|
| 1 | +/** |
| 2 | + * @name Errors When Using Bit Operations |
| 3 | + * @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an |
| 4 | + * operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing. |
| 5 | + * @kind problem |
| 6 | + * @id cpp/errors-when-using-bit-operations |
| 7 | + * @problem.severity warning |
| 8 | + * @precision medium |
| 9 | + * @tags correctness |
| 10 | + * security |
| 11 | + * external/cwe/cwe-691 |
| 12 | + */ |
| 13 | + |
| 14 | +import cpp |
| 15 | +import semmle.code.cpp.valuenumbering.GlobalValueNumbering |
| 16 | + |
| 17 | +/** |
| 18 | + * Dangerous uses of bit operations. |
| 19 | + * For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`. |
| 20 | + * In this case, the function will be called in any case, and even the sequence of the call is not guaranteed. |
| 21 | + */ |
| 22 | +class DangerousBitOperations extends BinaryBitwiseOperation { |
| 23 | + FunctionCall bfc; |
| 24 | + |
| 25 | + /** |
| 26 | + * The assignment indicates the conscious use of the bit operator. |
| 27 | + * Use in comparison, conversion, or return value indicates conscious use of the bit operator. |
| 28 | + * The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator. |
| 29 | + */ |
| 30 | + DangerousBitOperations() { |
| 31 | + bfc = this.getRightOperand() and |
| 32 | + not this.getParent*() instanceof Assignment and |
| 33 | + not this.getParent*() instanceof Initializer and |
| 34 | + not this.getParent*() instanceof ReturnStmt and |
| 35 | + not this.getParent*() instanceof EqualityOperation and |
| 36 | + not this.getParent*() instanceof UnaryLogicalOperation and |
| 37 | + not this.getParent*() instanceof BinaryLogicalOperation and |
| 38 | + not this.getAChild*() instanceof BitwiseXorExpr and |
| 39 | + not this.getAChild*() instanceof LShiftExpr and |
| 40 | + not this.getAChild*() instanceof RShiftExpr |
| 41 | + } |
| 42 | + |
| 43 | + /** Holds when part of a bit expression is used in a logical operation. */ |
| 44 | + predicate useInLogicalOperations() { |
| 45 | + exists(BinaryLogicalOperation blop, Expr exp | |
| 46 | + blop.getAChild*() = exp and |
| 47 | + exp.(FunctionCall).getTarget() = bfc.getTarget() and |
| 48 | + not exp.getParent() instanceof ComparisonOperation and |
| 49 | + not exp.getParent() instanceof BinaryBitwiseOperation |
| 50 | + ) |
| 51 | + } |
| 52 | + |
| 53 | + /** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */ |
| 54 | + predicate useInOtherCalls() { |
| 55 | + bfc.hasQualifier() or |
| 56 | + bfc.getTarget() instanceof Operator or |
| 57 | + exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or |
| 58 | + bfc.getTarget() instanceof BuiltInFunction |
| 59 | + } |
| 60 | + |
| 61 | + /** Holds when the bit expression contains both arguments and a function call. */ |
| 62 | + predicate dangerousArgumentChecking() { |
| 63 | + not this.getLeftOperand() instanceof Call and |
| 64 | + globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument()) |
| 65 | + } |
| 66 | + |
| 67 | + /** Holds when function calls are present in the bit expression. */ |
| 68 | + predicate functionCallsInBitsExpression() { |
| 69 | + this.getLeftOperand().getAChild*() instanceof FunctionCall |
| 70 | + } |
| 71 | +} |
| 72 | + |
| 73 | +from DangerousBitOperations dbo |
| 74 | +where |
| 75 | + not dbo.useInOtherCalls() and |
| 76 | + dbo.useInLogicalOperations() and |
| 77 | + (not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking()) |
| 78 | +select dbo, "This bitwise operation appears in a context where a Boolean operation is expected." |
0 commit comments