/**
* @name Fizz Overflow
* @description Narrowing conversions on untrusted data could enable
* an attacker to trigger an integer overflow.
* @kind path-problem
* @problem.severity warning
*/
import cpp
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.IR
import DataFlow::PathGraph
/**
 * A function named `big` declared in a class named `Endian`, i.e.
 * Folly's `Endian::big()`, which takes the place of `ntohs`/`ntohl`
 * for converting between network (big-endian) and host byte order.
 * NOTE(review): matched on unqualified names only, so a member `big`
 * of any other class called `Endian` would be selected as well.
 */
class EndianConvert extends Function {
  EndianConvert() {
    // The original used `matches("Endian")`; with no `%`/`_` wildcards
    // that is plain equality on the class name.
    this.getDeclaringType().getName() = "Endian" and
    this.getName() = "big"
  }
}
/**
 * Holds if `i` is a call whose statically resolved target is an
 * `EndianConvert` (`Endian::big()`). The query treats an endianness
 * conversion as the telltale sign that a value arrived from the
 * network, so this predicate defines the taint source.
 * NOTE(review): only calls whose target resolves to a `FunctionInstruction`
 * match; indirect calls and other byte-swap helpers are not covered.
 */
predicate isNetworkData(Instruction i) {
  exists(CallInstruction call, FunctionInstruction target |
    call = i and
    target = call.getCallTarget() and
    target.getFunctionSymbol() instanceof EndianConvert
  )
}
/**
 * Holds if `i` is a narrowing conversion: the result size reported by
 * `getResultSize()` is strictly smaller than that of the operand, so the
 * converted value can be truncated. This predicate defines the sink.
 * NOTE(review): only sizes are compared, so a same-size change of
 * signedness (e.g. unsigned to signed) is not reported by this query.
 */
predicate isNarrowingConversion(ConvertInstruction i) {
  exists(int operandSize, int resultSize |
    operandSize = i.getUnary().getResultSize() and
    resultSize = i.getResultSize() and
    resultSize < operandSize
  )
}
/**
 * Taint-tracking configuration "FizzOverflowIR": tracks flow from
 * network data (`isNetworkData`) to narrowing conversions
 * (`isNarrowingConversion`). No sanitizer or additional taint step is
 * overridden here, so only the library's default propagation applies.
 */
class Cfg extends TaintTracking::Configuration {
  Cfg() { this = "FizzOverflowIR" }

  /** Holds if `source` wraps an instruction accepted by `isNetworkData`. */
  override predicate isSource(DataFlow::Node source) {
    exists(Instruction i | i = source.asInstruction() and isNetworkData(i))
  }

  /** Holds if `sink` wraps a conversion instruction accepted by `isNarrowingConversion`. */
  override predicate isSink(DataFlow::Node sink) {
    exists(ConvertInstruction conv | conv = sink.asInstruction() and isNarrowingConversion(conv))
  }
}
// Report every taint path from an endianness conversion (network data)
// to a narrowing conversion. The message names the operand type and the
// smaller result type of the conversion found at the sink.
// NOTE(review): the first select column is the sink PathNode itself
// rather than the underlying element (`sink.getNode()`) — confirm this
// is the intended result shape.
from Cfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink, ConvertInstruction conv
where
  cfg.hasFlowPath(source, sink) and
  conv = sink.getNode().asInstruction()
select sink, source, sink,
  "Conversion of untrusted data from " + conv.getUnary().getResultType() + " to " +
    conv.getResultType() + "."