more tests

Author: GrosQuildu

cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.ql

@@ -21,6 +21,8 @@ predicate isDefOf(ControlFlowNode node, Variable var) {
   node = var.getAnAccess() and node.(VariableAccess).isLValue()
   or
   node.(DeclStmt).getADeclaration() = var and exists(var.getInitializer())
+  or
+  node.(Assignment).getLValue().(VariableAccess).getTarget() = var
 }
 
 /**
@@ -55,9 +57,10 @@ where
   cmp.getAnOperand().getAChild*() = varAcc and
   cmp.getAnOperand() instanceof Zero and
 
-  // only if the variable is used after the comparison
+  // only if the variable is used (not just overwritten) after the comparison
   successorGuarded(cmp, varAccAfterOverflow, var) and
   cmp.getAnOperand().getAChild*() != varAccAfterOverflow and
+  not exists(AssignExpr ae | ae.getLValue() = varAccAfterOverflow) and
 
   // var-- > 0 (0 < var--) then accesses only in false branch
   // var-- >= 0 then accesses in all branches

cpp/test/query-tests/security/DecOverflowWhenComparing/DecOverflowWhenComparing.c

@@ -3,6 +3,7 @@
 #include "../../../include/libc/unistd.h"
 #include "../../../include/libc/stdint.h"
 
+// BAD
 // from https://github.com/apple-oss-distributions/Libinfo/blob/9fce29e5c5edc15d3ecea55116ca17d3f6350603/lookup.subproj/mdns_module.c#L1033C1-L1079C2
 char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
 {
@@ -20,18 +21,18 @@ char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
 
 		if (domain == NULL) return NULL;
 
-		if (len == 0) break;	// DNS root (NUL)
+		if (len == 0) break;
 
 		if (j > 0)
 		{
 			domain[j++] = datalen ? '.' : '\0';
 		}
 
+		// bug is in datalen decrementation here
 		while ((len-- > 0) && (0 != datalen--))
 		{
 			if (data[i] == '.')
 			{
-				/* special case: escape the '.' with a '\' */
 				domain = reallocf(domain, ++domainlen);
 				if (domain == NULL) return NULL;
 
@@ -47,6 +48,106 @@ char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
 	return domain;
 }
 
+// BAD: n used after loop without overwrite (overflowed on last iteration)
+void simple_use_after_loop(uint32_t n, int *buf) {
+    while (n-- > 0) {
+        buf[0] = 1;
+    }
+    buf[n] = 0; // BAD: n is UINT32_MAX here
+}
+
+// BAD: use in false branch of != 0
+void use_after_neq(uint32_t n, int *buf) {
+    if (n-- != 0) {
+        buf[0] = 1;
+    }
+    buf[n] = 0; // BAD
+}
+
+// GOOD: variable overwritten by assignment before use
+void overwrite_by_assignment(uint32_t n, int *buf) {
+    while (n-- > 0) {
+        buf[0] = 1;
+    }
+    n = 42;
+    buf[n] = 0;
+}
+
+// GOOD: signed integer - not unsigned
+void signed_decrement(int n, int *buf) {
+    while (n-- > 0) {
+        buf[n] = 0;
+    }
+}
+
+// GOOD: variable not used after comparison
+void no_use_after(uint32_t n, int *buf) {
+    while (n-- > 0) {
+        buf[0] = 1;
+    }
+}
+
+// BAD: reversed comparison form 0 < n--
+void reversed_lt(uint32_t n, int *buf) {
+    while (0 < n--) {
+        buf[0] = 1;
+    }
+    buf[n] = 0; // BAD
+}
+
+// BAD: n-- == 0, use in true branch where n just wrapped to UINT32_MAX
+void eq_zero(uint32_t n, int *buf) {
+    if (n-- == 0) {
+        buf[n] = 0; // BAD
+    }
+}
+
+// BAD: do-while, use after loop
+void do_while(uint32_t n, int *buf) {
+    do {
+        buf[0] = 1;
+    } while (n-- > 0);
+    buf[n] = 0; // BAD
+}
+
+// BAD: conditional overwrite (only one branch overwrites)
+void conditional_overwrite(uint32_t n, int *buf, int cond) {
+    if (n-- != 0) {
+        buf[0] = 1;
+    }
+    if (cond) {
+        n = 42;
+    }
+    buf[n] = 0; // BAD: path exists where n is not overwritten
+}
+
+// GOOD: use only in true branch of > 0 (n was confirmed > 0)
+void use_in_true_branch(uint32_t n, int *buf) {
+    if (n-- > 0) {
+        buf[n] = 0;
+    }
+}
+
+// GOOD: prefix decrement (query only checks postfix)
+void prefix_decrement(uint32_t n, int *buf) {
+    while (--n > 0) {
+        buf[n] = 0;
+    }
+}
+
+// GOOD: overwrite in all branches before use
+void overwrite_all_branches(uint32_t n, int *buf, int cond) {
+    while (n-- > 0) {
+        buf[0] = 1;
+    }
+    if (cond) {
+        n = 10;
+    } else {
+        n = 20;
+    }
+    buf[n] = 0;
+}
+
 int main() {
     const uint16_t datalen = 128;
     uint8_t data[datalen] = {};

cpp/test/query-tests/security/DecOverflowWhenComparing/DecOverflowWhenComparing.expected

@@ -1 +1,7 @@
-| DecOverflowWhenComparing.c:30:31:30:39 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:30:26:30:39 | ... != ... | ... != ... | DecOverflowWhenComparing.c:15:9:15:15 | datalen | datalen |
+| DecOverflowWhenComparing.c:32:31:32:39 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:32:26:32:39 | ... != ... | ... != ... | DecOverflowWhenComparing.c:16:9:16:15 | datalen | datalen |
+| DecOverflowWhenComparing.c:53:12:53:14 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:53:12:53:18 | ... > ... | ... > ... | DecOverflowWhenComparing.c:56:9:56:9 | n | n |
+| DecOverflowWhenComparing.c:61:9:61:11 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:61:9:61:16 | ... != ... | ... != ... | DecOverflowWhenComparing.c:64:9:64:9 | n | n |
+| DecOverflowWhenComparing.c:92:16:92:18 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:92:12:92:18 | ... < ... | ... < ... | DecOverflowWhenComparing.c:95:9:95:9 | n | n |
+| DecOverflowWhenComparing.c:100:9:100:11 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:100:9:100:16 | ... == ... | ... == ... | DecOverflowWhenComparing.c:101:13:101:13 | n | n |
+| DecOverflowWhenComparing.c:109:14:109:16 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:109:14:109:20 | ... > ... | ... > ... | DecOverflowWhenComparing.c:110:9:110:9 | n | n |
+| DecOverflowWhenComparing.c:115:9:115:11 | ... -- | Unsigned decrementation in comparison ($@) - $@ | DecOverflowWhenComparing.c:115:9:115:16 | ... != ... | ... != ... | DecOverflowWhenComparing.c:121:9:121:9 | n | n |