Merge branch 'main' into post-release-prep/codeql-cli-2.16.2

Author: dbartol

cpp/ql/lib/change-notes/2024-02-06-flow-out-barrier-function.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added an abstract class `FlowOutBarrierFunction` that can be used to block flow out of a function.

cpp/ql/lib/semmle/code/cpp/exprs/Assignment.qll

@@ -244,9 +244,15 @@ class ConditionDeclExpr extends Expr, @condition_decl {
 
   /**
    * Gets the compiler-generated variable access that conceptually occurs after
-   * the initialization of the declared variable.
+   * the initialization of the declared variable, if any.
    */
-  VariableAccess getVariableAccess() { result = this.getChild(0) }
+  VariableAccess getVariableAccess() { result = this.getExpr() }
+
+  /**
+   * Gets the expression that is evaluated after the initialization of the declared
+   * variable.
+   */
+  Expr getExpr() { result = this.getChild(0) }
 
   /**
    * Gets the expression that initializes the declared variable. This predicate

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -2,8 +2,11 @@ private import codeql.ssa.Ssa as SsaImplCommon
 private import semmle.code.cpp.ir.IR
 private import DataFlowUtil
 private import DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 private import semmle.code.cpp.models.interfaces.DataFlow as DataFlow
+private import semmle.code.cpp.models.interfaces.FlowOutBarrier as FOB
+private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs as FIO
 private import semmle.code.cpp.ir.internal.IRCppLanguage
 private import DataFlowPrivate
 private import ssa0.SsaInternals as SsaInternals0
@@ -784,10 +787,30 @@ private Node getAPriorDefinition(SsaDefOrUse defOrUse) {
   )
 }
 
+/**
+ * Holds if there should not be use-use flow out of `n` (or a conversion that
+ * flows to `n`).
+ */
+private predicate modeledFlowBarrier(Node n) {
+  exists(FIO::FunctionInput input, CallInstruction call |
+    call.getStaticCallTarget().(FOB::FlowOutBarrierFunction).isFlowOutBarrier(input) and
+    n = callInput(call, input)
+  )
+  or
+  exists(Operand operand, Instruction instr, Node n0, int indirectionIndex |
+    modeledFlowBarrier(n0) and
+    nodeHasInstruction(n0, instr, indirectionIndex) and
+    conversionFlow(operand, instr, false, _) and
+    nodeHasOperand(n, operand, indirectionIndex)
+  )
+}
+
 /** Holds if there is def-use or use-use flow from `nodeFrom` to `nodeTo`. */
 predicate ssaFlow(Node nodeFrom, Node nodeTo) {
   exists(Node nFrom, boolean uncertain, SsaDefOrUse defOrUse |
-    ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and nodeFrom != nodeTo
+    ssaFlowImpl(defOrUse, nFrom, nodeTo, uncertain) and
+    not modeledFlowBarrier(nFrom) and
+    nodeFrom != nodeTo
   |
     if uncertain = true then nodeFrom = [nFrom, getAPriorDefinition(defOrUse)] else nodeFrom = nFrom
   )

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll

@@ -233,20 +233,6 @@ private module Cached {
     )
   }
 
-  /**
-   * Holds if the partial operand of this `ChiInstruction` updates the bit range
-   * `[startBitOffset, endBitOffset)` of the total operand.
-   */
-  cached
-  predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBitOffset, int endBitOffset) {
-    exists(Alias::MemoryLocation location, OldInstruction oldInstruction |
-      oldInstruction = getOldInstruction(chi.getPartial()) and
-      location = Alias::getResultMemoryLocation(oldInstruction) and
-      startBitOffset = Alias::getStartBitOffset(location) and
-      endBitOffset = Alias::getEndBitOffset(location)
-    )
-  }
-
   /**
    * Holds if `operand` totally overlaps with its definition and consumes the bit range
    * `[startBitOffset, endBitOffset)`.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll

@@ -202,12 +202,6 @@ Instruction getMemoryOperandDefinition(
   none()
 }
 
-/**
- * Holds if the partial operand of this `ChiInstruction` updates the bit range
- * `[startBitOffset, endBitOffset)` of the total operand.
- */
-predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBit, int endBit) { none() }
-
 /**
  * Holds if the operand totally overlaps with its definition and consumes the
  * bit range `[startBitOffset, endBitOffset)`.

