Skip to content

C++: Taint propagation through dynamic_cast#2713

Merged
rdmarsh2 merged 4 commits intogithub:masterfrom
MathiasVP:dynamic-cast-taint-propagation
Jan 28, 2020
Merged

C++: Taint propagation through dynamic_cast#2713
rdmarsh2 merged 4 commits intogithub:masterfrom
MathiasVP:dynamic-cast-taint-propagation

Conversation

@MathiasVP
Copy link
Contributor

@MathiasVP MathiasVP commented Jan 28, 2020

Adds taint propagation through dynamic_cast expressions

@MathiasVP MathiasVP added the C++ label Jan 28, 2020
@MathiasVP MathiasVP requested a review from a team as a code owner January 28, 2020 16:42
@MathiasVP MathiasVP requested a review from a team as a code owner January 28, 2020 16:53
rdmarsh2
rdmarsh2 approved these changes Jan 28, 2020
View reviewed changes
Copy link
Contributor

@rdmarsh2 rdmarsh2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rdmarsh2 rdmarsh2 merged commit 9504da5 into github:master Jan 28, 2020
jbj
jbj reviewed Jan 29, 2020
View reviewed changes
cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
or
// Conversion using dynamic_cast results in an unknown offset
instr instanceof CheckedConvertOrNullInstruction and
bitOffset = Ints::unknown()
Copy link
Contributor

@jbj jbj Jan 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must the offset be unknown in order for the alias analysis to work? I think of dynamic_cast<D*>(b) as meaning roughly (*b instanceof D) ? static_cast<D*>(b) : nullptr, but maybe that's an oversimplification? If the type check doesn't pass, then the returned pointer doesn't point to any object, but that's also sort of true for a static_cast.

Copy link
Contributor

@rdmarsh2 rdmarsh2 Jan 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "sidecast" case in https://en.cppreference.com/w/cpp/language/dynamic_cast means that the offset is at least sometimes unknown. Even for the downcast case, there isn't an unambiguous offset for a conversion from Y to Base in https://godbolt.org/z/ebWA7x

Copy link
Contributor Author

@MathiasVP MathiasVP Jan 30, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's also the special case of dynamic_cast<void*> which casts to the most specific polymorphic class: https://godbolt.org/z/AZJpxS

Copy link
Contributor

@jbj jbj Jan 30, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the explanations. Inheritance is scary!

@rdmarsh2 rdmarsh2 mentioned this pull request Jan 29, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbj jbj jbj left review comments

+1 more reviewer

@rdmarsh2 rdmarsh2 rdmarsh2 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

C++

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MathiasVP @jbj @rdmarsh2