|
| 1 | +/** |
| 2 | + * @name Fizz Overflow |
| 3 | + * @description Narrowing conversions on untrusted data could enable |
| 4 | + * an attacker to trigger an integer overflow. |
| 5 | + * @kind path-problem |
| 6 | + * @problem.severity warning |
| 7 | + */ |
| 8 | + |
| 9 | +import cpp |
| 10 | +import semmle.code.cpp.ir.dataflow.TaintTracking |
| 11 | +import semmle.code.cpp.ir.IR |
| 12 | +import DataFlow::PathGraph |
| 13 | + |
| 14 | +/** |
| 15 | + * The endianness conversion function `Endian::big()`. |
| 16 | + * It is Folly's replacement for `ntohs` and `ntohl`. |
| 17 | + */ |
| 18 | +class EndianConvert extends Function { |
| 19 | + EndianConvert() { |
| 20 | + this.getName() = "big" and |
| 21 | + this.getDeclaringType().getName().matches("Endian") |
| 22 | + } |
| 23 | +} |
| 24 | + |
| 25 | +class Cfg extends TaintTracking::Configuration { |
| 26 | + Cfg() { this = "FizzOverflowIR" } |
| 27 | + |
| 28 | + /** Holds if `source` is a call to `Endian::big()`. */ |
| 29 | + override predicate isSource(DataFlow::Node source) { |
| 30 | + source.(CallInstruction).getCallTarget().(FunctionInstruction).getFunctionSymbol() instanceof |
| 31 | + EndianConvert |
| 32 | + } |
| 33 | + |
| 34 | + /** Hold if `sink` is a narrowing conversion. */ |
| 35 | + override predicate isSink(DataFlow::Node sink) { |
| 36 | + sink.getResultSize() < sink.(ConvertInstruction).getUnary().getResultSize() |
| 37 | + } |
| 38 | +} |
| 39 | + |
| 40 | +from |
| 41 | + Cfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink, ConvertInstruction conv, |
| 42 | + Type inputType, Type outputType |
| 43 | +where |
| 44 | + cfg.hasFlowPath(source, sink) and |
| 45 | + conv = sink.getNode() and |
| 46 | + inputType = conv.getUnary().getResultType() and |
| 47 | + outputType = conv.getResultType() |
| 48 | +select sink, source, sink, |
| 49 | + "Conversion of untrusted data from " + inputType + " to " + outputType + "." |
0 commit comments