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -3173,7 +3173,7 @@ class TranslatedConditionDeclExpr extends TranslatedNonConstantExpr {
   private TranslatedConditionDecl getDecl() { result = getTranslatedConditionDecl(expr) }
 
   private TranslatedExpr getConditionExpr() {
-    result = getTranslatedExpr(expr.getVariableAccess().getFullyConverted())
+    result = getTranslatedExpr(expr.getExpr().getFullyConverted())
   }
 }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll

@@ -2125,13 +2125,6 @@ class ChiInstruction extends Instruction {
    */
   final Instruction getPartial() { result = this.getPartialOperand().getDef() }
 
-  /**
-   * Gets the bit range `[startBit, endBit)` updated by the partial operand of this `ChiInstruction`, relative to the start address of the total operand.
-   */
-  final predicate getUpdatedInterval(int startBit, int endBit) {
-    Construction::getIntervalUpdatedByChi(this, startBit, endBit)
-  }
-
   /**
    * Holds if the `ChiPartialOperand` totally, but not exactly, overlaps with the `ChiTotalOperand`.
    * This means that the `ChiPartialOperand` will not override the entire memory associated with the

cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll

@@ -233,20 +233,6 @@ private module Cached {
     )
   }
 
-  /**
-   * Holds if the partial operand of this `ChiInstruction` updates the bit range
-   * `[startBitOffset, endBitOffset)` of the total operand.
-   */
-  cached
-  predicate getIntervalUpdatedByChi(ChiInstruction chi, int startBitOffset, int endBitOffset) {
-    exists(Alias::MemoryLocation location, OldInstruction oldInstruction |
-      oldInstruction = getOldInstruction(chi.getPartial()) and
-      location = Alias::getResultMemoryLocation(oldInstruction) and
-      startBitOffset = Alias::getStartBitOffset(location) and
-      endBitOffset = Alias::getEndBitOffset(location)
-    )
-  }
-
   /**
    * Holds if `operand` totally overlaps with its definition and consumes the bit range
    * `[startBitOffset, endBitOffset)`.

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -3,6 +3,7 @@ private import implementations.Deallocation
 private import implementations.Fread
 private import implementations.Getenv
 private import implementations.Gets
+private import implementations.GetText
 private import implementations.IdentityFunction
 private import implementations.Inet
 private import implementations.Iterator

cpp/ql/lib/semmle/code/cpp/models/implementations/GetText.qll

@@ -0,0 +1,33 @@
+import semmle.code.cpp.models.interfaces.DataFlow
+
+/**
+ * Returns the transated text index for a given gettext function `f`
+ */
+private int getTextArg(Function f) {
+  // basic variations of gettext
+  f.hasGlobalOrStdName("gettext") and result = 0
+  or
+  f.hasGlobalOrStdName("dgettext") and result = 1
+  or
+  f.hasGlobalOrStdName("dcgettext") and result = 1
+  or
+  // plural variations of gettext that take one format string for singular and another for plural form
+  f.hasGlobalOrStdName("ngettext") and
+  (result = 0 or result = 1)
+  or
+  f.hasGlobalOrStdName("dngettext") and
+  (result = 1 or result = 2)
+  or
+  f.hasGlobalOrStdName("dcngettext") and
+  (result = 1 or result = 2)
+}
+
+class GetTextFunction extends DataFlowFunction {
+  int argInd;
+
+  GetTextFunction() { argInd = getTextArg(this) }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(argInd) and output.isReturnValueDeref()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/Swap.qll

@@ -1,14 +1,15 @@
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.FlowOutBarrier
 
 /**
  * The standard function `swap`. A use of `swap` looks like this:
  * ```
  * std::swap(obj1, obj2)
  * ```
  */
-private class Swap extends DataFlowFunction {
+private class Swap extends DataFlowFunction, FlowOutBarrierFunction {
   Swap() { this.hasQualifiedName(["std", "bsl"], "swap") }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -18,6 +19,8 @@ private class Swap extends DataFlowFunction {
     input.isParameterDeref(1) and
     output.isParameterDeref(0)
   }
+
+  override predicate isFlowOutBarrier(FunctionInput input) { input.isParameterDeref([0, 1]) }
 }
 
