Go/feature/shared ssa library #19011

Draft
wants to merge 24 commits into
base: main
24 commits
8d844e8
Switch to use-use dataflow. This will make post-update nodes easy to …
owen-mc Nov 10, 2023
06404d8
Add missing QLDoc
owen-mc Nov 28, 2023
d8002a0
Clean up code in basicLocalFlowStep
owen-mc Nov 28, 2023
1904daf
Include first step from SsaVariableCapture
owen-mc Nov 28, 2023
9d88795
Adjust SafeFormatArgumentSanitizer to use-use flow
owen-mc Nov 29, 2023
f67555a
Test result that was missing is now found
owen-mc Nov 10, 2023
03204cf
Expected changes in dataflow edges
owen-mc Nov 10, 2023
487dba3
f extra edge
owen-mc Nov 29, 2023
c040c9a
Line numbers change because 3 lines were added
owen-mc Nov 29, 2023
8b6a173
Changes in edges in .expected files
owen-mc Nov 29, 2023
ef9f740
Extra edge to captured variable
owen-mc Nov 29, 2023
ad0b836
Fix Allocation Size Overflow for use-use flow
owen-mc Nov 30, 2023
68128b3
Expected test changes (odd because post update nodes are still at the…
owen-mc Nov 30, 2023
818ebea
Optimise join order for varBlockReaches
smowton Jan 26, 2021
6c863c6
Fix IncorrectIntegerConversion for use-use flow
owen-mc Nov 30, 2023
5a09b15
accept edge changes
owen-mc Mar 6, 2025
7f5e973
Accept fixed test result
owen-mc Mar 6, 2025
c308978
Make insecure randomness test more realistic
owen-mc Mar 6, 2025
a3dbc5e
Fix TypeAssertionCheck to not block successor flow
owen-mc Mar 7, 2025
635b722
Improve SSA tests for variables in closures
owen-mc Mar 12, 2025
a15ab99
Invoke `SsaImplCommon::Make`
owen-mc Mar 1, 2025
5bc4ccf
Refactor: reorder parameters of `SsaDefinition.definesAt`
owen-mc Mar 8, 2025
521b971
Base SSA classes on shared SSA library
owen-mc Mar 10, 2025
d49f05f
Test changes
owen-mc Mar 15, 2025
Fix Allocation Size Overflow for use-use flow
We have an operator expression like `x * 5`. We want to follow where the
value of the operator expression goes. We used to follow local flow from
an operand, but now there is flow from that operand to the next use of
the variable. The fix is to explicitly start local flow from the
operator expression.

There are also some expected edge changes due to use-use flow.
owen-mc committed Mar 6, 2025
commit ad0b836fe579e2b654ea36ac7fee0ceed6ec39d8
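The commit message's reasoning, modelled as a small reachability check (an added example, not code from this pull request). The four-statement program, the node names and the single operand-to-operation step are assumptions made for illustration; `reachable` plays the role of `localStep*`.

```python
from collections import defaultdict

# Constructed program (not from the PR's tests), one node per expression:
#   n := len(data)            def_n
#   a := make([]byte, n*5)    use1 (operand), mul (operation, allocation size)
#   log(n)                    use2
#   b := make([]byte, n)      use3 (allocation size, no arithmetic)
USES = ["use1", "use2", "use3"]
ALLOC_SIZES = {"mul", "use3"}
# Assumption: a taint-style step from an operand to the operation's result.
OPERAND_STEP = [("use1", "mul")]


def ssa_edges(use_use):
    """Edges from the definition of n to its uses, in either flow style."""
    if not use_use:
        return [("def_n", u) for u in USES]   # def-use: definition fans out
    chain = ["def_n"] + USES                  # use-use: each use feeds the next
    return list(zip(chain, chain[1:]))


def reachable(start, edges):
    """Reflexive transitive closure, the analogue of localStep*(start, _)."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    seen, todo = {start}, [start]
    while todo:
        for nxt in succ[todo.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def alloc_sizes_reached(start, use_use):
    """Allocation-size nodes reached when local flow starts at `start`."""
    edges = ssa_edges(use_use) + OPERAND_STEP
    return reachable(start, edges) & ALLOC_SIZES


if __name__ == "__main__":
    for use_use in (False, True):
        for start in ("use1", "mul"):
            print(use_use, start, sorted(alloc_sizes_reached(start, use_use)))
```

Starting at the operand under use-use flow also reaches the plain `make([]byte, n)` size, which the multiplication never feeds; starting at the operation reaches only the size it computes.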
Expand Up @@ -32,7 +32,10 @@ module AllocationSizeOverflow {
/**
* A data-flow node that is an operand to an operation that may overflow.
*/
abstract class OverflowProneOperand extends DataFlow::Node { }
abstract class OverflowProneOperand extends DataFlow::Node {
/** Gets the operation that may overflow that `this` is an operand of. */
abstract DataFlow::Node getOverflowProneOperation();
}

/**
* A data-flow node that represents the size argument of an allocation, such as the `n` in
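Review bot: The new `abstract DataFlow::Node getOverflowProneOperation();` on `OverflowProneOperand` changes the contract of a class that is not declared `private` here, so any subclass defined outside this file now has to supply an override. Consider a change note for this, or a non-abstract predicate with a documented default body that subclasses override, so existing extensions are not caught out.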
Expand Down Expand Up @@ -91,8 +94,7 @@ module AllocationSizeOverflow {
AllocationSize allocsz;

DefaultSink() {
this instanceof OverflowProneOperand and
localStep*(this, allocsz) and
localStep*(this.(OverflowProneOperand).getOverflowProneOperation(), allocsz) and
not allocsz instanceof AllocationSizeCheckBarrier
}

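Review bot: The reason `DefaultSink()` now starts at the operation rather than at the operand is recorded only in the commit message; the `localStep*(this.(OverflowProneOperand).getOverflowProneOperation(), allocsz)` line needs a short comment saying that, under use-use flow, local flow from the operand also continues to the next use of the same variable. Without it, a later cleanup could plausibly simplify this back to `localStep*(this, allocsz)`.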
Expand Down Expand Up @@ -134,15 +136,18 @@ module AllocationSizeOverflow {

/** An operand of an arithmetic expression that could cause overflow. */
private class DefaultOverflowProneOperand extends OverflowProneOperand {
OperatorExpr parent;

DefaultOverflowProneOperand() {
exists(OperatorExpr parent | isOverflowProne(parent) |
this.asExpr() = parent.getAnOperand() and
// only consider outermost operands to avoid double reporting
not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() |
isOverflowProne(grandparent)
)
isOverflowProne(parent) and
this.asExpr() = parent.getAnOperand() and
// only consider outermost operands to avoid double reporting
not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() |
isOverflowProne(grandparent)
)
}

override DataFlow::Node getOverflowProneOperation() { result.asExpr() = parent }
}

/**
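Review bot: The field `parent` in `DefaultOverflowProneOperand` now holds the value that `getOverflowProneOperation()` returns, but its name still reflects its old role as a local variable of the removed `exists`. Renaming it to something like `operation`, or adding a one-line QLDoc comment on the field, would make the override `result.asExpr() = parent` self-explanatory.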
Expand Up @@ -17,10 +17,13 @@ edges
| tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:26:15:29 | data | provenance | |
| tst2.go:15:26:15:29 | data | tst2.go:15:22:15:30 | call to len | provenance | Config |
| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:26:7:33 | jsonData | provenance | |
| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:20:24:27 | jsonData | provenance | |
| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:20:32:27 | jsonData | provenance | |
| tst3.go:7:26:7:33 | jsonData | tst3.go:7:22:7:34 | call to len | provenance | Config |
| tst3.go:7:26:7:33 | jsonData | tst3.go:9:32:9:39 | jsonData | provenance | |
| tst3.go:9:32:9:39 | jsonData | tst3.go:11:9:11:16 | jsonData | provenance | |
| tst3.go:11:9:11:16 | jsonData | tst3.go:16:20:16:27 | jsonData | provenance | |
| tst3.go:16:20:16:27 | jsonData | tst3.go:24:20:24:27 | jsonData | provenance | |
| tst3.go:24:20:24:27 | jsonData | tst3.go:24:16:24:28 | call to len | provenance | Config |
| tst3.go:24:20:24:27 | jsonData | tst3.go:32:20:32:27 | jsonData | provenance | |
| tst3.go:32:20:32:27 | jsonData | tst3.go:32:16:32:28 | call to len | provenance | Config |
| tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:26:15:33 | jsonData | provenance | |
| tst.go:15:26:15:33 | jsonData | tst.go:15:22:15:34 | call to len | provenance | Config |
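Review bot: Every path to the `len` calls at `tst3.go` lines 24 and 32 now runs through the chain of uses at lines 7, 9, 11 and 16, and the hunk header (10 old lines, 13 new) implies the two direct edges from `tst3.go:6:2:6:31` to those lines are dropped. Please confirm that none of the intermediate uses can be turned into a barrier node by a size check, since under use-use flow that would cut off the later results rather than only the guarded one.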
Expand All @@ -45,6 +48,9 @@ nodes
| tst3.go:6:2:6:31 | ... := ...[0] | semmle.label | ... := ...[0] |
| tst3.go:7:22:7:34 | call to len | semmle.label | call to len |
| tst3.go:7:26:7:33 | jsonData | semmle.label | jsonData |
| tst3.go:9:32:9:39 | jsonData | semmle.label | jsonData |
| tst3.go:11:9:11:16 | jsonData | semmle.label | jsonData |
| tst3.go:16:20:16:27 | jsonData | semmle.label | jsonData |
| tst3.go:24:16:24:28 | call to len | semmle.label | call to len |
| tst3.go:24:20:24:27 | jsonData | semmle.label | jsonData |
| tst3.go:32:16:32:28 | call to len | semmle.label | call to len |
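Review bot: The three added `nodes` rows for lines 9, 11 and 16 are intermediate path steps only, and nothing in the rows shown here exercises the case the commit message describes, where the operand's variable is used again after the overflow-prone operation. A test in which that later use is itself an allocation size with no arithmetic applied would pin the fix and fail if flow were started from the operand again.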