C#: Add data flow 'getARuntimeTarget' predicate to 'FunctionPointerCall'

Author: tamasvajk

csharp/ql/src/semmle/code/csharp/dataflow/internal/FunctionPointerDataFlow.qll

@@ -0,0 +1,205 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes for resolving function pointer calls.
+ */
+
+import csharp
+private import dotnet
+private import semmle.code.csharp.dataflow.CallContext
+private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.DataFlowPublic
+private import semmle.code.csharp.dataflow.FlowSummary
+private import semmle.code.csharp.dispatch.Dispatch
+private import semmle.code.csharp.frameworks.system.linq.Expressions
+
+/** A source of flow for a function pointer expression. */
+private class FunctionPointerFlowSource extends DataFlow::ExprNode {
+  Callable c;
+
+  FunctionPointerFlowSource() {
+    this.getExpr() =
+      any(Expr e |
+        c = e.(AddressOfExpr).getOperand().(CallableAccess).getTarget().getUnboundDeclaration()
+      )
+  }
+
+  /** Gets the callable that is referenced in this function pointer flow source. */
+  Callable getCallable() { result = c }
+}
+
+/** A sink of flow for a function pointer expression. */
+abstract private class FunctionPointerFlowSink extends DataFlow::Node {
+  /**
+   * Gets an actual run-time target of this function pointer call in the given call
+   * context, if any. The call context records the *last* call required to
+   * resolve the target, if any.
+   *
+   * See examples in `DelegateFlowSink`.
+   */
+  cached
+  Callable getARuntimeTarget(CallContext context) {
+    exists(FunctionPointerFlowSource fptrfs |
+      flowsFrom(this, fptrfs, _, context) and
+      result = fptrfs.getCallable()
+    )
+  }
+}
+
+/** A function pointer call expression. */
+class FunctionPointerCallExpr extends FunctionPointerFlowSink, DataFlow::ExprNode {
+  FunctionPointerCall fptrc;
+
+  FunctionPointerCallExpr() { this.getExpr() = fptrc.getFunctionPointerExpr() }
+
+  /** Gets the function pointer call that this expression belongs to. */
+  FunctionPointerCall getFunctionPointerCall() { result = fptrc }
+}
+
+/** A non-function pointer call. */
+private class NonFunctionPointerCall extends Expr {
+  private DispatchCall dc;
+
+  NonFunctionPointerCall() { this = dc.getCall() }
+
+  /**
+   * Gets a run-time target of this call. A target is always a source
+   * declaration, and if the callable has both CIL and source code, only
+   * the source code version is returned.
+   */
+  Callable getARuntimeTarget() { result = getCallableForDataFlow(dc.getADynamicTarget()) }
+
+  /** Gets the `i`th argument of this call. */
+  Expr getArgument(int i) { result = dc.getArgument(i) }
+}
+
+private class NormalReturnNode extends Node {
+  NormalReturnNode() { this.(ReturnNode).getKind() instanceof NormalReturnKind }
+}
+
+/**
+ * Holds if data can flow (inter-procedurally) to function pointer `sink` from
+ * `node`. This predicate searches backwards from `sink` to `node`.
+ *
+ * The parameter `isReturned` indicates whether the path from `sink` to
+ * `node` goes through a returned expression. The call context `lastCall`
+ * records the last call on the path from `node` to `sink`, if any.
+ */
+private predicate flowsFrom(
+  FunctionPointerFlowSink sink, DataFlow::Node node, boolean isReturned, CallContext lastCall
+) {
+  // Base case
+  sink = node and
+  isReturned = false and
+  lastCall instanceof EmptyCallContext
+  or
+  // Local flow
+  exists(DataFlow::Node mid | flowsFrom(sink, mid, isReturned, lastCall) |
+    LocalFlow::localFlowStepCommon(node, mid)
+    or
