/**
* @name Fizz Overflow
 * @description Narrowing conversions of untrusted data (to a type of smaller
 * size) silently truncate the value and could enable an attacker to trigger an integer overflow.
* @kind path-problem
* @problem.severity warning
*/
import cpp
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.IR
import DataFlow::PathGraph
/**
 * Folly's byte-order conversion `Endian::big()`, which stands in for
 * `ntohs`/`ntohl`: its result is data that arrived from the network.
 *
 * Matched by member-function name and declaring-class name only; the
 * enclosing namespace is not checked, so a `big` member of any other
 * class called `Endian` would be treated as a source as well.
 */
class EndianConvert extends Function {
  EndianConvert() {
    exists(Class owner |
      owner = this.getDeclaringType() and
      owner.getName() = "Endian"
    ) and
    this.getName() = "big"
  }
}
/**
 * Taint-tracking configuration from the result of `Endian::big()` to a
 * narrowing conversion.
 *
 * Only `isSource` and `isSink` are overridden; no extra barrier or
 * sanitizer is declared here, so a value that was range-checked between
 * the source and the conversion is most likely still reported and the
 * results need manual triage.
 */
class Cfg extends TaintTracking::Configuration {
  Cfg() { this = "FizzOverflowIR" }

  /** Holds if `source` is the result of a call whose target is `Endian::big()`. */
  override predicate isSource(DataFlow::Node source) {
    exists(CallInstruction call, FunctionInstruction target |
      call = source.asInstruction() and
      target = call.getCallTarget() and
      target.getFunctionSymbol() instanceof EndianConvert
    )
  }

  /**
   * Holds if `sink` is a conversion whose result is strictly smaller than
   * its operand, i.e. a narrowing conversion that drops high-order bits.
   * Conversions between types of equal size (such as a signedness change)
   * are not sinks.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(ConvertInstruction conv |
      conv = sink.asInstruction() and
      conv.getUnary().getResultSize() > conv.getResultSize()
    )
  }
}
/*
 * Report each taint path from an `Endian::big()` call to a narrowing
 * conversion, naming the operand and result types in the alert message.
 */
from Cfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink, ConvertInstruction conv
where
  cfg.hasFlowPath(source, sink) and
  sink.getNode().asInstruction() = conv
select sink, source, sink,
  "Conversion of untrusted data from " + conv.getUnary().getResultType() + " to " +
    conv.getResultType() + "."