Merge pull request #5011 from ihsinme/ihsinme-patch-221

MathiasVP · web-flow · commit d3d56fb0af79 · 2021-02-04T14:25:27.000+01:00
CPP: add query for CWE-788 Access of memory location after the end of a buffer using strlen.
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c
@@ -0,0 +1,9 @@
+// BAD: if buffer does not have a terminal zero, then access outside the allocated memory is possible.
+
+buffer[strlen(buffer)] = 0;
+
+
+// GOOD: we will eliminate dangerous behavior if we use a different method of calculating the length. 
+size_t len;
+...
+buffer[len] = 0
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Potentially dangerous use of the strlen function to calculate the length of a string.
+The expression <code>buffer[strlen(buffer)] = 0</code> is potentially dangerous, if the variable buffer does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+If terminal zero is present, then the specified expression is meaningless.</p>
+
+<p>False positives include heavily nested strlen. This situation is unlikely.</p>
+
+</overview>
+<recommendation>
+
+<p>We recommend using another method for calculating the string length</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of the strlen function.</p>
+<sample src="AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string">STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -0,0 +1,34 @@
+/**
+ * @name Access Of Memory Location After End Of Buffer
+ * @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+ *              If terminal zero is present, then the specified expression is meaningless.
+ * @kind problem
+ * @id cpp/access-memory-location-after-end-buffer
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-788
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.dataflow.DataFlow
+
+from StrlenCall fc, AssignExpr expr, ArrayExpr exprarr
+where
+  exprarr = expr.getLValue() and
+  expr.getRValue().getValue().toInt() = 0 and
+  globalValueNumber(exprarr.getArrayOffset()) = globalValueNumber(fc) and
+  not exists(Expr exptmp |
+    (
+      DataFlow::localExprFlow(fc, exptmp) or
+      exptmp.getAChild*() = fc.getArgument(0).(VariableAccess).getTarget().getAnAccess()
+    ) and
+    dominates(exptmp, expr) and
+    postDominates(exptmp, fc) and
+    not exptmp.getEnclosingStmt() = fc.getEnclosingStmt() and
+    not exptmp.getEnclosingStmt() = expr.getEnclosingStmt()
+  ) and
+  globalValueNumber(fc.getArgument(0)) = globalValueNumber(exprarr.getArrayBase())
+select expr, "potential unsafe or redundant assignment."
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -0,0 +1,9 @@
+| test.c:42:3:42:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:43:3:43:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:44:3:44:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:45:3:45:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:46:3:46:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:47:3:47:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:48:3:48:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:49:3:49:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:50:3:50:50 | ... = ... | potential unsafe or redundant assignment. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -26,3 +26,48 @@ void workFunction_2_1(char *s) {
   strncat(buf, s, len-strlen(buf)-1); // GOOD
   strncat(buf, s, len-strlen(buf));  // GOOD
 }
+
+struct buffers
+{
+    unsigned char buff1[50];
+    unsigned char *buff2;
+} globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
+
+
+void badFunc0(){
+  unsigned char buff1[12];
+  struct buffers buffAll;
+  struct buffers * buffAll1;
+  
+  buff1[strlen(buff1)]=0; // BAD
+  buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
+  buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
+  buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
+  buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
+  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
+  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
+  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
+  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
+}
+void noBadFunc0(){
+  unsigned char buff1[12],buff1_c[12];
+  struct buffers buffAll,buffAll_c;
+  struct buffers * buffAll1,*buffAll1_c;
+  
+  buff1[strlen(buff1_c)]=0; // GOOD
+  buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
+  buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
+  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
+  buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
+  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
+  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
+  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
+  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
+}
+void goodFunc0(){
+  unsigned char buffer[12];
+  int i;
+  for(i = 0; i < 6; i++)
+    buffer[i] = 'A';
+  buffer[i]=0;
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql`