We are trying to track taint flow from the state parameter here: https://github.com/ggerganov/whisper.cpp/blob/master/whisper.cpp#L7118. We don't want to taint the struct itself, because then all instances of the struct are tainted. Instead, we are only interested in the taint flow of the parameter state. The query below is very close to achieving the results we want:
```ql
// Body of the isAdditionalFlowStep predicate referred to below
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
  exists(FieldAccess fa |
    // check node2 is the FieldAccess
    node2.asExpr() = fa and
    // check node1 is an indirect parent
    node1.asIndirectExpr() = fa.getQualifier() and
    // prevent false positives
    fa.getQualifier().getType().(PointerType).getBaseType().hasName("whisper_state")
  )
}
```
When we run the quick eval on the isSource predicate, CodeQL correctly identifies the state parameter as the only source. In addition, when we run the quick eval on the isAdditionalFlowStep predicate, CodeQL correctly identifies the field accesses of the state parameter as tainted (see the screenshot below). However, when we run the whole query, we do not get the results we expect: the field accesses of the state parameter are not part of the results. We have a feeling there is a disconnect between the source and the nodes selected by the isAdditionalFlowStep predicate. Do you have any ideas on how to proceed? We greatly appreciate your help!
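As an added illustration (not the original poster's query, and not code from the whisper.cpp project), here is one way the fragment above slots into a complete query using the module-based C/C++ taint-tracking API. The sink (any argument of a function call), the query metadata, and the choice to seed the source from both `asParameter()` and `asIndirectParameter()` are assumptions made for the example; it is not presented as a confirmed fix for the disconnect the post describes.

```ql
/**
 * @name Taint flow from a whisper_state parameter (example)
 * @kind path-problem
 * @id example/whisper-state-taint
 */

import cpp
import semmle.code.cpp.dataflow.new.TaintTracking
import Flow::PathGraph

/** A parameter named `state` whose type is a pointer to `whisper_state`. */
class WhisperStateParam extends Parameter {
  WhisperStateParam() {
    this.getName() = "state" and
    this.getType().(PointerType).getBaseType().hasName("whisper_state")
  }
}

module WhisperStateConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // Assumption for the example: seed both the pointer value and the
    // pointed-to object, so that the indirect node used as node1 in
    // isAdditionalFlowStep below has a source to be reached from.
    source.asParameter() instanceof WhisperStateParam
    or
    source.asIndirectParameter() instanceof WhisperStateParam
  }

  predicate isSink(DataFlow::Node sink) {
    // Assumption for the example: any argument passed to a function call.
    sink.asExpr() = any(FunctionCall fc).getAnArgument()
  }

  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    // Same step as in the post: a field read through a whisper_state pointer
    // propagates taint from the pointed-to object to the field access.
    exists(FieldAccess fa |
      node2.asExpr() = fa and
      node1.asIndirectExpr() = fa.getQualifier() and
      fa.getQualifier().getType().(PointerType).getBaseType().hasName("whisper_state")
    )
  }
}

module Flow = TaintTracking::Global<WhisperStateConfig>;

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Value derived from the $@ reaches a call argument.", source.getNode(),
  "whisper_state parameter"
```

Quick-evaluating `isSource` and `isAdditionalFlowStep` separately only shows which nodes each predicate selects; whether a path exists depends on the library providing (or the configuration adding) steps that connect the source node to the first `node1` of the additional step, so it is worth checking which node kinds (direct vs. indirect) each predicate selects on the `state` parameter.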