
CodeQL C Taint Analysis #13499

Answered by MathiasVP
F1o0T asked this question in Q&A
Jun 19, 2023 · 1 comments · 1 reply
Hi @xreinheitx,

The flow in the second example isn't reported because we're only seeing a read of the address of len1 with no preceding write. So in order to get flow in this example you need to add an additional taint step to your taint configuration like:

override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
  exists(FieldAccess fa |
    // flow from the qualifier
    n1.asExpr() = fa.getQualifier() and
    // to the result of the field access
    n2.asExpr() = fa and
    // when we're accessing the `len1` field
    fa.getTarget().hasName("len1") and
    // on a struct of type `s_tls` (or `s_tls*` or `s_tls&`, etc.)
    fa.getQualifier().getUnspecifiedType().s…

Answer selected by F1o0T
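A complete query built around the extra step in the answer, added here as an illustration; it is not MathiasVP's code and not part of the CodeQL repository. It keeps the answer's field name `len1` and struct name `s_tls`, and assumes a hypothetical source function `parse_tls_record()` that returns a pointer to an attacker-controlled `struct s_tls`, with the length argument of `memcpy` as the sink. The type check finishes the answer's truncated line with `stripType()`, which is an assumption about what that line contained. It uses the class-based `TaintTracking::Configuration` API the answer's `override predicate` is written against, on top of the IR data-flow library for C/C++.

```ql
/**
 * @name Network-controlled struct field used as memcpy length (added example)
 * @description Taint from the result of a hypothetical parse_tls_record() reaches
 *              the length argument of memcpy through a read of the len1 field.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/s-tls-len1-to-memcpy
 */

import cpp
import semmle.code.cpp.ir.dataflow.DataFlow
import semmle.code.cpp.ir.dataflow.TaintTracking
import DataFlow::PathGraph

/*
 * Constructed C shape this query is meant to catch (not code from the thread):
 *
 *   struct s_tls *r = parse_tls_record(fd);   // whole struct is attacker data
 *   memcpy(out, r->payload, r->len1);         // len1 is read, never written here
 *
 * Without the extra step, taint stops at `r`: the library only carries taint
 * into `r->len1` when it has seen a matching write to that field.
 */

/** Holds if `fa` reads `len1` on a value of type `s_tls` (or pointer/reference to it). */
predicate isLen1Read(FieldAccess fa) {
  fa.getTarget().hasName("len1") and
  // assumption: stripType() removes pointers, references, typedefs and specifiers,
  // so `s_tls`, `s_tls *` and `const s_tls &` qualifiers all match
  fa.getQualifier().getUnspecifiedType().stripType().getName() = "s_tls"
}

class TaintedLen1Config extends TaintTracking::Configuration {
  TaintedLen1Config() { this = "TaintedLen1Config" }

  /** Source: the return value of the hypothetical parser. */
  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasName("parse_tls_record")
  }

  /** Sink: the third (length) argument of memcpy. */
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall cpy |
      cpy.getTarget().hasName("memcpy") and
      sink.asExpr() = cpy.getArgument(2)
    )
  }

  /** Extra step: a tainted qualifier taints the `len1` field read on it. */
  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
    exists(FieldAccess fa |
      isLen1Read(fa) and
      n1.asExpr() = fa.getQualifier() and
      n2.asExpr() = fa
    )
  }
}

from TaintedLen1Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "memcpy length comes from field len1 of a struct returned by $@.", source.getNode(),
  "parse_tls_record"
```

The step is deliberately narrow: it only fires for `len1` on `s_tls`, so it does not make every field of every tainted struct tainted, which would flood the results. If the struct is filled in by reference instead of returned (for example `recv(fd, &rec, sizeof rec, 0)`), the source is the argument that the call defines, selected with `source.asDefiningArgument()` rather than `asExpr()`, and the qualifier the step matches is then whatever node the library uses for the later read of `rec`; check that against the data-flow library version in use before relying on it.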