++: fix equality refinement in new range analysis #13226

Merged

rdmarsh2 added 2 commits

May 19, 2023 18:32


          C++: fix cxartesian product in constant off-by-one query

bf07b0f


          C++: autoformat

604affd

MathiasVP reviewed

View reviewed changes

Contributor

MathiasVP left a comment

A couple of small remaining things, but otherwise this LGTM!

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql Outdated Show resolved Hide resolved


          C++: remove unneeded pragma

4ed7450

MathiasVP previously approved these changes

View reviewed changes

Contributor

MathiasVP left a comment

LGTM once DCA shows that performance is fine. Although, it looks like the latest DCA run still shows some performance issues?

MathiasVP added 2 commits

May 24, 2023 16:02


          C++: Prune flow states based on 'PointerArithmeticToDerefConfig'.

64d7b49


          C++: Add in-barrier on sources to reduce duplication.

298013a

MathiasVP dismissed their stale review via

298013a

May 24, 2023 23:03


          Merge branch 'main' into rdmarsh2/cpp/improve-constant-off-by-one

ebc1d5f

Contributor

MathiasVP commented May 24, 2023

I've pushed two performance-related commits @rdmarsh2 to your branch. Feel free to modify them as you see fit. I'll start a DCA run to check the performance impact of them. Hopefully that's done by the time your day starts tomorrow 🤞.

github-advanced-security bot found potential problems

View reviewed changes

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

-                  size != 0 and
-                  size != 1
-                )
+              predicate pointerArithOverflow0(

Check warning

Code scanning / CodeQL

Candidate predicate not marked as `nomagic`

Candidate predicate to [pointerArithOverflow](1) is not marked as nomagic.


          C++: Also add an out barrier on all sinks.

c3fdc83

MathiasVP approved these changes

View reviewed changes

Contributor

MathiasVP left a comment

LGTM!

rdmarsh2 merged commit b2fb2aa into github:main

rdmarsh2 deleted the rdmarsh2/cpp/improve-constant-off-by-one branch

May 26, 2023 17:20

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

C++