false negative when using not

Open LuciaMartinezGavier opened this issue 2 years ago • 2 comments

When using not: in this case, the order of the lines is not considered

weggli '{
    function(_($param));
    NOT: $foo = _;
    function();
}' /target/src

For example, with this target, there are no findings:

void fun(){
    foo = 1;
    function(&param);
    function(&param);
}

But it should because there is no assignment to foo between calls to function.

In this other case, where I remove the _(...) in the function parameter, it works as expected:

weggli '{
    function($param);
    NOT: $foo = _;
    function();
}' /target/src

LuciaMartinezGavier avatar Nov 08 '23 16:11 LuciaMartinezGavier

[I am not a maintainer, just curious] I believe the second case you wrote is the right way to query what you want. In the first one you query for a call of "function" that gets as a parameter another call for a function that gets &param.

The interesting thing here is actually that this query matches:

weggli '{
    $function(_(&$param));
    $function(&$param);
}' .

/tmp/src/./a.c:1
void fun(){
    int param;
    int foo = 1;
    function(&param); // <----- These two lines actually match
    function(&param);
}

As the first call to "function" has no parameter that is by itself a call for a function.

matan7890 avatar Jan 16 '24 18:01 matan7890

A

{
    function();        
    NOT: foo = _;
    function();
}

also works. Same as

{
    function(&$param);        
    NOT: foo = _;
    function(&$param);
}

or

{
    function(_);        
    NOT: foo = _;
    function(_);
}

Looks like the _(...) expressions with not throw it off.

bluec0re avatar Jan 30 '24 08:01 bluec0re