csutils · kdudka · Feb 19, 2024
diff --git a/src/lib/parser-cov.cc b/src/lib/parser-cov.cc
@@ -296,6 +296,7 @@ KeyEventDigger::KeyEventDigger():
     d->denyList.insert("remediation");
     d->denyList.insert("rounding_remediation");
     d->denyList.insert("scope_hint");
+    d->denyList.insert("use_same_locks_for_read_and_modify");
 
     // trace events
     d->traceEvts.insert("break");

diff --git a/tests/csgrep/0121-cov-parser-lock-evasion-args.txt b/tests/csgrep/0121-cov-parser-lock-evasion-args.txt
@@ -0,0 +1 @@
+--mode=json
diff --git a/tests/csgrep/0121-cov-parser-lock-evasion-stdin.txt b/tests/csgrep/0121-cov-parser-lock-evasion-stdin.txt
@@ -0,0 +1,13 @@
+Error: LOCK_EVASION (CWE-543):
+p11-kit-0.23.22/p11-kit/rpc-client.c:808: thread1_checks_field: Thread1 uses the value read from field "initialized_forkid" in the condition "module->initialized_forkid == p11_forkid". It sees that the condition is true. Control is switched to Thread2.
+p11-kit-0.23.22/p11-kit/rpc-client.c:808: thread2_checks_field: Thread2 uses the value read from field "initialized_forkid" in the condition "module->initialized_forkid == p11_forkid". It sees that the condition is true.
+p11-kit-0.23.22/p11-kit/rpc-client.c:811: thread2_acquires_lock: Thread2 acquires lock "rpc_client.mutex".
+p11-kit-0.23.22/p11-kit/rpc-client.c:826: thread2_modifies_field: Thread2 sets "initialized_forkid" to a new value. Note that this write can be reordered at runtime to occur before instructions that do not access this field within this locked region. After Thread2 leaves the critical section, control is switched back to Thread1.
+p11-kit-0.23.22/p11-kit/rpc-client.c:811: thread1_acquires_lock: Thread1 acquires lock "rpc_client.mutex".
+p11-kit-0.23.22/p11-kit/rpc-client.c:826: thread1_overwrites_value_in_field: Thread1 sets "initialized_forkid" to a new value. Now the two threads have an inconsistent view of "initialized_forkid" and updates to fields correlated with "initialized_forkid" may be lost.
+p11-kit-0.23.22/p11-kit/rpc-client.c:808: use_same_locks_for_read_and_modify: Guard the modification of "initialized_forkid" and the read used to decide whether to modify "initialized_forkid" with the same set of locks.
+#  824|   	}
+#  825|   
+#  826|-> 	module->initialized_forkid = 0;
+#  827|   
+#  828|   	p11_mutex_unlock (&module->mutex);
diff --git a/tests/csgrep/0121-cov-parser-lock-evasion-stdout.txt b/tests/csgrep/0121-cov-parser-lock-evasion-stdout.txt
@@ -0,0 +1,96 @@
+{
+    "defects": [
+        {
+            "checker": "LOCK_EVASION",
+            "cwe": 543,
+            "tool": "coverity",
+            "key_event_idx": 5,
+            "events": [
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 808,
+                    "event": "thread1_checks_field",
+                    "message": "Thread1 uses the value read from field \"initialized_forkid\" in the condition \"module->initialized_forkid == p11_forkid\". It sees that the condition is true. Control is switched to Thread2.",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 808,
+                    "event": "thread2_checks_field",
+                    "message": "Thread2 uses the value read from field \"initialized_forkid\" in the condition \"module->initialized_forkid == p11_forkid\". It sees that the condition is true.",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 811,
+                    "event": "thread2_acquires_lock",
+                    "message": "Thread2 acquires lock \"rpc_client.mutex\".",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 826,
+                    "event": "thread2_modifies_field",
+                    "message": "Thread2 sets \"initialized_forkid\" to a new value. Note that this write can be reordered at runtime to occur before instructions that do not access this field within this locked region. After Thread2 leaves the critical section, control is switched back to Thread1.",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 811,
+                    "event": "thread1_acquires_lock",
+                    "message": "Thread1 acquires lock \"rpc_client.mutex\".",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 826,
+                    "event": "thread1_overwrites_value_in_field",
+                    "message": "Thread1 sets \"initialized_forkid\" to a new value. Now the two threads have an inconsistent view of \"initialized_forkid\" and updates to fields correlated with \"initialized_forkid\" may be lost.",
+                    "verbosity_level": 0
+                },
+                {
+                    "file_name": "p11-kit-0.23.22/p11-kit/rpc-client.c",
+                    "line": 808,
+                    "event": "use_same_locks_for_read_and_modify",
+                    "message": "Guard the modification of \"initialized_forkid\" and the read used to decide whether to modify \"initialized_forkid\" with the same set of locks.",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "",
+                    "line": 0,
+                    "event": "#",
+                    "message": "  824|   \t}",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "",
+                    "line": 0,
+                    "event": "#",
+                    "message": "  825|   ",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "",
+                    "line": 0,
+                    "event": "#",
+                    "message": "  826|-> \tmodule->initialized_forkid = 0;",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "",
+                    "line": 0,
+                    "event": "#",
+                    "message": "  827|   ",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "",
+                    "line": 0,
+                    "event": "#",
+                    "message": "  828|   \tp11_mutex_unlock (&module->mutex);",
+                    "verbosity_level": 1
+                }
+            ]
+        }
+    ]
+}
diff --git a/tests/csgrep/CMakeLists.txt b/tests/csgrep/CMakeLists.txt
@@ -164,3 +164,4 @@ test_csgrep("0117-csgrep-set-imp-level"               )
 test_csgrep("0118-gcc-parser-ubsan-dedup"             )
 test_csgrep("0119-cov-parser-sigma"                   )
 test_csgrep("0120-sarif-parser-semgrep"               )
+test_csgrep("0121-cov-parser-lock-evasion"            )