C++: Add MaD models for SysAllocString and friends
#18463
Conversation
There was a problem hiding this comment.
Copilot reviewed 1 out of 5 changed files in this pull request and generated no comments.
Files not reviewed (4)
- cpp/ql/test/library-tests/dataflow/external-models/flow.expected: Language not supported
- cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected: Language not supported
- cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp: Language not supported
- cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected: Language not supported
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
MathiasVP
added
no-change-note-required
| - ["", "", False, "SysAllocStringByteLen", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] | ||
| - ["", "", False, "SysAllocStringLen", "", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"] |
There was a problem hiding this comment.
These two presumably can cut the tail of the string passed in as an argument (when the passed length is too short). I assume we still consider that value flow (although part of the data has gone missing)?
There was a problem hiding this comment.
That's a good point. We model that somewhat inconsistency across different models. For example, strncpy is currently modeled as taint because the length argument could mean that we only did a partial copy. In practice, I have a feeling that most of these length-bounded functions are used simply as defensive programming and do provide full copies in most cases. So nowadays I tend to lean towards modeling them as value-preserving.
The lack of these models were causing some false negatives at Microsoft.