ihsinme: Add query for CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

[ihsinme]

Query

Relevant PR: github/codeql#6231

Report

in this query I am looking for possible undefined behavior errors in expressions.
I have identified 4 main areas:

dangerous use of several incremental (decremental) operations, between sequence points.
using the functions of freeing resources.
the use of a common argument that can change the value inside the function.
the presence of a common global variable that can change its value.

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

• fix dangerous undefined behavior. pnggroup/libpng#378
• FortressOne/fteqw-code#5
• undefined behavior arthurodriguesbatista/tiger-compiler#1
• possibly undefined behavior. robertdavidgraham/masscan#586

[ghsecuritylab]

Your submission is now in status FP Check.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[antonio-morales]

Hi @ihsinme,

first of all, I've to say that the query looks great :)

But I think we need a more detailed description of undefined behavior alerts. "This expression may have undefined behavior" looks very general and makes really difficult to distinguish TP from FP.

I look forward to your reply.

Regards,
Antonio.

[ihsinme]

good day @antonio-morales.

I hope you remember that the English text is not my strong point, so I will be glad to have corrections.

from what i see i can add 3 different messages

1. undefined behavior due to a possible change in the argument of a function.
2. undefined behavior due to the release of the resource.
3. undefined behavior when using cremental operations.

thanks

[ihsinme]

Good afternoon @antonio-morales.
can you missed my answer?

[kevinbackhouse]

My suggestion:
"This expression may have undefined behavior, because the order of evaluation is not specified."

Thanks for this query! I remember getting burned by this exact issue at a previous job. A test was failing, but only on macOS, because the compiler chose a different order of evaluation for the function arguments. Took a while to track the bug down because I didn't have easy access to Apple hardware at the time.

[ihsinme]

@kevinbackhouse thanks for the help!
I made corrections.
github/codeql#6486

[ihsinme]

Good afternoon.
tell me, maybe I need to do something for this request?

[ghsecuritylab]

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ihsinme]

good afternoon have news on this request?

[ghsecuritylab]

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[xcorail]

Created Hackerone report 1345483 for bounty 335988 : [402] ihsinme: Add query for CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior