C++: Expose a public memset model and use it in the exposure queries.

MathiasVP · MathiasVP · commit 4a1bf95a877c · 2023-10-31T11:17:51.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
@@ -9,18 +9,17 @@ import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
-/**
- * The standard function `memset` and its assorted variants
- */
-private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
+private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, AliasFunction,
   SideEffectFunction
 {
-  MemsetFunction() {
+  MemsetFunctionModel() {
     this.hasGlobalOrStdOrBslName("memset")
     or
     this.hasGlobalOrStdName("wmemset")
     or
-    this.hasGlobalName([bzero(), "__builtin_memset", "__builtin_memset_chk"])
+    this.hasGlobalName([
+        bzero(), "__builtin_memset", "__builtin_memset_chk", "RtlZeroMemory", "RtlSecureZeroMemory"
+      ])
   }
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
@@ -60,3 +59,8 @@ private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunct
 }
 
 private string bzero() { result = ["bzero", "explicit_bzero"] }
+
+/**
+ * The standard function `memset` and its assorted variants
+ */
+class MemsetFunction extends Function instanceof MemsetFunctionModel { }
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -15,6 +15,7 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
+import semmle.code.cpp.models.implementations.Memset
 import ExposedSystemData::PathGraph
 import SystemData
 
@@ -28,6 +29,10 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
       fc.getArgument(arg).getAChild*() = sink.asIndirectExpr()
     )
   }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
+  }
 }
 
 module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -28,6 +28,7 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.security.OutputWrite
+import semmle.code.cpp.models.implementations.Memset
 import PotentiallyExposedSystemData::PathGraph
 import SystemData
 
@@ -49,6 +50,10 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
       else child = sink.asExpr()
     )
   }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
+  }
 }
 
 module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`import cpp`
`16`	`16`	`import semmle.code.cpp.ir.dataflow.TaintTracking`
`17`	`17`	`import semmle.code.cpp.models.interfaces.FlowSource`
	`18`	`+import semmle.code.cpp.models.implementations.Memset`
`18`	`19`	`import ExposedSystemData::PathGraph`
`19`	`20`	`import SystemData`
`20`	`21`
`@@ -28,6 +29,10 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {`
`28`	`29`	`fc.getArgument(arg).getAChild*() = sink.asIndirectExpr()`
`29`	`30`	`)`
`30`	`31`	`}`
	`32`	`+`
	`33`	`+ predicate isBarrier(DataFlow::Node node) {`
	`34`	`+ node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()`
	`35`	`+ }`
`31`	`36`	`}`
`32`	`37`
`33`	`38`	`module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ import cpp`
`28`	`28`	`import semmle.code.cpp.ir.dataflow.TaintTracking`
`29`	`29`	`import semmle.code.cpp.models.interfaces.FlowSource`
`30`	`30`	`import semmle.code.cpp.security.OutputWrite`
	`31`	`+import semmle.code.cpp.models.implementations.Memset`
`31`	`32`	`import PotentiallyExposedSystemData::PathGraph`
`32`	`33`	`import SystemData`
`33`	`34`
`@@ -49,6 +50,10 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {`
`49`	`50`	`else child = sink.asExpr()`
`50`	`51`	`)`
`51`	`52`	`}`
	`53`	`+`
	`54`	`+ predicate isBarrier(DataFlow::Node node) {`
	`55`	`+ node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()`
	`56`	`+ }`
`52`	`57`	`}`
`53`	`58`
`54`	`59`	`module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;`