Skip to content

C++: Missing return-value check for scanf-like functions #1076 #10033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 17 commits into from
Closed

C++: Missing return-value check for scanf-like functions #1076 #10033

wants to merge 17 commits into from

Conversation

d10c
Copy link
Contributor

@d10c d10c commented Aug 12, 2022

  • Update .gitignore for .vscode/*.log temporaries
  • C++: Add test and placeholder query.
  • C++: First working. We now prefer flagging the cases where the variable was initialized, as in real world cases we haven't seen it done safely.
  • Add more (false-negative) MissingCheckScanf tests
  • Add more MissingCheckScanf test cases

d10c and others added 3 commits August 11, 2022 12:18
@d10c
Update .gitignore for .vscode/*.log temporaries
94c43c0 
These keep getting added, by the Makefile extension I believe.
@geoffw0 @d10c
C++: Add test and placeholder query.
76ef779
@geoffw0 @d10c
C++: First working. We now prefer flagging the cases where the variab…
c62ae3b 
…le was initialized, as in real world cases we haven't seen it done safely.
@github-actions github-actions bot added the C++ label Aug 12, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 12, 2022
View reviewed changes
cpp/ql/src/Critical/MissingCheckScanf.ql Fixed
Comment on lines 1 to 19
/**
* @name TODO
* @description TODO
* @kind problem
* @problem.severity warning
* @security-severity TODO
* @precision TODO
* @id cpp/missing-check-scanf
* @tags TODO
*/

import cpp
import semmle.code.cpp.commons.Scanf

from ScanfFunction scanf, FunctionCall fc
where
fc.getTarget() = scanf and
fc instanceof ExprInVoidContext
select fc, "This is a call to scanf."

Check warning

Code scanning / CodeQL

Missing security metadata

This query file is missing a `@tag security`.
@d10c d10c changed the title New query: Missing return-value check for scanf-like functions #1076 C++: New query: Missing return-value check for scanf-like functions #1076 Aug 12, 2022
@d10c d10c changed the title C++: New query: Missing return-value check for scanf-like functions #1076 C++: Missing return-value check for scanf-like functions #1076 Aug 12, 2022
@d10c d10c force-pushed the missing-check-scanf branch from d999e0e to 3e71ef2 Compare August 12, 2022 11:31
@d10c
WIP: ScanfOutput.getAnAccess() returns all immediate use()s.
c7db7ec 
Also, include a couple of other test cases for related corner cases,
namely, to catch stores-before-uses and another case of aliasing.
geoffw0
geoffw0 reviewed Aug 16, 2022
View reviewed changes
@d10c
WIP: Full-featured query
a7f46e8 
Still needs to be tested further. But currently returns results on
the `unbit/uwsgi` database: see https://github.com/github/semmle-code/actions/runs/2868369365
d10c added 7 commits August 17, 2022 16:26
@d10c
WIP: More test cases, including False Positives
28331a5
@d10c
.clang-format: do not autoformat test.cpp
b380e9a
@d10c
WIP: Eliminated the _scanf_l false positive
9b4b7cb
@d10c
WIP: Fix the %n-related False Positive
ea033f5
@d10c
WIP: Add test for loop-related False Positive
db04f77 
The problem with the current query is that instructions can be in a
cycle, so the scanf argument itself is viewed as an unguarded use.
@d10c
WIP: Fix loop-related False Positive
f7800f2
@d10c
WIP: Added a test case exercising the last uwsgi FP
0132865 
The other problem is that this query is slow on a real database, like
unbit/uwsgi. Particularly during the step called:

ScanfOutput::getASubsequentSameValuedInstruction#dispred#f0820431#ff#antijoin_rhs#2

Perhaps it can be optimized further.
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 17, 2022
View reviewed changes
@d10c
Copy link
Contributor Author

d10c commented Aug 18, 2022

TODO: Remove a Cartesian Product! This query can run for hours and run out of space:

https://github.com/github/semmle-code/runs/7886119315?check_suite_focus=true#step:6:54

The offender is getASubsequentSameValuedInstruction.

d10c added 4 commits August 18, 2022 15:12
@d10c
WIP: use explicit this. in method calls
230f411 
To quiet the QL-on-QL "implicit this" warnings.
@d10c
WIP: Fix bad join order.
63a64ee 
Offender: getASameValuedInstruction

This reduced its runtime on unbit/uwsgi from 1+min to 10ms.

Re-running MRVA top 100, and it still looks like there are a few DBs on
which it takes over 30 minutes to run this query. So further
optimization is warranted.
@d10c
WIP: Found another false positive via opencv/opencv
362980b
@d10c
WIP: Fixed the loop-related FP !!
0af6160 
The query is now shorter, simpler, more correct, and after some local
testing, faster.

MRVA top 100 and DCA runs pending.
@d10c
Copy link
Contributor Author

d10c commented Aug 23, 2022

MRVA top 10 run as of this commit: https://github.com/github/semmle-code/actions/runs/2914985782
MRVA top 100 run as of this commit: https://github.com/github/semmle-code/actions/runs/2915212812

@d10c d10c mentioned this pull request Aug 24, 2022
Merged
@d10c
Copy link
Contributor Author

d10c commented Aug 24, 2022

Superceded by squashed PR #10163

@d10c d10c closed this Aug 24, 2022
@d10c d10c deleted the missing-check-scanf branch September 22, 2022 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoffw0 geoffw0 geoffw0 left review comments

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees
No one assigned
Labels
C++
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@d10c @geoffw0