C++ IR: allow inexact defs in taint tracking

jbj · jbj · commit 2ce8612a057a · 2019-07-03T11:05:06.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/TaintTracking.qll
@@ -145,6 +145,11 @@ module TaintTracking {
       nodeTo instanceof PointerArithmeticInstruction
       or
       nodeTo instanceof FieldAddressInstruction
+      or
+      // The `CopyInstruction` case is also present in non-taint data flow, but
+      // that uses `getDef` rather than `getAnyDef`. For taint, we want flow
+      // from a definition of `myStruct` to a `myStruct.myField` expression.
+      nodeTo instanceof CopyInstruction
     )
     or
     nodeTo.(LoadInstruction).getSourceAddress() = nodeFrom
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -143,7 +143,7 @@ UninitializedNode uninitializedNode(LocalVariable v) { result.getLocalVariable()
  */
 predicate localFlowStep(Node nodeFrom, Node nodeTo) {
   nodeTo.(CopyInstruction).getSourceValue() = nodeFrom or
-  nodeTo.(PhiInstruction).getAnOperand().getAnyDef() = nodeFrom or
+  nodeTo.(PhiInstruction).getAnOperand().getDef() = nodeFrom or
   // Treat all conversions as flow, even conversions between different numeric types.
   nodeTo.(ConvertInstruction).getUnary() = nodeFrom
 }

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ UninitializedNode uninitializedNode(LocalVariable v) { result.getLocalVariable()`
`143`	`143`	`*/`
`144`	`144`	`predicate localFlowStep(Node nodeFrom, Node nodeTo) {`
`145`	`145`	`nodeTo.(CopyInstruction).getSourceValue() = nodeFrom or`
`146`		`- nodeTo.(PhiInstruction).getAnOperand().getAnyDef() = nodeFrom or`
	`146`	`+ nodeTo.(PhiInstruction).getAnOperand().getDef() = nodeFrom or`
`147`	`147`	`// Treat all conversions as flow, even conversions between different numeric types.`
`148`	`148`	`nodeTo.(ConvertInstruction).getUnary() = nodeFrom`
`149`	`149`	`}`