

@MathiasVP MathiasVP commented Apr 7, 2020

Previously we did not catch data flows such as:

#include <string.h>

int a = source();               // a holds the untrusted value
int b = 0;
memcpy(&b, &a, sizeof(int));    // copies a's bytes into b through a write side effect
sink(b); // tainted

because there's a ChiInstruction between the WriteSideEffect instruction and the load in sink(b). (Note that this was still caught by taint flow.)

This PR recovers these flows by inserting flow from write side effect instructions to the partial operand of Chi instructions, similar to how #3219 handles taint flows.
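One way to check for the flow described above is a minimal IR data-flow configuration that treats calls to source() as sources and arguments of sink() as sinks, run against a test file shaped like the snippet in the PR description. This is an added example, not code from the PR or from the CodeQL repository; the class name SourceToSinkConfig and the function names source and sink are assumptions for illustration. It uses the DataFlow::Configuration API that the C/C++ IR data-flow library exposed at the time of this PR.

```ql
/**
 * Hypothetical test query (not part of the PR): reports value flow from a
 * call to source() to an argument of sink() using IR data flow, i.e. the
 * flow that the PR description says was previously missed across memcpy.
 */
import cpp
import semmle.code.cpp.ir.dataflow.DataFlow

class SourceToSinkConfig extends DataFlow::Configuration {
  SourceToSinkConfig() { this = "SourceToSinkConfig" }

  // Any call to a function named `source` is a data-flow source.
  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(FunctionCall).getTarget().hasName("source")
  }

  // Any argument passed to a function named `sink` is a data-flow sink.
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().hasName("sink") and
      sink.asExpr() = call.getAnArgument()
    )
  }
}

from SourceToSinkConfig cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Value flows here from $@.", source, "a call to source()"
```

With the memcpy snippet as the test input, this query should produce one result for sink(b) once flow from the WriteSideEffect instruction into the partial operand of the Chi instruction is modelled; without that edge only the taint-tracking configuration (which already had it, as noted in the thread) reports it.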

@MathiasVP MathiasVP added the C++ label Apr 7, 2020

MathiasVP commented Apr 7, 2020

I've started a CPP-differences run to make sure we don't add too much flow: https://jenkins.internal.semmle.com/job/Changes/job/CPP-Differences/1026/

As @jbj pointed out, we have flow to partial chi operands already in DefaultTaintTracking. So there are no new query results, as there's no query that uses IR dataflow without using taintflow.

@MathiasVP MathiasVP mentioned this pull request Apr 7, 2020
@jbj jbj modified the milestone: 1.24 Apr 7, 2020
MathiasVP added a commit to MathiasVP/ql that referenced this pull request Apr 15, 2020
@MathiasVP

Closed as this PR was integrated into #3118.

@MathiasVP MathiasVP closed this Apr 17, 2020