Merge pull request #8599 from 4B5F5F4B/main

geoffw0 · web-flow · commit cb211f88443a · 2022-04-11T15:57:27.000+01:00
C++: refactor some code, and add access_ok cases
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql b/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
@@ -21,7 +21,7 @@ class WriteAccessCheckMacro extends Macro {
   VariableAccess va;
 
   WriteAccessCheckMacro() {
-    this.getName() = ["user_write_access_begin", "user_access_begin"] and
+    this.getName() = ["user_write_access_begin", "user_access_begin", "access_ok"] and
     va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
   }
 
@@ -37,7 +37,8 @@ class UnSafePutUserMacro extends Macro {
   }
 
   Expr getUserModePtr() {
-    result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()
+    result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier() or
+    result = writeUserPtr.getOperand()
   }
 }
 
@@ -46,11 +47,13 @@ class ExploitableUserModePtrParam extends Parameter {
     not exists(WriteAccessCheckMacro writeAccessCheck |
       DataFlow::localFlow(DataFlow::parameterNode(this),
         DataFlow::exprNode(writeAccessCheck.getArgument()))
+    ) and
+    exists(UnSafePutUserMacro unsafePutUser |
+      DataFlow::localFlow(DataFlow::parameterNode(this),
+        DataFlow::exprNode(unsafePutUser.getUserModePtr()))
     )
   }
 }
 
-from ExploitableUserModePtrParam p, UnSafePutUserMacro unsafePutUser
-where
-  DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+from ExploitableUserModePtrParam p
 select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ class WriteAccessCheckMacro extends Macro {`
`21`	`21`	`VariableAccess va;`
`22`	`22`
`23`	`23`	`WriteAccessCheckMacro() {`
`24`		`- this.getName() = ["user_write_access_begin", "user_access_begin"] and`
	`24`	`+ this.getName() = ["user_write_access_begin", "user_access_begin", "access_ok"] and`
`25`	`25`	`va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()`
`26`	`26`	`}`
`27`	`27`
`@@ -37,7 +37,8 @@ class UnSafePutUserMacro extends Macro {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`Expr getUserModePtr() {`
`40`		`- result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()`
	`40`	`+ result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier() or`
	`41`	`+ result = writeUserPtr.getOperand()`
`41`	`42`	`}`
`42`	`43`	`}`
`43`	`44`
`@@ -46,11 +47,13 @@ class ExploitableUserModePtrParam extends Parameter {`
`46`	`47`	`not exists(WriteAccessCheckMacro writeAccessCheck \|`
`47`	`48`	`DataFlow::localFlow(DataFlow::parameterNode(this),`
`48`	`49`	`DataFlow::exprNode(writeAccessCheck.getArgument()))`
	`50`	`+ ) and`
	`51`	`+ exists(UnSafePutUserMacro unsafePutUser \|`
	`52`	`+ DataFlow::localFlow(DataFlow::parameterNode(this),`
	`53`	`+ DataFlow::exprNode(unsafePutUser.getUserModePtr()))`
`49`	`54`	`)`
`50`	`55`	`}`
`51`	`56`	`}`
`52`	`57`
`53`		`-from ExploitableUserModePtrParam p, UnSafePutUserMacro unsafePutUser`
`54`		`-where`
`55`		`- DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))`
	`58`	`+from ExploitableUserModePtrParam p`
`56`	`59`	`select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()`