From 063bff073be875a9cc907b773d4b6a7cbea90648 Mon Sep 17 00:00:00 2001
From: Ian Lynagh
Date: Thu, 24 Apr 2025 12:15:31 +0100
Subject: [PATCH 1/2] C++: Add checks for build mode in various queries

Adds a check for the absence of build-mode-none in cpp/wrong-type-format-argument cpp/comparison-with-wider-type cpp/integer-multiplication-cast-to-long cpp/implicit-function-declaration cpp/suspicious-add-sizeof
---
 cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql | 1 +
 cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql | 1 +
 .../Underspecified Functions/ImplicitFunctionDeclaration.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql | 1 +
 5 files changed, 5 insertions(+)

diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
index ba7a6b58aa01..7eb465d35a92 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
@@ -179,6 +179,7 @@ predicate overflows(MulExpr me, Type t) {
 
 from MulExpr me, Type t1, Type t2
 where
+  not any(Compilation c).buildModeNone() and
   t1 = me.getType().getUnderlyingType() and
   t2 = me.getConversion().getType().getUnderlyingType() and
   t1.getSize() < t2.getSize() and
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
index 75fe855c6f91..02975d2bdcab 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
@@ -154,6 +154,7 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
+  not any(Compilation c).buildModeNone() and
   (
     formattingFunctionCallExpectedType(ffc, n, expected) and
     formattingFunctionCallActualType(ffc, n, arg, actual) and
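Review bot: The added `not any(Compilation c).buildModeNone() and` conjunct gates the query on the whole database rather than on the compilation that produced `me`: it fails as soon as any single compilation was extracted in build-mode none, so a database that mixes a real build with build-mode-none extraction loses every result from this query, including for files that were properly compiled. If that whole-database semantics is intended, the line needs a comment saying why, presumably because the `getSize()` comparisons three lines below cannot be trusted without a real build; something like `// Type sizes are unreliable without a real build, so skip build-mode-none databases.` above the conjunct would do. If per-compilation gating is what is meant, `not exists(Compilation c | c.buildModeNone() and c.getAFileCompiled() = me.getFile())` expresses it. The identical line is pasted into the WrongTypeFormatArguments, ImplicitFunctionDeclaration, ComparisonWithWiderType and SuspiciousAddWithSizeof hunks, two of which are CWE-190/CWE-468 security queries that will now silently return nothing on such databases, so a single shared predicate in the library plus a change note telling users about the reduced coverage would serve better than five copies. The `from`/`where` clause continues past the hunk in each of these files.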
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
index a361a3401f36..aa9d5d43c738 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
@@ -38,6 +38,7 @@ predicate isCompiledAsC(File f) {
 
 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
+  not any(Compilation c).buildModeNone() and
   isCompiledAsC(fdeIm.getFile()) and
   not isFromMacroDefinition(fc) and
   fdeIm.isImplicit() and
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 7d9ef88adea1..021be5d091b3 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -51,6 +51,7 @@ int getComparisonSizeAdjustment(Expr e) {
 
 from Loop l, RelationalOperation rel, VariableAccess small, Expr large
 where
+  not any(Compilation c).buildModeNone() and
   small = rel.getLesserOperand() and
   large = rel.getGreaterOperand() and
   rel = l.getCondition().getAChild*() and
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index 4ac00fc42c6d..11b7779118fc 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -24,6 +24,7 @@ private predicate isCharSzPtrExpr(Expr e) {
 
 from Expr sizeofExpr, Expr e
 where
+  not any(Compilation c).buildModeNone() and
   // If we see an addWithSizeof then we expect the type of
   // the pointer expression to be `char*` or `void*`. Otherwise it
   // is probably a mistake.

From 0cd859c5593949c4413c65b953450d6b8a50d886 Mon Sep 17 00:00:00 2001
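Review bot: In the SuspiciousAddWithSizeof hunk the new conjunct is inserted between `where` and the three-line comment that explains the `addWithSizeof`/`isCharSzPtrExpr` conjunct following it (visible in the second patch), so the comment now sits detached from the line it describes and at first read appears to explain the build-mode gate. Either give the gate its own one-line comment, `// Skip databases extracted in build-mode none; pointer types may be incomplete there.`, or place the gate after the existing conjunct so the comment stays attached to `addWithSizeof`. The `where` clause continues past this hunk.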
From: Ian Lynagh
Date: Thu, 24 Apr 2025 12:48:21 +0100
Subject: [PATCH 2/2] C++: qlformat

---
 cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index 11b7779118fc..da92c792432c 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -28,7 +28,8 @@ where
   // If we see an addWithSizeof then we expect the type of
   // the pointer expression to be `char*` or `void*`. Otherwise it
   // is probably a mistake.
-  addWithSizeof(e, sizeofExpr, _) and not isCharSzPtrExpr(e)
+  addWithSizeof(e, sizeofExpr, _) and
+  not isCharSzPtrExpr(e)
 select sizeofExpr,
   "Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@.",
   e.getFullyConverted().getType() as t, t.toString()