Skip to content

C++: Taint propagation through dynamic_cast #2713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 28, 2020
Merged

C++: Taint propagation through dynamic_cast #2713

merged 4 commits into from
Jan 28, 2020

Conversation

MathiasVP
Copy link
Contributor

Adds taint propagation through dynamic_cast expressions

@MathiasVP MathiasVP added the C++ label Jan 28, 2020
@MathiasVP MathiasVP requested a review from a team as a code owner January 28, 2020 16:42
@MathiasVP MathiasVP requested a review from a team as a code owner January 28, 2020 16:53
rdmarsh2
rdmarsh2 approved these changes Jan 28, 2020
View reviewed changes
Copy link
Contributor

@rdmarsh2 rdmarsh2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rdmarsh2 rdmarsh2 merged commit 9504da5 into github:master Jan 28, 2020
jbj
jbj reviewed Jan 29, 2020
View reviewed changes
cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -96,6 +96,10 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
)
or
// Conversion using dynamic_cast results in an unknown offset
instr instanceof CheckedConvertOrNullInstruction and
bitOffset = Ints::unknown()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must the offset be unknown in order for the alias analysis to work? I think of dynamic_cast<D*>(b) as meaning roughly (*b instanceof D) ? static_cast<D*>(b) : nullptr, but maybe that's an oversimplification? If the type check doesn't pass, then the returned pointer doesn't point to any object, but that's also sort of true for a static_cast.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "sidecast" case in https://en.cppreference.com/w/cpp/language/dynamic_cast means that the offset is at least sometimes unknown. Even for the downcast case, there isn't an unambiguous offset for a conversion from Y to Base in https://godbolt.org/z/ebWA7x

Copy link
Contributor Author

@MathiasVP MathiasVP Jan 30, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's also the special case of dynamic_cast<void*> which casts to the most specific polymorphic class: https://godbolt.org/z/AZJpxS

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the explanations. Inheritance is scary!

@rdmarsh2 rdmarsh2 mentioned this pull request Jan 29, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jbj jbj jbj left review comments

@rdmarsh2 rdmarsh2 rdmarsh2 approved these changes

Assignees
No one assigned
Labels
C++
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MathiasVP @jbj @rdmarsh2