mismatched-memory-management-cpp.yaml: remove delete(this)
Resolves: #159
thypon committed Jul 17, 2023
1 parent 29d3411 commit 73e2f8b
Showing 2 changed files with 87 additions and 0 deletions.
1 change: 1 addition & 0 deletions assets/semgrep_rules/blocklist.txt
Expand Up @@ -20,3 +20,4 @@ https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.
https://semgrep.dev/r/generic.secrets.gitleaks.aws-access-token.aws-access-token
https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
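Review bot: the blocklist entry appended at the end of this hunk is what keeps the upstream `c/mismatched-memory-management-cpp.yaml` from being loaded next to the vendored copy added in the second file, which appears to be a copy of that upstream rule (same author, same id `raptor-mismatched-memory-management-cpp`); if both were active, the unmodified upstream copy would presumably still report the `delete this` cases this commit is meant to silence. blocklist.txt is a bare list of URLs with no room for a comment, so please record that coupling somewhere durable (the commit message currently only says "Resolves: #159"), otherwise a later cleanup of the blocklist could drop this line and quietly reintroduce the findings.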
86 changes: 86 additions & 0 deletions assets/semgrep_rules/c/mismatched-memory-management-cpp.yaml
@@ -0,0 +1,86 @@
rules:
- id: raptor-mismatched-memory-management-cpp
metadata:
author: Marco Ivaldi <raptor@0xdeadbeef.info>
references:
- https://cwe.mitre.org/data/definitions/762
- https://cwe.mitre.org/data/definitions/590
- https://github.com/struct/mms
- https://docs.microsoft.com/en-us/cpp/sanitizers/asan-error-examples
confidence: LOW
# NOTE: valloc(), reallocf(), aligned_alloc(), and custom wrappers
# are not covered.
# NOTE: overloaded operators, VirtualAlloc()/VirtualFree(),
# mmap()/munmap() are not covered.
message: >-
The software attempts to return a memory resource to the system, but
it calls a release function that is not compatible with the function
that was originally used to allocate that resource.
When the memory management functions are mismatched, the consequences
may be as severe as code execution, memory corruption, or program
crash. Consequences and ease of exploit will vary depending on the
implementation of the routines and the object being managed.
Due to inherent limitations of Semgrep, this rule might generate many
false positives and should therefore be customized for your codebase.
severity: INFO
languages:
- cpp
pattern-either:
# free
- patterns:
- pattern: free($PTR);
- pattern-not-inside: |
$PTR = malloc(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = ($CAST)malloc(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = calloc(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = ($CAST)calloc(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = realloc(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = ($CAST)realloc(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = strdup(...);
...
free($PTR);
- pattern-not-inside: |
$PTR = strndup(...);
...
free($PTR);
# delete[]
- patterns:
- pattern: delete[]($PTR);
- pattern-not-inside: |
$PTR = new $OBJ[$SIZE];
...
delete[]($PTR);
- pattern-not: delete[](this);
# delete
- patterns:
- pattern: delete($PTR);
- pattern-not-inside: |
$PTR = new $OBJ;
...
delete($PTR);
- pattern-not: delete(this);
- patterns:
- pattern: delete($PTR);
- pattern-inside: |
$PTR = new $OBJ[$SIZE];
...
delete($PTR);
- pattern-not: delete(this);
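Review bot: judging by the commit title, the local deviation from the upstream rule is the three `pattern-not: delete(this);` / `pattern-not: delete[](this);` lines, yet the two `# NOTE:` comments in `metadata` say nothing about them, so a future resync from 0xdea/semgrep-rules would silently drop the exclusion. Suggest a third comment beside the existing ones, e.g. `# NOTE: delete this / delete[] this are excluded locally (see #159).` Two smaller points on the `delete` blocks: in the last `patterns` block `$PTR` is already bound by `pattern-inside: $PTR = new $OBJ[$SIZE];`, so `this` can never be that pointer and the trailing `pattern-not: delete(this);` there is dead and can go; and the preceding block only whitelists `$PTR = new $OBJ;`, so please confirm that Semgrep's C++ matcher also treats the constructor-call forms `new $OBJ(...)` and `new $OBJ{...}` as matching that pattern, otherwise `p = new Foo(1); delete p;` would be reported as a mismatch and add to the false positives the `message` already warns about.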
