Skip to content

CPP: Add query for CWE-190: Integer Overflow or Wraparound when using transform after operation #8247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Mar 7, 2022
Merged

CPP: Add query for CWE-190: Integer Overflow or Wraparound when using transform after operation #8247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
3d1f4d5
Merge pull request #1 from github/main
ihsinme Feb 25, 2022
74f8145
Add files via upload
ihsinme Feb 25, 2022
ffdca61
Add files via upload
ihsinme Feb 25, 2022
c6083a6
Apply suggestions from code review
ihsinme Mar 1, 2022
bc22b9b
Update test.cpp
ihsinme Mar 1, 2022
f5267ba
Update DangerousUseOfTransformationAfterOperation.qhelp
ihsinme Mar 2, 2022
9e76260
Update DangerousUseOfTransformationAfterOperation.ql
ihsinme Mar 2, 2022
b32be69
Update DangerousUseOfTransformationAfterOperation.expected
ihsinme Mar 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
...
vUnsignedLong = (unsigned long)(vUnsignedInt*vUnsignedInt); // BAD
...
vUnsignedLong = ((unsigned long)vUnsignedInt*vUnsignedInt); // GOOD
...
24 changes: 24 additions & 0 deletions ...ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Search for places where the result of the multiplication is subjected to explicit conversion, not the arguments. Therefore, during the multiplication period, you can lose meaningful data.</p>


</overview>

<example>
<p>The following example demonstrates erroneous and fixed methods for working with type conversion.</p>
<sample src="DangerousUseOfTransformationAfterOperation.cpp" />

</example>
<references>

<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/INT30-C.+Ensure+that+unsigned+integer+operations+do+not+wrap">INT30-C. Ensure that unsigned integer operations do not wrap</a>.
</li>

</references>
</qhelp>
102 changes: 102 additions & 0 deletions cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
/**
* @name Dangerous use of transformation after operation.
* @description By using the transformation after the operation, you are doing a pointless and dangerous action.
* @kind problem
* @id cpp/dangerous-use-of-transformation-after-operation
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-190
*/

import cpp

/** Returns the number of the expression in the function call arguments. */
int argumentPosition(FunctionCall fc, Expr exp, int n) {
n in [0 .. fc.getNumberOfArguments() - 1] and
fc.getArgument(n) = exp and
result = n
}

/** Holds if a nonsensical type conversion situation is found. */
predicate conversionDoneLate(MulExpr mexp) {
exists(Expr e1, Expr e2 |
mexp.hasOperands(e1, e2) and
not e1.isConstant() and
not e1.hasConversion() and
not e1.hasConversion() and
(
e2.isConstant() or
not e2.hasConversion()
) and
mexp.getConversion().hasExplicitConversion() and
mexp.getConversion() instanceof ParenthesisExpr and
mexp.getConversion().getConversion() instanceof CStyleCast and
mexp.getConversion().getConversion().getType().getSize() > mexp.getType().getSize() and
mexp.getConversion().getConversion().getType().getSize() > e2.getType().getSize() and
mexp.getConversion().getConversion().getType().getSize() > e1.getType().getSize() and
exists(Expr e0 |
e0.(AssignExpr).getRValue() = mexp.getParent*() and
e0.(AssignExpr).getLValue().getType().getSize() =
mexp.getConversion().getConversion().getType().getSize()
or
mexp.getEnclosingElement().(ComparisonOperation).hasOperands(mexp, e0) and
e0.getType().getSize() = mexp.getConversion().getConversion().getType().getSize()
or
e0.(FunctionCall)
.getTarget()
.getParameter(argumentPosition(e0.(FunctionCall), mexp, _))
.getType()
.getSize() = mexp.getConversion().getConversion().getType().getSize()
)
)
}

/** Holds if the situation of a possible signed overflow used in pointer arithmetic is found. */
predicate signSmallerWithEqualSizes(MulExpr mexp) {
exists(Expr e1, Expr e2 |
mexp.hasOperands(e1, e2) and
not e1.isConstant() and
not e1.hasConversion() and
not e1.hasConversion() and
(
e2.isConstant() or
not e2.hasConversion()
) and
mexp.getConversion+().getUnderlyingType().getSize() = e1.getUnderlyingType().getSize() and
(
e2.isConstant() or
mexp.getConversion+().getUnderlyingType().getSize() = e2.getUnderlyingType().getSize()
) and
mexp.getConversion+().getUnderlyingType().getSize() = e1.getUnderlyingType().getSize() and
exists(AssignExpr ae |
ae.getRValue() = mexp.getParent*() and
ae.getRValue().getUnderlyingType().(IntegralType).isUnsigned() and
ae.getLValue().getUnderlyingType().(IntegralType).isSigned() and
(
not exists(DivExpr de | mexp.getParent*() = de)
or
exists(DivExpr de, Expr ec |
e2.isConstant() and
de.hasOperands(mexp.getParent*(), ec) and
ec.isConstant() and
e2.getValue().toInt() > ec.getValue().toInt()
)
) and
exists(PointerAddExpr pa |
ae.getASuccessor+() = pa and
pa.getAnOperand().(VariableAccess).getTarget() = ae.getLValue().(VariableAccess).getTarget()
)
)
)
}

from MulExpr mexp, string msg
where
conversionDoneLate(mexp) and
msg = "This transformation is applied after multiplication."
or
signSmallerWithEqualSizes(mexp) and
msg = "Possible signed overflow followed by offset of the pointer out of bounds."
select mexp, msg
4 changes: 4 additions & 0 deletions ...rousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
| test.cpp:9:8:9:12 | ... * ... | Possible signed overflow followed by offset of the pointer out of bounds. |
| test.cpp:13:24:13:28 | ... * ... | This transformation is applied after multiplication. |
| test.cpp:16:28:16:32 | ... * ... | This transformation is applied after multiplication. |
| test.cpp:19:22:19:26 | ... * ... | This transformation is applied after multiplication. |
1 change: 1 addition & 0 deletions ...ngerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
23 changes: 23 additions & 0 deletions ...ntal/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
void testCall (unsigned long);
void functionWork(char aA[10],unsigned int aUI) {

unsigned long aL;
char *aP;
int aI;

aI = (aUI*8)/10; // GOOD
aI = aUI*8; // BAD
aP = aA+aI;
aI = (int)aUI*8; // GOOD

aL = (unsigned long)(aI*aI); // BAD
aL = ((unsigned long)aI*aI); // GOOD

testCall((unsigned long)(aI*aI)); // BAD
testCall(((unsigned long)aI*aI)); // GOOD

if((unsigned long)(aI*aI) > aL) // BAD
return;
if(((unsigned long)aI*aI) > aL) // GOOD
return;
}