/**
* @name Data flow from stack variable address
* @description This restricts results to those that are most likely to be
* dangerous: copying directly into a stack variable.
* @kind path-problem
* @problem.severity warning
* @id demo/msm/06-stackaddress-dataflow
*/
import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.dataflow.DataFlow
import DataFlow::PathGraph
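/**
 * Data-flow configuration that tracks the address of a local (stack)
 * variable to the destination argument of a `copy_from_user` call whose
 * size argument is not provably bounded by the destination's size.
 */
class Config extends DataFlow::Configuration {
  Config() { this = "copy_from_user" }

  /** Holds if `source` is an `&v` expression where `v` is a local variable. */
  override predicate isSource(DataFlow::Node source) {
    exists(LocalVariable v | source.asExpr().(AddressOfExpr).getOperand() = v.getAnAccess())
  }

  /**
   * Holds if `sink` is the destination (argument 0) of a `copy_from_user`
   * call and the destination's static size cannot be shown to be at least
   * the upper bound of the size argument (argument 2).
   */
  override predicate isSink(DataFlow::Node sink) {
    // This is the logic that was previously in the select clause of the query.
    exists(FunctionCall call, Expr destArg, Expr sizeArg, Type destType |
      call.getTarget().getName() = "copy_from_user" and
      destArg = sink.asExpr() and
      destArg = call.getArgument(0) and
      sizeArg = call.getArgument(2) and
      // Strip typedefs and cv-qualifiers first: otherwise a typedef'd or
      // const-qualified pointer/array fails both casts below, both `not`
      // clauses hold vacuously, and the size comparison is skipped entirely.
      destType = destArg.getType().getUnspecifiedType() and
      not destType.(PointerType).getBaseType().getSize() >= upperBound(sizeArg) and
      not destType.(ArrayType).getSize() >= upperBound(sizeArg)
    )
  }
}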
// This query looks specifically for cases where the address of a local
// variable is used as the destination address of a `copy_from_user` call.
// It also uses the DataFlow library, so that you can use the path viewer
// to see where the stack address comes from.
//
// The vulnerabilities are the final two results in `msm_cpp.c`.
// Report each flow path from a stack-variable address to a `copy_from_user`
// destination accepted by `Config.isSink`; the path-problem result columns
// are (sink, source, sink, message).
from Config cfg, DataFlow::PathNode src, DataFlow::PathNode dst
where cfg.hasFlowPath(src, dst)
select dst, src, dst, "possibly unsafe copy_from_user"