Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

C++: Fix global flow without an SSA definition #12740

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

MathiasVP
Copy link
Contributor

Turns out we didn't create an GlobalUse node (which represents the use of a global variable after exiting a function body) when there was just a store step to the global variable.

Commit-by-commit review recommended.

@MathiasVP MathiasVP requested a review from a team as a code owner April 2, 2023 15:24
@github-actions github-actions bot added the C++ label Apr 2, 2023
@MathiasVP MathiasVP added the no-change-note-required This PR does not need a change note label Apr 2, 2023
@MathiasVP
Copy link
Contributor Author

Hmm... Lots of new results and quite a bad performance regression. Will convert this PR to a draft and investigate 👀.

@MathiasVP MathiasVP marked this pull request as draft April 2, 2023 18:23
@geoffw0
Copy link
Contributor

geoffw0 commented Apr 5, 2023

I just took a look at the first few new results locally, so that I could see the full flow paths etc and assess.

  • cpp/cleartext-storage-file on git-linux was already a result (with source credential.c line 207), this change adds an additional source for that result (imap-send.c line 955). The path I checked was long but looks plausible. TP I think.
  • cpp/command-line-injection on vim__vim; 478 results all on the same line of code. I failed to find the new one. Not sure what's going on here.
  • cpp/non-constant-format on vim__vim; this is not a path problem but involves macros; I think it's a false positive due to the underscore macro, which the query attempts to treat as a barrier / constant string. Have we accidentally worked around that?
  • cpp/path-injection on Nelson-numerical-software__nelson; three new results; like cpp/cleartext-storage-file on git-linux, these are results we already had but an additional source is associated with each of them. All the new taint flows are similar to each other, and look OK except:
    • gram.c line 1410 writes the tainted data into yyval.extval but it's read on gram.c line 979 as yypt[-0].yyv.charpval, a different member of the union. Whether that's reasonable depends on how the union is used, I suppose. I lean towards yes, it's reasonable taint flow.
    • flow appears to go on names.c line 781 from stateno to extsymtab[-1-stateno].fextname, which seems a little dubious to me, I'm not sure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C++ no-change-note-required This PR does not need a change note
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants