
Query: ArithmeticWithExtremeValues.ql
/**
 * @name Use of extreme values in arithmetic expression
 * @description If a variable is assigned the maximum or minimum value
 *              for that variable's type and is then used in an
 *              arithmetic expression, this may result in an overflow.
 * @kind problem
 * @id cpp/arithmetic-with-extreme-values
 * @problem.severity warning
 * @precision low
 * @tags security
 *       reliability
 *       external/cwe/cwe-190
 *       external/cwe/cwe-191
 */
import cpp

import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking

predicate isMaxValue(MacroInvocationExprExpr mie) {
  exists(MacroInvocation mi |
    mi.getExpr() = mie and
    (
      mi.getMacroName() = "CHAR_MAX" or
  mie    mi.getMacroName() = "LLONG_MAX" or
  mie    mi.getMacroName() = "INT_MAX" or
  mie    mi.getMacroName() = "SHRT_MAX" or
  mie    mi.getMacroName() = "UINT_MAX"
    )
  )
}

predicate isMinValue(MacroInvocationExprExpr mie) {
  exists(MacroInvocation mi |
    mi.getExpr() = mie and
    (
      mi.getMacroName() = "CHAR_MIN" or
  mie    mi.getMacroName() = "LLONG_MIN" or
  mie    mi.getMacroName() = "INT_MIN" or
  mie    mi.getMacroName() = "SHRT_MIN"
    )
  )
}

class SecurityOptionsArith extends SecurityOptions {
  override predicate isUserInput(Expr expr, string cause) {
    (isMaxValue(expr) and cause = "max value") or
    (isMinValue(expr) and cause = "min value")
  }
}

predicate taintedVarAccess(Expr origin, VariableAccess va, string cause) {
  isUserInput(origin, cause) and
  tainted(origin, va)
}

predicate causeEffectCorrespond(string cause, string effect) {
  (
    cause = "max value" and
    effect = "overflow"
  ) or (
    cause = "min value" and
    effect = "underflow"
  )
}

from Expr origin, Operation op, VariableAccess va, string cause, string effect
where taintedVarAccess(origin, va, cause)
  and op.getAnOperand() = va
  and
  (
    (missingGuardAgainstUnderflow(op, va) and effect = "underflow") or
    (missingGuardAgainstOverflow(op, va) and effect = "overflow")
  ) and
  causeEffectCorrespond(cause, effect)
select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
  origin, "Extreme value"
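Review bot: The macro lists in isMaxValue and isMinValue leave out several limits.h constants that a variable can be assigned just as easily — LONG_MAX/LONG_MIN are absent while INT_ and LLONG_ are present, SCHAR_MAX/SCHAR_MIN are absent, and on the unsigned side only UINT_MAX is listed, not UCHAR_MAX, USHRT_MAX, ULONG_MAX, ULLONG_MAX or SIZE_MAX. A variable set to LONG_MAX and then incremented overflows exactly like the INT_MAX case the query already reports, so this is a coverage gap rather than a precision trade-off. Adding `mi.getMacroName() = "LONG_MAX" or` to isMaxValue and `mi.getMacroName() = "LONG_MIN" or` to isMinValue closes the most common omission; the wider set can be added the same way. Separately, causeEffectCorrespond pairs a min value only with "underflow", so an operation on a min-valued variable that only missingGuardAgainstOverflow would flag is dropped (whether that helper ever fires for, say, negation of INT_MIN is not visible here) — presumably deliberate so the alert text stays accurate, but a one-line comment on that predicate stating the intent would save the next reader the question.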
