[C++] Alias analysis failure on pointer to local variable

[JustusAdam]

Assigning to a local variable though a pointer appears to defeat the taint tracking. In the following example I would have expected to see a taint flow from line 16 to 17 but only the one from line 19 to 20 is reported. The taint seems to not propagate through the pointer correctly.

int source()
{
    return 2;
}

int target(int source)
{
    return source;
}
int main(int argv, char **argc)
{
    int a;
    int *c = &a;
    *c = source();
    target(a); // not detected as reached

    a = source();
    target(a); // detected as reached

    return 0;
}

This is the query I ran.

import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

module SourceSinkCallConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(Call).getTarget().getName() = "source"
  }

  predicate isSink(DataFlow::Node sink) {
    exists(Call call |
      call.getTarget().getName() = "target" and
      call.getArgument(0) = sink.asExpr()
    )
  }
}

module SourceSinkCallTaint = TaintTracking::Global<SourceSinkCallConfig>;

from DataFlow::Node source, DataFlow::Node sink, int source_line, int sink_line
where
  SourceSinkCallTaint::flow(source, sink) and
  source_line = source.getLocation().getStartLine() and
  sink_line = sink.getLocation().getStartLine()
select source, source_line, sink, sink_line

This is the output I received.

|     source     | source_line | sink | sink_line |
+----------------+-------------+------+-----------+
| call to source |          19 | a    |        20 |

CodeQL version: 2.19.3

[redsun82]

Hi @JustusAdam

Yes, we are aware of this limitation, which is one we are actively working on resolving. We might get that covered in the near future, though I cannot commit to any specific roadmap yet. Stay tuned 🙂