C++: Speed up the 'cpp/unbounded-write' query.

MathiasVP · MathiasVP · commit 2bccb81de08d · 2025-01-13T13:35:11.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll
@@ -1375,3 +1375,25 @@ private module Cached {
 }
 
 private import Cached
+
+/**
+ * Holds if `left < right + k` evaluates to `isLt` given that some guard
+ * evaluates to `value`.
+ *
+ * To find the specific guard that performs the comparison
+ * use `IRGuards.comparesLt`.
+ */
+predicate comparesLt(Operand left, Operand right, int k, boolean isLt, AbstractValue value) {
+  compares_lt(_, left, right, k, isLt, value)
+}
+
+/**
+ * Holds if `left = right + k` evaluates to `isLt` given that some guard
+ * evaluates to `value`.
+ *
+ * To find the specific guard that performs the comparison
+ * use `IRGuards.comparesEq`.
+ */
+predicate comparesEq(Operand left, Operand right, int k, boolean isLt, AbstractValue value) {
+  compares_eq(_, left, right, k, isLt, value)
+}
diff --git a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -73,11 +73,42 @@ predicate isSink(DataFlow::Node sink, BufferWrite bw, boolean qualifier) {
   unboundedWriteSource(sink.asDefiningArgument(), bw, qualifier)
 }
 
+/**
+ * A configuration that specifies flow from a `FlowSource` to a relational
+ * comparison.
+ *
+ * This configuration is used to speed up the barrier computations in Config.
+ */
+module BarrierConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isSource(source, _) }
+
+  predicate isSink(DataFlow::Node sink) {
+    comparesEq(sink.asOperand(), _, _, true, _) or
+    comparesLt(sink.asOperand(), _, _, true, _)
+  }
+}
+
+module BarrierFlow = TaintTracking::Global<BarrierConfig>;
+
+import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
+
+/**
+ * Holds if `left` is a left operand of some relational comparison that may
+ * depend on user input.
+ */
+predicate interestingLessThanOrEqual(Operand left) {
+  exists(DataFlowImplCommon::NodeEx node |
+    node.asNode().asOperand() = left and
+    BarrierFlow::Stages::Stage1::sinkNode(node, _)
+  )
+}
+
 predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
   exists(Operand left |
     g.comparesLt(left, _, _, true, branch) or
     g.comparesEq(left, _, _, true, branch)
   |
+    interestingLessThanOrEqual(left) and
     left.getDef().getUnconvertedResultExpression() = e
   )
 }