 /**
@@ -26,7 +29,9 @@ private class Swap extends DataFlowFunction {
  * obj1.swap(obj2)
  * ```
  */
-private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
+private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction,
+  FlowOutBarrierFunction
+{
   MemberSwap() {
     this.hasName("swap") and
     this.getNumberOfParameters() = 1 and
@@ -47,4 +52,8 @@ private class MemberSwap extends TaintFunction, MemberFunction, AliasFunction {
   override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
 
   override predicate parameterIsAlwaysReturned(int index) { index = 0 }
+
+  override predicate isFlowOutBarrier(FunctionInput input) {
+    input.isQualifierObject() or input.isParameterDeref(0)
+  }
 }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowOutBarrier.qll

@@ -0,0 +1,26 @@
+/**
+ * Provides an abstract class for blocking flow out of functions. To use this
+ * QL library, create a QL class extending `FlowOutBarrierFunction` with a
+ * characteristic predicate that selects the function or set of functions you
+ * are modeling. Within that class, override the predicates provided by
+ * `FlowOutBarrierFunction` to match the flow within that function.
+ */
+
+import semmle.code.cpp.Function
+import FunctionInputsAndOutputs
+
+/**
+ * A library function for which flow should not continue after reaching one
+ * of its inputs.
+ *
+ * For example, since `std::swap(a, b)` swaps the values pointed to by `a`
+ * and `b` there should not be use-use flow out of `a` or `b`.
+ */
+abstract class FlowOutBarrierFunction extends Function {
+  /**
+   * Holds if use-use flow should not continue onwards after reaching
+   * the argument, qualifier, or buffer represented by `input`.
+   */
+  pragma[nomagic]
+  abstract predicate isFlowOutBarrier(FunctionInput input);
+}

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -16,6 +16,7 @@
  */
 
 import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.models.implementations.GetText
 import semmle.code.cpp.commons.Printf
 
 // For the following `...gettext` functions, we assume that
@@ -26,30 +27,21 @@ predicate whitelistFunction(Function f, int arg) {
   // basic variations of gettext
   f.getName() = "_" and arg = 0
   or
-  f.getName() = "gettext" and arg = 0
-  or
-  f.getName() = "dgettext" and arg = 1
-  or
-  f.getName() = "dcgettext" and arg = 1
-  or
-  // plural variations of gettext that take one format string for singular and another for plural form
-  f.getName() = "ngettext" and
-  (arg = 0 or arg = 1)
-  or
-  f.getName() = "dngettext" and
-  (arg = 1 or arg = 2)
-  or
-  f.getName() = "dcngettext" and
-  (arg = 1 or arg = 2)
+  exists(FunctionInput input |
+    f.(GetTextFunction).hasDataFlow(input, _) and
+    input.isParameterDeref(arg)
+  )
 }
 
-// we assume that ALL uses of the `_` macro
+// we assume that ALL uses of the `_` macro (and calls to `gettext`)
 // return constant string literals
 predicate underscoreMacro(Expr e) {
   exists(MacroInvocation mi |
     mi.getMacroName() = "_" and
     mi.getExpr() = e
   )
+  or
+  e = any(GetTextFunction gettext).getACallToThisFunction()
 }
 
 /**

cpp/ql/src/change-notes/2024-02-05-gettext-dataflows.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow models for the `gettext` function variants. 

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -303,6 +303,12 @@ irFlow
 | test.cpp:914:46:914:53 | source | test.cpp:919:10:919:30 | global_pointer_static |
 | test.cpp:915:57:915:76 | *indirect_source(1) | test.cpp:921:19:921:50 | *global_pointer_static_indirect_1 |
 | test.cpp:932:23:932:28 | call to source | test.cpp:937:10:937:24 | * ... |
+| test.cpp:958:18:958:32 | *call to indirect_source | test.cpp:961:19:961:28 | *translated |
+| test.cpp:973:18:973:32 | *call to indirect_source | test.cpp:977:19:977:28 | *translated |
+| test.cpp:994:18:994:32 | *call to indirect_source | test.cpp:999:19:999:28 | *translated |
+| test.cpp:994:18:994:32 | *call to indirect_source | test.cpp:1003:19:1003:28 | *translated |
+| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1027:19:1027:28 | *translated |
+| test.cpp:1021:18:1021:32 | *call to indirect_source | test.cpp:1031:19:1031:28 | *translated |
 | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |