C++: Fix more FPs in cpp/overflow-buffer
#18629
Conversation
There was a problem hiding this comment.
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
| // Given an object `S2 s2` the size of the buffer `&s2.s.y` | ||
| // is the size of the base object type (i.e., `S2`) minutes the offset | ||
| // of `y` relative to the type `S2` (i.e., `4`). So the size of the | ||
| // buffer is `12 - 4 = 8`. |
There was a problem hiding this comment.
So "size" here includes everything between the start of s2.s.y and the end of the outermost struct? Is that correct? If so why is that a sensible notion of "size"?
There was a problem hiding this comment.
Correct. This is sensible when you consider how S2 is laid out in memory:
| x | y | z |
|---|
So we compute the buffer starting at y by computing the size of the outermost struct (i.e., S2 in this case) which includes x, y, and z. We subtract how many bytes we've already "passed" in order to get to y. So the total size is the size of y + the size of z.
There was a problem hiding this comment.
Right, so you're basically interested in not writing beyond the end of the struct?
Co-authored-by: Jeroen Ketema <[email protected]>
Co-authored-by: Jeroen Ketema <[email protected]>
| * `f.getOffsetInClass(S2) = 0` holds. Likewise, if `f` represents the | ||
| * field `a`, then `f.getOffsetInClass(c) = 0` holds. | ||
| */ | ||
| int getOffsetInClass(Class c) { hasAFieldWithOffset(c, this, result) } |
There was a problem hiding this comment.
I think we do need a change note for the predicate that's being added here.
There was a problem hiding this comment.
Oh, that's a good point. I'll add that
MathiasVP
removed
the
no-change-note-required
C++: Fix regression from #18629
This PR is a follow-up to #18615. This PR fixes an annoying case that happens when people write code such as:
The logic in #18615 wasn't enough to capture this since that PR computed the size of the buffer
x1asx1.getDeclaringType().getSize() - x1.getByteOffset()and sincex1.getDeclaringType()is the anonymous struct (of size4bytes) and the offset is0we conclude that the buffer is size4, but in reality it should be of size8.This PR makes use of a helper predicate initially used only in https://github.com/github/codeql/blob/main/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql by moving the implementation to a public member predicate on
Fieldand generalizing the above "buffer size" calculation so that it works on nested unions/structs.This fixes a large class of FPs internally at Microsoft 🎉
I've not done a change note since this change is covered by the change note in #18615