diff --git a/assets/semgrep_rules/blocklist.txt b/assets/semgrep_rules/blocklist.txt
index 2ecc71d0..214398ba 100644
--- a/assets/semgrep_rules/blocklist.txt
+++ b/assets/semgrep_rules/blocklist.txt
@@ -20,3 +20,4 @@ https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.
 https://semgrep.dev/r/generic.secrets.gitleaks.aws-access-token.aws-access-token
 https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
 https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
+https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
diff --git a/assets/semgrep_rules/c/mismatched-memory-management-cpp.yaml b/assets/semgrep_rules/c/mismatched-memory-management-cpp.yaml
new file mode 100644
index 00000000..30c6b8f0
--- /dev/null
+++ b/assets/semgrep_rules/c/mismatched-memory-management-cpp.yaml
@@ -0,0 +1,86 @@
+rules:
+ - id: raptor-mismatched-memory-management-cpp
+ metadata:
+ author: Marco Ivaldi
+ references:
+ - https://cwe.mitre.org/data/definitions/762
+ - https://cwe.mitre.org/data/definitions/590
+ - https://github.com/struct/mms
+ - https://docs.microsoft.com/en-us/cpp/sanitizers/asan-error-examples
+ confidence: LOW
+ # NOTE: valloc(), reallocf(), aligned_alloc(), and custom wrappers
+ # are not covered.
+ # NOTE: overloaded operators, VirtualAlloc()/VirtualFree(),
+ # mmap()/munmap() are not covered.
+ message: >-
+ The software attempts to return a memory resource to the system, but
+ it calls a release function that is not compatible with the function
+ that was originally used to allocate that resource.
+ When the memory management functions are mismatched, the consequences
+ may be as severe as code execution, memory corruption, or program
+ crash. Consequences and ease of exploit will vary depending on the
+ implementation of the routines and the object being managed.
+ Due to inherent limitations of Semgrep, this rule might generate many
+ false positives and should therefore be customized for your codebase.
+ severity: INFO
+ languages:
+ - cpp
+ pattern-either:
+ # free
+ - patterns:
+ - pattern: free($PTR);
+ - pattern-not-inside: |
+ $PTR = malloc(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = ($CAST)malloc(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = calloc(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = ($CAST)calloc(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = realloc(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = ($CAST)realloc(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = strdup(...);
+ ...
+ free($PTR);
+ - pattern-not-inside: |
+ $PTR = strndup(...);
+ ...
+ free($PTR);
+ # delete[]
+ - patterns:
+ - pattern: delete[]($PTR);
+ - pattern-not-inside: |
+ $PTR = new $OBJ[$SIZE];
+ ...
+ delete[]($PTR);
+ - pattern-not: delete[](this);
+ # delete
+ - patterns:
+ - pattern: delete($PTR);
+ - pattern-not-inside: |
+ $PTR = new $OBJ;
+ ...
+ delete($PTR);
+ - pattern-not: delete(this);
+ - patterns:
+ - pattern: delete($PTR);
+ - pattern-inside: |
+ $PTR = new $OBJ[$SIZE];
+ ...
+ delete($PTR);
+ - pattern-not: delete(this);
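Review bot: The scalar `delete` branch only suppresses the report when the allocation is spelled exactly `$PTR = new $OBJ;`, so a `delete` of an object created with constructor arguments (`p = new Foo(a, b);`) will be reported as a mismatch unless Semgrep's C++ matcher already treats `new $OBJ` as covering the parenthesised form, which is worth confirming against a small test file before this rule is enabled. If it does not, add a second `pattern-not-inside` clause to that branch mirroring the existing one but starting with `$PTR = new $OBJ(...);`, and consider the same for the `free` branch if `$PTR = malloc(...);` turns out not to match a declaration with an initializer. The `delete` of an array-`new` pointer in the last `patterns` block is the one true-positive case the rule targets, while the other two blocks fire on any release whose allocation is not visible in the same scope; since all three share one `message`, the metadata could state that so triage knows which finding is the actual CWE-762 mismatch, e.g. `# NOTE: only the "delete on new[]" pattern is a definite mismatch; the free/delete patterns flag any release without a visible matching allocation.`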