Using TaintTracking C++

[assafsion]

Hi,
Assuming i have the following c code snippet:

/*
This struct have a member that is a pointer to char array, for example
*/
someStruct *tmp = someFunc1(); // <-- Source

/*
This function extracts the pointer from the struct
*/
char *use_me = someFunc2(tmp); 
int pos = 10;

for(int x=0; x < 10; x++)
{
    char *tmp_poi = use_me + pos*x // <--Sink
    /*
        Some other code goes here
    */
}

I want to write a query that will find all the paths that exists from the function call to someFunc1() (as source) to the variable access - tmp_poi.

The current state of my query does not find this such path, and I am not sure what I should:

class MyConfig extends TaintTracking::Configuration{
    MyConfig() {this = "MyConfig"}

    override predicate isSource(DataFlow::Node node){
        exists(
            //SomeFunc1 extends from Function and describes the targeted function 
            SomeFunc1 func1 | 
            node.asExpr() = func1.getACallToThisFunction()
        )
    }

    override predicate isSink(DataFlow::Node node){
        exists(
            // TmpPoiVariableAccess extends VariableAccess and describes such accesses
            TmpPoiVariableAccess poi | 
            node.asExpr() = poi
        )
    }
}

from MyConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where 
    cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, source.getNode()

I should mention the I only care about local paths, meaning the flow should exist only within the function.

[xcorail]

Hey @assafsion

On my mobile now, I cannot give you an exact answer, but please try first these steps to "debug" your query:

1. Quick eval your predicate isSource to check that it gives you your tmp pointer.
2. Do the same for the isSink predicate to check that you get tmp_poi

Let us know what you get from there.

[assafsion]

I debugged it like that before, the predicated return what i expect.

[MathiasVP]

The problem is that the statement:

char *tmp_poi = use_me + pos*x

is not an access to the tmp_poi variable (unlike use_me, pos and x which are all variable accesses). Instead, it is a declaration of a local variable. You can verify this for yourself by checking that

from TmpPoiVariableAccess acc
select acc

has 0 results on the snippet you posted.

To capture this path, you can define a TmpPoiVariable class that describes the declaration instead:

class TmpPoiVariable extends LocalVariable {
  TmpPoiVariable() { this.hasName("tmp_poi") }
}

and modify your configuration's isSink to be:

override predicate isSink(DataFlow::Node node) {
  exists(TmpPoiVariable var | node.asExpr() = var.getInitializer().getExpr())
}

That is, a sink is the expression that is used to initialize the tmp_poi variable.

Hope it helps! :)