
C++: Promote cpp/invalid-pointer-deref out of experimental #14006

Open
wants to merge 10 commits into base: main

Conversation

@MathiasVP (Contributor) commented Aug 21, 2023

This PR moves the cpp/invalid-pointer-deref query out of experimental and into the security-extended suite.

Documentation friends: I've added a bunch of unnecessary whitespace in e776178 that will ensure the relevant files show up in the diff. Once you're done reviewing the files I'll remove the whitespace again.

@github-actions bot (Contributor) commented Aug 21, 2023

QHelp previews:

cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.qhelp

Invalid pointer dereference

The program performs an out-of-bounds read or write operation, which can cause program instability. In addition, an attacker may be able to exploit the out-of-bounds access to execute arbitrary code.

Recommendation

Ensure that pointer dereferences are properly guarded so that they cannot be used to read or write past the end of the allocation.

Example

The first example allocates a buffer of size bytes and creates a local variable, end, that stores the location one byte past the end of the allocation. This local variable is then dereferenced, which results in an out-of-bounds write. The second example subtracts one from end before dereferencing it, so the write correctly updates the final byte of the allocation.

void *malloc(unsigned);
unsigned get_size();
void write_data(const unsigned char*, const unsigned char*);

int main(int argc, char* argv[]) {
  unsigned size = get_size();
  
  {
    unsigned char *begin = (unsigned char*)malloc(size);
    if(!begin) return -1;

    unsigned char* end = begin + size;
    write_data(begin, end);
    *end = '\0'; // BAD: Out-of-bounds write
  }

  {
    unsigned char *begin = (unsigned char*)malloc(size);
    if(!begin) return -1;

    unsigned char* end = begin + size;
    write_data(begin, end);
    *(end - 1) = '\0'; // GOOD: writing to the last byte
  }

}
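As an added example (not part of the qhelp above or of the CodeQL project), the guarded form of the write from the second snippet is factored into a function, together with a self-check that places a canary byte just past the logical buffer and confirms the write never reaches it. It also handles the edge case the qhelp snippet leaves open: when get_size() returns 0, end - 1 points one byte before the allocation, so the write must be refused rather than performed. The function names write_terminator and check_guarded_write are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the qhelp): write a NUL terminator into the last
 * byte of a buffer of `size` bytes. The one-past-the-end pointer `end` is
 * computed but never dereferenced. Returns 1 if the byte was written, 0 if
 * the write would fall outside the allocation (NULL buffer, or size 0 where
 * end - 1 == begin - 1 lies before the allocation). */
int write_terminator(unsigned char *begin, size_t size) {
    if (begin == NULL || size == 0)
        return 0;
    unsigned char *end = begin + size;   /* one-past-the-end, not dereferenced */
    *(end - 1) = '\0';                   /* last valid byte: begin[size - 1] */
    return 1;
}

/* Self-check: allocate size + 1 bytes, fill everything with a 0xAA canary
 * (constructed test data), run the guarded write, then verify that the byte
 * just past the logical buffer is untouched and, if a write happened, that
 * it landed on the last byte. Returns 1 when the write happened in bounds,
 * 0 when it was refused and nothing changed, -1 on allocation failure or if
 * any byte outside the intended target was modified. */
int check_guarded_write(size_t size) {
    unsigned char *buf = (unsigned char *)malloc(size + 1);
    if (buf == NULL)
        return -1;
    memset(buf, 0xAA, size + 1);
    int wrote = write_terminator(buf, size);
    int canary_ok = (buf[size] == 0xAA);              /* byte past the buffer */
    int last_ok = wrote ? (buf[size - 1] == '\0') : 1; /* target byte, if written */
    int result = (canary_ok && last_ok) ? wrote : -1;
    free(buf);
    return result;
}

/* Stand-alone run: exit status is non-zero if any check fails. */
int main(void) {
    if (check_guarded_write(8) != 1) return 1;
    if (check_guarded_write(1) != 1) return 1;
    if (check_guarded_write(0) != 0) return 1;  /* size 0: write refused */
    if (write_terminator(NULL, 4) != 0) return 1;
    return 0;
}
```

The canary check is the same idea an address sanitizer applies with redzones; running a size-0 input through it is the quickest way to see why the guard on size is needed in addition to the end - 1 arithmetic.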

References

@MathiasVP MathiasVP force-pushed the promote-invalid-pointer-deref-out-of-experimental branch from c026232 to 2154be0 Compare August 21, 2023 09:07
@MathiasVP MathiasVP force-pushed the promote-invalid-pointer-deref-out-of-experimental branch from e24fbbc to e776178 Compare August 21, 2023 09:23
@MathiasVP MathiasVP added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Aug 22, 2023
@mchammer01 mchammer01 self-requested a review August 22, 2023 10:38
@mchammer01 (Contributor) commented:

I'll review this for Docs.

@mchammer01 (Contributor) previously approved these changes Aug 22, 2023 and left a comment:

LGTM ✨
Made a few comments and suggestions. Feel free to ignore the ones you don't agree with 😅

Review comments (outdated, resolved) on:
cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.qhelp (two comments)
@MathiasVP MathiasVP marked this pull request as ready for review August 22, 2023 16:11
@MathiasVP MathiasVP requested a review from a team as a code owner August 22, 2023 16:11
Labels: C++, documentation, ready-for-doc-review (This PR requires and is ready for review from the GitHub docs team.)
Projects: None yet
Development: None yet
2 participants