+    exists(Ssa::Definition def |
+      LocalFlow::localSsaFlowStep(def, node, mid) and
+      LocalFlow::usesInstanceField(def)
+    )
+  )
+  or
+  // Flow through static field or property
+  exists(DataFlow::Node mid |
+    flowsFrom(sink, mid, _, _) and
+    jumpStep(node, mid) and
+    isReturned = false and
+    lastCall instanceof EmptyCallContext
+  )
+  or
+  // Flow into a callable (non-function pointer call)
+  exists(ParameterNode mid, CallContext prevLastCall, NonFunctionPointerCall call, Parameter p |
+    flowsFrom(sink, mid, isReturned, prevLastCall) and
+    isReturned = false and
+    p = mid.getParameter() and
+    flowIntoNonFunctionPointerCall(call, node.asExpr(), p) and
+    lastCall = getLastCall(prevLastCall, call, p.getPosition())
+  )
+  or
+  // Flow into a callable (function pointer call)
+  exists(
+    ParameterNode mid, CallContext prevLastCall, FunctionPointerCall call, Callable c, Parameter p,
+    int i
+  |
+    flowsFrom(sink, mid, isReturned, prevLastCall) and
+    isReturned = false and
+    flowIntoFunctionPointerCall(call, c, node.asExpr(), i) and
+    c.getParameter(i) = p and
+    p = mid.getParameter() and
+    lastCall = getLastCall(prevLastCall, call, i)
+  )
+  or
+  // Flow out of a callable (non-function pointer call).
+  exists(DataFlow::ExprNode mid |
+    flowsFrom(sink, mid, _, lastCall) and
+    isReturned = true and
+    flowOutOfNonFunctionPointerCall(mid.getExpr(), node)
+  )
+  or
+  // Flow out of a callable (function pointer call).
+  exists(DataFlow::ExprNode mid |
+    flowsFrom(sink, mid, _, _) and
+    isReturned = true and
+    flowOutOfFunctionPointerCall(mid.getExpr(), node, lastCall)
+  )
+}
+
+/**
+ * Gets the last call when tracking flow into `call`. The context
+ * `prevLastCall` is the previous last call, so the result is the
+ * previous call if it exists, otherwise `call` is the last call.
+ */
+bindingset[call, i]
+private CallContext getLastCall(CallContext prevLastCall, Expr call, int i) {
+  prevLastCall instanceof EmptyCallContext and
+  result.(ArgumentCallContext).isArgument(call, i)
+  or
+  prevLastCall instanceof ArgumentCallContext and
+  result = prevLastCall
+}
+
+pragma[noinline]
+private predicate flowIntoNonFunctionPointerCall(
+  NonFunctionPointerCall call, Expr arg, DotNet::Parameter p
+) {
+  exists(DotNet::Callable callable, int i |
+    callable = call.getARuntimeTarget() and
+    p = callable.getAParameter() and
+    arg = call.getArgument(i) and
+    i = p.getPosition()
+  )
+}
+
+pragma[noinline]
+private predicate flowIntoFunctionPointerCall(FunctionPointerCall call, Callable c, Expr arg, int i) {
+  exists(FunctionPointerFlowSource fptrfs, FunctionPointerCallExpr fptrce |
+    // the call context is irrelevant because the function pointer call
+    // itself will be the context
+    flowsFrom(fptrce, fptrfs, _, _) and
+    arg = call.getArgument(i) and
+    c = fptrfs.getCallable() and
+    call = fptrce.getFunctionPointerCall()
+  )
+}
+
+pragma[noinline]
+private predicate flowOutOfNonFunctionPointerCall(NonFunctionPointerCall call, NormalReturnNode ret) {
+  call.getARuntimeTarget() = ret.getEnclosingCallable()
+}
+
+pragma[noinline]
+private predicate flowOutOfFunctionPointerCall(
+  FunctionPointerCall call, NormalReturnNode ret, CallContext lastCall
+) {
+  exists(FunctionPointerFlowSource fptrfs, FunctionPointerCallExpr fptrce, Callable c |
+    flowsFrom(fptrce, fptrfs, _, lastCall) and
+    ret.getEnclosingCallable() = c and
+    c = fptrfs.getCallable() and
+    call = fptrce.getFunctionPointerCall()
+  )
+}

