BuiltinBitCast doesn't seem to be tracked by TaintTracking.

[marpom]

I've been looking into the taint tracking module and I believe there's an issue when it comes to BuiltinBitCast. Specifically it looks like it doesn't identify the flow to the "argument" of __builtin_bit_cast() and as a result the return value is never tainted.
As an example, library.cc:

#include "absl/base/casts.h"

void outside_fun(uint64_t arg);
void outside_fun2(double arg);

class ExampleClass {
 private:
  void HandleWrite(uint64_t value) {
    uint64_t test = value++;
    outside_fun(test);
    double d = __builtin_bit_cast(double, value);
    outside_fun2(d);
  }
};

BUILD:

cc_library(
    name = "library",
    srcs = ["library.cc"],
    deps = [ 
        "@com_google_absl//absl/base:base",
    ],  
)

and query.ql:

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.dataflow.new.TaintTracking

module SampleConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { 
    exists( Function function | 
      function.getName() = "HandleWrite" and
      source.asParameter() = function.getParameter(0)
    )
  }

  predicate isSink(DataFlow::Node sink) {
    any()
  }
}

module SampleFlow = TaintTracking::Global<SampleConfig>;
import SampleFlow::PathGraph

from SampleFlow::PathNode source, SampleFlow::PathNode sink
where SampleFlow::flowPath(source, sink)
select source, source.getLocation(), sink, sink.getLocation()

Create the db with:
codeql database create database --language=cpp --command='bazel build --spawn_strategy=local --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results //library:library'
and run the query with:
codeql query run --database=<path>/database -- <path>/query.ql

In this case the results do not include the use of value at line 11 or d at lines 11 and 12.

Any ideas on how to work around this issue?

Thanks!

[MathiasVP]

Hi @marpom,

Thanks for reporting this to us. Turns out we weren't propagating flow through __builtin_bit_cast . I've fixed this in a PR here: #16688. I expect that it'll be merged soon and be part of the CodeQL 2.17.5 release which is expected to be released on June 13.

[MathiasVP]

#16688 is now merged, and it will now definitely appear in the 2.17.5 release :)

[marpom]

Great, thanks a lot for the quick fix!