mismatched-memory-management-cpp.yaml: remove delete(this)
Resolves: #159
Showing 2 changed files with 87 additions and 0 deletions.
86 changes: 86 additions & 0 deletions
assets/semgrep_rules/c/mismatched-memory-management-cpp.yaml
@@ -0,0 +1,86 @@ | ||
rules: | ||
- id: raptor-mismatched-memory-management-cpp | ||
metadata: | ||
author: Marco Ivaldi <raptor@0xdeadbeef.info> | ||
references: | ||
- https://cwe.mitre.org/data/definitions/762 | ||
- https://cwe.mitre.org/data/definitions/590 | ||
- https://github.com/struct/mms | ||
- https://docs.microsoft.com/en-us/cpp/sanitizers/asan-error-examples | ||
confidence: LOW | ||
# NOTE: valloc(), reallocf(), aligned_alloc(), and custom wrappers | ||
# are not covered. | ||
# NOTE: overloaded operators, VirtualAlloc()/VirtualFree(), | ||
# mmap()/munmap() are not covered. | ||
message: >- | ||
The software attempts to return a memory resource to the system, but | ||
it calls a release function that is not compatible with the function | ||
that was originally used to allocate that resource. | ||
When the memory management functions are mismatched, the consequences | ||
may be as severe as code execution, memory corruption, or program | ||
crash. Consequences and ease of exploit will vary depending on the | ||
implementation of the routines and the object being managed. | ||
Due to inherent limitations of Semgrep, this rule might generate many | ||
false positives and should therefore be customized for your codebase. | ||
severity: INFO | ||
languages: | ||
- cpp | ||
pattern-either: | ||
# free | ||
- patterns: | ||
- pattern: free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = malloc(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = ($CAST)malloc(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = calloc(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = ($CAST)calloc(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = realloc(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = ($CAST)realloc(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = strdup(...); | ||
... | ||
free($PTR); | ||
- pattern-not-inside: | | ||
$PTR = strndup(...); | ||
... | ||
free($PTR); | ||
# delete[] | ||
- patterns: | ||
- pattern: delete[]($PTR); | ||
- pattern-not-inside: | | ||
$PTR = new $OBJ[$SIZE]; | ||
... | ||
delete[]($PTR); | ||
- pattern-not: delete[](this); | ||
# delete | ||
- patterns: | ||
- pattern: delete($PTR); | ||
- pattern-not-inside: | | ||
$PTR = new $OBJ; | ||
... | ||
delete($PTR); | ||
- pattern-not: delete(this); | ||
- patterns: | ||
- pattern: delete($PTR); | ||
- pattern-inside: | | ||
$PTR = new $OBJ[$SIZE]; | ||
... | ||
delete($PTR); | ||
- pattern-not: delete(this); |
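Review bot: the `pattern-not: delete(this);` exclusions (the `delete` block and the last `patterns` block, plus `pattern-not: delete[](this);` in the `delete[]` block) carry no comment explaining why `delete this` is deliberately not reported; since the commit message says this resolves #159 and the file already uses `# NOTE:` comments for coverage gaps, add one line next to the exclusion, e.g. `# NOTE: delete this is a legitimate idiom and is excluded (see #159)`, so a later reader does not "fix" it back. Separately, the final `patterns` block (`delete($PTR)` with `pattern-inside: $PTR = new $OBJ[$SIZE]; ...`) appears to be subsumed by the preceding `delete` block, which already reports any `delete($PTR)` that is not preceded by `$PTR = new $OBJ;` and so also catches the `new[]`/`delete` mismatch; if it is kept on purpose to make that case explicit, a comment such as `# delete on new[]-allocated memory` would make the intent clear, and its own `pattern-not: delete(this);` can be dropped because `this = new ...` cannot occur.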