csharp/ql/src/semmle/code/csharp/exprs/Call.qll

@@ -8,6 +8,7 @@ import Expr
 import semmle.code.csharp.Callable
 import semmle.code.csharp.dataflow.CallContext as CallContext
 private import semmle.code.csharp.dataflow.internal.DelegateDataFlow
+private import semmle.code.csharp.dataflow.internal.FunctionPointerDataFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import dotnet
 
@@ -618,8 +619,24 @@ class DelegateCall extends Call, @delegate_invocation_expr {
 class FunctionPointerCall extends Call, @function_pointer_invocation_expr {
   override Callable getTarget() { none() }
 
+  /**
+   * Gets a potential run-time target of this function pointer call in the given
+   * call context `cc`.
+   */
+  Callable getARuntimeTarget(CallContext::CallContext cc) {
+    exists(FunctionPointerCallExpr call |
+      this = call.getFunctionPointerCall() and
+      result = call.getARuntimeTarget(cc)
+    )
+  }
+
+  override Callable getARuntimeTarget() { result = getARuntimeTarget(_) }
+
   override Expr getRuntimeArgument(int i) { result = getArgument(i) }
 
+  /** Gets the function pointer expression of this call. */
+  Expr getFunctionPointerExpr() { result = this.getChild(-1) }
+
   override string toString() { result = "function pointer call" }
 
   override string getAPrimaryQlClass() { result = "FunctionPointerCall" }

csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.cs

@@ -0,0 +1,83 @@
+using System;
+
+unsafe class FunctionPointerFlow
+{
+    public static void Log1(int i) { }
+    public static void Log2(int i) { }
+    public static void Log3(int i) { }
+    public static void Log4(int i) { }
+    public static void Log5(int i) { }
+    public static void Log6(int i) { }
+
+    public static void M2(delegate*<int, void> a)
+    {
+        a(1);
+        a = &Log3;
+        a(2);
+    }
+
+    public void M3()
+    {
+        M2(&Log1);
+    }
+
+    public static void M4(delegate*<int, void> a)
+    {
+        M2(a);
+    }
+
+    public void M5()
+    {
+        M4(&Log2);
+    }
+
+    public delegate*<int, void> M6()
+    {
+        return &Log4;
+    }
+
+    public void M7()
+    {
+        M6()(0);
+    }
+
+    public void M8()
+    {
+        static void LocalFunction(int i) { };
+        M2(&LocalFunction);
+    }
+
+    private static delegate*<int, void> field = &Log5;
+
+    public void M9()
+    {
+        field(1);
+    }
+
+    public void M10(delegate*<delegate*<int, void>, void> aa, delegate*<int, void> a)
+    {
+        aa(a);
+    }
+
+    public void M11()
+    {
+        M10(&M4, &Log6);
+    }
+
+    public void M16(delegate*<Action<int>, void> aa, Action<int> a)
+    {
+        aa(a);
+    }
+
+    public static void M17(Action<int> a)
+    {
+        a(0);
+        a = _ => { };
+        a(0);
+    }
+
+    public void M18()
+    {
+        M16(&M17, (i) => { });
+    }
+}

csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.expected

@@ -0,0 +1,9 @@
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:5:24:5:27 | Log1 | FunctionPointerFlow.cs:21:12:21:16 | &... |
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:6:24:6:27 | Log2 | FunctionPointerFlow.cs:26:12:26:12 | access to parameter a |
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:10:24:10:27 | Log6 | FunctionPointerFlow.cs:26:12:26:12 | access to parameter a |
+| FunctionPointerFlow.cs:14:9:14:12 | function pointer call | FunctionPointerFlow.cs:46:9:46:44 | LocalFunction | FunctionPointerFlow.cs:47:12:47:25 | &... |
+| FunctionPointerFlow.cs:16:9:16:12 | function pointer call | FunctionPointerFlow.cs:7:24:7:27 | Log3 | file://:0:0:0:0 | <empty> |
+| FunctionPointerFlow.cs:41:9:41:15 | function pointer call | FunctionPointerFlow.cs:8:24:8:27 | Log4 | file://:0:0:0:0 | <empty> |
+| FunctionPointerFlow.cs:54:9:54:16 | function pointer call | FunctionPointerFlow.cs:9:24:9:27 | Log5 | file://:0:0:0:0 | <empty> |
+| FunctionPointerFlow.cs:59:9:59:13 | function pointer call | FunctionPointerFlow.cs:24:24:24:25 | M4 | FunctionPointerFlow.cs:64:13:64:15 | &... |
+| FunctionPointerFlow.cs:69:9:69:13 | function pointer call | FunctionPointerFlow.cs:72:24:72:26 | M17 | FunctionPointerFlow.cs:81:13:81:16 | &... |

csharp/ql/test/library-tests/dataflow/functionpointers/FunctionPointerFlow.ql

@@ -0,0 +1,5 @@
+import csharp
+
+query predicate fptrCall(FunctionPointerCall fptrc, Callable c, CallContext::CallContext cc) {
+  c = fptrc.getARuntimeTarget(cc)
+}